Compliance · April 11, 2026 · 6 min read

Risk Maturity Self-Assessment for General Contractors

Where is your GC business on the risk management maturity curve? Here's a practical self-assessment to evaluate your current state and identify the biggest improvement opportunities.

TL;DR: GC risk maturity falls on a five-stage curve: Reactive, Ad Hoc, Documented, Managed, and Optimized, with most small and mid-size GCs sitting between Stage 2 and Stage 4. A 20-question self-assessment scored 0/1/2 per question takes about 20 minutes and surfaces the biggest gaps, which are usually ownership (no single compliance owner), exception handling, and leadership visibility into compliance status.

Every general contractor has a risk management program, whether it's intentional or accidental. The question is how mature that program actually is. Some GCs have airtight compliance, documented procedures, and active monitoring. Others have a spreadsheet, a handshake culture, and a prayer. Most are somewhere in between and don't know exactly where.

This post is a practical self-assessment you can run on your own operation in about 20 minutes to identify where your risk management sits on a maturity curve, what the biggest gaps are, and what to work on first.

The Maturity Curve

A useful way to think about risk management maturity is a five-stage curve:

Stage 1: Reactive

Compliance happens when something goes wrong. No standard process, no defined roles, no documentation beyond basic files.

Stage 2: Ad Hoc

Some informal processes exist but are applied inconsistently. Spreadsheets track some vendors but not others. Compliance is "whoever remembers this week."

Stage 3: Documented

Written procedures exist. One person owns compliance. Spreadsheets or basic software track all active vendors. Processes are followed most of the time.

Stage 4: Managed

Software supports the workflow. Expiration tracking is automated. Exceptions are formally handled. Monthly reviews happen. Leadership has visibility into compliance status.

Stage 5: Optimized

Continuous improvement based on data. Metrics are tracked and reviewed. Compliance is integrated into the broader risk management program. The team treats compliance as a strategic asset.

Most small and mid-size GCs sit somewhere between Stage 2 and Stage 4. Moving up the curve is a process, not a switch.

The Self-Assessment

Rate your operation on each of the following 20 questions. Give yourself 0, 1, or 2 points for each based on this scale:

  • 0: we don't do this at all
  • 1: we do this sometimes or partially
  • 2: we do this consistently

Process and Ownership

  1. Is there one person who owns subcontractor compliance in your organization?
  2. Do you have a written checklist of required documents for every sub?
  3. Does every sub receive a formal onboarding workflow before work begins?
  4. Is there a written procedure for handling compliance exceptions?
  5. Do you have a written retention policy for compliance records?

Documentation

  1. Do you have a current COI on file for every active subcontractor?
  2. Do you have a signed W-9 on file for every subcontractor you've paid?
  3. Do you have a signed subcontractor agreement for every active sub?
  4. Do you have the actual Additional Insured endorsement pages (not just COI references) for subs on moderate- or high-risk work?
  5. Are your compliance records searchable and organized by sub and project?

Monitoring

  1. Do you receive automated alerts when subcontractor documents are approaching expiration?
  2. Do you actively track expiration dates rather than checking manually?
  3. Do you prevent work from starting on a project until subcontractor compliance is verified?
  4. Do you know, right now, which of your active subs have any compliance gaps?
  5. Do you conduct regular (monthly or more frequent) compliance reviews?

Integration and Reporting

  1. Can you produce a full compliance report for any project within 30 minutes?
  2. Do you retain historical sub compliance records for at least 6 years?
  3. Is compliance status visible to project managers as well as the compliance owner?
  4. Do you track compliance metrics (percentage current, exceptions open, response times) over time?
  5. Do you discuss compliance status in regular operations meetings with leadership?

Scoring

Add up your points:

  • 0 to 15 points: Stage 1 or 2 (Reactive or Ad Hoc). Significant risk exposure. Priority: establish ownership, write a basic procedure, adopt software that automates the worst pain points.
  • 16 to 25 points: Stage 3 (Documented). You have the basics but inconsistent execution. Priority: close the exceptions, tighten the workflow, move to active monitoring.
  • 26 to 35 points: Stage 4 (Managed). Solid program with room to grow. Priority: improve reporting, integrate compliance into broader risk management, track metrics.
  • 36 to 40 points: Stage 5 (Optimized). You're in the top tier. Priority: continuous improvement, sharing best practices, leveraging compliance as a differentiator.

What to Work On First

Regardless of your current score, a few improvements have outsized impact.

Improvement 1: Name an Owner

If compliance doesn't have one clear owner, this is the highest-leverage change you can make. Ownership creates accountability; accountability creates execution.

Improvement 2: Write the Standard

Write a one-page document listing the required compliance documents for every sub, with specific criteria (minimum limits, required endorsements, licensing requirements). Reference it at onboarding and in training.

Improvement 3: Automate Expiration Tracking

This is where manual processes fail most often. Automated alerts at 90, 60, and 30 days before expiration eliminate the single biggest category of compliance failure.

Improvement 4: Retain Historical Documentation

Set up a retention policy that keeps sub compliance records for the duration of the statute of repose applicable to your jurisdiction (typically 6 to 10 years). Most spreadsheet-based systems silently lose older data.

Improvement 5: Regular Review Cadence

Weekly or monthly compliance review meetings keep the program active. Without a cadence, compliance becomes invisible and degrades.

From Stage to Stage

Stage 1 or 2 to Stage 3

Establish ownership. Write the procedure. Move from spreadsheets to basic software. Expected timeline: 30 to 60 days.

Stage 3 to Stage 4

Automate expiration tracking. Establish a weekly or monthly review cadence. Implement exception management with documented decisions. Expected timeline: 60 to 90 days after reaching Stage 3.

Stage 4 to Stage 5

Track compliance metrics over time. Integrate compliance into broader risk management. Share compliance status with leadership. Use compliance data to improve vendor selection and contract terms. This is an ongoing journey rather than a one-time project.

How PaperBoss Fits Each Stage

PaperBoss is designed for GCs moving from Stage 2 or 3 to Stage 4. It automates the document collection, expiration tracking, and reporting that manual systems struggle with, while keeping the workflow simple enough that small GCs can actually use it.

For larger operations that need Stage 5 capabilities (custom metrics, integration with ERP systems, advanced reporting), PaperBoss provides the foundation while specialized enterprise tools handle the deeper analytics. For most small and mid-size GCs, reaching solid Stage 4 is enough to eliminate the majority of compliance risk.

Start a 14-day free trial, no credit card required.

Frequently Asked Questions

How long does it take to move from one stage to the next?

Typically 30 to 90 days per stage, depending on the size of the operation and leadership commitment to the change.

Can I skip a stage?

Generally no. Each stage builds on the previous one. A GC at Stage 1 trying to jump to Stage 4 usually ends up with software that nobody uses because the underlying process and ownership weren't in place.

What's the cost of staying at Stage 2?

Hard to quantify in advance, but it usually surfaces in insurance claims denied for missing documentation, tax penalties for missing W-9s, and audit findings that drive up insurance premiums. Over a few years, the cumulative cost often exceeds what mature programs pay for software and process.

Does maturity scale matter for small GCs?

Yes. A 5-sub operation can reach Stage 4 easily with the right tool and a little discipline. Scale is not a prerequisite for mature risk management.

How do insurance carriers view risk maturity?

Sophisticated carriers and brokers look for evidence of mature risk management when underwriting GC insurance. Higher maturity can translate to better rates at renewal.


This article is for educational purposes only and does not constitute legal or insurance advice.
