Does anyone currently outsource their third-party program or pieces of it, like initial and/or annual due diligence reviews? If so, who do you use and what other considerations do we need to think about? How do you confirm their review is correct/acceptable to your risk level? What do they review? How do they summarize/provide info back?
I don't like posting anonymously, but I think in this case it allows me to speak a bit more freely. I'm in the financial sector and my experience comes from two different banks.
If you already have a good program in place, I think you're better off adding more in-house resources or finding ways to make your process more efficient. I know that's not always possible, but in my experience outsourcing any of the risk assessment process usually produces more overhead and reduced quality, and is usually considerably more expensive (and slower).
Outsourcing most/all of your due diligence efforts might make sense if you don't have a formalized program though. It at least gets you off the ground, and might help you understand the who/what/why on doing assessments.
I know others have had positive experiences, and your specific situation might lend itself very well to having all or part of the process outsourced. I would just make sure to have very clearly defined expectations and SLAs in the contract and try to include credits for failure to meet your requirements. I would put together a solid in-house QA process to ensure the quality of the assessments/reports is still meeting your standard, and have an escalation path(s) and exit plan in place if there are issues.