Documenting Engagements
The following diagram shows the process of documenting engagements.
Note: Tasks 1 and 2 must be performed in sequential order. Tasks 3 to 6 can be performed in any order that suits your business processes.
Here are the tasks to document engagements:
- Create a prospective engagement, including selecting the Third Party being evaluated for the engagement and the engagement type. The engagement type determines which insurance certificates are required for the prospective engagement. For more information, see Managing Certificates of Insurance.
- Perform engagement risk assessments, which are a multi-step process that involves evaluating the inherent risk of an engagement by risk category, generating and distributing a questionnaire for the third party to complete, and evaluating the residual risk. Inherent risk is the impact and likelihood of a risk in the absence of controls and risk transfer. Measure residual risk to evaluate controls that are in place to mitigate inherent risk for each risk category.
- Use the Financial Viability Risk Assessment to evaluate the financial ratios of third parties and engagements, and to ensure that they conform to your organization's standards for acceptable ongoing risk. This assessment provides insight into the financial state of your third party, and can help you make an educated decision about moving into a contractual relationship with a prospective third party.
- Collect insurance requirements. Document your third party’s proof of insurance, and monitor and manage any omissions and exceptions to your insurance requirements.
- Monitor subcontractor dependencies. If you have the Archer Third Party Risk Management use case licensed, you can calculate the subcontractor exposure for engagements. The subcontractor Governance Rating is a measure of the adequacy of a third party's governance of its supply chain risk.
- Respond to RFPs.