Many organizations and third-party risk management (TPRM) programs build their reassessment plans based on the apparent risk of each vendor relationship.
As a result, many programs spend precious resources assessing the same inherently high-risk vendors annually, many of whom have effective controls, rather than focusing their attention on vendors with fewer controls in place.