Why you might have several engagements with a single third party

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 2 minutes to read

While onboarding a particular third party, you might conduct a separate engagement for each distinct type of relationship that you have with it. For example, one engagement assesses the risk involved in the third party's development of software for your organization, and a separate engagement covers the facilities management service that the same third party provides.

    Different engagements of the same third party might require varying levels of risk assessment

Note:
The first internal step after an engagement request is approved is to start the IRQ process, which scopes the risk by determining the third party's risk score for that engagement. An engagement starts in the inactive state. It moves to the active state when a contract is in place or when you take part in an active relationship with the third party.

Different engagements of the same third party can require different levels of risk assessment because the nature of the services provided, the level of access to sensitive data or critical systems, and the potential impact on your organization's infrastructure vary from one engagement to the next. By conducting a separate risk assessment for each engagement, you can tailor your risk management strategies and controls to the risks of that engagement rather than applying a single assessment to the third party as a whole.

    Example — the third party will provide two distinct services

In this example, your organization (a financial institution) engages a single third party for two distinct services:

Service: Software development
The third party is responsible for developing a custom software application for the financial institution. This engagement involves the third party accessing and processing sensitive customer data, integrating with critical systems, and potentially introducing changes to the organization's infrastructure.

Service: Facilities management
The third party is also responsible for managing the physical security and maintenance of the financial institution's office buildings. This engagement involves providing security personnel, managing access control systems, and ensuring the overall safety and maintenance of the facilities.

The services present different risk profiles and therefore require separate risk assessment engagements.

Engagement for the software development service

    This engagement involves a higher level of risk due to the following factors:

• Access to sensitive data: The third party has access to customer data, which requires strict data protection and privacy controls to prevent unauthorized access or data breaches.
• System integration: The third party's software must integrate with critical systems and can affect the stability, availability, or security of those systems. Proper testing and quality assurance procedures are essential to minimize the risk of system failures or vulnerabilities.
• Change management: Introducing new software or changing existing systems can cause compatibility issues, system disruptions, or software vulnerabilities. Robust change management practices and code review processes are necessary to mitigate these risks.
    Engagement for the facilities management service

Even though this engagement involves the same third party, its risk profile in this example is lower than that of the software development engagement:

• Physical security: The focus here is on managing physical security measures, such as access control and surveillance systems. While still important, the risks associated with physical security are typically more straightforward and easier to manage than cybersecurity risks. Because the third party also manages the access control systems, the IRQ for this engagement should still establish which systems those are and what access the third party has to them.
• Maintenance and safety: The third party's responsibility is primarily general maintenance and promoting a safe working environment. There are still risks associated with building maintenance (for example, safety hazards), but they are generally more predictable and manageable than the complex cybersecurity risks in the software development engagement.