A well-defined third party risk management program does not require conducting onsite or virtual assessments for all third parties, as this would be impractical, costly, and inefficient. Instead, a TPRM program should adopt a risk-based approach to determine the frequency, scope, and depth of assessments based on the inherent and residual risks posed by each third party. This means that some third parties may require more frequent and comprehensive assessments than others, depending on factors such as the nature, scope, and criticality of their services, the sensitivity and volume of data they access or process, the regulatory and contractual obligations they must comply with, and the results of previous assessments and monitoring activities. A risk-based approach to assessments allows an organization to allocate its resources and efforts more effectively and efficiently, while also ensuring that the most significant risks are adequately addressed and mitigated.Reference:

Shared Assessments,CTPRP Job Guide, page 9: ''The frequency, scope, and depth of assessments should be determined by the inherent and residual risks posed by each third party.''

OneTrust, [What is Third-Party Risk Management?]: ''A risk-based approach to third-party risk management means that you prioritize your efforts and resources based on the level of risk each vendor poses to your organization.''

[Deloitte], [Third Party Risk Management: Managing Risk]: ''A risk-based approach to third-party risk management helps organizations prioritize their efforts and resources based on the level of risk each third party poses to the organization.''