
Who Owns Your Vendor Insurance Standards: Compliance vs. Legal

Legal drafts the contract language, but compliance lives with the consequences. Here's how to define who sets minimum insurance standards and who approves exceptions to indemnity, liability, and coverage requirements.


Clarita Team

Most organizations have a version of this problem. Legal drafts the vendor contracts. Compliance manages the ongoing vendor relationships. And somewhere in between, nobody has clear ownership of the insurance and indemnity language that connects the two.

The result is predictable. Contracts get signed with nonstandard indemnification clauses that nobody on the compliance team reviewed. Limitation of liability caps quietly undercut the insurance requirements that compliance spent weeks negotiating. And when a claim hits, everyone discovers that the contract language and the certificate of insurance tell two very different stories.

This is not a failure of either team. It is a structural gap between two functions that rarely have a shared framework for managing vendor risk transfer.


The Core Problem: Proximity vs. Context

Lawyers are typically the ones closest to vendor contracts. They negotiate the terms, draft the indemnification provisions, and approve the limitation of liability language. This makes sense on the surface. These are legal instruments, and legal should own legal instruments.

But here is where the dynamic breaks down. Most in-house counsel, even strong commercial lawyers, are not insurance specialists. They understand indemnification as a contractual concept but may not fully grasp how it interacts with the vendor’s actual insurance program. They know what a limitation of liability clause does in theory but may not recognize when a $500,000 liability cap renders a $2 million insurance requirement effectively meaningless, or when it does not.

Compliance managers, on the other hand, live in the operational reality of vendor risk. They see the certificates every day. They know which vendors consistently fall short on coverage. They understand that a waiver of subrogation is only useful if the underlying policy actually includes the endorsement, and that a COI is an informational document that does not amend the policy itself.

The compliance team has the context that legal often lacks: what happens after the contract is signed.


Who Should Set Minimum Standards

Minimum insurance requirements should be owned by compliance, with legal input on enforceability.

Compliance teams are best positioned to define the baseline because they understand the operational risk profile of each vendor category. A janitorial services vendor and a technology consulting firm present fundamentally different risk exposures, and the insurance requirements should reflect that. Compliance managers work with these categories daily and can calibrate requirements based on real patterns: which coverage types matter most, what limits are realistic for the vendor’s industry, and where gaps tend to appear.

Legal should review the minimum standards for contractual enforceability and consistency with the organization’s broader risk framework. But the substance of what gets required (coverage types, minimum limits, endorsement requirements) should originate from the team that manages ongoing vendor compliance.

A practical approach is to create tiered vendor risk categories with corresponding minimum insurance templates. Standard vendors might require basic general liability and workers’ compensation. Enhanced risk vendors add professional liability and higher limits. Critical vendors require umbrella coverage, specific endorsement packages, and potentially policy review beyond the certificate level.


Who Should Approve Nonstandard Indemnity Language

Exceptions to standard indemnification clauses are where the legal and compliance collaboration becomes essential, and where it most often breaks down.

When a vendor pushes back on your standard indemnification language, legal typically handles the negotiation. That is appropriate. But the decision to accept modified language should not rest with legal alone, because the downstream consequences land squarely on the compliance team.

Consider a common scenario. A vendor’s counsel proposes narrowing the indemnification from broad form to a limited form, so the vendor indemnifies only for claims arising from its own negligence rather than for all claims arising from its work. Legal may view this as a reasonable concession during contract negotiation. But compliance needs to evaluate whether the vendor’s insurance program, and in particular the additional insured coverage your organization is relying on, can cover the gap that narrower indemnification creates.

The same logic applies to limitation of liability clauses. A vendor proposing a $1 million aggregate liability cap on a contract where your insurance requirements specify $5 million in coverage is creating an internal contradiction. The liability cap effectively tells the vendor they will never need to pay more than $1 million regardless of what their insurance covers. Compliance managers who understand the relationship between contractual liability limits and insurance requirements are better positioned to flag this disconnect.

The approval workflow for nonstandard language should require sign-off from both legal and compliance. Legal confirms the language is enforceable and consistent with the organization’s legal risk tolerance. Compliance confirms the modified terms do not create gaps in the vendor’s insurance program or undermine the minimum standards.


The Limitation of Liability Trap (And When It Is Not a Trap at All)

This deserves specific attention because it is one of the most commonly overlooked interactions between contract language and insurance requirements. It is also one of the areas where the gap between legal reasoning and compliance reasoning is most visible.

A limitation of liability clause caps the maximum amount a vendor will pay for damages under the contract. On its own, this is a standard and reasonable provision. The problem emerges when the liability cap is significantly lower than the insurance limits the compliance team requires and nobody has explained why.

If your minimum standards require $2 million in general liability coverage but the contract includes a $500,000 limitation of liability, that can look like a contradiction. The vendor still carries the policy, and the certificate still shows the correct limits. But unless the cap carves out the vendor’s indemnification obligations and amounts recoverable from insurance (many limitation of liability clauses do, and the first thing to check is whether this one does), the contractual cap means the vendor’s direct obligation to your organization maxes out far below what the insurance would actually pay.

Here is where it gets nuanced. A sophisticated legal counsel might accept a low liability cap deliberately, knowing that the real recovery path runs through the vendor’s insurance policy rather than through the contract itself. For example, legal might agree to a $500,000 contractual liability cap while requiring $5 million in cyber liability insurance, because a data breach is likely to generate claims against multiple parties at once, and additional insured status gives your organization coverage under the vendor’s policy for claims brought against you. That coverage responds to your liability to third parties, which the contractual cap on the vendor’s own liability does not limit. In that scenario, the liability cap governs what the vendor pays out of pocket, but the insurance program is the actual mechanism for making the organization whole. It only works, of course, if the additional insured endorsement is actually on the policy, which is exactly the kind of thing compliance verifies.

This is a perfectly valid risk transfer strategy. The problem is that it only works if compliance understands the reasoning behind it. If compliance sees a $500,000 cap next to a $5 million insurance requirement and nobody explains the logic, they might flag it as an error. Or they might assume the insurance requirement is aspirational rather than the actual recovery mechanism the organization is relying on.

This is precisely why these decisions cannot happen in silos. Legal may be making a calculated trade-off that looks like an oversight to compliance without shared context. And compliance may be enforcing insurance requirements without understanding whether the contract language is designed to complement them or contradict them.


The Reality of Fast-Moving Deals

In theory, every deviation from standard terms should go through a structured review. In practice, deals move quickly. Sales is pushing to close. Operations needs the vendor onboarded by next quarter. Legal is negotiating terms on a compressed timeline with the vendor’s counsel pushing back on indemnification scope and liability caps simultaneously.

In that environment, getting legal, risk, compliance, sales, and operations on the same page for every contract decision is difficult. The coordination challenge is real, and acknowledging it matters more than pretending it can be solved with a policy memo.

Legal typically has the puck during contract negotiation. They are the ones on the call with the vendor’s counsel, redlining the indemnification provision, and deciding whether to accept a reduced liability cap to keep the deal moving. That is their role, and they should own it. But legal cannot negotiate insurance and risk transfer provisions effectively without insight from the risk and compliance teams who understand the downstream implications of those decisions.

A lawyer who has never reviewed a certificate of insurance may not recognize that accepting a claims-made professional liability policy without an extended reporting period leaves the organization exposed once the contract ends: if the vendor lets the policy lapse, a claim reported after the lapse is not covered, even though the work that caused it was done while the policy was in force. A compliance manager who has never sat in on a contract negotiation may not understand why legal accepted a mutual indemnification clause instead of the one-sided language that compliance prefers.

The strongest organizations address this through cross-training rather than through more approval gates. When legal understands the basics of insurance programs, endorsements, and how COIs actually work, they negotiate more effectively without needing compliance on every call. When compliance understands how indemnification provisions interact with limitation of liability clauses, they can review signed contracts and flag real issues instead of raising false alarms.

Cross-training does not mean turning lawyers into insurance specialists or compliance managers into contract attorneys. It means building enough shared vocabulary and foundational knowledge that each team can recognize when a decision in their domain has implications for the other. That shared competency is what turns a slow, bureaucratic approval process into a fast, informed one.


Building a Shared Framework

Closing this gap does not require reorganizing your department structure. It requires three things.

First, create a shared reference document that maps your standard insurance requirements to the corresponding contract provisions. When legal sees a vendor push back on indemnification scope, they should be able to quickly check what the insurance implications are. When compliance sees a certificate that looks adequate, they should know what the contract says about the vendor’s actual liability exposure.

Second, establish a mandatory cross review for any deviation from standard terms. If legal is considering accepting a modified indemnification clause or a reduced liability cap, compliance should review the change before it is finalized. If compliance wants to waive an insurance requirement for a specific vendor, legal should confirm the contractual protections are sufficient to justify the exception.

Third, track the relationships between contract terms and insurance coverage at the vendor level. A vendor’s compliance status is not just about whether their certificate is current. It is about whether their entire risk transfer package (contract language, indemnification, liability limits, insurance coverage, and endorsements) works together as intended.


The Bottom Line

Legal and compliance are not adversaries in this process. They are two halves of the same risk transfer equation. The dysfunction happens when each team operates in isolation, optimizing for their own domain without visibility into how their decisions affect the other.

Compliance should own the minimum standards because they understand the operational risk landscape. Legal should own the enforceability review because that is their expertise. And exceptions to standard language should require both teams to sign off, because the consequences of getting it wrong belong to everyone.

This also points to a broader truth about the compliance manager’s role. Managing vendor risk cannot stop at reviewing and tracking certificates of insurance. The contract is the starting point. It defines what coverage the vendor must carry, what indemnification obligations exist, and what liability limits apply. The endorsements attached to the vendor’s policy are the end goal. They are what actually deliver the protection that the contract requires: additional insured status, primary and noncontributory coverage, waiver of subrogation.

The COI sits between those two anchors. It is an evidentiary document that summarizes what the policy covers at a point in time. It does not create an obligation, amend a policy, or guarantee that the endorsements are in place. A compliance program that begins and ends with the certificate is verifying the middle of the chain without seeing either end.

The organizations that get vendor risk transfer right are not the ones with the best lawyers or the most experienced compliance managers. They are the ones where both teams share a common framework, where compliance professionals understand the full arc from contract to endorsement, and where every contract provision, every indemnification clause, and every insurance requirement is tracked as part of a connected whole.


Clarita helps compliance teams track vendor insurance requirements alongside the contract terms and indemnification provisions that govern them, so gaps between what the contract requires and what the certificate shows are visible before they become a problem. If your program manages vendor risk transfer across legal and compliance teams, request early access.
