M&A · Due Diligence · Vendor Risk

Vendor Risk in M&A Due Diligence: The COI Side Nobody Examines

M&A due diligence digs into financials, contracts, and customers — but vendor compliance is often a black box. Here's why that matters and what to look for.

The RiskStack Team

In any meaningful M&A transaction, the buyer's due diligence digs deep into financials, customer contracts, intellectual property, employment matters, and regulatory exposure. Vendor relationships get attention to the extent they involve major spend or strategic dependencies. But the actual insurance compliance of the vendor base — whether the seller has been collecting and verifying COIs, whether contractual indemnification rights are properly preserved, whether claims have been undermined by gaps in the vendor compliance program — is rarely examined in any depth.

This is a gap. Vendor compliance gaps don't usually kill deals, but they do regularly create post-closing surprises that the buyer ends up absorbing. If you're advising on M&A or you're an acquirer with a meaningful vendor footprint, vendor compliance deserves at least a basic diligence pass.

What can go wrong post-closing

A few patterns we've seen surface after deals close:

Inherited claim exposure. An incident occurred pre-closing. The vendor responsible has lapsed insurance or insufficient endorsements. The buyer, now responsible for the claim, can't tender it to the vendor's coverage because the coverage doesn't exist or doesn't apply. The defense and indemnification cost falls on the new owner.

Contractual rights without enforcement records. The acquired company's contracts all require COIs, additional insured status, and waiver of subrogation. The actual compliance with those contractual requirements is patchy. The buyer inherits the right to enforce, but the practical record makes enforcement difficult — vendors will argue they were never required to comply because they weren't asked to comply for years.

Surprise non-compliance volume. Diligence assumed vendor compliance was generally fine. Post-close audit reveals that 40% of active vendors have meaningful gaps. Now the buyer needs to fund a remediation campaign that wasn't budgeted.

Workforce classification exposure. This isn't strictly a COI issue, but it's adjacent: the seller has been using 1099 contractors who may be misclassified employees. Workers' comp coverage was never established. A post-close Department of Labor (DOL) audit creates liability the buyer didn't price.

Regulatory exposure. In regulated industries (healthcare, financial services, federal contracting), vendor compliance is part of the regulatory posture. Gaps create regulatory exposure that the buyer inherits.

None of these are deal-killers in isolation. Together, they can amount to meaningful post-close cost — millions of dollars in some cases — that wasn't priced into the transaction.

What basic vendor compliance diligence looks like

A reasonable diligence pass on vendor compliance includes:

1. Inventory. How many active vendors? Categorized how? What's the spend distribution and risk distribution?

2. Documentation review. Sample audit of vendor files. Pick 20-30 vendors across risk tiers and verify what's actually in the files. Are certificates current? Are endorsements documented? Are contracts on file with insurance requirements?

3. Compliance metric review. What does the seller report as their compliance rate? How is it calculated? Does the calculation match the actual file contents?

4. Platform assessment. What system is being used to track vendor compliance? Spreadsheet? Software? Which platform? Is the platform configured competently? Is data exportable?

5. Process review. Who manages the program? Are there documented procedures? Are renewals being chased? Is there a backlog?

6. Claim history. Have there been incidents where vendor coverage was tendered? Were tenders accepted? Were there disputes? This is one of the strongest indicators of actual program quality.

7. Contract review for vendor risk language. Are the contractual insurance requirements adequate? Are they being enforced? Are there major contracts with substandard requirements?

This isn't deep forensic work. It's a half-day to two-day exercise depending on company size, and it surfaces the major issues. Most diligence processes skip it entirely or treat it as "operational" rather than "risk."

The platform question

If the target company is using a real COI tracking platform (vs. a spreadsheet), the diligence is much easier. Modern platforms produce reports, surface gaps, and allow data export. A buyer can ingest the data into their own platform post-close with reasonable effort.

If the target is using a spreadsheet or an outdated legacy platform, you have two issues: assessing what's actually there (harder, because the data is messier) and migrating to the buyer's preferred platform (also harder).

This sometimes affects integration cost calculations. We've seen buyers underestimate the cost of taking on a vendor compliance program from a target with a poor system. The implementation alone can run several hundred thousand dollars depending on vendor count. Worth modeling before closing rather than after.

Red flags worth probing

A few specific red flags that warrant deeper diligence:

  • Compliance rate above 95% on paper. Either the program is exceptionally well-run (rare) or the metrics are measuring something shallow. Probe how the number is calculated.
  • No internal compliance owner. Vendor compliance distributed across procurement, legal, and operations with no clear owner usually means it's nobody's job.
  • No platform. Spreadsheet-based programs at scale (>200 vendors) almost always have meaningful gaps. Plan for remediation.
  • Recent major changes. New leadership, recent platform migration, recent acquisition — anything that would have disrupted continuity creates risk of compliance gaps that haven't surfaced.
  • High-risk vendor concentration. Construction, healthcare, or industrial vendor base with cost-pressured operations is more likely to have inherited problems.
  • Public claims history. If the target has been involved in litigation where vendor coverage was relevant, get the details. Outcomes tell you about program quality.

What to negotiate

If diligence surfaces meaningful vendor compliance issues, several mechanisms can address them:

Reps and warranties on vendor compliance. Specific reps about compliance with insurance requirements, with adequate survival period and damages cap.

Specific indemnification. For known issues, specific indemnification can carve out remediation costs from general baskets and caps.

Holdback or escrow. A portion of consideration held for a defined period to cover post-close compliance issues that surface.

Pre-closing remediation. For specific high-risk gaps, conditioning closing on remediation can avoid post-close cleanup.

RWI carve-outs and exclusions. Representations and warranties insurance often has standard exclusions for known issues; ensuring these are surfaced and addressed in the deal structure matters.

The right mechanism depends on the deal structure, the size of the gap, and the negotiating dynamics. Generally, the more specific the issue, the more specific the protection should be.

Post-close priorities

If you've closed a deal and are now responsible for the target's vendor compliance program, the first 90 days matter:

  1. Inventory. Get an accurate vendor count and categorization.
  2. Risk-weighted audit. Sample-audit high-risk vendors first. Confirm what's actually compliant.
  3. Platform decision. Stay on the existing platform, migrate to your preferred platform, or run them in parallel.
  4. Remediation campaign. Plan and resource for closing the gaps you find.
  5. Process integration. Bring the acquired vendor compliance program under your governance.

Don't underestimate the time or cost. If the target had a 70% real compliance rate and you're absorbing 1,200 vendors, that's 360 vendors needing remediation work. At even a modest hourly cost, that's a significant project.

The bigger point

Vendor compliance diligence is unsexy. It's not the part of the deal that gets press releases. But for buyers absorbing meaningful vendor footprints, it's a real source of post-close cost and risk that can be managed if examined.

The same logic applies in reverse: if you're a seller, having a clean, well-documented vendor compliance program — running on a credible platform with good metrics — increases buyer confidence and reduces the diligence ammunition for price reductions. Investing in compliance program quality before going to market is one of the higher-ROI clean-up activities.
