In the context of CRO certification, what is the most important consideration when implementing third-party risk assessment?