Building a COI Compliance Program From Scratch: A Six-Month Plan
Starting a COI compliance program from zero is overwhelming. Here's a structured six-month plan that gets you from no program to a functioning, audit-ready operation.
Some companies have COI compliance programs that have evolved over a decade. Some companies don't. If you're in the second category — newly created risk role, recent regulatory pressure, audit finding from a customer — and you're staring at a blank page, this post is for you.
Six months is realistic. Less is too rushed. More is procrastination disguised as thoroughness. Here's the plan.
Month 1: Inventory and assessment
You can't manage what you don't know. The first month is mapping the territory.
Vendor inventory. Pull every vendor your company pays. AP records are the right starting point. Categorize by type (subcontractor, supplier, professional services, tenant, other), by spend tier, by risk tier (does this vendor work onsite? touch sensitive data? have customer interactions?).
Contractual requirements review. What does your standard MSA require for vendor insurance? Pull the template, read it, document the requirements. If different vendor categories have different requirements, document those. If the requirements are inconsistent across contracts (which they probably are), flag that for cleanup later.
Existing tracking review. What's currently happening? A spreadsheet maintained by someone? An informal "we ask vendors at onboarding" process? Nothing? Document the current state honestly. Don't editorialize; just describe.
Gap analysis. Compare contractual requirements against current tracking. Where are the gaps? Vendors with no insurance verification? Verified once but never refreshed? Verified but with policies that have lapsed? This list is the work.
By end of month one, you should have: a vendor list, a requirements document, an honest current-state description, and a gap list.
Month 2: Stakeholder alignment
Compliance programs fail when they're built by one person and imposed on others. Month two is alignment.
Identify stakeholders. Risk team (probably you). AP. Procurement. Legal. Project managers (in construction/professional services). Property managers (in CRE). Compliance/audit. Insurance broker. The CFO or COO. Each has a role and an opinion.
Stakeholder interviews. Talk to each. Understand their current pain points, their concerns about a new program, their constraints. The goal isn't to design the program in interviews; it's to understand the operational context you're designing into.
Process mapping. Draft the high-level process: how vendors will be added, how compliance will be verified, how exceptions will be handled, how renewals will be managed, who'll do what. Show it to stakeholders. Iterate.
Charter document. A short charter that says: this is what the program covers, this is who owns what, this is how it integrates with existing operations, this is what success looks like. Get sign-off from senior stakeholders.
By end of month two: stakeholder buy-in, draft process, signed charter.
Month 3: Platform selection
This is where most "build a program" guides start. We're putting it third on purpose — picking a tool before you understand the work creates platforms that don't fit.
Define platform requirements. Based on the inventory, the gap analysis, and the process, write down what the platform needs to do. Volume capacity. Integration requirements. Audit reporting needs. Vendor experience profile. Integration with existing systems.
Evaluate platforms. Use a structured comparison tool, online research, vendor demos, reference calls. Prioritize platforms that match your requirements rather than chasing platforms that look impressive in marketing.
Pilot or trial. If the platform supports it, run a small pilot — 20-50 vendors — before full commitment. The pilot reveals issues that demos hide.
Contract negotiation. Implementation timeline, integration costs, escalator caps, renewal terms. We've covered pricing in detail elsewhere.
Decision and signature. By end of month three, platform selected, contract signed, implementation kickoff scheduled.
Month 4: Implementation phase 1 — configuration
Implementation is structured work, not a vibe.
Platform configuration. With the vendor's implementation team, set up requirement templates, vendor categories, workflow rules, automation logic. Use the process you mapped in month two as the guide.
Initial data load. Import your vendor list and any existing certificates. Expect to find data quality issues — duplicates, typos, expired records that were never marked. Address them now.
Integration setup. Connect to Procore, NetSuite, AMS, CRM, or whichever systems matter. Test the integrations end-to-end.
Internal team training. Your operators (yourself plus 1-3 others) need to know the platform fluently. Schedule training. Practice with the test data.
Communication template review. Before any vendor sees a platform-generated email, review the templates. Personalize the tone. Remove generic language. Make sure the comms feel like your company, not the platform's.
By end of month four: configured platform, loaded data, working integrations, trained team.
Month 5: Implementation phase 2 — vendor rollout
The riskiest phase. This is when your vendors first touch the platform.
Wave 1: pilot vendors. Pick 30-50 vendors who you have strong relationships with — vendors who'll tolerate some friction and provide feedback. Onboard them first. Watch what breaks. Fix what breaks.
Wave 2: low-risk vendors. Expand to the next tier — vendors with stable insurance, predictable renewals, minimal complexity. Onboard them next.
Wave 3: full rollout. Once waves 1 and 2 are working, roll out to the rest of your vendor base. Set a hard deadline for migration so vendors don't drift indefinitely.
Monitor and adjust. Watch the metrics: onboarding completion rate, time-to-compliance, support inbound volume, exception rate. Tune the platform configuration based on what you observe.
Communicate proactively. Brief your stakeholders weekly on rollout progress. Surface issues early. Don't let surprises accumulate.
By end of month five: 80%+ of vendors onboarded, working operational rhythm.
Month 6: Production operations and audit prep
You're in production. The last month is locking in operational discipline.
Operational rhythm. Weekly status review of compliance metrics. Monthly review with stakeholders. Quarterly review with executives. Build the cadence.
Exception handling. Document the exception workflow: who reviews, what the SLAs are, how exceptions get resolved. The exception process is where most programs leak; documenting it locks in discipline.
Reporting and audit prep. Generate the standard reports the platform produces. Validate them against expectations. If your audit calendar includes anything in the next 12 months, do a dry run of audit prep using the platform's reports.
Continuous improvement loop. Establish a regular cycle for reviewing program effectiveness, identifying issues, and iterating. Programs that don't iterate decay.
By end of month six: production-stable, audit-ready, with a forward roadmap.
What goes wrong
Three common failure modes:
1. Skipping stakeholder alignment. A program designed in isolation gets quietly ignored. Don't skip month two.
2. Picking the wrong platform. Marketing-driven platform selection produces post-implementation regret. Use real comparison data, real demos, real reference calls.
3. Going too fast on vendor rollout. Wave-based onboarding is slower but produces durable adoption. Big-bang rollouts produce angry vendors and high failure rates.
A note on tooling
The platform you pick affects the program quality more than any other decision. A great platform makes the program possible; a weak platform makes the program harder than it should be. Spend the time to pick well.
Our comparison tool is one input. Industry research is another. Reference calls with peer companies are the most valuable. Use all three.
Six months from blank page to functioning program is realistic. Don't shortcut it. Don't drag it out. Run the plan, hit the milestones, and you'll have something solid by month seven.