Which key questions to ask while vetting an incident response company?

When vetting a company where you are unqualified to assess the service they would provide, the main thing to ask for is references, so you can talk to their own customers.

As for your list of risks that you want to mitigate:

The biggest mitigation is the contract, not the qualifying questions you ask.

Company does not have someone available for us right when we need them

If you need a certain availability, that should be in the SLA, not a question on a vetting list.

Company sends someone lacking experience & competence to help us

This is also an SLA issue. The maximum level of the expertise in the company is determined by the vetting process, but who they ultimately send needs to be covered in an SLA.

Our understanding of how much it costs to involve Company is way off

This isn’t a vetting question at all, but a contract question.

We lack experience & competence to efficiently communicate with essentially unknown contractors during a crisis

We lack appropriate documentation and credential-sharing procedures to get them set up quickly

These are not vetting questions at all, but completely separate issues. I’m not sure why they are on the list.