Third Party Risks


My notes, live, from Third Party Risks with Matt Tanzer of Tyco International and Chris Nowak of Wyndham Worldwide.

For Tyco they have 110,000 employees around the world, most outside the United States.  Their first step was to identify all of the third parties. This was a big task. They went to their master vendor lists and master customer lists. The the broke them into groups based on risks.

Then they conducted a preliminary risk assessment using a few factors, such as geography, types of payments and payment structure.  With all of that information they took the next step of rationalization and consolidation of the third parties. In higher risk areas, they want to reduce the number of third parties they work with. They will conduct enhanced due diligence on high risk third parties.

They have imposed stricter payment procedures. They require a valid tax invoice, wire transfers (no cash), and only to the actual service provider. It is key to look at the underlying contract to verify the payment amount and type of service.

They have a new program for new vendors:

  • Business Sponsor
  • Business Justification
  • FCPA Certification
  • Questionnaire
  • Risk Assessment/DD
  • Written Agreements
  • Training

Not all elements are required for all third parties. If it is a low-risk type of vendor in a low risk country, they will not require all. High risk parties in high risk parties get an enhanced look.

Chris took over to give his perspective. His company is dealing with land owners, hotel owners, time share owners and employees around the world.

Know your third party:

  • Screen the parties against the OFAC’s SDN list
  • Conduct reviews of their financial statements
  • Learn their reputation
  • Investigate litigation
  • Check for current licenses
  • Understand their Culture

Chris offered some mitigation techniques:

  • SAS 70 Certifications
  • Code of Conduct – The are putting together a code specifically for vendors
  • Other Policies – You want to make sure you understand local law
  • Good Behavior Certification – Failure to certify is a warning sign.
  • Training – You need face to face training to get attention, especially as you move up in corporate seniority
  • Contract language
  • Insurance
  • Stay Involved!!! You need to keep emphasizing the importance of good behavior.

Make sure that the questions you ask are questions that you are also willing to answer. Simply things to make sure you could certify if someone asked you.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)