I wanted to answer your question about capturing the risk mitigation for each moderate or critical factor or at the vendor level. Regarding any risk or mitigation strategy, you should evaluate at the engagement level (product or service) vs. just the vendor. When a vendor has multiple engagements, their risk rating should default to the highest rated engagement.
As for capturing the risk mitigation, I am unclear if you are referring to specific controls that the vendor must have or other internal strategies. Generally, a vendor's control environment should be documented in their risk assessment or due diligence questionnaire, in the documentation provided by the vendor, and in the documented risk review provided by your SME.
If I misunderstood your question, please let me know. I want to help you get the right answer. I would also love to hear from other members.
The level of effort and the specific actions required to manage vendor risk effectively can vary depending on the number of vendors and the risk level presented by each. However, the number of vendors is a significant factor when determining the number of staff.
When it comes down to it, every vendor engagement must undergo at least seven activities: planning, inherent risk assessment, due diligence, contracting, risk reassessment, ongoing monitoring, and offboarding. So to get the most basic idea of how many significant actions would be required, you could multiply the number of vendors you have by those seven activities. If you have 500 vendors, that would be around 3500 individual actions to be performed by the TPRM team – each requiring various levels of in-depth work. And that doesn't even include the other TPRM activities like reporting, policy and program updates, issue tracking, and managing or training vendor owners.