Why you might have several engagements with a single third party

  • Release version: Zurich
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Why you might have several engagements with a single third party

    When working with a third party, your organization may establish multiple distinct engagements to address different types of relationships or services provided. Each engagement requires its own risk assessment because the nature, access levels, and potential impacts differ between services. This approach enables tailored risk management strategies for each specific engagement.

    Show full answer Show less

    Key Details

    • An engagement begins in an inactive state and becomes active once a contract is in place or an active relationship commences.
    • The Internal Risk Questionnaire (IRQ) process is initiated after an engagement request is approved to determine the third party’s risk score.
    • Different engagements with the same third party may require varying levels of risk assessment, depending on service type and associated risks.

    Practical Example

    Your organization may engage a third party for two distinct services:

    • Software Development: Involves access to sensitive customer data, integration with critical systems, and changes to infrastructure. This engagement has a higher risk profile requiring stringent data protection, system integration controls, change management, and quality assurance.
    • Facilities Management: Involves physical security, access control, and building maintenance. This engagement has a lower risk profile focused on managing physical security and safety hazards, which are generally more straightforward to control.

    Why This Matters

    By conducting separate risk assessments for each engagement, you can apply appropriate controls and safeguards that reflect the unique risks of each service. This ensures more effective risk mitigation and compliance with your organization’s risk management policies.

    While onboarding a particular third party, you might conduct a separate engagement for each distinct type of relationship that you have with the third party. One engagement is to assess the risk involved in the third party's development of software for your organization and a separate engagement is for the facilities management service that they provide.

    Different engagements of the same third party might require varying levels of risk assessment

    Note:
    The first internal step after an engagement request is approved is to start the IRQ process to scope the risk by determining the third party's risk score. An engagement starts in the inactive state. An engagement moves to the active state when a contract is in place or you take part in an active relationship with the third party.

    Different engagements of the same third party can require different levels of risk assessment due to variations in the nature of the services provided, the level of access to sensitive data or critical systems, and the potential impact on your organization's infrastructure. By conducting a separate risk assessment for each engagement, you can tailor your risk management strategies and controls to address the risks associated with each engagement effectively.

    Example — the third party will provide two distinct services

    In this example, Your organization engages with a third party for two distinct services:
    Service: Software Development Engagement
    The third party is responsible for developing a custom software application for the financial institution. This engagement involves the third party accessing and processing sensitive customer data, integrating with critical systems, and potentially introducing changes to the organization's infrastructure.
    Service: Facilities Management
    The third party is also responsible for managing the physical security and maintenance of the financial institution's office buildings. This engagement involves providing security personnel, managing access control systems, and confirming the overall safety and maintenance of the facilities.
    The services present different risk profiles and require separate risk assessment engagements:
    Engagement for the software development service

    This engagement involves a higher level of risk due to the following factors:

    • Access to sensitive data: The third party has access to customer data, which requires strict data protection and privacy controls to help prevent unauthorized access or data breaches.
    • System integration: The third party's software must integrate with critical systems, potentially impacting the stability, availability, or security of those systems. Proper testing and quality assurance procedures are crucial to minimize the risk of system failures or vulnerabilities.
    • Change management: The introduction of new software or changes to existing systems can introduce risks, such as compatibility issues, system disruptions, or software vulnerabilities. Robust change management practices and code review processes are necessary to mitigate these risks.
    Engagement for the facilities management service

    Even though this engagement also involves the same third party, the risk profile is lower when compared to the software development engagement:

    • Physical security: The focus here is on managing physical security measures, such as access control and surveillance systems. While still important, the risks associated with physical security are typically more straightforward and easier to manage compared to cybersecurity risks.
    • Maintenance and safety: The third party's responsibility is primarily related to general maintenance and promoting a safe working environment. While there are still risks associated with building maintenance (for example, safety hazards), they might be more predictable and manageable compared to the complex cybersecurity risks in the software development engagement.