Run Your Third-Party Risk Management Program in Auto-Pilot Mode

INTEGRATED THIRD-PARTY RISK MANAGEMENT PLATFORM

ENGAIZ’s Third-Party Risk Management – A fully customizable risk assessment framework

Any robust risk management program should consider both inherent and residual risks. Inherent Risk is the level of risk in place before any actions are taken to alter the risk’s impact or likelihood. Residual Risk is the remaining level of risk following the development and implementation of the controls or any response to the risk.

The risks included in the preliminary risk identification process are usually referred to as a “risk universe”: a listing of the risks that the organization faces. These risks are typically organized by standard risk categories such as strategic, financial, operational and compliance.

The steps between the assessment of inherent risk and the final evaluation of residual risk may vary somewhat from organization to organization. The ENGAIZ Third-Party Risk Management module gives you the ability to customize the risk scoring mechanism.
    • Vendor Preliminary Assessment
    • Categorize Vendors based on Criticality & Inherent Risks
    • Assess around 20+ Risk Dimensions, Potential Impact & Likelihood of occurrence
    • ENGAIZ - Inherent Risk Scoring Algorithm
    • Detailed Information Gathering & Self Assessments
    • Controls Mapping
    • Controls Testing & Assessment (150+ Standard Controls)
    • Controls Effectiveness
    • Remediation Plan
    • ENGAIZ - Residual Risk Scoring Algorithm
    • Continuous Monitoring & Reviews
    • Key Risk Indicators (KRIs)

The platform employs a holistic set of industry best practices for gathering and assessing critical risk domains of vendors including information technology, cybersecurity, privacy, resiliency and data security risks.

    • Privacy Risk
    • Regulatory & Compliance
    • Strategic Risk
    • Reputational Risk
    • Operational Risk
    • Insurance Risk
    • Human Resources
    • Transactional / Performance Risk
    • Financial Risk
    • PEP, Sanctions & Adverse Media
    • Geography / Country Risk
    • Concentration Risk
    • Legal Risk
    • Cyber Security Risk
    • Physical, Application, Infrastructure & Network Access
    • Business Resiliency Risk
    • Cloud Hosting Risk

CRITICALITY ASSESSMENT

Categorize your vendor ecosystem based on criticality. It is important for your organization to know which vendor provides a critical service which, if disrupted, will have internal or external impacts on your customers. Also, how difficult would it be to transition away from or replace your current provider?


INHERENT RISK ASSESSMENT & SCORING

Inherent Risk is the level of risk in place before any actions are taken to alter the risk’s impact or likelihood. ENGAIZ has a fully customizable framework to identify and perform a preliminary assessment of the various risk dimensions.

We have a customizable scoring mechanism based on likelihood of occurrence and impact.

AUTOMATED SELF-ASSESSMENT

The ENGAIZ Third-Party Risk Management module allows risk managers to initiate risk assessments automatically based on certain events, or at will. The platform provides a centrally manageable dashboard to track all vendor assessments. Third parties complete the assessments through secure access to a vendor portal.


REVIEW, EVALUATE & SCORE SELF-ASSESSMENT RESPONSE


Vendor self-assessments are automatically evaluated and any exceptions are highlighted for the attention of the risk managers.

STANDARD CONTROLS & CUSTOM CONTROLS


The platform comes with a set of standard controls and also allows your organization to design and establish custom or compensatory controls.


MAP CONTROLS TO INHERENT RISKS


The Third-Party Risk Management module can map relevant controls to the inherent risks identified. This way you can verify that every identified risk has an associated mitigating control.

INITIATE CONTROL ASSESSMENTS


The platform can initiate Standard Control Assessments for your third parties. This sends a notification to your vendor contacts, allowing them to prepare and share key documents in advance via the secure vendor portal.


CONDUCT ONSITE CONTROL ASSESSMENTS


To ensure that controls are operating as intended, testing and assessment of controls is usually necessary, particularly in automated processes. The testing provides confidence that controls have reduced risk to a tolerable level.

Our platform helps your vendor risk assessment teams with the testing procedures required to evaluate the effectiveness of third-party controls.


ASSESS EFFECTIVENESS OF CONTROLS

Designing and establishing controls is only one side of the equation; testing whether the controls in place actually control the risk effectively is the other.

Our platform helps you clearly track which controls are effective and which are not.

RESIDUAL RISK SCORING


Residual Risk is the remaining level of risk following the development and implementation of the controls. Upon completion of the controls assessment, our platform provides a view of the residual risk levels and whether they are within the organization’s tolerance limit.


REVIEW & APPROVE


Any risk that remains needs to be reviewed and approved by the business. Our platform allows for periodic reviews.
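The chain of steps walked through above (criticality tier, inherent scoring from likelihood and impact, mapping controls to risks, control effectiveness, residual scoring and a tolerance review) is easy to make concrete. The following is an added illustration, not ENGAIZ code and not the platform's actual scoring algorithm: the 4-point scales, the likelihood × impact product, the tolerance-per-criticality table, the rule for combining several controls and the sample vendor are all assumptions made for this example.

```python
"""Toy inherent/residual risk scoring model for one vendor.

Added example, not ENGAIZ code. Scales, tolerance values, the control
combination rule and the sample vendor are assumptions for illustration.
"""
from dataclasses import dataclass, field
from math import prod

SCALE = range(1, 5)  # assumed 4-point scale for both likelihood and impact

# Assumed residual-risk tolerance per criticality tier (constructed values).
TOLERANCE_BY_CRITICALITY = {"critical": 4.0, "high": 6.0, "medium": 9.0, "low": 12.0}


@dataclass
class Risk:
    dimension: str
    likelihood: int  # 1 (rare) .. 4 (almost certain)
    impact: int      # 1 (minor) .. 4 (severe)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.dimension}: likelihood and impact must be in 1..4")

    def inherent_score(self) -> int:
        # Inherent risk before any control is applied: likelihood x impact, 1..16.
        return self.likelihood * self.impact


@dataclass
class Control:
    control_id: str
    mitigates: frozenset  # risk dimensions this control is mapped to
    effectiveness: float  # from testing: 0.0 (not effective / untested) .. 1.0 (fully effective)

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.control_id}: effectiveness must be in [0, 1]")


@dataclass
class Vendor:
    name: str
    criticality: str
    risks: list
    controls: list = field(default_factory=list)

    @property
    def tolerance(self) -> float:
        # Criticality drives how much residual risk the business will accept.
        return TOLERANCE_BY_CRITICALITY[self.criticality]


def inherent_risk(vendor: Vendor) -> dict:
    return {r.dimension: r.inherent_score() for r in vendor.risks}


def unmapped_risks(vendor: Vendor) -> list:
    """Dimensions with no mapped control: the gap the mapping step exists to close."""
    covered = set().union(*(c.mitigates for c in vendor.controls))
    return [r.dimension for r in vendor.risks if r.dimension not in covered]


def residual_risk(vendor: Vendor) -> dict:
    """Residual = inherent x the fraction of risk that survives the mapped controls.

    Assumed combination rule: controls act independently, so the surviving fraction
    is the product of (1 - effectiveness) over all controls mapped to the dimension.
    A dimension with no control, or only a 0.0-effective one, keeps its inherent score.
    """
    residual = {}
    for r in vendor.risks:
        mapped = [c for c in vendor.controls if r.dimension in c.mitigates]
        surviving = prod(1.0 - c.effectiveness for c in mapped)  # empty product is 1
        residual[r.dimension] = round(r.inherent_score() * surviving, 2)
    return residual


def assess(vendor: Vendor) -> dict:
    """Full pass: inherent scoring, mapping check, residual scoring, tolerance review."""
    residual = residual_risk(vendor)
    exceptions = sorted(d for d, s in residual.items() if s > vendor.tolerance)
    return {
        "vendor": vendor.name,
        "tolerance": vendor.tolerance,
        "inherent": inherent_risk(vendor),
        "residual": residual,
        "unmapped": unmapped_risks(vendor),
        "exceptions": exceptions,  # residual above tolerance: needs business review and approval
        "within_tolerance": not exceptions,
    }


# Constructed sample vendor; dimension names follow the risk list on this page.
SAMPLE_VENDOR = Vendor(
    name="Example Payroll SaaS (constructed)",
    criticality="critical",
    risks=[
        Risk("Cyber Security Risk", likelihood=3, impact=4),
        Risk("Privacy Risk", likelihood=2, impact=4),
        Risk("Cloud Hosting Risk", likelihood=2, impact=3),
        Risk("Financial Risk", likelihood=1, impact=2),
        Risk("Concentration Risk", likelihood=3, impact=3),  # deliberately left unmapped
    ],
    controls=[
        Control("CTL-ENC", frozenset({"Cyber Security Risk", "Privacy Risk", "Cloud Hosting Risk"}), 0.75),
        Control("CTL-MFA", frozenset({"Cyber Security Risk"}), 0.5),
        Control("CTL-FINREV", frozenset({"Financial Risk"}), 0.0),  # tested, found not effective
    ],
)

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_VENDOR), indent=2))
```

Running the block on the constructed vendor shows the two outcomes a reviewer cares about: the cyber-security dimension drops from an inherent 12 to a residual 1.5 because two tested controls cover it, while the unmapped concentration risk keeps its full inherent score of 9 and is the only exception that must go to the business for review and approval.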

CYBER SECURITY


The platform obtains cyber security related data from third-party data and risk monitoring service providers. Get notified of any change in risk ratings and of reported breaches.


FINANCIAL HEALTH


The platform obtains financial health data on all your key vendor partners so that you stay on top of their financial condition.


ADVERSE MEDIA INSIGHTS, PEP, SANCTIONS


The platform screens vendors and their executive management team for adverse media and politically exposed persons (PEP), and checks that they are not on any sanctions list.


REPUTATION


The platform screens vendors for adverse media and for both good and bad press, and monitors their reputation.


COUNTRY


The platform monitors potential economic, social and political unrest, or other events, in a country if the vendor provides service from a foreign country and is a Foreign Based Technology Service Provider.

According to the Risk IT framework by ISACA, Key Risk Indicators (KRIs) are metrics capable of showing that the organization is subject, or has a high probability of being subject, to a risk that exceeds the defined risk appetite.

ENGAIZ has a set of pre-defined KRIs that can be tracked.


Bring your own customized risk assessment kit.

We recognize that every organization has its own assessment questionnaires that are internally approved by its management.

Tired of having to deal with Excel sheets? Not any more!

With the ENGAIZ Third-Party Risk Management platform, you can easily upload your assessment questionnaires, establish custom controls and leverage all the great features that ENGAIZ has to offer.

We provide you the flexibility to:

    • Customize your Risk Assessment Questionnaires
    • Establish Custom Controls
    • Easily add a new Risk Dimension or a Regulatory body

ENGAIZ provides an Integrated Third-Party Governance and Risk Management platform.

Faster Time to Maturity

Our platform will help you accelerate the third-party governance and risk management program.

If your organization has no standard framework and best practice, our out-of-box fully customizable solution can help you get started quickly and propel you towards higher levels of maturity.

Mitigate Risk

Show you are compliant to your internal and external auditors, senior management and the board.

Increase Efficiency; Cut Cost

Save resource efforts and time.

Thanks to the platform’s digital and cognitive capabilities, your organization will reduce the operational challenges of running a third-party risk management program.

Cut silos

A centralized approach to managing and mitigating the risks of all your third parties.

Drive Excellence & Innovation

Move from a focus on ‘Cost Savings’ to a focus on ‘Risk Sharing’ partnerships that foster a culture of innovation.

We are happy to schedule an exclusive demo before you start a no-obligation free trial subscription to ENGAIZ.

Platform Overview – A Sneak Preview

ENGAIZ’s Third-Party Risk Management can help accelerate your organization’s TRM maturity.

Coming Soon.

Third-Party Risk Management Maturity

How mature is your Third-Party Risk Management program?

Coming Soon.


NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.

The platform supports NIST SP 800-53 and the NIST Cyber Security Framework.

International Organization for Standardization: ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems – Requirements

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

OECD Privacy Framework

Two themes run through the updated Guidelines:
A focus on the practical implementation of privacy protection through an approach grounded in risk management, and the need to address the global dimension of privacy through improved interoperability.
The Organization for Economic Cooperation and Development (OECD) is a unique forum where the governments of 34 democracies with market economies work with each other, as well as with more than 70 non-member economies to promote economic growth, prosperity, and sustainable development.

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.

NIST Privacy Framework

The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.

New York State Department Of Financial Services 23 NYCRR 500

Summary Of The HIPAA Privacy Rules

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information”—by organizations subject to the Privacy Rule, called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

Children’s Online Privacy Protection Rule (COPPA)

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

APEC Privacy Framework

The Framework, which aims at promoting electronic commerce throughout the Asia Pacific region, is consistent with the core values of the OECD’s Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data (OECD Guidelines), and reaffirms the value of privacy to individuals and to the information society.

Federal Financial Institutions Examination Council (FFIEC), USA

The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.

Various sections of the FFIEC Handbook cover third-party risk.

The Office of the Superintendent of Financial Institutions (OSFI), Canada

The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada, established in 1987 to contribute to the safety and soundness of the Canadian financial system. OSFI supervises and regulates federally registered banks and insurers, trust and loan companies, as well as private pension plans subject to federal oversight.

OSFI’s B10 regulation on Outsourcing of Business Activities, Functions and Processes.

The NAIC Insurance Data Security Model Law

The National Association of Insurance Commissioners is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories.

“(1) A Licensee shall exercise due diligence in selecting its Third-Party Service Provider; and
(2) A Licensee shall require a Third-Party Service Provider to implement appropriate administrative, technical, and physical measures to protect and secure the Information Systems and Nonpublic Information that are accessible to, or held by, the Third-Party Service Provider.”

After financial services, the healthcare industry is known for its tight regulation, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
