
Inheriting a Broken COI Program: A Survival Guide for New Risk Managers

Just took over a vendor compliance program that's a mess? Here's a 90-day plan to triage, stabilize, and improve it without burning yourself out.

The RiskStack Team

You've just taken over a vendor compliance program. It's a mess. The previous person either left, got pushed out, or got promoted and washed their hands of it. Documentation is scattered. The platform — if there is one — is half-configured. Compliance rates are alarming when you actually look at them. And leadership thinks everything's fine because the previous person told them everything was fine.

Welcome to one of the most common situations in risk management.

The good news: this is recoverable. The other good news: there's a reasonably standard playbook. The bad news: it'll take 6-12 months of focused work to fully stabilize, and you'll need to manage expectations carefully along the way.

Here's the playbook we'd recommend, broken into 30-, 60-, and 90-day windows.

Days 1-30: Diagnosis without panic

Resist the urge to fix things in the first month. You don't yet know what's actually broken vs. what just looks broken. Spend the first 30 days listening, mapping, and assessing.

Map the current state.

  • What platform (if any) is in use? What version, configuration, integrations?
  • What's the vendor count? What categories?
  • Who are the internal stakeholders? Procurement, legal, operations, finance?
  • Who's the executive sponsor? Do they care about this program?
  • What's the contract template situation? Are insurance requirements consistent across contracts?
  • What's the broker relationship? Is there one? Are they helpful?

Audit honestly.

  • Pull a sample of 30 vendors across risk tiers. Verify what's actually on file.
  • Compare actual coverage to contractual requirements.
  • Note the patterns — is the gap mostly missing endorsements? Expired certificates? Wrong limits? The pattern points to where the previous program failed.

Talk to people.

  • The procurement team that interacts with vendors.
  • The legal team that drafts and reviews contracts.
  • Operations folks who actually use vendors.
  • The broker, if there is one.
  • Anyone in finance who's been tracking vendor risk-related costs (litigation, claims, premium impacts).

Don't commit to anything yet. When leadership asks what you're going to do, your answer is "I'm getting a clear picture before making recommendations." Buy yourself the diagnostic month.

Days 31-60: Triage and stabilize

By day 30 you should know what you're dealing with. Days 31-60 are about stopping the bleeding without trying to fix everything.

Identify the highest-risk gaps.

  • Vendors doing high-risk work with major compliance issues.
  • Major contracts where the insurance terms create exposure.
  • Specific vendors where you'd want coverage tendered if something happened today.

Triage these specifically. Don't try to fix the whole vendor base — fix the riskiest 10-20% first. This is where exposure actually lives, and fixing the high-risk vendors first generates the biggest risk reduction per hour of work.

Stabilize the workflow. If renewals are slipping, get them caught up. If documents are being misfiled, set up a clear process. If the platform is wrongly configured, make targeted fixes — but don't try to redesign yet.

Establish baseline metrics. Whatever the program is actually doing right now, capture it. You'll want to show progress against this baseline later. Real metrics, not vanity metrics: certificate compliance and endorsement compliance tracked separately, time-to-resolution, and verification depth.

Build leadership communication. Find your executive sponsor. Have an honest conversation about what you've found. Lead with risk-reduction priorities, not platform complaints. "Here are the three things creating the most exposure, and here's what I'm doing about them" is more useful than "the previous person did everything wrong."

Days 61-90: Plan the rebuild

By day 60 you've stopped the worst bleeding and have a baseline. Now plan the longer-term improvements.

Decide on platform direction. The biggest decision: stay on the current platform, optimize the configuration, or replace it?

  • If the platform is fundamentally adequate but badly configured: invest in reconfiguration.
  • If the platform is structurally insufficient (workflow-only, no real verification, weak vendor experience): plan a migration.
  • If you're on a spreadsheet at any meaningful scale: plan a platform implementation.

Our platform comparison resource is built specifically for this kind of decision.

Build the case for resources. You probably need budget — for platform, for implementation, possibly for headcount. The case has to be in business terms, not compliance terms. Risk reduction translated to financial impact. Operational efficiency translated to time savings. Audit readiness translated to regulatory cost avoidance.

Set realistic timelines. Tell leadership how long it'll take to get to a strong program. Be honest. 6-12 months for a serious turnaround. Faster timelines tend to produce ghost migrations and unconfigured workflows.

Identify quick wins. While the bigger plan is being built and approved, find a few quick wins — things you can fix in 30 days that produce visible improvement. Cleaning up the top 50 vendor records. Getting renewal processing current. Producing a clean compliance report for the next audit. These build credibility for the bigger ask.

A few patterns worth knowing

Pattern 1: The "everything is fine" inheritance. Your predecessor told leadership everything was fine. Now you're going to tell leadership it isn't. This is a relationship management challenge. Frame the gap as "I've been doing deeper analysis than the previous reports surfaced," not "the previous person was wrong." This is true (you are doing deeper analysis) and avoids creating an organizational defensive reaction.

Pattern 2: The platform-blame trap. The previous person blamed the platform. The platform might actually be the problem — but it might also have been used badly. Before recommending replacement, confirm that better usage wouldn't fix most of the issues. Sometimes the answer is reconfiguration, not replacement.

Pattern 3: The vendor revolt. If you tighten compliance requirements aggressively, you'll get pushback from procurement and operations. Vendors will complain. Plan for this. Communicate the timeline. Phase tightening rather than turning everything on at once.

Pattern 4: The audit ambush. Sometimes a regulatory or insurance audit lands during your turnaround. This is brutal but recoverable. Be transparent about the state of the program and your turnaround plan. Auditors usually respond better to honesty than to attempted cover-ups.

What success looks like

In 12 months, a successful turnaround usually looks like:

  • Compliance rates at 90%+ on certificates, with endorsement compliance growing.
  • Verification depth meaningfully improved — more broker and carrier verification, less PDF-only.
  • A platform that's properly configured, well-adopted internally, and reasonably accepted by vendors.
  • Documented processes that don't rely on you personally being in the loop.
  • Trust with leadership built through honest reporting and visible progress.
  • A team or set of stakeholders who understand their role.

You probably won't be perfect at 12 months. Risk programs don't get to "done." But you'll have moved the program from a failed state to a functioning one, and the trajectory will be visible.

On the personal side

Inheriting a broken program is professionally stressful. A few things that help:

  • Don't carry the previous person's mistakes as your own. Their gaps are not your failures.
  • Document your starting point. You'll want the record when you talk about progress.
  • Find peers. Other risk managers have done this. Industry groups, podcasts like Brick by Brick, and peer networks all help.
  • Push back on unrealistic expectations. Leadership sometimes wants the turnaround done in 90 days. That's not realistic. Set the timeline you can defend.
  • Take credit for the recovery. When the program is in good shape in 12 months, that's your work, not your predecessor's.

The closing thought

Inheriting a broken vendor compliance program is one of the most common situations in this profession. It's also one of the highest-leverage opportunities. A program in good shape protects the company from real risk and saves real money. The person who turned around the broken program is usually a more credible risk leader afterward than they were before.

Take the time to do it right. The program you build will be the program your company actually relies on.

When you're evaluating platforms as part of the rebuild, our research is here to help.
