Protect your reputation
A reputational risk is posed whether it’s a critical technology vendor or a non-critical vendor.
Having no due diligence on file during the vetting process is very risky and probably won’t pass muster with your regulator.
Avoid regulatory risks
You should be vetting a vendor regardless of risk level because inherent risk (the initial risk impression) is never equivalent to zero.
Basic due diligence