Why you might have several engagements with a single third party

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Why You Might Have Several Engagements with a Single Third Party

    When onboarding a third party, it is essential to conduct separate engagements for different types of relationships. Each engagement requires tailored risk assessments based on the distinct services provided, access to sensitive information, and potential impacts on your organization’s infrastructure.

    Show full answer Show less

    Key Features

    • Separate Risk Assessments: Each engagement needs its own risk assessment to effectively manage the unique risks associated with different services.
    • Engagement States: Engagements start in an inactive state and move to active once a contract is established or a relationship with the third party is initiated.
    • Varied Risk Profiles: Different services may present varying levels of risk, necessitating different management strategies and controls.

    Key Outcomes

    By conducting individual risk assessments for each engagement, organizations can:

    • Implement tailored risk management strategies that address specific risks effectively.
    • Enhance data protection protocols when sensitive information is involved.
    • Ensure proper testing and change management practices for system integrations to mitigate potential vulnerabilities.
    • Manage physical security risks more straightforwardly in engagements like facilities management.

    While onboarding a particular third party, you might conduct a separate engagement for each distinct type of relationship that you have with the third party. One engagement is to assess the risk involved in the third party's development of software for your organization and a separate engagement is for the facilities management service that they provide.

    Different engagements of the same third party might require varying levels of risk assessment

    Note:
    The first internal step after an engagement request is approved is to start the IRQ process to scope the risk by determining the third party's risk score. An engagement starts in the inactive state. An engagement moves to the active state when a contract is in place or you take part in an active relationship with the third party.

    Different engagements of the same third party can require different levels of risk assessment due to variations in the nature of the services provided, the level of access to sensitive data or critical systems, and the potential impact on your organization's infrastructure. By conducting a separate risk assessment for each engagement, you can tailor your risk management strategies and controls to address the risks associated with each engagement effectively.

    Example — the third party will provide two distinct services

    In this example, Your organization engages with a third party for two distinct services:
    Service: Software Development Engagement
    The third party is responsible for developing a custom software application for the financial institution. This engagement involves the third party accessing and processing sensitive customer data, integrating with critical systems, and potentially introducing changes to the organization's infrastructure.
    Service: Facilities Management
    The third party is also responsible for managing the physical security and maintenance of the financial institution's office buildings. This engagement involves providing security personnel, managing access control systems, and confirming the overall safety and maintenance of the facilities.
    The services present different risk profiles and require separate risk assessment engagements:
    Engagement for the software development service

    This engagement involves a higher level of risk due to the following factors:

    • Access to sensitive data: The third party has access to customer data, which requires strict data protection and privacy controls to help prevent unauthorized access or data breaches.
    • System integration: The third party's software must integrate with critical systems, potentially impacting the stability, availability, or security of those systems. Proper testing and quality assurance procedures are crucial to minimize the risk of system failures or vulnerabilities.
    • Change management: The introduction of new software or changes to existing systems can introduce risks, such as compatibility issues, system disruptions, or software vulnerabilities. Robust change management practices and code review processes are necessary to mitigate these risks.
    Engagement for the facilities management service

    Even though this engagement also involves the same third party, the risk profile is lower when compared to the software development engagement:

    • Physical security: The focus here is on managing physical security measures, such as access control and surveillance systems. While still important, the risks associated with physical security are typically more straightforward and easier to manage compared to cybersecurity risks.
    • Maintenance and safety: The third party's responsibility is primarily related to general maintenance and promoting a safe working environment. While there are still risks associated with building maintenance (for example, safety hazards), they might be more predictable and manageable compared to the complex cybersecurity risks in the software development engagement.