Risk Management · April 11, 2026 · 6 min read

Third-Party Risk Management in Construction: A GC's Playbook

Subcontractors are third parties, and managing the risk they bring to your projects is one of the biggest responsibilities a GC has. Here's the practical third-party risk management playbook.

TL;DR: A construction TPRM program runs in four lifecycle stages: pre-contract due diligence (licensing, insurance adequacy, EMR, bonding capacity), contract documentation (indemnification, AI, PNC, Waiver of Subrogation), active project monitoring (expiration tracking, incident logs), and post-completion closeout (warranty, completed operations, final lien waivers). Each sub inherits seven risk categories (liability, insurance gap, tax misclassification, regulatory, schedule, financial, reputational) that the GC owns until risk transfer is documented.

Every subcontractor your general contracting company hires is a third party, and every third party brings risk. Third-party risk management (TPRM) is the discipline of identifying, assessing, and mitigating the risks that come with working through people and companies you don't directly employ. In construction, TPRM is mostly about subcontractor compliance, but it extends further into safety, legal, financial, and reputational exposure.

This post walks through a practical TPRM framework for general contractors.

What Third-Party Risk Actually Looks Like in Construction

When a GC hires a subcontractor, the GC inherits several categories of risk:

  • Liability risk if the sub's work causes bodily injury or property damage
  • Insurance gap risk if the sub lacks adequate coverage or the coverage doesn't respond
  • Tax and compliance risk if the sub is misclassified as an independent contractor
  • Regulatory risk if the sub violates OSHA, labor law, or environmental regulations on the project
  • Schedule risk if the sub fails to perform on time
  • Financial risk if the sub becomes insolvent mid-project
  • Reputational risk if the sub's work is defective or their conduct embarrasses the GC

Each of these requires different controls, but all of them arise from the same root: how you choose and manage the third parties you bring onto a project.

The 4-Stage TPRM Framework

A useful way to structure third-party risk management is by project lifecycle stage.

Stage 1: Pre-Contract Due Diligence

Before signing a subcontract, verify:

  • Business entity status and good standing
  • Contractor licensing (state and local where required)
  • Insurance program adequacy (CGL, WC, Auto, Umbrella limits and endorsements)
  • Financial stability (bonding capacity, references, payment history)
  • Safety record (EMR, OSHA citations, loss runs)
  • Legal history (litigation, liens, regulatory actions)

For larger or riskier subs, this diligence is formal and documented. For small, low-risk subs (a handyman picking up a $2,000 job), the diligence is lighter but never zero.

Stage 2: Contract and Documentation

Every sub needs a signed subcontractor agreement with specific risk transfer provisions: indemnification, insurance requirements, Additional Insured and PNC language, Waiver of Subrogation, and default/termination clauses. The contract is where most of your risk transfer actually lives.

At this stage, also collect the full onboarding documentation package: COI with endorsements, W-9, license, business entity proof.

Stage 3: Active Project Management

Once the sub is on site, TPRM shifts to monitoring:

  • Insurance documentation stays current (no lapses mid-project)
  • Actual work conforms to scope and quality standards
  • Sub's safety performance meets project standards
  • Change orders are documented and priced properly
  • Payments flow per the contract's payment terms
  • Lien waivers are collected with each payment

Stage 4: Closeout and Retention

At project closeout, collect final lien waivers, warranties, O&M manuals, and as-builts. Retain sub compliance documentation for the statute of repose (typically 6 to 10 years for construction) so that if a claim emerges later, you can prove what insurance was in place when the work was performed.

Risk Tiering

Not every sub requires the same level of scrutiny. A mature TPRM program tiers subs based on:

  • Contract value: larger contracts justify deeper diligence
  • Risk exposure: structural, electrical, high-elevation work carries more risk than finish trades
  • Sub's track record: new subs need more verification than subs you've worked with for years
  • Project criticality: critical-path subs need more oversight than non-critical work

A common approach is three tiers:

  • Tier A (high risk): full diligence including financial review, reference checks, detailed insurance verification including endorsement pages, and active project monitoring
  • Tier B (moderate risk): standard compliance documentation plus basic diligence
  • Tier C (low risk): minimum required documentation (COI, W-9, WC, license where applicable)

The Documentation Moat

Third-party risk management produces a lot of paper: contracts, certificates, endorsements, lien waivers, pay applications, safety reports, change orders. Without a system to organize it, TPRM becomes a giant email archive.

PaperBoss is built for the compliance documentation side of TPRM. Every sub's COI, W-9, WC, and license documents live in a searchable vault organized by sub and project, with automated expiration tracking. You can pull a full compliance file for any sub in seconds, which matters when a claim surfaces 18 months after the work is done and you need to prove coverage was in place.

For larger projects requiring deeper diligence (financial review, references, safety records), supplement with dedicated TPRM tools or attorney-led diligence.


Common TPRM Mistakes

  1. Treating every sub the same. Without tiering, you either over-scrutinize small subs (wasting time) or under-scrutinize large ones (taking risk).
  2. Relying on verbal assurances. "They said they're insured" is not TPRM. Verify the actual documents.
  3. Stopping at project start. TPRM is a lifecycle, not a checklist. Monitoring during the project catches gaps that pre-contract diligence misses.
  4. Not documenting the diligence. If a sub-caused claim hits, your insurance carrier will want evidence that you performed reasonable diligence. Keep records.
  5. Treating TPRM as paperwork. The documents are evidence of the process. The process is about choosing good partners, setting clear expectations, and monitoring performance.

Frequently Asked Questions

Is TPRM the same as subcontractor compliance?

Subcontractor compliance is a subset of TPRM. Compliance focuses on documentation (COI, W-9, etc.). TPRM is broader and includes financial diligence, safety performance, and project management oversight.

Do small GCs need a formal TPRM program?

Yes, though the level of formality should match the size and risk profile of the operation. A small GC with 10 subs doesn't need a 50-page TPRM policy manual, but does need a consistent process for vetting and documenting subs.

How does TPRM relate to construction defect claims?

Construction defect claims often surface years after work is completed. Strong TPRM (including documentation retention) is what lets you prove what insurance was in place when the work was performed, which determines whether the sub's policy responds.

Who owns TPRM in a GC organization?

Usually the project manager for each project, with oversight from a risk manager or operations leader. In smaller firms, it may fall to the owner or office manager.

Can I outsource TPRM to a third party?

Some GCs use insurance brokers or dedicated TPRM services for parts of the diligence process. Core monitoring and documentation still live internally because they're tied to daily project operations.


This article is for educational purposes only and does not constitute legal or insurance advice. Consult a construction attorney or risk management professional for specific TPRM program design.
