The Annual Business
Insurance Risk Review

Start with the physical and operational reality of your business, not with your current policies. The question is: what exists today that would need to be replaced or defended if something went wrong? Build three lists:

• Physical assets: equipment, vehicles, computers, furniture, inventory, and any leasehold improvements. Note approximate replacement values — not book value or original purchase price, but what it would cost to replace each item at today's prices. Equipment and construction costs have risen significantly since 2020; policies written at 2021 values are systematically underinsured.
• Contractual obligations: every active contract, lease, grant agreement, or vendor agreement that requires you to carry insurance. Note the required coverage type, minimum limits, and any additional insured or waiver of subrogation requirements.
• Activities that create liability: every category of work your business performs, including any new service lines added since last review. For nonprofits, include volunteer programs, events, food service, transportation, and any activities involving vulnerable populations.
• Data and digital assets: what personal data does your business hold? Customer PII, payment card data, employee records, health information — each category creates regulatory exposure under Virginia's data breach notification law and the VCDPA.

Now compare what you found in Step 1 against what your current policies actually cover. Pull the declarations page and the exclusions section of each policy. For each policy, answer five questions:

• Are the coverage limits still adequate? Compare property limits against current replacement values. Compare general liability limits against the highest limit required in any active contract. If you added significant equipment or expanded your physical space, limits may need adjustment.
• Are there new exclusions that conflict with current operations? If you have started a new service, hired employees of a new classification, or expanded into a new geographic area, check whether the exclusions section now applies to something you are actively doing.
• Is every active COI current and on file? COIs expire with the policy. If any policy has renewed since you last provided a COI to a client, landlord, or funder, the prior COI is no longer valid. Every required party should have a COI reflecting current policy terms.
• Is your professional liability policy occurrence or claims-made? If claims-made, confirm continuous coverage with no gaps and note what a tail endorsement would cost if you ever need to change carriers.
• Have your premium levels changed in ways that signal a policy review is needed? A significant premium increase at renewal often reflects a carrier's view that your risk profile has changed. Understanding why premiums moved is as important as accepting or rejecting the renewal.

Compare the Step 1 inventory against the Step 2 policy review. A gap is any situation where your current operations, assets, or contractual obligations are not adequately covered by existing policies. Common gaps found in Virginia small business reviews:

• Flood coverage: any business in Hampton Roads, along a Virginia river community, or in a historically flood-prone area. Standard commercial property policies exclude flood. The NFIP has a 30-day waiting period on new policies — flood coverage gaps cannot be fixed reactively.
• Cyber liability: any business holding customer PII, payment card data, employee records, or health information. Virginia's VCDPA penalties reach $7,500 per violation; breach notification costs run $1 to $3 per affected individual before legal fees.
• Professional liability scope: any new service added since the policy was written. A consulting firm that has begun providing implementation services, or an accounting firm that has added financial advisory work, may have activity that falls outside the policy's defined scope of services.
• Workers' compensation headcount: any business that has crossed the two-employee threshold since last review, including through subcontractors performing work in your trade.
• Required coverage for new contracts: any contract or grant award that specifies coverage types or limits you do not currently meet.
• Nonprofit-specific gaps: D&O, EPLI, volunteer accident, and fidelity coverage for any nonprofit that has added programs, staff, or volunteers since last review.

Bring your Step 1 inventory and Step 3 gap list to a broker meeting. This is not a renewal conversation — it is a coverage strategy conversation. The documents you bring determine the quality of the outcome. A broker who receives a complete inventory and a specific gap list can provide targeted recommendations; one who receives “I just want to make sure we're covered” will produce a generic renewal.

Specific questions to ask at this meeting:

• Are there endorsements that could close identified gaps without adding a separate policy? Flood endorsements (for some inland properties), hired and non-owned auto, and data compromise endorsements are examples of coverage improvements that can be added to existing policies at lower cost than standalone policies.
• What does a BOP look like versus my current standalone policies? If you carry general liability and commercial property separately, ask whether bundling would reduce cost and close any gaps.
• What are the current market conditions for my industry and risk class? Carrier appetite for specific risk classes shifts. A broker with a broad market can identify whether your current carrier is competitive or whether a better product exists elsewhere for your profile.
• What would a tail endorsement cost on my professional liability policy? Know this number annually, even if you never need it. It informs the true cost of switching carriers.
• Has anything in Virginia's regulatory environment changed that affects my coverage requirements? The 2026 VWC reporting penalty changes effective January 1, 2026 are one example of a regulatory shift that may affect required coverage structures.

The review produces value only if it is documented and acted on. Create or update a single master policy register that contains all policy information in one place. This document is what your operations team, your board, and any new leadership will need in a crisis — when the claim has occurred, no one should be searching through email for a policy number.

• Master policy register fields: policy type, carrier name, policy number, coverage limits, deductible, premium, policy period start and end date, broker name and contact, claims contact number.
• COI log: list every party that requires a COI from you, the coverage type and limit they require, and the date their current COI expires.
• Gap action list: record any gap identified in Step 3 that was not fully resolved through the broker conversation, with a target resolution date and assigned owner.
• Renewal calendar: set 90-day and 30-day advance reminders before each policy renewal date. The 90-day reminder triggers next year's risk review; the 30-day reminder confirms that any changes from this year's review have been implemented.
• Secondary trigger calendar: note any known future events that should prompt a targeted review — a planned hire, a lease renewal, an anticipated contract award, or a program expansion planned for later in the year.