When it comes to vendors, sometimes we can get distracted by trying to customize our TPRM approach to the product or service types. But this should not be necessary as your standardized processes for identifying, assessing, and managing risks should help you determine the right levels of due diligence, risk re-assessment, risk and performance monitoring, and contract structure for every potential vendor.
Your inherent risk assessment should be able to help your organization understand where the risks are by asking standardized questions. Your due diligence should be based on the risks present. So here are two examples.
Where there is a risk, there should also be a control. It doesn't matter what type of vendor it is; it is all about the risks present in the product and service. And the higher the risks, the more intensive your due diligence efforts are. The caveat is that the due diligence must be relevant to the risks presented. This approach works for every type of vendor and prevents you from second-guessing how to manage the relationship.
So for your architect and environmental site assessors, put them through an inherent risk assessment. It should be clear how to handle the relationship once you can identify the risks.
I hope that helps, but I would love to hear from other members on this topic.