What do these engagements focus on?
The primary focus here is to identify the primary cyber risks that your company carries.
The ultimate goal of all information security programs is to lower the cyber risk of a company.
Risk = the likelihood that something bad happens and results in monetary or reputational loss to your company. The risk equation = the exploitation of a vulnerability by a threat against an asset.
For example, working backwards: you have a computer system (the asset) that is attacked by a hacker (the threat) who takes advantage of (exploits) a flaw in your system or security (a vulnerability). That incident results in either monetary or reputational loss to your company.
Another example - you have a server with sensitive data on it (the asset) that is changed by an internal employee (the threat) who mishandles the change and destroys data (the exploit) in the absence of a policy, procedure, or system to prevent this type of result (the vulnerability). Yes, human error is also a major threat to the security of your company.
Determining your level of risk and how best to mitigate it is what a risk assessment is supposed to accomplish. Much of this is determined and surfaced by conducting a security posture examination (more on that here).
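As an added illustration (not code from the page or from the consultancy it describes), the following small risk register scores the two scenarios above with the asset / threat / vulnerability model and shows how a control lowers the residual risk. The 1-5 likelihood and impact scales, the rating thresholds, the control effects and the sample scenarios are all constructed assumptions for demonstration.

```python
# Added example: a minimal risk register using the asset / threat / vulnerability model.
# Scales, thresholds, control effects and scenarios are constructed assumptions.

from dataclasses import dataclass, field
from typing import List, Tuple

# A control is (name, likelihood_reduction, impact_reduction), on the same 1..5 scales.
Control = Tuple[str, int, int]


@dataclass
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe monetary / reputational loss), assumed scale
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk before any control is applied: likelihood x impact (1..25)."""
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """Risk after controls; neither factor can drop below 1 (risk is never zero)."""
        lik_cut = sum(c[1] for c in self.controls)
        imp_cut = sum(c[2] for c in self.controls)
        return max(1, self.likelihood - lik_cut) * max(1, self.impact - imp_cut)


def rating(score: int) -> str:
    """Map a 1..25 score onto a qualitative band (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_register(scenarios: List[Scenario]) -> List[Scenario]:
    """Order scenarios so the assessment reports the largest residual risk first."""
    return sorted(scenarios, key=lambda s: s.residual_risk(), reverse=True)


def build_sample_register() -> List[Scenario]:
    """The two scenarios from the text, with constructed scores and controls."""
    external = Scenario(
        asset="internet-facing web server",
        threat="external attacker",
        vulnerability="unpatched software flaw",
        likelihood=4, impact=5,
        controls=[("patch management with a fixed SLA", 2, 0)],
    )
    insider_error = Scenario(
        asset="file server holding sensitive data",
        threat="internal employee making an unreviewed change",
        vulnerability="no change-control policy and no tested backups",
        likelihood=3, impact=4,
        controls=[
            ("change-control policy with peer review", 1, 0),
            ("tested offline backups", 0, 2),  # limits loss, does not stop the mistake
        ],
    )
    return [external, insider_error]


if __name__ == "__main__":
    for s in rank_register(build_sample_register()):
        print(f"{s.asset}: inherent {s.inherent_risk()} ({rating(s.inherent_risk())}), "
              f"residual {s.residual_risk()} ({rating(s.residual_risk())})")
```

The separation of inherent and residual scores is the useful part for an assessment: it records the exposure before any control, which controls are counted, and the exposure that remains, so the ranking reflects what is actually mitigated rather than what is planned.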