Due Diligence and Ongoing Monitoring

  • 1.  Due Diligence Documents

    This message was posted by a user wishing to remain anonymous
    Posted 11-04-2024 11:28 AM

    We are enhancing our TPRM program and policy and moving to risk-based due diligence. Is anyone willing to share what documents they request for a third party that poses a consumer compliance risk?

    A few that came to mind were privacy policy, complaint policy, incident response, audit and monitoring rights...



  • 2.  RE: Due Diligence Documents

    This message was posted by a user wishing to remain anonymous
    Posted 11-04-2024 12:01 PM

    Assessments should be risk-based and aim to exclude inherently low-risk vendors. Understanding the Inherent Risk associated with a vendor, without any controls in place, is crucial for establishing your due diligence requirements. This process helps narrow down the list of vendors that require due diligence and control reviews. Based on your inherent risk assessment, you should request documentation to verify that the vendor has sufficient controls in place to address the identified risks. Once these controls are confirmed, you can evaluate the Residual Risk, guiding your decision to accept, reject, or take further action to mitigate the risk. Conducting the Inherent Risk evaluation early is essential to allow adequate time for developing a clear risk profile.