THIRD-PARTY & VENDOR DUE DILIGENCE

[THIRD PARTY / ENGAGEMENT - REF]

This report is the multi-domain, risk-tiered Third-Party Risk Management (TPRM) onboarding product. It assesses a vendor, supplier, agent, or partner the client intends to onboard or is already using; calibrates due-diligence depth and ongoing oversight to the third party’s inherent-risk tier (criticality of service, data/system/premises access, spend/dependency, geography, regulatory sensitivity); evaluates risk across integrity/compliance, financial viability, information security & data privacy, operational resilience, regulatory/legal/licensing, ESG/labor/modern-slavery/supply-chain, and fourth-party/subcontractor domains; specifies required contractual controls; and produces an onboarding decision (approve / approve-with-conditions / remediate-then-reassess / reject / offboard). It is not the integrity/compliance SCREEN of Vendor & Third-Party Integrity Vetting - that product is the sanctions/ABAC/AML/UBO/adverse-media/ESG integrity verdict on a counterparty; this product consumes that screen by reference, integrates its verdict, and escalates fresh gaps back to it rather than re-performing the deep integrity work. It is not the baseline standing-entity survey of the Standard Corporate Due Diligence Report; not the heightened-risk resolution of the Enhanced Due Diligence (EDD) Report; not the transaction/deal-scoped analysis of M&A Due Diligence; and not the standalone deep reputational/field investigation of Reputational Due Diligence. It does not perform ongoing monitoring - it RECOMMENDS the re-assessment cadence and ROUTES ongoing watch to Continuous Counterparty Monitoring. Where those needs surface, raise them as RFIs in §21 and escalate - do not perform them here.


Document Control

FieldValue
Report Reference[REF-YYYY-###]
Date of Report[YYYY-MM-DD]
Reporting Period / As-Of Date[YYYY-MM-DD]
Classification / Handling[CONFIDENTIAL - CLIENT EYES ONLY / TLP:AMBER]
Client[CLIENT NAME]
Requesting Party[CONTACT - ENGAGEMENT REF]
Third Party[LEGAL NAME - registration no. / jurisdiction]
Service / Relationship[What the third party provides to the client]
Inherent-Risk Tier[Critical / High / Medium / Low - see §6]
Data / System Access[None / Limited / Sensitive / Privileged]
Engagement Status[Pre-onboarding / Active vendor / Renewal / Offboarding]
Scope / Depth[Risk-tiered multi-domain TPRM onboarding DD - see §2 and §6]
Prepared By[ANALYST NAME / ID]
Reviewed By[REVIEWER NAME / ID]
Approving Officer[APPROVER NAME / ID]
Version[1.0]
Distribution[NAMED RECIPIENTS]

Handling: [Classification/TLP]. Disseminate only to the named authorized recipients. Reproduction or onward sharing prohibited without originator approval. May contain personal data on third-party personnel, owners, and counterparties - store and transmit per the client data-processing agreement.

Nature of this product (READ FIRST): This is a due-diligence intelligence and third-party risk assessment prepared to support a vendor onboarding or ongoing-oversight decision. It is not a consumer report (FCRA does not apply), and it is not an audit, a SOC 2 / ISO certification, a legal opinion, a financial opinion, or a guarantee of the third party’s performance, solvency, security posture, or ongoing compliance. It is one analytic input; the client remains responsible for its own final onboarding decision and for satisfying its regulatory obligations.

Regulatory framing: Where the relationship implicates the client’s own AML/KYC and counterparty due-diligence obligations; sanctions/export-control screening; anti-bribery & corruption (including liability for acts of third-party intermediaries, agents, and suppliers under the FCPA, UK Bribery Act, and equivalents, with required flow-down of controls to subcontractors); data-protection processor/controller duties (GDPR/UK GDPR/CCPA) where the third party processes client data; sector third-party risk-management rules (e.g., FFIEC/OCC, EBA, DORA for regulated financial clients); or modern-slavery / supply-chain statutes - the applicable regime set and evidentiary standard must be confirmed with client counsel/compliance per engagement. This report informs, but does not satisfy, those obligations.

Sanctions & restricted-party caveat: Any apparent sanctions, export-control, debarment, or ownership exposure is reported as a potential match requiring client confirmation and, where indicated, competent-authority guidance before any dealing or onboarding; [FIRM] does not authorize, license, clear, or approve transactions or relationships.

Sourcing & verification: Findings derive from open and licensed sources, client-provided information, and third-party-supplied questionnaires, attestations, and evidence (e.g., SOC 2 reports, certifications, policies). Vendor self-attestation and questionnaire responses are treated as lower-reliability inputs and graded accordingly (typically C-range or lower unless independently corroborated); absence of an adverse finding is not assurance of absence. Findings are time-sensitive - re-verify before any consequential action.

Data protection / reliance: Personal data processed under [legal basis]; EU/UK data handled per GDPR/UK GDPR; retained per [RETENTION REF]. Reliance is limited to the named client for the stated third-party onboarding/oversight purpose; no third-party reliance without originator consent.

Third-Party Snapshot

FieldValue
Third Party (Legal)[Legal name - registration no. / jurisdiction]
Primary Identifiers[DBA / website / primary address / LEI]
Inherent-Risk Tier[Critical / High / Medium / Low - see §6]
Data / System Access[None / Limited / Sensitive / Privileged]
Service / Relationship[Description]
Engagement Status[Pre-onboarding / Active / Renewal / Offboarding]
Integrity & Compliance (from Integrity Vetting)[Clear / Conditional / Adverse - REF-YYYY-###]
Financial Viability[Stable / Watch / Stressed / Distressed - see §9]
InfoSec & Data Privacy Posture[Strong / Moderate-with-gaps / Weak / Critical - see §10]
Operational Resilience[Robust / Adequate / SPOF present / Inadequate - see §11]
Regulatory / Licensing Standing[Compliant / Gaps / Material issues - see §12]
ESG / Labor / Modern-Slavery[Adequate / Partial / Material exposure - see §13]
Fourth-Party / Subcontractor Concentration[Low / Moderate / Elevated / Critical - see §14]
Material Red Flags[Count by severity: Crit / High / Med / Low]
Overall Residual Risk (post-controls)[LOW / MODERATE / ELEVATED / HIGH / CRITICAL - see §22]
Onboarding Recommendation[APPROVE / APPROVE WITH CONDITIONS / REMEDIATE THEN REASSESS / REJECT / OFFBOARD - see §22]

Table of Contents

  1. BLUF
  2. Executive Summary & Scope
  3. Key Judgments
  4. Priority Intelligence Requirements (PIRs)
  5. Third-Party Profile & Relationship Context
  6. Inherent-Risk Tiering & Scope Calibration
  7. Entity Standing & Beneficial Ownership
  8. Integrity & Compliance Screen
  9. Financial Viability & Dependency / Concentration
  10. Information Security & Data Privacy Posture
  11. Operational Resilience & Business Continuity
  12. Regulatory, Legal & Licensing Standing
  13. ESG, Labor & Modern-Slavery / Supply-Chain
  14. Fourth-Party / Subcontractor & Concentration Risk
  15. Contractual Controls & Risk-Mitigation Requirements
  16. Lifecycle & Ongoing Oversight
  17. Verified Findings Summary
  18. Red Flags & Notable Indicators
  19. Analysis of Competing Hypotheses (ACH)
  20. Key Assumptions Check (KAC)
  21. Collection Gaps & RFIs
  22. Risk Assessment & Recommendations
  23. Annex A - Sources & Methodology
  24. Annex B - Appendices

(Page numbers populate on export to Word/PDF.)


1. BLUF

2–3 sentences. Lead with the onboarding recommendation and the overall residual third-party risk after controls, then the single most decision-relevant finding. Written so a procurement, legal, or compliance officer can act on this line alone. Maintain independence from any client preference to onboard (ICD 203).

[BLUF]

2. Executive Summary & Scope

Triggering requirement (new vendor, renewal, material change, regulatory expectation); the commercial relationship and why TPRM DD was commissioned; scope in/out stated explicitly (domains reviewed per tier; what was deferred or routed). Name adjacent products consumed or deferred (integrity screen → Integrity Vetting; baseline entity → Standard Corporate DD; EDD → EDD Report; reputational → Reputational DD; ongoing monitoring → Continuous Counterparty Monitoring). Narrative of key findings by domain to the ICD 203 floor - reporting separated from analytic judgment, uncertainty drivers and change indicators named.

[EXECUTIVE SUMMARY & SCOPE]

3. Key Judgments

The analytic bottom line on onboarding viability, residual risk by domain, and the sufficiency of proposed controls and cadence. Likelihood and analytic confidence as separate columns (never combined - ICD 203); a change-indicator column stating what would shift the judgment.

#Key JudgmentLikelihoodAnalytic ConfidenceChange Indicator (what would shift it)
KJ-1[e.g., The third party presents acceptable residual risk for onboarding at the proposed tier once specified contractual controls and pre-onboarding remediation are implemented][ICD 203 term][HIGH/MOD/LOW][ ]
KJ-2[e.g., Information-security posture is adequate for the data-access level after remediation][ ][ ][ ]
KJ-3[e.g., Financial viability/concentration does not create unacceptable dependency][ ][ ][ ]
KJ-4[e.g., The contractual controls are sufficient to manage identified risks if executed][ ][ ][ ]
KJ-5[e.g., The recommended oversight tier and re-DD cadence are proportionate to the risk][ ][ ][ ]

4. Priority Intelligence Requirements (PIRs)

Collection-management spine for TPRM onboarding. State each PIR, the answer, key evidence, and analytic confidence. Summarize in the matrix.

  • PIR-1 - Tier & scope calibration: What is the third party’s inherent-risk tier, and does the depth of review match the tier-driven requirements? [Answer / evidence / confidence]
  • PIR-2 - Integrity & compliance baseline: Does the third party (and its controlling parties) present sanctions, ABAC, AML, UBO-opacity, or material adverse-media exposure that should block or condition onboarding? (Integrated from Integrity Vetting.) [ ]
  • PIR-3 - InfoSec & data-privacy adequacy: Are information-security and data-privacy controls, certifications, and breach history commensurate with the sensitivity/volume of client data or systems accessed? [ ]
  • PIR-4 - Resilience & concentration: Are there single-points-of-failure, untested BCP/DR, or fourth-party/subcontractor concentrations creating unacceptable continuity or hidden-risk exposure? [ ]
  • PIR-5 - Contractual controls sufficiency: Does the existing/proposed contract contain enforceable right-to-audit, security/data-protection, ABAC flow-down, SLA, insurance, and exit/data-return provisions adequate to the risks? [ ]
  • PIR-6 - Lifecycle & oversight proportionality: What onboarding decision, re-DD cadence, offboarding triggers, and continuous-monitoring enrollment (Continuous Counterparty Monitoring) are proportionate to the tier and residual risk? [ ]
  • [Add engagement-specific PIRs.]
PIRAnswer (summary)ConfidenceKey Gap
PIR-1[ ][H/M/L][ ]
PIR-2[ ][H/M/L][ ]
PIR-3[ ][H/M/L][ ]
PIR-4[ ][H/M/L][ ]
PIR-5[ ][H/M/L][ ]
PIR-6[ ][H/M/L][ ]

5. Third-Party Profile & Relationship Context

Establish the commercial and operational context: exactly what service/function the third party provides, its criticality to client operations, the client’s dependency (spend, substitutability, switching cost), and the nature/extent of data, system, or premises access granted or proposed. Include key identifiers, relationship history/duration, and any recent material change (ownership, scope, access expansion). State entity-resolution confidence. Source and grade each entry.

AttributeFindingSource Grade
Legal name / registration / jurisdiction[ ][A–F/1–6]
Trading / other names[ ][ ]
Service provided to client[ ][ ]
Criticality to client operations[Mission-critical / Important / Ancillary][ ]
Client spend / % of category[ ][ ]
Vendor dependency on client (% of its revenue)[ ][ ]
Data / system access level (specifics)[None / Limited / Sensitive / Privileged][ ]
Premises / personnel access[ ][ ]
Relationship duration & status[ ][ ]
Recent material changes[ ][ ]

6. Inherent-Risk Tiering & Scope Calibration

The organizing spine of the report. Score each inherent-risk factor against the criteria in Annex A, aggregate to the Inherent-Risk Tier, and state how the assigned tier set the depth of review performed here and the recommended ongoing oversight / re-DD cadence. No domain findings belong in this section - only the tiering logic and calibration statement.

Inherent-risk factorRatingRationale / evidenceSource Grade
Criticality of service[Low/Med/High/Crit][ ][ ]
Data / system / premises access[ ][ ][ ]
Client spend / dependency[ ][ ][ ]
Geographic / jurisdiction risk[ ][ ][ ]
Regulatory sensitivity[ ][ ][ ]
Relationship type (intermediary/agent vs. direct)[ ][ ][ ]

Inherent-Risk Tier assigned: [Critical / High / Medium / Low].

DD depth applied (per tier): [State the review depth this tier required - domains covered, evidence standard, whether enhanced collection / fourth-party mapping / technical or on-site assessment was in scope or escalated.]

Oversight cadence recommended (per tier): [State the re-DD cycle, continuous-monitoring enrollment (Continuous Counterparty Monitoring), right-to-audit frequency, and event-driven triggers proportionate to the tier - see the tier→cadence standard in §16.]

7. Entity Standing & Beneficial Ownership

Relationship-relevant entity standing (good standing, licensing existence, basic corporate health) and beneficial-ownership/control transparency. Flag any opacity affecting the risk assessment. Integrate the baseline entity survey (Standard Corporate DD) and the integrity screen (Integrity Vetting) by reference; do not duplicate the full CDD or integrity work here. State entity-resolution confidence.

AttributeFindingSource Grade
Legal existence & good standing[ ][ ]
Entity-resolution confidence[Confirmed / Probable / Possible / Unresolved][ ]
Beneficial-ownership transparency[Clear / Partial / Opaque][Integrity Vetting / registry]
Control / ownership changes (last 3 yrs)[ ][ ]
Adverse ownership / control flags[None / PEP / sanctions-adjacent / other - escalate to Integrity Vetting][Integrity Vetting]

8. Integrity & Compliance Screen

Integrate the verdict and key findings of the Vendor & Third-Party Integrity Vetting report by reference. Do not re-perform sanctions, ABAC/FCPA-UKBA, AML, UBO, or adverse-media deep screening here. Summarize the integrity verdict, any conditional findings, and the required ABAC/compliance flow-down obligations to subcontractors. Escalate any fresh gap back to Integrity Vetting via RFI (§21).

DomainVerdict (from Integrity Vetting)Key findings / conditionsFlow-down requirementSource Grade
Sanctions / restricted parties[Clear / Potential / Confirmed][ ][Required / Present / Gap][Integrity Vetting REF]
ABAC / FCPA-UKBA (incl. intermediaries)[ ][ ][ ][Integrity Vetting]
AML / counter-financing[ ][ ][ ][Integrity Vetting]
UBO / ownership opacity[ ][ ][ ][Integrity Vetting]
Adverse media (integrity-relevant)[ ][ ][ ][Integrity Vetting]
Overall integrity & compliance verdict[Clear / Clear-with-conditions / Adverse - do not onboard][ ][Specified in §15][Integrity Vetting]

9. Financial Viability & Dependency / Concentration

Assess the third party’s financial health (credit/distress signals, liquidity, profitability trend, going-concern/insolvency indicators) and the bilateral concentration risk (client’s spend concentration in this vendor; the vendor’s revenue concentration on the client). Note any dependency that would make disruption or vendor distress material to the client. Defer forensic financial work to EDD.

FactorFindingSource Grade
Credit / distress indicators[ ][ ]
Liquidity / going-concern indicators[ ][ ]
Client spend concentration[ ][ ]
Vendor revenue concentration on client[ ][ ]
Switching cost / substitutability[Low / Medium / High][ ]
Overall financial / dependency risk[Low / Moderate / Elevated / High][ ]

10. Information Security & Data Privacy Posture

Evaluate the third party’s information-security and data-privacy controls, independent assurance (SOC 2 Type II, ISO 27001, or equivalent), questionnaire evidence, breach/incident history, data-residency / cross-border processing, and controls around any privileged or sensitive access. Tie directly to the data-access level in §5/§6. Mark self-attested evidence as lower-reliability.

Control / areaStatus / evidenceGaps or issuesSource Grade
SOC 2 Type II (or equivalent) - currency & scope[ ][ ][ ]
ISO 27001 / other certifications[ ][ ][ ]
Security questionnaire (SIG / custom)[ ][ ][ ]
Breach / incident history (last 5 yrs)[ ][ ][ ]
Data residency & cross-border transfers[ ][ ][ ]
Privileged-access controls & logging[ ][ ][ ]
Overall InfoSec & privacy posture for the access level[Strong / Moderate-with-gaps / Weak / Critical][ ][ ]

11. Operational Resilience & Business Continuity

Assess BCP/DR posture (plans, testing cadence, RTO/RPO commitments), single-points-of-failure (technical, geographic, personnel, supplier), and service-continuity risk given the criticality and access level in §5/§6.

FactorFindingSource Grade
BCP / DR documentation & commitments (RTO/RPO)[ ][ ]
Last independent test / exercise[ ][ ]
Single-points-of-failure (technical / geographic / people)[ ][ ]
Service continuity / failover capability[ ][ ]
Overall operational-resilience risk[Low / Moderate / Elevated / High][ ]

Confirm the third party holds the licenses, permits, and authorizations required to lawfully provide the service at the scale and in the jurisdictions involved. Note material regulatory actions, enforcement, licensing restrictions, or compliance gaps relevant to the client’s use of the service.

AreaFindingSource Grade
Required licenses / authorizations for the service[ ][ ]
Recent regulatory actions / enforcement (last 5 yrs)[ ][ ]
Compliance-program maturity (relevant to service)[ ][ ]
Overall regulatory / legal standing risk[Low / Moderate / Elevated][ ]

13. ESG, Labor & Modern-Slavery / Supply-Chain

Assess ESG policy/performance, labor practices, modern-slavery / human-trafficking risk and due-diligence statements (per applicable statutes), and supply-chain responsibility posture. Focus on risks that could create reputational, legal, or operational exposure for the client through the relationship.

FactorFindingSource Grade
ESG policy & reporting[ ][ ]
Modern-slavery statement & due-diligence / supply-chain mapping[ ][ ]
Labor / workforce risk indicators[ ][ ]
Supply-chain responsibility (Tier-1 focus)[ ][ ]
Overall ESG / labor / modern-slavery risk[Low / Moderate / Elevated / High][ ]

14. Fourth-Party / Subcontractor & Concentration Risk

Map the third party’s critical subcontractors, suppliers, and service providers that support the client’s service or data flows (fourth-party / Nth-party). Identify concentration (single/limited sources for key components, shared upstream providers across the client’s vendors, geographic concentration) and assess the client’s indirect exposure. Note any contractual requirement for the third party to maintain and share an accurate fourth-party register and to flow down equivalent controls.

Fourth party / subcontractorService / component to the third party% of serviceRisk notes (integrity / resilience / data / geography)Client exposure via this pathSource Grade
[ ][ ][ ][ ][ ][ ]

Overall fourth-party / concentration risk: [Low / Moderate / Elevated / Critical] - [drivers].

15. Contractual Controls & Risk-Mitigation Requirements

Gap analysis between the current contractual framework (MSA, SOW, DPA, etc.) and the controls required for the inherent-risk tier and identified residual risks. Cover right-to-audit, security & data-protection clauses, ABAC/compliance flow-down to subcontractors, SLAs/performance, insurance minimums, exit/termination assistance, and data return/destruction. State the specific clauses or amendments required before onboarding or renewal.

Required controlCurrent statusGapRecommended clause / actionPriority
Right-to-audit (security, data processing, compliance)[Present-with-limits / Absent][ ][ ][H/M/L]
Security & data-protection addendum / DPA[ ][ ][ ][ ]
ABAC / compliance flow-down to subcontractors[ ][ ][ ][ ]
SLA / service performance & remedies[ ][ ][ ][ ]
Insurance (cyber, E&O, professional, etc.)[ ][ ][ ][ ]
Exit / termination assistance & data return/destruction[ ][ ][ ][ ]
Overall contractual-controls posture[Adequate-with-amendments / Material gaps - remediate pre-onboard][ ][List required amendments as conditions in §22][ ]

16. Lifecycle & Ongoing Oversight

State the recommended onboarding decision, the re-DD cadence by inherent-risk tier, offboarding triggers, and the routing of continuous monitoring to Continuous Counterparty Monitoring. Define event-driven triggers that accelerate re-assessment or offboarding.

Recommended onboarding decision: [APPROVE / APPROVE WITH CONDITIONS / REMEDIATE THEN REASSESS / REJECT / OFFBOARD] - (detailed in §22).

Tier → re-DD cadence (firm standard; adjust for residual risk):

Inherent-risk tierRe-DD cycleContinuous monitoring (Continuous Counterparty Monitoring)
Critical[≈12 months]Enrolled; [highest-frequency] risk-delta reporting
High[≈18 months]Enrolled; [periodic] risk-delta reporting
Medium[≈24–36 months]Event-driven; enrolled if sensitive data access
Low[≈36+ months]Event-driven only

Offboarding / accelerated-review triggers: [e.g., adverse integrity or sanctions finding from Integrity Vetting / Continuous Counterparty Monitoring; material breach of security, data-protection, or ABAC obligations; sustained SLA/resilience failure; change of control to a high-risk party; failure to complete required remediation by deadline; material financial or fourth-party deterioration.]

Continuous-monitoring routing: [State which tiers/access levels must be enrolled in Continuous Counterparty Monitoring and the specific watch indicators for this relationship - e.g., sanctions/PEP hits on the entity or UBOs; integrity/ESG adverse media; financial distress; breach notifications; ownership/key-personnel changes; lapse of required certifications; SLA degradation.]

17. Verified Findings Summary

#FindingStatusConfidenceMateriality
1[ ][Verified / Unverified / Contradicted][H/M/L][ ]

18. Red Flags & Notable Indicators

#Red FlagDomain (§)SeverityBasisDisposition
1[ ][ ][Crit/High/Med/Low][ ][Reject / Remediate / Condition / Monitor / Note]

Severity definitions (tied to the onboarding decision): Critical - material risk that cannot be adequately mitigated by contractual controls or monitoring; supports REJECT or immediate OFFBOARD. High - material risk requiring remediation or additional controls before onboarding; supports APPROVE WITH CONDITIONS or REMEDIATE THEN REASSESS. Medium - manageable with conditions, monitoring, or contractual protections. Low - note and monitor; does not alter the decision by itself.

19. Analysis of Competing Hypotheses (ACH)

Apply to the central question - whether the third party represents acceptable residual risk under the recommended controls and cadence, versus whether material risk (integrity, security, resilience, or concentration) is concealed or unmitigated. State the hypotheses, the diagnostic evidence for/against each, and the most consistent explanation. If no genuine ambiguity exists, state that and omit the ceremony - do not pad.

Evidence / IndicatorH1: [ ]H2: [ ]H3: [ ]
[ ][C/I/N][C/I/N][C/I/N]

(C = consistent · I = inconsistent · N = neutral.) Most consistent hypothesis: [ ] - [rationale + what would change it].

20. Key Assumptions Check (KAC)

#AssumptionBasisConfidenceImpact if Wrong
1[e.g., Vendor questionnaire responses and attestations are materially accurate on security, fourth-party, and compliance posture][ ][H/M/L][ ]
2[e.g., The integrity & compliance screen (Integrity Vetting) remains current and complete as of the as-of date][ ][ ][ ]
3[e.g., Client-provided spend/access/criticality data accurately reflects the actual and proposed relationship][ ][ ][ ]

21. Collection Gaps & RFIs

GapImpact on assessmentRecommended collectionEscalation targetPriority
[ ][ ][ ][Integrity Vetting / EDD / Reputational / Continuous Monitoring / security-assessment / legal / procurement][H/M/L]

22. Risk Assessment & Recommendations

22.1 Residual Third-Party Risk Matrix

Score governing domains for residual risk (after the recommended controls in §22.2). Likelihood of a materially adverse outcome (1–5) × Impact on the client (1–5) = 1–25. The overall row sets the Third-Party-Snapshot assessment.

Domain / risk areaLikelihood (1–5)Impact (1–5)Score (1–25)Band
Integrity & compliance[ ][ ][ ][Low/Mod/Elevated/High/Critical]
Financial viability & dependency[ ][ ][ ][ ]
Information security & data privacy[ ][ ][ ][ ]
Operational resilience & continuity[ ][ ][ ][ ]
Regulatory, legal & licensing[ ][ ][ ][ ]
ESG, labor & modern-slavery[ ][ ][ ][ ]
Fourth-party / concentration[ ][ ][ ][ ]
Overall residual[ ][ ]

22.2 Recommendations

  • Onboarding decision: [APPROVE / APPROVE WITH CONDITIONS / REMEDIATE THEN REASSESS / REJECT / OFFBOARD]. [Conditions/remediation are mandatory pre-onboarding or pre-renewal unless explicitly time-phased with compensating controls.]
  • Required contractual controls (minimum, pre-go-live/renewal): [Right-to-audit; updated DPA / security addendum; ABAC/sanctions/data-protection flow-down to subcontractors; SLA with remedies; insurance minimums; exit assistance + data return/destruction; fourth-party register maintenance & attestation.]
  • Remediation items & deadlines: [Item - owner - deadline (pre-onboarding unless noted).]
  • Assigned oversight tier & re-DD cadence: [Tier; re-DD interval; enrollment in Continuous Counterparty Monitoring; right-to-audit frequency.]
  • Escalations / RFIs: [Open gaps from §21 to close before sign-off; route to Integrity Vetting, EDD, Reputational DD, security-assessment, or legal/procurement as needed.]
  • Ongoing monitoring: [Route to Continuous Counterparty Monitoring with the watch indicators from §16; material adverse change or lapse of required certifications/compliance triggers immediate re-assessment and potential offboarding review.]

23. Annex A - Sources & Methodology

Collection methods and scope; the handling/reliability grading of vendor self-attestation and questionnaire evidence; the source register graded with the Admiralty two-axis code; the reference scales (below); the likelihood-vs-confidence separation statement; entity-resolution-confidence definition; screening-list-governance note; and the inherent-risk-tiering methodology (criteria → tier).

Vendor self-attestation reliability: vendor questionnaire responses, attestations, and self-reported data (fourth-party registers, breach history, control descriptions) are treated as self-attestation and graded at C (fairly reliable) or lower unless independently corroborated by primary documentation or third-party assurance (e.g., a current SOC 2 Type II from a qualified auditor). Self-attestation is caveated at point of use; absence of adverse information from the vendor is not evidence of absence.

Source reliability (Admiralty, A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged.

Information credibility (Admiralty, 1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged. (Each sourced datum carries a two-character grade, e.g., B2.)

Estimative probability / likelihood (ICD 203): almost no chance / remote (01–05%) · very unlikely (05–20%) · unlikely (20–45%) · roughly even chance (45–55%) · likely (55–80%) · very likely (80–95%) · almost certain (95–99%).

Analytic confidence (evidence base - kept separate from likelihood): HIGH (multiple independent reliable sources, primary documentation, no significant contradiction) · MODERATE (some corroboration, gaps, minor unresolved inconsistency) · LOW (single/uncorroborated source, significant gaps, plausible alternatives open). Never combine a likelihood term and a confidence level in the same sentence.

Risk scoring: Likelihood (1–5) × Impact (1–5) = 1–25; key: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.

Entity-resolution confidence: Confirmed / Probable / Possible / Unresolved - with matched identifiers (registration number, LEI, address, key officers/UBOs, website/domain) stated; disambiguation explicit, never assumed.

Screening-list governance: every list screened is recorded with provider and version/as-of date; matches dispositioned (true/false/inconclusive) with discriminating identifiers; apparent hits are potential matches only, requiring client confirmation and, where indicated, competent-authority guidance before any action or onboarding.

Inherent-risk-tiering methodology (criteria → tier): each factor is scored Low / Medium / High / Critical against the criteria below; the aggregate profile sets the tier (Critical = multiple High/Critical factors, or privileged access + high dependency; High = ≥2 High factors or one Critical; Medium = balanced default; Low = minimal exposure across all factors). The tier directly sets DD depth and oversight cadence (§6, §16).

  • Criticality of service: Low = easily substitutable / low impact · Medium = material but replaceable · High = difficult to substitute / high disruption impact · Critical = mission-critical, no practical substitute or a regulatory continuity requirement.
  • Data / system / premises access: Low = none · Medium = limited / non-sensitive · High = sensitive data or systems · Critical = privileged access, large-scale PII/health/financial data, or unescorted access to sensitive areas.
  • Client spend / dependency: Low = small spend / low switching cost · Medium = moderate spend or dependency · High = high spend or high % of category · Critical = single-source, or client concentration material to vendor viability.
  • Geographic / jurisdiction risk: Low = low-corruption / strong rule-of-law · Medium = moderate indices · High = high-corruption or elevated sanctions exposure · Critical = sanctioned or high-risk jurisdiction with material operations.
  • Regulatory sensitivity: Low = unregulated · Medium = standard regulated activity · High = regulated data / critical infrastructure / financial-services support · Critical = direct regulatory obligation or systemic importance.
  • Relationship type: Low = direct supplier of goods/services · High/Critical = acts as agent/intermediary or processes client funds/data on the client’s behalf (higher ABAC and flow-down exposure).

24. Annex B - Appendices

  • Appendix A - Entity & Identifier Index: legal/trading names, registration number(s), LEI, addresses, websites, key contacts, prior names/jurisdictions.
  • Appendix B - Beneficial-Ownership Chart: UBO structure pointer (or reference to Integrity Vetting / Standard Corporate DD output); identified UBOs with % and control type.
  • Appendix C - Inherent-Risk-Tiering Worksheet: factor-by-factor scoring with raw evidence and rationale (backup to §6).
  • Appendix D - Integrity-Screen Reference: cross-reference to Integrity Vetting - Report Reference, date, overall verdict, key conditions/escalations.
  • Appendix E - Security / Data-Privacy Evidence Log: certifications, questionnaires, audit reports, attestations, and data-flow diagrams received, with dates, scopes, validity.
  • Appendix F - Fourth-Party / Subcontractor Register: critical subs (name, service, % exposure, risk notes, flow-down status, last attestation).
  • Appendix G - Contractual-Control & Remediation Tracker: current vs. required controls (backup to §15); remediation items with owner and deadline.
  • Appendix H - Screening-Hit Log: lists screened, versions/dates, hits and dispositions.
  • Appendix I - Full Source Register: every source, Admiralty grade, access date, reference (open/licensed and client/vendor-provided).
  • Appendix J - Glossary & Abbreviations: TPRM, fourth-party/Nth-party, flow-down, right-to-audit, inherent vs. residual risk, RTO/RPO, DPA, SCC, ABAC, modern slavery, and other key terms.
  • Appendix K - Revision History.

END OF REPORT.

Verification disclaimer: This report is a point-in-time intelligence and third-party risk assessment based on open and licensed sources, client-provided information, and vendor-supplied evidence current as of the as-of date; it is not an audit, a SOC 2 / ISO certification, a legal/financial opinion, or a guarantee of any third party’s future performance, compliance, security, or solvency. Screening hits are potential matches requiring client confirmation and, where indicated, competent-authority guidance before any dealing or onboarding. Absence of an adverse finding is not assurance of absence. The client remains responsible for its own due-diligence, procurement, legal, compliance, and risk decisions and for satisfying its regulatory obligations. Verify findings before any consequential onboarding or oversight decision.

Document control footer: [REF-YYYY-### · Version · Classification/TLP · Prepared/Reviewed/Approved · Distribution].

Model wiring

Generated from cell frontmatter at publish time.