Third party risk certification is the process of evaluating, verifying, and documenting the risk profile of every subcontractor before they perform work on your construction projects. In 2025, a Willis Towers Watson study found that 47% of construction claims originated from subcontractor-related risk exposures that the GC could have identified during pre-qualification. Certification programs catch these exposures before they become claims.

This pillar guide covers the full scope of third party risk certification, from initial evaluation through ongoing monitoring and re-certification.

What Third Party Risk Certification Means for GCs

Third party risk certification in construction goes beyond checking a box. It is a structured evaluation of a subcontractor's ability to perform work safely, maintain adequate insurance, meet financial obligations, and comply with regulatory requirements.

Insurance verification. Confirm that the sub carries all required coverages at adequate limits. Verify endorsements including additional insured and waiver of subrogation. Monitor expiration dates throughout the project.

Safety performance. Review the sub's experience modification rate (EMR), OSHA recordable incident rate, and safety program documentation. An EMR above 1.0 signals higher-than-average claims frequency. An EMR above 1.3 should trigger additional scrutiny or disqualification.

Financial stability. Assess the sub's financial capacity to complete the work. Review bonding capacity, credit reports, and references from recent projects. A sub who fails mid-project creates cascading delays and costs.

Regulatory compliance. Verify licensing, workers' compensation coverage, and compliance with state and federal regulations. Check OSHA violation history and any debarment from government work.

Legal history. Review litigation history for patterns of claims, disputes, or judgments. Frequent litigation can indicate quality or safety problems.

The Certification Framework

A structured certification framework ensures consistent evaluation across all subcontractors. Use a scoring system that weights each risk category.

Risk Category	Weight	Evaluation Criteria	Data Sources
Insurance compliance	25%	Coverage limits, endorsements, claims history	Certificates, loss runs, carrier verification
Safety performance	25%	EMR, OSHA rates, safety program	EMR letter, OSHA logs, program documentation
Financial stability	20%	Bonding capacity, credit, references	Financial statements, surety letter, references
Regulatory compliance	15%	Licensing, WC coverage, OSHA history	State license board, OSHA database, WC verification
Experience and capacity	15%	Similar project experience, current workload	Project references, backlog analysis

Subcontractors who score below your minimum threshold do not receive certification. Those who score above it are certified and eligible for project award. Tiered certification (gold, silver, bronze) allows different levels of access based on risk tolerance.

Building a Certification Program

Implementing a risk management certification program requires investment in process, technology, and people.

Step 1: Define requirements. Establish minimum standards for each risk category. These should align with your insurance program, your owners' requirements, and industry benchmarks. Document the requirements in a pre-qualification manual.

Step 2: Create evaluation tools. Build questionnaires, checklists, and scoring rubrics that capture the data needed for certification. Standardize the format so evaluations are consistent across all applicants.

Step 3: Set up data collection. Create a portal or system for subcontractors to submit their documentation. Automated systems reduce processing time and improve data accuracy. Manual collection via email works for small programs but breaks down past 50 active subs.

Step 4: Train evaluators. The staff reviewing certification applications must understand insurance, safety metrics, financial analysis, and regulatory requirements. Cross-train at least two people to prevent bottlenecks.

Step 5: Establish review cycles. Certification should not be a one-time event. Set re-certification intervals (annually at minimum) and define triggers for interim reviews such as safety incidents, financial changes, or ownership transitions.

Insurance Verification in the Certification Process

Insurance verification is the most operationally demanding component of third party risk certification.

Certificate review. Every certificate must be reviewed against the subcontract requirements. Check policy numbers, effective dates, coverage limits, and named insured accuracy. Flag any discrepancies immediately.

Endorsement verification. Additional insured and waiver of subrogation endorsements must be verified by reviewing the actual endorsement pages, not just the certificate notation. The endorsement page is the legally binding document.

Claims history analysis. Request three to five years of loss run data. Analyze claim frequency, severity, and trends. A subcontractor with increasing claim frequency presents growing risk. Evaluate whether claims indicate systemic safety problems or isolated incidents.

Carrier quality. Verify that the sub's insurance carrier has an AM Best rating of A- or better. Carriers with lower ratings may lack the financial strength to pay large claims.

Safety Certification Standards

Safety performance is the strongest predictor of future claims. GCs should set clear safety certification thresholds.

EMR thresholds. Set maximum EMR levels for certification. Common thresholds are 1.0 for standard certification and 0.85 for preferred status. Subs with EMRs above 1.3 should be reviewed case by case or excluded.

OSHA compliance. Review the sub's OSHA 300 log for the past three years. Calculate the Total Recordable Incident Rate (TRIR) and the Days Away, Restricted, or Transferred (DART) rate. Compare against industry averages for the sub's trade classification.

Safety program documentation. Require a written safety program that covers hazard communication, fall protection, excavation safety, and trade-specific hazards. The program should include documented training records and a designated safety officer.

Financial Risk Assessment

Financial failure during a project creates massive disruption. Certification should include financial verification.

Surety bond capacity. A subcontractor's bonding capacity reflects the surety's assessment of their financial health. Request a surety letter confirming the sub's single project limit and aggregate capacity. Subs without bonding capacity may lack the financial stability for large projects.

Credit evaluation. Review the sub's commercial credit report. Look for liens, judgments, tax debts, and payment patterns. A sub with deteriorating credit may be under financial stress that affects project performance.

Reference checks. Contact references from recent projects of similar size and scope. Ask about payment to suppliers and lower-tier subs, quality of work, and adherence to schedule. Financial problems often surface first in late payments to suppliers.

Ongoing Monitoring After Certification

Certification is not a one-time event. Risk profiles change throughout the project lifecycle.

Continuous insurance monitoring. Track policy expiration dates. Send renewal requests 30 days before expiration. Flag non-compliant subs immediately when coverage lapses.

Safety incident tracking. Monitor each sub's safety performance on your projects. An increase in incidents may warrant a certification review even before the scheduled re-certification date.

Financial triggers. Watch for signs of financial distress including slow payment to suppliers, subcontractor liens filed by lower-tier subs, and requests for accelerated payment. Any of these triggers should prompt a financial review.

Re-certification. Conduct full re-certification annually. Re-evaluate all risk categories using updated data. Adjust certification status based on current performance.

Use Our EMR Calculator

Evaluate subcontractor safety performance as part of your certification program. Our EMR Calculator Tool provides risk scoring and benchmarking for every trade classification.

FAQs

What is third party risk certification in construction? Third party risk certification is a structured process for evaluating and documenting the risk profile of subcontractors before they work on your projects. It covers insurance compliance, safety performance, financial stability, regulatory compliance, and experience. The certification confirms that the sub meets your minimum risk standards.

How long does the certification process take? Initial certification for a new subcontractor typically takes 10-20 business days from document submission to final review. The timeline depends on how quickly the sub provides complete documentation. Renewal certifications take 5-10 days because baseline data is already on file.

What happens if a certified subcontractor's risk profile changes mid-project? Trigger an interim review. If the sub's insurance lapses, their EMR increases significantly, or they experience a serious safety incident, review their certification status immediately. Depending on the severity, options include additional monitoring, corrective action requirements, or suspension of certification.

How does third party risk certification affect project insurance costs? GCs who use certification programs report 15-25% lower claims frequency compared to those who do not pre-qualify subcontractors. Lower claims frequency translates to better loss experience, which leads to lower insurance premiums at renewal. The certification program pays for itself through reduced claims costs.

Should GCs use third-party services or manage certification in-house? Both approaches work. In-house management provides more control but requires dedicated staff. Third-party services offer specialized expertise and technology platforms. Most mid-size GCs use a hybrid approach with in-house oversight and third-party data collection and verification.

How often should subcontractors be re-certified? At minimum, annually. Re-certification should include updated insurance documentation, current EMR, recent financial data, and a review of project performance. Event-driven re-certification should occur after safety incidents, financial changes, or ownership transitions regardless of the scheduled cycle.

Centralize Your Risk Certification Program

SubcontractorAudit provides the tools to evaluate, certify, and monitor subcontractor risk from a single platform. Request a demo to see how the system supports your certification program.