How well do you know your vendor?
When you contract with a third party, you become responsible for any risk posed by their activities. Therefore, the first step in every new relationship should be to do the necessary background checks and research to know your vendor and to ensure they meet regulatory requirements and are protecting your most valuable asset: your reputation.
You should vet every vendor regardless of risk level, because inherent risk (the initial risk impression) is never equivalent to zero. A vendor poses a reputational risk whether it is a critical technology vendor or a non-critical one. Having no due diligence on file during the vetting process is very risky and probably won’t pass muster with your regulator.