Why compliance tracking falls through the cracks
Most facility managers have a general sense of which vendors carry insurance and which ones have current certifications. But a "general sense" is exactly the kind of gap that creates liability.
A vendor shows up to a job with expired workers' compensation coverage. A subcontractor completes electrical work without a current licence. A cleaning company fails a health inspection because a staff member wasn't trained to the required standard. None of these problems are exotic, they happen regularly in facilities that rely on informal compliance tracking.
The issue isn't negligence. It's that compliance tracking across multiple vendors and multiple requirements is genuinely hard to maintain without a system. This guide walks through what vendor compliance actually covers, where the typical gaps are, and how to build a tracking process that catches issues before they become incidents.
What vendor compliance actually covers
Compliance tracking for facility vendors spans several distinct categories, each with different update frequencies and consequences for failure.
Insurance and liability coverage. Every vendor working on your premises should carry general liability insurance, and depending on the work, workers' compensation and professional indemnity coverage. Certificates expire. Policies change. A certificate on file from 18 months ago may not reflect current coverage.
Licensing and certification. Many facility services, electrical, HVAC, fire safety, pest control, require vendor staff to hold specific licences or certifications. These expire, and in regulated industries, using an unlicensed vendor creates direct regulatory exposure for the building owner or manager.
Regulatory and safety compliance. Depending on your sector, vendors may need to comply with occupational health and safety regulations, food safety standards, environmental requirements, or industry-specific codes. In healthcare, education, and government facilities, the requirements are typically more stringent.
Contractual compliance. Beyond regulatory requirements, vendors have obligations defined in their service contracts, staffing levels, response times, reporting requirements, background check standards. These obligations are often defined through service level agreements, and contractual compliance is often the first type to slip, because it's the least formally monitored.
The compliance tracking gap in most facility teams
Most teams have some compliance documentation, usually a folder of vendor certificates collected when contracts were signed. The gap is in what happens after that.
Certificates are rarely reviewed again until a renewal conversation prompts someone to check, an incident creates a liability question, or an auditor asks for documentation.
By that point, you may be discovering that a vendor's insurance lapsed six months ago, or that a certification wasn't renewed after it expired. The exposure was there the whole time, it just wasn't visible.
The second gap is breadth. Teams typically track the most obvious compliance items (insurance certificates) and have less systematic coverage of licensing, regulatory, and contractual requirements.
Building a compliance tracking calendar
The most practical starting point is a compliance calendar, a structured overview of every requirement, every vendor, and every expiry date.
For each vendor, document:
- What types of insurance are required, the minimum coverage amounts, and the current certificate expiry date
- Which licences or certifications are required for the work being performed, who holds them, and when they expire
- Any regulatory compliance requirements specific to your sector or location
- Key contractual obligations you intend to monitor (staffing ratios, response times, reporting)
Set reminders at 90, 60, and 30 days before each expiry. This gives vendors enough lead time to renew before a gap occurs, and gives you visibility to escalate if they don't.
What to check at each vendor touchpoint
Compliance tracking shouldn't only happen at a calendar level. Build compliance checks into your regular vendor interactions.
Onboarding. Before a new vendor performs any work, confirm that all required documentation is current and on file. Don't start the relationship with exceptions.
Annual reviews. Use each annual review as an opportunity to run a full compliance audit for that vendor, including a structured vendor site audit, refresh certificates, confirm licence renewals, review any regulatory changes that affect the relationship.
Contract renewals. Treat renewal as a clean-slate compliance check. Confirm that everything is current before signing.
After incidents. If a vendor incident occurs, regardless of severity, run a compliance check as part of the incident review. Compliance gaps often co-occur with performance issues.
Escalation: what to do when compliance fails
When a compliance issue surfaces, the response should be proportionate to the risk.
Low-risk issues, minor administrative gaps, documentation delays with an active renewal in progress, can typically be managed with a documented notification and a firm deadline for resolution.
Medium-risk issues, expired certificates where renewal hasn't been initiated, licensing gaps for non-safety-critical work, warrant a work suspension for the affected activities until documentation is current. Don't allow work to continue while you're waiting.
High-risk issues, uninsured work completed, unlicensed work on safety-critical systems, regulatory violations, require immediate escalation. Suspend all work, notify your legal or risk team, and document everything. Depending on the nature of the violation, you may have notification obligations to regulators or insurers.
The worst response to any compliance issue is to wait and hope it resolves quietly. Document the issue, the notification, and the resolution, regardless of the outcome.
The case for a centralised compliance system
Managing compliance tracking in a spreadsheet is workable for a small portfolio. As the number of vendors, sites, and requirements grows, the spreadsheet approach creates its own risk, data gets stale, updates get missed, and no one has a reliable view of the full picture.
A platform like Evalystar centralises vendor compliance documentation alongside performance data, so you can see a vendor's compliance status and their performance record in the same place. When a certificate is approaching expiry, the system flags it, rather than relying on someone to remember to check a spreadsheet.
For facility teams managing five or more vendors across multiple sites, that centralisation isn't a convenience, it's a meaningful reduction in liability exposure. See how Evalystar works.