I understand that “imperfect” might induce some quease. And, yes, third party due diligence should be as close to perfect as available tools and budgets permit. But risk assessments aren’t perfect and don’t need to be to be defensible. Compliance professionals rarely agree on all criteria for a risk-ranking, much less the relative weight assigned to each.