Help Minimize Risk Through Third-Party Risk Transfer


There is risk associated with any operation. Some levels of risk are acceptable while others are not. Adequately identifying and determining the level of risk associated with an activity is a key factor in the transfer of risk.

To adequately assign risk levels, your organization should conduct a thorough evaluation of all operational areas and identify where risk is present. Once identified, consideration of frequency and severity should factor into risk level assignments.

Frequency is the number of times the risk is anticipated to occur during a given timeframe. Severity is the anticipated result of the risk and how severe the outcome will be. High frequency and severity risks should take top priority.

Why Risk Transfer?

We rely on third-party organizations to deliver services and resources every day. This interaction creates a business relationship that can sometimes make the initial party liable for the actions of the third party. Often the legal complaint is an allegation of negligence by the initial party.

Here are some scenarios in which third-party liability could potentially exist.

A building owner leases a portion of the building to a third-party organization that has agreed to provide childcare services for employees of the building owner. The third party fails to implement adequate controls around abuse prevention and the building owner did not specify requirements in the contract.

An allegation of abuse arises with an employee of the third party, which is investigated by law enforcement and determined to be credible. A lawsuit is filed against the third party and the building owner, alleging that the building owner had a duty to establish and verify adequate controls.


A property owner decides to lease out the gymnasium on their property on the weekends. The tenant decides to host semi-professional basketball tournaments in the gymnasium and invites the public onto the property without notifying the owner. Unfortunately, an attendee of one of the tournaments fell from the bleachers and suffered severe injuries that left the individual disabled and requiring care for the rest of their life.

The attendee retained counsel, filed a lawsuit against the building owner for not reasonably maintaining the bleachers in a manner consistent with the anticipated activities, and won. This resulted in punitive damages and a very large settlement.

Due to not knowing about the tournaments, the building owner's policy limits were inadequate, and therefore, the settlement exhausted the claim payout without covering the entire dollar amount. The building owner was forced to liquidate the property to cover the remaining portion of the settlement.


An assisted living facility hired a construction contractor to perform some building renovations to the aging building. One day, the contractor was taking receipt of construction materials via a tractor-trailer. The contractor’s employee was unloading the truck when the remaining load unexpectedly shifted and fell off the trailer. The truck driver was standing next to the trailer preparing to leave and was struck by the load when it fell. The truck driver died from the resulting injuries.

Because the contractor had improperly bid the work, they had allowed their general liability coverage to expire to try and control expenses related to this job.

The truck driver’s family filed a lawsuit against the owner of the assisted living facility because the contractor did not have insurance at the time of the accident. The assisted living facility did have coverage in place, and therefore, that policy was forced to respond to the lawsuit. The family won the lawsuit and was awarded a large settlement.

Enter Risk Transfer


The concept of risk transfer is not intended to include only one specific control measure, but rather a series of control measures, applied in layers, that work together to close gaps where your organization could be exposed to loss.

Together, these controls help your organization understand its liability in third-party relationships and ensure that all parties have adequate insurance coverages. Without these controls, your organization could be taking unacceptable risks that could jeopardize the ability of your organization to fulfill its mission in the community.

In its simplest form, risk transfer is planning for the worst-case scenarios and then taking steps to control the risk associated with the scenarios. The principal way that these steps address risk is by transferring all, or a portion of, risk onto a third party that is acting on behalf of an organization.

Due to circumstances associated with each unique third-party relationship, the percentage of risk that can be reasonably transferred will vary. This is largely based on the roles that each member of the relationship will play.

For instance, in the example of the gymnasium owner, it would not be reasonable for the owner to transfer accountability to the tenant for risks associated solely with the property itself, such as the building, premises, and equipment not managed by the tenant. Therefore, we must determine which party would be responsible for what, should something happen.

Without adequate risk transfer controls in place around your organization’s third-party relationships, your organization and people could be left unprotected should an accident occur.

Factors such as the frequency and duration of the time a third party will spend on your premises should be considered when determining the level of controls implemented. Other factors to consider include the following:

  • Risk associated with the activity the third party will perform. Will the activity be dangerous?
  • Who will be exposed to the activities that the third party conducts?
  • How severe would the result be of an unintended exposure to the third party’s activities?

Based on these factors, your organization should consider one, or more, of the following controls.

Best Practices for Risk Transfer

Waivers of Liability

Most people have probably signed a liability waiver at some point. Perhaps when you signed up for a gym membership, rented skis, went horseback riding, or allowed your child to go on a school field trip. A “waiver” is the voluntary relinquishment or abandonment of a legal right. A liability waiver is a binding contract by which a person acknowledges the risks of participating in an activity and agrees to relinquish the right to sue to recover damages arising out of the activity. Waivers are written documents, usually signed before the activity in question takes place.


It is important to understand that many rules and restrictions apply to liability waivers. Some states limit or prohibit the use of liability waivers. States that allow them may require waivers to meet specific standards to be enforceable. Obtaining legal advice is important to ensure an accurate understanding of your state’s rules for liability waivers.

Despite the restrictions and limitations, waivers may be an important risk management tool that can help an organization control its liability exposures when properly used. Waivers help inform customers of potential risks and may prevent or deter lawsuits. In the event of a lawsuit, a waiver may also support the assertion of an "assumption of the risk" defense – i.e., the injured person may not recover damages because he or she was fully aware of the risks and undertook the activity anyway.



Contracts are written agreements that, once signed, are legally binding between one or more entities. Written contracts include legal language that spells out exactly what should be done as part of this agreement, and exactly what each entity is responsible for. This includes responsibility for risk. Contracts also can specify exactly what insurance coverages the entities are required to have, and what limits the policies must include. Most importantly, contracts can specify actions and/or behaviors that, if they occur, would void the contract and transfer all liability onto the entity that broke the contract requirements.

Contractual risk transfer can also include language such as “hold harmless” and/or “indemnification.” These legal terms mean that the entity agreeing to the contractual terms would hold the other entity harmless for any loss that arises from their activities. It also means that this same entity agrees to not legally pursue the other entity for financial restitution for the same loss.

It is vitally important that your organization never signs a contract without a review from an attorney who specializes in general liability law and is authorized to practice law in your state. Without this important stopgap, your organization could be assuming all the risks associated with the third-party business relationship.

Certificates of Insurance


Certificates of Insurance (COIs) are insurance documents that are provided by an insurance agent representing the business entity. COIs list all the active insurance policies that are in force, as well as the policy limits (i.e., the cap that the policy would pay out for losses) for each of the policies, on the date the COI was completed.

COIs are a quick way for your organization to verify that a third party has proper insurance coverages for the activity they are expected to perform. You should have your insurance agent review COIs to help you determine if the coverages are adequate. In general, COIs should be collected from every third-party business that will have visitors on your premises. This is to help guarantee that the third-party entity does have insurance coverage that will potentially respond to a loss.

It is important to periodically update the COIs for each third party to ensure that the coverages are being maintained. In general, this should be done at least annually. However, you might need to do this more frequently based on specific circumstances associated with the business relationship. Consult your insurance agent or an attorney for assistance with determining the frequency of COI checks.

Additional Insured Status


Your organization can also request “additional insured status” with third-party entities. Being an “additional insured” means that the third-party entity agrees to add your organization to their existing insurance policy. This status means that, provided the policy provides coverage for the loss type, the third party agrees that coverage will be extended to your organization for a loss arising from their activities. This is done through an insurance agent and the underwriter at the insurance carrier who writes the policy.

It is important to note that, in most cases, the third party will also ask to be added as an additional insured to your organization’s policy as a result. This helps to ensure that adequate insurance is in place for both parties.

Follow Up


It is important to note that your organization should regularly follow up on these controls with each third-party relationship. Circumstances change over time, so your organization needs to verify that the controls remain in place over time as well.

Follow up on third-party relationships:

  • Any time the dynamics of the relationship change.
  • Any time there is a significant change at the third-party organization.
  • Any time there is a change in the scope of the activities to be performed.
  • Any time any other changes to the relationship occur.
  • If there are no changes, these follow-ups should be conducted at least annually.

Documentation and Recordkeeping


Equally important are your organization’s efforts to document the controls and activities, and to retain all records associated with the business relationship. These practices will be vital to your organization’s defense in the event of a loss related to the third-party business relationship. Be sure to consult your attorney for guidance on the length of time these records should be kept.

Visitor Controls

Controlling visitors to your premises is an important control measure. The level of visitor controls should meet the level of access the visitor will have to your programs and premises, as well as their familiarity with the premises and buildings.


Adequate signage should be prominently displayed, informing visitors of unauthorized areas and of how to move properly through the building. Ensure that you identify all areas that visitors should not occupy and restrict their access to these areas.

Based on your programs, you might also want to conduct visitor screening before allowing access to programs including children or at-risk populations.

If visitors will occupy restricted areas, they should always be escorted by an employee of your organization until they leave your building.


The time to take third-party risk transfer steps to control risks is before your organization enters into a business relationship with any third party. Allow for adequate time to properly install necessary controls. More complex and complicated relationships may require even greater time to prepare. You should create a team within your organization to consider the risks and determine adequate required controls for third parties. With the proper third-party risk transfer controls in place, you can rest easy in knowing that your organizational mission is properly protected for the future.

For additional Loss Control guidance, please visit the Plan & Protect safety hub.
