Why you might have several engagements with a single third party

  • Release version: Xanadu
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Why you might have several engagements with a single third party

    This content explains why organizations may need multiple engagements with a single third party, particularly during the onboarding process. Each engagement corresponds to a distinct type of relationship, necessitating separate risk assessments tailored to the specific services provided.

    Show full answer Show less

    Key Features

    • Distinct Engagements: Each engagement is unique, requiring its own risk assessment based on the nature of the services and associated risks.
    • Risk Assessment Levels: Varying levels of risk assessments are needed depending on factors such as access to sensitive data, integration with critical systems, and potential infrastructure impacts.
    • Active and Inactive Engagement States: Engagements start in an inactive state and transition to active when a contract is established or an active relationship is formed.

    Key Outcomes

    By conducting separate risk assessments for different engagements, organizations can implement more effective risk management strategies. For example:

    • Software Development Engagement: Higher risk due to access to sensitive data, system integration challenges, and the need for robust change management practices.
    • Facilities Management Engagement: Lower risk profile focused on physical security and maintenance, with more predictable and manageable risks compared to software development.

    Understanding these distinctions helps organizations mitigate risks associated with each relationship effectively.

    While onboarding a particular third party, you might conduct a separate engagement for each distinct type of relationship that you have with the third party. One engagement is to assess the risk involved in the third party's development of software for your organization and a separate engagement is for the facilities management service that they provide.

    Different engagements of the same third party might require varying levels of risk assessment

    Note:
    The first internal step after an engagement request is approved is to start the IRQ process to scope the risk by determining the third party's risk score. An engagement starts in the inactive state. An engagement moves to the active state when a contract is in place or you take part in an active relationship with the third party.

    Different engagements of the same third party can require different levels of risk assessment due to variations in the nature of the services provided, the level of access to sensitive data or critical systems, and the potential impact on your organization's infrastructure. By conducting a separate risk assessment for each engagement, you can tailor your risk management strategies and controls to address the risks associated with each engagement effectively.

    Example — the third party will provide two distinct services

    In this example, Your organization engages with a third party for two distinct services:
    Service: Software Development Engagement
    The third party is responsible for developing a custom software application for the financial institution. This engagement involves the third party accessing and processing sensitive customer data, integrating with critical systems, and potentially introducing changes to the organization's infrastructure.
    Service: Facilities Management
    The third party is also responsible for managing the physical security and maintenance of the financial institution's office buildings. This engagement involves providing security personnel, managing access control systems, and confirming the overall safety and maintenance of the facilities.
    The services present different risk profiles and require separate risk assessment engagements:
    Engagement for the software development service

    This engagement involves a higher level of risk due to the following factors:

    • Access to sensitive data: The third party has access to customer data, which requires strict data protection and privacy controls to help prevent unauthorized access or data breaches.
    • System integration: The third party's software must integrate with critical systems, potentially impacting the stability, availability, or security of those systems. Proper testing and quality assurance procedures are crucial to minimize the risk of system failures or vulnerabilities.
    • Change management: The introduction of new software or changes to existing systems can introduce risks, such as compatibility issues, system disruptions, or software vulnerabilities. Robust change management practices and code review processes are necessary to mitigate these risks.
    Engagement for the facilities management service

    Even though this engagement also involves the same third party, the risk profile is lower when compared to the software development engagement:

    • Physical security: The focus here is on managing physical security measures, such as access control and surveillance systems. While still important, the risks associated with physical security are typically more straightforward and easier to manage compared to cybersecurity risks.
    • Maintenance and safety: The third party's responsibility is primarily related to general maintenance and promoting a safe working environment. While there are still risks associated with building maintenance (for example, safety hazards), they might be more predictable and manageable compared to the complex cybersecurity risks in the software development engagement.