Risk Transfer, or Contractual Risk Transfer not too long ago was solely the domain of contractors and while the construction industry is the heaviest users of risk transfer, I’d like to show businesses of all types and sizes why they need to formalize their approach to controlling business risks through contractual risk transfer.
So, to start, what is Risk Transfer?
Risk transfer is a risk control strategy that involves shifting risk from one party to another through a contractual arrangement. You probably see it in one form or another every day, at different levels of effectiveness. In many cases one party will ask another for a certificate of insurance naming them as an additional insured, in other cases a detailed indemnity agreement will be signed by the parties.
We will focus on how to create a process which effectively transfers risk back to others such as contractors, vendors and suppliers (commonly called downstream risk transfer), as well as how you accept and process requests for certificates or signatures on indemnity agreements which shift risk back to you. (commonly called upstream risk transfer).
Why even bother?
The goal of an effective risk transfer process is to efficiently place the burden of a claim or loss back to the party which originated it, is responsible for it, or is in the best position to manage/control it, so you and your insurance don’t end up paying for claims or losses. This will help control your costs over the long term and give your company leverage in negotiating future renewals.
How is Risk Transfer Accomplished?
In its simplest form a company will establish a minimum protocol which is applied to all third-party providers they do business with: contractors, vendors, suppliers, etc. That protocol will require a certificate of insurance with certain specifications as to limits of coverage, the types of coverage and additional insured status where applicable. It may also require that third-party’s general liability insurance include endorsements such as waiver of subrogation, per project aggregate limits of coverage, or other forms be attached to their policies. The protocol will also require an indemnity agreement to be signed by the third-party which will hold you harmless from any and all claims which may arise from your business relationship or the contract you are signing with them. This is commonly known as a “hold-harmless” agreement for obvious reasons.
It’s important to keep in mind that a certificate of insurance is only evidence that a certain policy exists and provides a minimum level of detail as to what is or what may not be covered. Further, a certificate does not alter the terms of a policy itemized on the certificate. If you desire a particular coverage or endorsement to be in effect by the third party, then you may need to specifically see that their policy has been properly endorsed.
Depending on what the downstream party does for you or provides to you may alter the required coverages you will mandate. For example, in food manufacturing plants it’s common to have a pest control company under contract to manage pests around the plant, so here I would recommend that professional liability and environmental liability coverages be required as part of the risk transfer. For a law firm that engages an IT Services firm to manage their network, I’d require that the IT firm have cyber insurance and professional liability as well. These are just a couple of examples, but when developing your risk transfer process, it’s best to get input from your insurance broker to customize your approach.
Limits of coverage are also something that will change from one situation to the next, in many cases $1,000,000 limits of liability coverage may suffice, but in other cases you’ll want some third parties engaged in higher risk products or services to provide liability limits of $5,000,000 or higher. And, if you’re in Manhattan and located in a Class A type building it’s important to know what types of limits your landlord expects if you’re hiring contractors for any sort of build-out or renovation work. At minimum the demands are for limits of $5,000,000 and sometimes as high as $10,000,000. Before you hire a contractor, make sure they can comply with these sorts of limits.
It’s important that any contractor you hire understands that any sub-contractor they hire will also be required to provide you the same insurance requirements mandated of the primary contractor and sign the same indemnity agreement.
Once certificates are obtained as part of your protocol they need to be reviewed for compliance. Here your insurance broker may be of assistance to lend their expertise. Certificates will also need to be put into a reminder type system so that renewal certificates are requested about 60 days before the policies identified in the certificate expire. Depending on your business these can be filed in a project file (common in construction), or an expiration file by month.
The Indemnification Agreement
The indemnification agreement or provision can be written as a stand-alone agreement, which is common for vendor type relationships; or it can be a provision contained in a larger contract or lease agreement. However it is written it’s important to deploy a competent attorney for drafting so that the agreement is equitable, and enforceable. Again, I’ll restate the objective of a risk transfer agreement – it is for your protection, intended to shield you from unwanted liability that a third party may trigger. You wouldn’t want all your protections unravel during a claim situation because of an improperly drafted agreement.
As mentioned you will be asking several different parties you work with to provide you certificates of insurance and to sign indemnification agreements. It is likely common that you are often asked for the same types of requirements from companies you sell to or provide services to. This too requires a process so that you do not accept liabilities for which you are not prepared or wish to assume.
I have found in some larger firms that agreements are signed and certificates of insurance are provided to upstream parties without upper management being aware of it. Would those agreements be enforceable since they aren’t signed by an “authorized” person within the firm? I’m not sure, but the point is that all agreements should be reviewed carefully before execution. This would include purchase agreements, rental contracts, and sales invoices which can contain indemnification provisions. I would also suggest that when you engage an attorney for drafting your downstream risk transfer protocol that they also help you establish guidelines or checklists for what are acceptable agreements and anything you are asked to sign outside of that “acceptable” standard is referred to counsel for their review and approval.
This is only a brief overview of what risk transfer is all about, it provides you some of the basics which are needed to help control risks within your firm and should be part of an overall risk management strategy deployed enterprise wide. Remember, this isn’t an added task or job. This is a strategy to protect you and your firm from unwanted and unnecessary risk, and to reduce your costs.
For help in creating and deploying a risk management strategy in your company, why not give me a call (845-474-2924) or drop me an email LINK to discuss how we can get started.