Building and Scaling a COI Compliance Program
From startup to enterprise — how to build, staff, measure, and scale a COI compliance program that keeps your organization protected.
A COI compliance program is not a tool or a checklist. It is an operational function within your organization — one that requires staffing, processes, metrics, technology, and ongoing management like any other business function. The difference between organizations that do compliance well and those that do not is rarely knowledge. It is execution. Most risk managers know what good compliance looks like. The gap is in building a program that delivers it consistently at scale.
This guide covers the full arc of building a compliance program: from the initial startup phase where one person is tracking everything in a spreadsheet, to the enterprise phase where automated systems manage thousands of vendors across hundreds of projects with minimal human intervention.
The Compliance Program Maturity Model
COI compliance programs follow a predictable maturity curve. Understanding where your organization sits on this curve helps you prioritize investments and set realistic expectations.
Level 1: Ad Hoc / Reactive
Characteristics:
- No formal compliance program exists
- Certificates are collected inconsistently, usually only when someone remembers to ask
- Certificates are stored in email inboxes, local folders, or filing cabinets
- Compliance is checked only when a claim occurs or an audit finds gaps
- No dedicated staff — compliance is a side task for office managers or project coordinators
- No defined requirements — different projects may have different (or no) standards
- No tracking of expirations — expired certificates go unnoticed for months
Risk exposure: Maximum. At Level 1, you have no reliable way to know whether any vendor is properly insured. Claims that should be covered by vendor insurance end up on your own policy or out of pocket.
Typical organizations: Small property management firms, individual building owners, startups, organizations that have never had a claim.
Level 2: Structured / Spreadsheet
Characteristics:
- Formal requirements exist and are documented
- A spreadsheet (typically Excel or Google Sheets) tracks vendor names, coverage types, limits, and expiration dates
- One or more people are responsible for collecting and reviewing certificates
- Certificates are stored in a shared drive or document management system
- Expiration tracking exists but is manual (someone checks the spreadsheet weekly or monthly)
- Follow-up on gaps and expirations happens but is inconsistent
- Basic reporting exists (compliance rate, number of expired certificates)
Risk exposure: Moderate. Level 2 catches many gaps but misses others due to manual processes, human error, and scale limitations. As the vendor population grows, spreadsheets become unwieldy, and compliance degrades.
Typical organizations: Mid-size property management companies, general contractors with 50-200 subcontractors, organizations that have experienced a claim and recognized the need for tracking.
Level 3: Automated / Proactive
Characteristics:
- Dedicated COI compliance platform replaces spreadsheets
- AI or OCR extracts data from certificates automatically
- Automated notifications alert vendors before certificates expire
- Automated escalation when gaps are not resolved within defined timelines
- Defined workflows for onboarding new vendors, handling non-compliance, and managing renewals
- Integration with procurement or property management systems
- Comprehensive dashboard with real-time compliance metrics
- Compliance audits are proactive — gaps are identified and addressed before they become claims
Risk exposure: Low. Level 3 programs catch the vast majority of gaps and resolve them before they matter. The remaining risk is in edge cases: certificates that misrepresent coverage, endorsements that were never issued, or mid-term policy changes that are not reflected on the certificate.
Typical organizations: Large property management companies, institutional REITs, large general contractors, organizations with regulatory compliance requirements.
Level 4: Optimized / Data-Driven
Characteristics:
- All Level 3 capabilities plus advanced analytics
- Risk-tiered requirements that adjust automatically based on vendor classification
- Historical compliance data is used to predict which vendors are likely to lapse
- Vendor compliance scoring influences procurement decisions
- Benchmarking against industry standards and peer organizations
- Continuous improvement cycle: compliance data feeds back into requirement optimization
- Full audit trail for regulatory and legal documentation
- Integration with insurance carrier systems for real-time coverage verification
Risk exposure: Minimal. Level 4 programs reduce compliance risk to near-zero for known risk categories. Residual risk comes from novel situations or systemic failures (carrier insolvency, mass fraud).
Typical organizations: Enterprise REITs, Fortune 500 companies, large institutional owners, organizations with dedicated risk management departments.
Most organizations are at Level 2
The majority of commercial organizations managing vendor compliance operate at Level 2 — they have spreadsheets, they have some process, and they know it is insufficient. The jump from Level 2 to Level 3 is the single most impactful improvement in a compliance program's lifecycle. It is also the point at which technology becomes essential rather than optional.
Staffing Benchmarks
How many people do you need to run a compliance program? The answer depends on your maturity level, vendor population size, and the complexity of your requirements.
Level 2 Staffing (Spreadsheet-Based)
Benchmark: 1 compliance analyst per 400-600 active vendors
At Level 2, every certificate must be manually reviewed, data must be manually entered into spreadsheets, and follow-up communications must be manually sent. A competent analyst can review approximately 15-25 certificates per day (including data entry and follow-up), which means:
- 500 vendors with annual renewals = ~500 reviews per year + initial onboarding reviews
- Spread across 250 working days = ~2 reviews per day just for renewals
- Add new vendor onboarding, re-reviews, follow-up, and reporting
- Total workload supports approximately 500 vendors per analyst
This does not account for complexity. If your requirements are multi-tiered, if you require endorsement review, or if your vendor population has high turnover, you may need a lower ratio.
Level 3 Staffing (Automated Platform)
Benchmark: 1 compliance analyst per 1,500-2,500 active vendors
Automation eliminates most manual data entry and routine follow-up. The analyst's role shifts from processing certificates to managing exceptions — reviewing flagged certificates that the system could not fully verify, handling escalations, and making judgment calls on borderline cases.
- AI extraction handles data entry
- Automated notifications handle vendor communication
- Automated expiration tracking handles renewals
- The analyst focuses on: flagged exceptions, complex endorsement review, vendor disputes, reporting, and program improvement
Level 4 Staffing
Benchmark: 1 compliance analyst per 2,000-4,000 active vendors, plus 1 compliance manager per 5,000-10,000 vendors
At Level 4, the analyst role becomes more specialized. Analysts handle complex cases and program optimization. Managers focus on strategy, reporting, and cross-functional coordination with legal, procurement, and risk management.
Supporting Roles
Beyond frontline analysts, a mature compliance program may need:
- Compliance Manager / Director: Overall program strategy, stakeholder communication, budget management. Typically needed once the program exceeds 2,000 vendors or spans multiple business units.
- Vendor Relations Coordinator: Dedicated to vendor communication — helping vendors understand requirements, coordinating with brokers, resolving disputes. Useful when vendor satisfaction is a priority (e.g., tenant compliance programs).
- Data / Reporting Analyst: Produces compliance reports, analyzes trends, maintains dashboards. Useful at Level 3+ when the data volume is sufficient for meaningful analytics.
- Quality Assurance: Reviews a sample of completed audits for accuracy. Prevents standard drift and catches systematic errors.
Key Performance Indicators (KPIs)
You cannot manage what you do not measure. The following KPIs provide a comprehensive view of your compliance program's performance.
Compliance Rate
Definition: Percentage of active vendors that are fully compliant with all requirements at a point in time.
Formula: (Number of fully compliant vendors / Total active vendors) x 100
Targets:
- Level 2: 60-75%
- Level 3: 80-90%
- Level 4: 90-97%
Why it matters: This is your headline metric. It tells you, at any given moment, what percentage of your vendor population is properly insured. A compliance rate below 70% means more than a quarter of your vendors have known insurance gaps.
Collection Rate
Definition: Percentage of vendors from whom you have received a certificate (regardless of whether it is compliant).
Formula: (Vendors with certificate on file / Total active vendors) x 100
Targets:
- Level 2: 75-85%
- Level 3: 90-97%
- Level 4: 97-99%
Why it matters: Collection rate measures your program's reach. A vendor without a certificate on file is a complete unknown — you have no visibility into their insurance status. The gap between collection rate and compliance rate represents vendors who have submitted certificates but are non-compliant.
Average Resolution Time
Definition: Average number of days from gap identification to gap resolution.
Formula: Sum of (resolution date - identification date) for all resolved gaps / Number of resolved gaps
Targets:
- Level 2: 20-35 days
- Level 3: 10-20 days
- Level 4: 5-12 days
Why it matters: Faster resolution means shorter exposure windows. If it takes 30 days to resolve a gap, your organization is exposed for 30 days. At scale — hundreds of vendors with rotating gaps — long resolution times create persistent portfolio-wide exposure.
Gap Density
Definition: Average number of compliance gaps per non-compliant vendor.
Formula: Total open gaps / Number of non-compliant vendors
Targets:
- Level 2: 2.5-3.5 gaps per vendor
- Level 3: 1.5-2.5 gaps per vendor
- Level 4: 1.0-1.5 gaps per vendor
Why it matters: Gap density reveals the nature of your compliance problems. High gap density (3+ gaps per vendor) suggests vendors fundamentally do not understand your requirements. Low gap density (1-1.5 gaps) suggests minor mismatches — maybe a limit is slightly below the requirement or an endorsement is missing. Different gap densities require different interventions.
Renewal Rate
Definition: Percentage of expiring certificates that are renewed (new certificate received) before or within a defined grace period after expiration.
Formula: (Certificates renewed within grace period / Total expired certificates) x 100
Targets:
- Level 2: 50-65%
- Level 3: 70-85%
- Level 4: 85-95%
Why it matters: Renewal is the most predictable compliance event — you know exactly when every certificate will expire. A low renewal rate means your follow-up process is failing, and vendors are operating with expired insurance coverage.
Additional KPIs for Mature Programs
- First-time compliance rate: Percentage of new vendor submissions that are compliant on first review (target: 40-60%). Low rates indicate poor requirement communication.
- Escalation rate: Percentage of gaps that require escalation beyond standard follow-up (target: below 15%).
- Vendor response time: Average days for vendor to respond to a gap notification (target: under 7 days).
- Audit accuracy rate: Percentage of audited certificates that pass quality assurance review (target: above 95%).
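The five headline KPIs above, computed from a small constructed vendor ledger. This is an added example, not code from the original guide or from any compliance platform; the Vendor/Gap record layout, the 14-day grace period and all vendor names are assumptions, and a vendor with no certificate on file is counted as "no certificate" (in the compliance-rate denominator, outside the gap-density denominator), matching the three buckets the reporting template uses.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Gap:
    kind: str                        # e.g. "insufficient_limit", "missing_endorsement"
    identified: date
    resolved: Optional[date] = None  # None while the gap is still open

@dataclass
class Vendor:
    name: str
    active: bool = True
    cert_on_file: bool = False       # False puts the vendor in the "no certificate" bucket
    gaps: list = field(default_factory=list)

    def open_gaps(self):
        return [g for g in self.gaps if g.resolved is None]

def _pct(numerator, denominator):
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

def compliance_rate(vendors):
    """Fully compliant vendors / total active vendors x 100."""
    active = [v for v in vendors if v.active]
    compliant = [v for v in active if v.cert_on_file and not v.open_gaps()]
    return _pct(len(compliant), len(active))

def collection_rate(vendors):
    """Vendors with a certificate on file / total active vendors x 100."""
    active = [v for v in vendors if v.active]
    return _pct(sum(1 for v in active if v.cert_on_file), len(active))

def average_resolution_days(vendors):
    """Mean of (resolved - identified) over resolved gaps; rejects impossible dates."""
    resolved = [g for v in vendors for g in v.gaps if g.resolved is not None]
    if any(g.resolved < g.identified for g in resolved):
        raise ValueError("a gap is recorded as resolved before it was identified")
    if not resolved:
        return 0.0
    return sum((g.resolved - g.identified).days for g in resolved) / len(resolved)

def gap_density(vendors):
    """Open gaps / non-compliant vendors (certificate on file, but open gaps)."""
    noncompliant = [v for v in vendors if v.active and v.cert_on_file and v.open_gaps()]
    total_open = sum(len(v.open_gaps()) for v in noncompliant)
    return round(total_open / len(noncompliant), 2) if noncompliant else 0.0

def renewal_rate(expirations, grace_days=14):
    """Renewed on or before expiry + grace period / total expired certificates x 100.
    expirations: list of (expiry_date, renewal_date_or_None) pairs."""
    renewed = [1 for expired, renewed_on in expirations
               if renewed_on is not None and renewed_on <= expired + timedelta(days=grace_days)]
    return _pct(len(renewed), len(expirations))

# Constructed sample data: six vendors and four expiring certificates (not real vendors).
SAMPLE_VENDORS = [
    Vendor("Acme Roofing", cert_on_file=True,
           gaps=[Gap("insufficient_limit", date(2024, 3, 1), date(2024, 3, 15))]),
    Vendor("Beta Janitorial", cert_on_file=True,
           gaps=[Gap("missing_endorsement", date(2024, 3, 10)), Gap("expired_coverage", date(2024, 3, 10))]),
    Vendor("Gamma IT"),                                              # active, nothing on file
    Vendor("Delta Electric", cert_on_file=True,
           gaps=[Gap("missing_coverage", date(2024, 2, 1), date(2024, 2, 21)),
                 Gap("insufficient_limit", date(2024, 3, 20))]),
    Vendor("Epsilon Consulting", active=False, cert_on_file=True),  # offboarded, excluded
    Vendor("Zeta Landscaping", cert_on_file=True),
]
SAMPLE_EXPIRATIONS = [
    (date(2024, 1, 31), date(2024, 1, 25)),   # Acme: renewed before expiry
    (date(2024, 2, 15), date(2024, 3, 10)),   # Beta: 24 days late, outside grace
    (date(2024, 3, 1), date(2024, 3, 12)),    # Delta: inside the 14-day grace period
    (date(2024, 3, 5), None),                 # Zeta: never renewed
]
```

On the sample ledger the collection rate (80%) exceeds the compliance rate (40%) by exactly the two vendors that submitted a certificate but still carry open gaps, which is the gap the Collection Rate section describes.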
Monthly Reporting Template
A monthly compliance report should include:
Executive Summary (1 page)
- Current compliance rate and trend (3-month chart)
- Number of vendors: total, compliant, non-compliant, no certificate
- Top 3 risks or issues requiring attention
- Key actions taken this month
Compliance Dashboard
- Compliance rate by project / property / business unit
- Compliance rate by vendor tier (high-risk, standard, low-risk)
- Gap distribution by type (expired coverage, insufficient limits, missing endorsements, missing coverage types)
- Resolution pipeline: gaps opened this month, gaps resolved this month, net change
Vendor Activity
- New vendors onboarded this month
- Vendors offboarded / deactivated
- Certificates received this month (new and renewals)
- Certificates pending review
Trending and Forecasting
- Certificates expiring in the next 30 / 60 / 90 days
- Vendors with recurring non-compliance (3+ consecutive non-compliant periods)
- Compliance rate forecast based on pending renewals and known gaps
Action Items
- Vendors requiring escalation
- Requirement changes proposed or implemented
- Technology or process improvements planned
Training Program: 30-Day Onboarding for New Auditors
A new compliance analyst needs structured onboarding to become effective. Sending someone a stack of certificates and telling them to "check compliance" produces inconsistent results and embeds bad habits.
Week 1: Foundations
Days 1-2: Insurance fundamentals
- How insurance policies work (premium, limit, deductible, exclusion, endorsement)
- Coverage types: GL, WC, Auto, Umbrella, Professional Liability
- The role of brokers and carriers
- ACORD forms and what they represent
Days 3-4: Your program's requirements
- Requirement templates by vendor tier
- Coverage types, limits, and endorsements required for each tier
- Certificate holder and additional insured requirements
- Acceptable carriers and rating requirements
- Review the underlying contract language that drives requirements
Day 5: System training
- How to use the compliance platform (or spreadsheet, if Level 2)
- Data entry procedures
- Filing and naming conventions
- Communication templates
Week 2: Audit Methodology
Days 6-7: The audit process
- Step-by-step certificate audit methodology
- Identity verification (insured name, producer, carrier)
- Coverage verification (types, limits, dates)
- Provision verification (additional insured (AI), waiver of subrogation (WOS), primary and non-contributory (P&NC), cancellation notice)
- Certificate holder verification
Days 8-9: Supervised auditing
- Audit 20 certificates with a senior analyst reviewing each one
- Discuss each finding and the rationale behind the determination
- Focus on the gray areas: DBA names, umbrella supplementation, blanket AI, endorsement form interpretation
Day 10: Quality calibration
- Review a set of pre-audited certificates and compare results
- Identify and discuss any discrepancies
- Establish shared standards for subjective determinations
Week 3: Communication and Escalation
Days 11-12: Vendor communication
- How to write gap notifications that are clear, professional, and actionable
- How to communicate with insurance brokers
- How to handle pushback from vendors who disagree with your assessment
- Email templates and communication standards
Days 13-14: Escalation procedures
- When to escalate to a manager
- How to handle vendors who are persistently non-compliant
- The process for waiving or modifying requirements (who approves, documentation required)
- Emergency procedures (vendor discovered on-site with no insurance)
Day 15: Independent auditing begins
- Analyst audits certificates independently with spot-check QA for the first 30 days
Week 4: Reporting and Continuous Learning
Days 16-17: Reporting
- How to generate and interpret compliance reports
- How to identify trends and anomalies in the data
- Preparing information for stakeholder meetings
Days 18-20: Advanced topics
- Claims-made vs. occurrence coverage
- State-specific requirements
- Multi-entity structures and naming conventions
- Professional liability and cyber liability review
- Reading and interpreting endorsement schedules
Scaling Across Multiple Projects
As your compliance program grows from a single project or property to a portfolio, new challenges emerge:
Requirement Standardization vs. Customization
Every project wants customized requirements. The janitorial company at a medical office needs different coverage than the janitorial company at a warehouse. But excessive customization creates administrative overhead, vendor confusion, and audit complexity.
Best practice: Create 3-5 tiered requirement templates based on vendor risk category (not project). High-risk vendors (construction, hazardous materials, heavy equipment) use Tier 1 requirements regardless of which project they serve. Low-risk vendors (office supplies, consulting, IT support) use Tier 3 requirements everywhere. Project-specific customizations are limited to specific endorsements or coverage additions that the project contract requires.
Vendor Overlap
A large vendor may serve multiple projects in your portfolio. This creates two questions:
- Do they need separate certificates for each project? Ideally, yes — each certificate should reference the specific project and list the correct certificate holder entity. But practically, many vendors provide a single certificate covering all projects.
- Which project "owns" the vendor relationship? Assign each vendor a primary project for compliance purposes. The primary project is responsible for collection, review, and follow-up. Other projects inherit the compliance status.
Centralized vs. Decentralized Management
- Centralized: A single compliance team manages all vendors across all projects. Ensures consistency, leverages specialist expertise, and enables cross-project analytics. Works well for organizations with dedicated compliance staff.
- Decentralized: Each project or property manager manages their own vendor compliance. Closer to the day-to-day operations but creates inconsistency, duplicates effort, and lacks portfolio-wide visibility.
- Hybrid: A central compliance team sets standards, provides technology, and handles reporting. Local project teams handle day-to-day collection and basic review. Complex or escalated cases go to the central team. This is the most common model for large organizations.
Compliance During Mergers and Acquisitions
When your organization acquires another company or portfolio, you inherit their vendor relationships — and their compliance gaps. Integrating acquired compliance programs is a common and frequently botched process.
The Integration Playbook
Phase 1: Assessment (Days 1-30)
- Inventory all vendors from the acquired entity
- Assess the current compliance program (maturity level, tools, staffing)
- Identify the gap: how many vendors have current, compliant certificates?
- Review the acquired entity's requirement standards against yours
Phase 2: Communication (Days 30-60)
- Notify all acquired vendors of new ownership and new compliance requirements
- Provide clear documentation of what is required and by when
- Offer a reasonable transition period (typically 60-90 days) for vendors to come into compliance with new standards
Phase 3: Migration (Days 60-120)
- Migrate vendor data into your compliance platform
- Collect new certificates that meet your standards
- Audit all certificates against your requirements
- Flag vendors who have not responded
Phase 4: Enforcement (Days 120+)
- Begin standard enforcement procedures for non-compliant vendors
- Escalate vendors who have not responded to communications
- Establish ongoing monitoring under your standard program
Do not assume the acquired program was functional
In many acquisitions, the acquired entity's compliance program exists on paper but not in practice. Certificates may be years old, requirements may never have been enforced, and the vendor population may include entities that no longer perform work. Budget for a full revalidation of the acquired vendor portfolio.
Annual Review Checklist
Every compliance program should undergo an annual review to ensure it remains effective and aligned with organizational needs.
Requirements Review
- Are coverage type requirements still appropriate for each vendor tier?
- Are limit requirements aligned with current industry benchmarks and inflation?
- Are endorsement requirements still necessary and achievable?
- Do new business activities (new property types, new geographies, new vendor categories) require new or modified requirements?
- Have contract templates been updated to reflect current requirements?
Process Review
- Is the audit methodology still effective? Are auditors following it consistently?
- Are communication templates clear and professional?
- Is the escalation process working? Are escalated cases resolved?
- Is the onboarding process for new vendors efficient?
- Are waivers and exceptions properly documented and approved?
Technology Review
- Is the compliance platform meeting needs? Are there feature gaps?
- Is data extraction accuracy acceptable? What is the error rate?
- Are integrations with other systems (procurement, property management) working?
- Are reports and dashboards providing the information stakeholders need?
People Review
- Is staffing adequate for the current vendor population?
- Do analysts need additional training?
- Is quality assurance catching errors? What is the QA pass rate?
- Are roles and responsibilities clearly defined?
Performance Review
- What is the current compliance rate? How does it compare to last year?
- What is the average resolution time? Is it improving?
- What are the most common gap types? Are there systemic issues?
- Were there any claims where compliance gaps were a factor?
Technology Stack by Maturity Level
Level 1: Ad Hoc
- Email (for receiving certificates)
- File system (for storage, if any)
- No dedicated tools
Level 2: Structured
- Spreadsheet (Excel, Google Sheets) for tracking
- Shared drive (Google Drive, SharePoint, Dropbox) for certificate storage
- Email templates for vendor communication
- Calendar reminders for expirations
Level 3: Automated
- Dedicated COI compliance platform with AI extraction
- Automated notification and escalation workflows
- Vendor self-service portal for certificate submission
- Dashboard and reporting
- API integration with procurement or property management systems
Level 4: Optimized
- All Level 3 capabilities
- Advanced analytics and predictive modeling
- Vendor compliance scoring
- Integration with insurance carrier data feeds
- Custom reporting for stakeholders at every level
- Audit trail and regulatory compliance documentation
- Multi-entity, multi-geography support
Ready to move from Level 2 to Level 3?
Inori is purpose-built for the Level 2 to Level 3 transition: AI-powered certificate extraction, automated vendor notifications, real-time compliance dashboards, and a vendor portal that makes collection effortless. See how organizations increase their compliance rate by 30+ percentage points within 90 days of implementation.
Key Takeaways
- Know your maturity level. Honest assessment of where you are determines what to invest in next. Do not buy Level 4 technology if you do not have Level 2 processes.
- Staff appropriately. Compliance is a full-time function, not a side task. Underfunding compliance is a false economy — one uninsured claim costs more than years of compliance staffing.
- Measure everything. Compliance rate, collection rate, resolution time, gap density, and renewal rate are the five KPIs that tell you whether your program is working.
- Invest in training. A well-trained analyst operating with spreadsheets outperforms an untrained analyst with the best technology. Training is the highest-ROI investment in any compliance program.
- Standardize requirements. Tiered requirement templates reduce complexity for your team and your vendors. Customize by risk category, not by project.
- Review annually. Requirements, processes, technology, and people all need periodic evaluation. What worked last year may not work this year.
- Technology is an enabler, not a solution. The right platform multiplies the effectiveness of good processes and good people. It does not substitute for either.