Third-Party Risk Management in Construction: COI Tracking Isn't Enough

Why “Compliant” Doesn’t Mean Protected

Here’s the hard truth many teams learn too late:

Organized ≠ protected. You can have every COI on file, renewal alerts firing like clockwork, and dashboards showing green across every project—and still be exposed to a six-figure claim the moment an unverified exclusion surfaces.

It’s the reality Kier Construction faced. Their team believed their insurance compliance process was solid, until Jones’ auditors ran the first review and found that only 7% of subcontractors actually met requirements.

For the other 93%, the issue wasn’t missing certificates. It was policy language buried in endorsements and exclusions that quietly shifted the risk back onto Kier.

The certificates were there. The protection wasn’t.

Kier was fortunate. They caught these issues before a claim materialized—not by luck, but because they made a strategic decision to track exclusions and verify coverage at the policy level, not just the certificate level. That choice gave them visibility into risk gaps while there was still time to fix them.

What Third-Party Risk Transfer Really Means

Risk transfer doesn’t happen because a COI exists. It happens when contracts, coverage, and verification align:

Contract language defines responsibility
Insurance requirements fund that responsibility
Verification confirms the coverage actually matches the contract

Most teams handle the first two well. Verification is where they fail.

Common verification failures:

A subcontractor’s GL policy excludes residential work on a mixed-use project
An umbrella policy that doesn’t follow form with the primary, creating a coverage gap at the worst possible layer
An additional insured endorsement that grants status only for ongoing operations, leaving the GC exposed once work is complete

Contracts have also become more specific about risk transfer over the last decade. That means managing third-party risk is partly a documentation and workflow problem: signed agreements, insurance exhibits, COIs and the files that make responsibilities enforceable.

But most compliance systems stop at organizing paperwork—they track documents, not the coverage details that determine whether risk transfer actually holds.

That’s where even sophisticated teams discover their vulnerability: the moment a claim hits and policy language becomes the only thing that matters.

The Comfort Trap: When Compliance Looks Like Risk Transfer

Most COI tracking solutions help you collect certificates, send reminders, and check boxes.

They make insurance compliance look clean: one system to gather COIs, automate renewals, and display compliance in tidy dashboards.

For most teams, that automation genuinely saves time. But it also creates a dangerous illusion: if everything is organized, the risk must be transferred.

Where “COI tracking” stops and risk transfer breaks

COI tracking solves the logistics problem:

Collect certificates at scale
Automate renewals and reminders
Centralize documentation
Keep projects moving

Third-party risk transfer breaks in the space between what your contract requires and what the policy language actually provides. That gap isn’t process friction. It’s where uncovered claims come from.

Why tracking isn’t enough

To actually reduce risk, you need interpretation. Jones auditors have analyzed over 1.5 million COIs with 99.5% accuracy. Here’s what that work consistently shows:

The biggest compliance failures aren’t about missing paperwork. They’re about missing context.

Exclusions for residential work or labor law claims that void protection entirely
Gaps between primary and umbrella layers that turn a “compliant” dashboard into an uncovered claim
Waiver language that quietly collapses the intended transfer of risk

You won’t reliably see these issues on a COI. They’re often buried in endorsements, exclusions, and forms—the details many COI tracking solutions never validate.

A COI is not a risk transfer instrument. It’s designed to show what a policy covers, not what it excludes. It might state “Additional Insured per attached endorsement,” but the endorsement itself may not grant it.

Even the certificate warns you: the disclaimer at the top states, in bold, that listing someone as Additional Insured on a COI does not make them one. The carrier has no obligation to recognize that status unless the actual policy and endorsements confirm it.

Those details determine whether a claim is covered or denied—and whether risk transfer holds up when it matters.

Risk Transfer Enforcement: The Layer Most Teams Are Missing

If COI tracking is about collecting proof, risk transfer enforcement is about confirming that proof actually holds.

That’s where expert review comes in: checking certificates and endorsements against contract requirements, scope, and real-world exposure.

It’s the difference between “we received a COI” and “we verified this third party actually meets the contract.”

How Enforcement Changes Outcomes (Real-World Examples)

Manhattan Construction: organized, but exposed

Manhattan was tracking thousands of COIs in spreadsheets and an internal database. The process was organized, sure, but every renewal cycle meant weeks of email loops, delayed approvals, and missed renewals that left projects exposed.

It wasn’t until they switched to Jones that renewal churn stabilized and the company cut its insurance workload by 50%. Time that used to go into chasing renewals now goes into managing risk.

SavCon: from surface checks to real audits

SavCon’s previous insurance compliance software handled the basics but couldn’t go beyond surface-level verification.

After switching to Jones, they could finally conduct thorough audits, including ACORD 855 forms and complete policy reviews. Their broker could log in, review policies directly, and collaborate on findings within the same platform, cutting review time from days to minutes.

Insurance review shifted from administrative work to real risk management.

Bulley & Andrews: defensible decisions, not just faster workflows

Bulley & Andrews moved from a manual, siloed process—with weeks to reach a final status and frequent payment delays—to a streamlined flow measured in minutes.

Automation made the process scalable. Expert verification made it defensible.

Risk Transfer As Infrastructure (Not An Add-on)

For many companies, risk management lives in emails and spreadsheets—invisible until something goes wrong. Jones turns it into an operational system.

Insurance compliance isn’t static. Requirements that made sense two years ago may now be creating friction without reducing risk. The best systems don’t just enforce rules, they refine them based on portfolio-level realities.

Real portfolio optimization

Jones’ risk and compliance specialists regularly review client portfolios, identify where requirements are too strict or too lenient, and recommend targeted adjustments. That’s how one New York owner-operator cut their noncompliance rate in half—not by chasing vendors harder, but by removing three requirements that were blocking compliance without actually protecting against risk.

It’s consulting baked into software. An operating system for risk transfer.

The evolution:

COI tracking solved the logistics problem
Risk transfer enforcement solves the liability problem

When automation and expert verification work together, compliance becomes more than a status. It becomes evidence that risk is truly transferred.

That’s the shift happening across construction and real estate: forward-thinking GCs, property managers, and owner-operators are treating risk transfer enforcement not as an add-on, but as core infrastructure—because in an industry where one overlooked exclusion can cost millions, collecting COIs alone won’t shield you.

Protected is the new Compliant.

What to do next

If you’re building a third-party risk transfer program that holds up under real pressure, you need two things:

Automation that enables seamless scale for any volume of insurance documents
Expert verification to ensure the contract and coverage actually align

Jones helps construction and real estate teams operationalize risk transfer—combining AI agents trained on insurance logic, expert auditing (completed within 24 hours), and robust integrations to close the risk gap across every project.

Book a demo to see how compliance can finally mean protection.

FAQ: Third-Party Risk Transfer in Construction

What is third-party risk transfer in construction?

It’s the process of allocating responsibility for loss (from third-party work) through contracts and insurance, and confirming that coverage actually matches what the contract requires.

Is collecting COIs enough to transfer risk?

No. A COI documents insurance. It doesn’t confirm whether endorsements, exclusions, and policy language satisfy contractual requirements.

Why do “compliant” dashboards still lead to uncovered claims?

Because compliance often measures documentation completeness, not coverage adequacy. Risk transfer fails when exclusions, missing endorsements, or layer gaps aren’t identified before work begins.

What’s the difference between COI tracking and risk transfer enforcement?

COI tracking manages collection and renewals. Risk transfer enforcement verifies coverage and endorsements against the contract and project exposure.

How does expert review reduce risk?

It catches what summary documents don’t show—exclusions, endorsement limitations, waiver issues, and layer gaps—before they become claim problems.

Third-Party Risk Management in Construction: How Risk Transfer Breaks (And How To Fix It)