Managing COI Compliance Gaps: From Detection to Resolution
A complete guide to identifying, classifying, communicating, and resolving insurance compliance gaps in your vendor program.
A compliance gap is the difference between what your requirements demand and what a vendor's certificate of insurance actually shows. Every gap represents uninsured or underinsured exposure — a window through which a loss can pass without triggering the coverage you assumed was in place.
Gaps are inevitable. Policies expire. Vendors switch carriers. Endorsements get dropped at renewal. New requirement sets get applied to existing vendors. The question is not whether gaps will occur, but how quickly you detect them, how clearly you communicate them, and how systematically you resolve them.
This guide covers the complete gap management lifecycle: detection, classification, notification, escalation, resolution, and measurement. If you manage more than a handful of vendors, this process will define the operational credibility of your compliance program.
What Is a Compliance Gap?
A compliance gap exists whenever a vendor's insurance documentation fails to meet one or more elements of the applicable requirement set. Gaps can range from trivial (a certificate holder name is misspelled) to critical (a required coverage type is entirely absent).
The formal definition: A compliance gap is any discrepancy between a required insurance element and the corresponding element on the vendor's current certificate of insurance, endorsements, or policy documents.
Gaps fall into three broad categories:
- Coverage gaps: A required coverage type is missing entirely, or the wrong form/trigger is in place.
- Limit gaps: A coverage exists but the limit is below the required minimum.
- Provision gaps: A required provision (additional insured, waiver of subrogation, primary and non-contributory) is missing or not evidenced on the certificate.
A fourth category — documentation gaps — applies when the vendor has the correct coverage but has not provided a current certificate, or the certificate is technically deficient (expired, unsigned, or missing required information). Documentation gaps are procedural rather than substantive, but they still represent non-compliance until resolved.
Gap Severity Classification
Not all gaps carry equal weight. A missing workers' compensation policy on a vendor with 50 employees on your jobsite is an immediate safety and legal concern. A certificate that lists the wrong zip code for the certificate holder is an administrative issue. Your gap management process must distinguish between these.
Critical Gaps
Critical gaps represent material uninsured exposure. They require immediate action and may warrant suspension of the vendor's work until resolved.
- Missing required coverage entirely — the vendor has no CGL, no Workers' Comp, or no Auto policy when one is required.
- Expired policy — the policy period has ended and no renewal certificate has been provided.
- Coverage limit below 50% of requirement — the gap is so large that the coverage provides inadequate protection (e.g., $500,000 GL when $1,000,000 is required).
- Missing Workers' Compensation in a mandatory state — this is not just a compliance gap; it is a legal violation.
Warning Gaps
Warning gaps represent real but manageable exposure. They require prompt resolution but typically do not warrant immediate work stoppage.
- Coverage limit below requirement but above 50% — the vendor carries $750,000 GL when $1,000,000 is required. There is a gap, but meaningful coverage exists.
- Missing additional insured endorsement — the vendor has GL but your organization is not named as an additional insured. You have no direct rights under the policy until this is corrected.
- Missing waiver of subrogation — the vendor's insurer retains the right to subrogate against you, undermining the contractual transfer of risk.
- Policy expiring within 30 days — not yet a gap, but it will become one if the vendor does not provide a renewal certificate.
Informational Gaps
Informational gaps are minor discrepancies that should be corrected but do not create meaningful exposure.
- Missing primary and non-contributory language — important for claim ordering but not for coverage existence.
- Certificate holder name or address formatting issues — the intent is clear but the certificate is not technically correct.
- Missing per-project aggregate (when per-occurrence limit meets requirement) — a best practice gap, not a coverage gap.
- Damage to rented premises limit below requirement — typically a minor sub-limit issue.
The 5 Most Common Gap Types
Across thousands of vendor records, five gap types account for the overwhelming majority of compliance issues. Understanding these patterns helps you prioritize your audit process and target your vendor communications.
1. Missing Coverage Entirely
The vendor simply does not carry a required coverage type. This most often occurs with:
- Umbrella / Excess Liability: Smaller vendors, particularly sole proprietors and small trade contractors, often do not carry umbrella policies. They view it as an unnecessary expense until a contract requires it.
- Professional Liability / E&O: Vendors who perform professional services (consultants, technology providers, engineers) sometimes carry only GL, not understanding that GL excludes professional errors.
- Cyber Liability: Still a relatively new requirement, many vendors — particularly in construction and maintenance — have never purchased a cyber policy.
Resolution path: The vendor must purchase the coverage. This typically takes 2 to 4 weeks and requires the vendor to contact their broker, obtain quotes, and bind the policy. Set a realistic deadline — 30 days is standard for a new coverage purchase.
2. Insufficient Limits
The vendor carries the correct coverage type but at limits below your requirement. Common examples:
- GL at $1M/$1M instead of $1M/$2M (aggregate is half the standard).
- Umbrella at $1M when $5M is required.
- Auto at $500,000 when $1M is required.
Resolution path: The vendor can either increase limits on their existing policy (an endorsement that takes 1 to 2 weeks) or purchase additional umbrella coverage to fill the gap. If the vendor has umbrella coverage that sits over the deficient primary policy, the combined limits may meet the requirement — see the section on umbrella supplementation below.
3. Expired Coverage
The policy period shown on the certificate has passed, and no renewal certificate has been provided. This is the most common gap type by volume because policies expire on a fixed cycle and vendors frequently fail to send updated certificates proactively.
Resolution path: In most cases, the vendor has renewed their policy but simply has not sent a new certificate. A notification requesting an updated certificate resolves the majority of expired-coverage gaps within a few days. If the vendor has actually let coverage lapse, the resolution path is the same as missing coverage — they must reinstate or repurchase.
4. Missing Additional Insured
The vendor carries adequate GL coverage, but your organization is not listed as an additional insured on the policy. Without additional insured status, you have no direct rights under the vendor's policy — if a loss occurs, the vendor's insurer has no obligation to defend or indemnify you.
Resolution path: The vendor must contact their broker and request an additional insured endorsement naming your organization. This is a routine request that takes 1 to 2 weeks. The vendor should provide both an updated certificate showing "additional insured" in the description of operations and a copy of the actual endorsement (CG 20 10, CG 20 37, or equivalent).
5. Missing Waiver of Subrogation
Waiver of subrogation prevents the vendor's insurer from recovering from you after paying a claim. Without it, the insurer can sue you to recover what it paid — even if the contract between you and the vendor says otherwise (because the insurer is not a party to the contract).
Resolution path: The vendor requests a waiver of subrogation endorsement from their carrier. This is a standard endorsement available on virtually all commercial policies. Most carriers add it at no charge or for a nominal premium. Turnaround is typically 1 to 2 weeks.
Writing an Effective Gap Notification
The gap notification is the most important communication in the compliance process. A well-written notice gets results; a poorly written one gets ignored. The goal is to be specific, professional, and action-oriented.
What Every Gap Notice Must Include
- Vendor name and record identifier — so the vendor knows exactly which relationship this pertains to.
- The specific gaps — listed individually with the required element and the current finding.
- The deadline for resolution — a specific calendar date, not "as soon as possible."
- How to resolve — clear instructions on what the vendor needs to provide (updated certificate, endorsement, new policy).
- Where to send the updated documentation — an email address, portal upload link, or fax number.
- Consequences of non-resolution — what happens if the deadline passes (escalation, work suspension, contract termination).
What a Gap Notice Should Not Include
- Threats or adversarial language. The vendor is your business partner, not your adversary. Most gaps are administrative oversights, not intentional non-compliance.
- Insurance advice. Do not tell the vendor what coverage to buy or which carrier to use. Direct them to their insurance broker.
- Ambiguous descriptions. "Your insurance is not compliant" is not actionable. "Your GL per-occurrence limit is $500,000; the requirement is $1,000,000" is.
Sample Gap Notification Email
Subject: Insurance Compliance Update Required — [Vendor Name] / [Project or Property Name]
Dear [Vendor Contact],
During our routine review of insurance documentation for [Project/Property Name], we identified the following gaps between your current certificate of insurance and the requirements for this engagement:
Gap 1: Insufficient Commercial General Liability Limit
- Required: $1,000,000 per occurrence / $2,000,000 aggregate
- Current: $1,000,000 per occurrence / $1,000,000 aggregate
- Action needed: Increase general aggregate to $2,000,000 or provide evidence of umbrella coverage that brings the effective aggregate to $2,000,000.
Gap 2: Missing Waiver of Subrogation — Workers' Compensation
- Required: Waiver of Subrogation endorsement in favor of [Your Organization Name]
- Current: Not evidenced on certificate
- Action needed: Request WC waiver of subrogation endorsement from your carrier and provide updated certificate.
Please provide an updated certificate of insurance and any applicable endorsements by [Date — 14 days from notice]. You may upload documents directly to [portal link] or email them to [compliance email].
If you have questions about these requirements, please contact your insurance broker. If you believe these gaps have already been resolved, please send the current certificate so we can update our records.
Thank you for your prompt attention.
[Your Name] [Title] [Contact Information]
Escalation Workflows
A single notification resolves most gaps. But some vendors are slow to respond, and a subset will not respond at all without escalation. Your process must account for this with a defined escalation timeline.
Recommended Escalation Timeline
Day 0 — Initial Gap Notification: Send the gap notice using the template above. Set the resolution deadline at Day 14.
Day 7 — Reminder: If no response has been received, send a reminder. Reference the original notice, restate the gaps, and emphasize the approaching deadline. The tone is still professional and helpful.
Day 14 — Escalation Notice: If the deadline has passed without resolution, send a formal escalation. This notice should:
- Reference the original notice and the reminder.
- State that the vendor is now past the compliance deadline.
- Set a final deadline (Day 21).
- Explicitly state the consequences: suspension of work authorization, withholding of payment, or contract termination, depending on your contract terms.
- Copy the vendor's project manager or account executive in addition to the insurance contact.
Day 21 — Final Action: If the vendor remains non-compliant after the escalation, execute the stated consequence. This may mean:
- Suspending the vendor's access to the property or project.
- Withholding payment pending compliance.
- Issuing a formal notice of default under the contract.
- Terminating the vendor relationship.
The key principle is to do what you said you would do. An escalation process that threatens consequences but never follows through teaches vendors that compliance is optional.
When to Involve Legal
Involve your legal team when:
- A vendor disputes the requirement itself (claims the contract does not require the coverage).
- A vendor's broker provides a letter stating the vendor cannot obtain the required coverage.
- You are considering work suspension or contract termination based on non-compliance.
- The gap involves a regulatory requirement (e.g., Workers' Comp) that may create liability for your organization.
Waiver Management
Sometimes a vendor genuinely cannot meet a requirement. The coverage may be unavailable in their market, prohibitively expensive relative to the contract value, or commercially unreasonable for their trade. In these cases, you may grant a formal waiver.
When to Consider a Waiver
- The required coverage is not commercially available for the vendor's trade or size.
- The cost of the coverage exceeds a material percentage (typically 5% or more) of the contract value.
- The vendor carries alternative coverage that substantially addresses the same risk.
- The risk exposure is genuinely low and the requirement is a blanket standard that does not fit this vendor.
The Formal Waiver Process
- Vendor requests the waiver in writing, explaining why the requirement cannot be met and what alternative measures (if any) they propose.
- Risk assessment: Evaluate the actual exposure. What is the worst-case loss scenario if this coverage is not in place? Who bears the loss?
- Approval authority: Waivers should require approval from a designated authority — typically a risk manager, VP of operations, or legal counsel. Front-line compliance analysts should not have unilateral waiver authority.
- Documentation: The waiver must be documented with the specific requirement being waived, the reason, the approver, and the expiration date.
- Expiration: Every waiver must have an expiration date, typically aligned with the vendor's policy renewal. At expiration, the waiver is reassessed — it does not automatically renew.
Tracking Waivers
Waivers should be visible in your compliance system alongside gaps. A record with a waiver is not the same as a compliant record — it is a known, accepted exception. Your compliance reporting should distinguish between:
- Compliant: Meets all requirements.
- Non-compliant: Has open gaps.
- Waived: Has gaps that have been formally accepted.
Umbrella Supplementation
A vendor's primary policy may have limits below your requirement, but their umbrella policy may fill the gap. Understanding how umbrella supplementation works is essential for accurate gap analysis.
The Math
If your requirement is $1,000,000 per occurrence for Commercial Auto, and the vendor carries:
- Auto: $500,000 combined single limit
- Umbrella: $5,000,000 (follow-form over auto)
The effective auto limit is $500,000 + $5,000,000 = $5,500,000. The requirement is met.
However, this only works if:
- The umbrella policy is follow-form over the deficient primary policy. If the umbrella does not sit over auto, it does not supplement auto limits.
- The umbrella policy does not contain exclusions that the primary policy does not. A follow-form umbrella with a transportation pollution exclusion does not supplement auto coverage for a chemical spill.
- The umbrella's retained limit (self-insured retention or SIR) is not higher than the primary limit. If the umbrella has a $1,000,000 SIR but the primary auto is $500,000, there is a $500,000 gap between where the primary stops and where the umbrella starts.
Best Practice
Accept umbrella supplementation for limit gaps, but verify the umbrella structure. At minimum, confirm:
- The umbrella is listed on the ACORD 25 certificate.
- The umbrella's underlying insurance schedule lists the deficient primary policy.
- The umbrella does not contain restrictive endorsements that narrow its coverage.
Resolution Tracking
Once a gap is identified and communicated, you need to track its lifecycle from open to resolved. Every gap should have a status:
- Open: Gap has been identified but not yet communicated to the vendor.
- Notified: Vendor has been informed of the gap.
- In Progress: Vendor has acknowledged the gap and is working on resolution.
- Resolved: Vendor has provided documentation that closes the gap.
- Waived: Gap has been formally accepted via the waiver process.
- Escalated: Gap has passed the initial deadline and is in the escalation workflow.
Track the date each status changed. This gives you the data to calculate resolution time, identify vendors who consistently delay, and demonstrate the effectiveness of your compliance program.
Compliance Scoring
A compliance program without measurement is a compliance program without accountability. Scoring transforms subjective impressions ("I think we are mostly in good shape") into objective metrics ("87% of our active vendor records are fully compliant").
Core Metrics
Compliance Rate = (Compliant Records / Total Active Records) x 100
This is the headline number. It tells you what percentage of your vendor relationships are fully insured to your standards at any given point in time.
- Below 70%: The program has systemic issues. Requirements may be unclear, enforcement may be inconsistent, or the team lacks capacity to manage the volume.
- 70% to 80%: The program is functioning but has material gaps. Focus on process improvements and vendor communication.
- 80% to 90%: The program is solid. Focus on closing the remaining gaps and preventing new ones.
- Above 90%: The program is performing at a high level. Maintain it.
Collection Rate = (COIs Received / COIs Required) x 100
This measures whether you are even receiving certificates from your vendors. A low collection rate indicates a fundamental breakdown — you cannot audit what you do not have.
Average Resolution Time = Sum of (Resolution Date - Detection Date) / Number of Resolved Gaps
This measures how quickly gaps are closed once detected. Industry benchmarks suggest 7 to 14 days for routine gaps and 21 to 30 days for gaps requiring new coverage purchases.
Gap Density = (Total Open Gaps / Total Active Records) x 100
This measures how many gaps exist relative to your portfolio size. A program with 500 active records and 50 open gaps has a gap density of 10%, which is acceptable. A gap density above 25% indicates systemic issues.
Trending and Reporting
Track these metrics monthly. Look for trends:
- Is compliance rate improving or declining?
- Are certain vendor categories consistently non-compliant?
- Is resolution time getting longer (indicating process problems) or shorter (indicating process improvements)?
- Does gap density spike at certain times of year (policy renewal season)?
Report to leadership quarterly. A simple dashboard showing compliance rate, gap density, and resolution time over time tells the story of your program's health more effectively than any narrative.
Conclusion
Gap management is the operational core of COI compliance. Detecting gaps is necessary but not sufficient — the value is in resolving them. A well-designed gap management process turns your compliance program from a documentation exercise into a genuine risk management function.
The key principles are consistency, specificity, and follow-through. Classify every gap. Communicate every gap clearly. Escalate on schedule. Follow through on consequences. Measure everything. And never accept "we will get to it" as a resolution.