An article in the September 2011 issue of Compliance Week, entitled “How Tyco Turned Around Third-Party Risk Program” by Karen Kroll, reported on the program initiated and developed by Tyco International, assisted by Navigant Consulting, to build a “comprehensive program to gain a better control over the activities of third parties.” This task seemed particularly daunting, as Tyco initially identified over 66,000 third party vendors, and this group needed to be risk assessed to determine the high risk third parties which could be handled in the first pass.
Key First Step
Interestingly, a key first step in the process was that Tyco set up a specific project team in the company to handle the task. This is different to such assignments in a Compliance or Legal Department where a project is added to an employee’s existing portfolio of assignments. The Chief Compliance Counsel, Matthew Tanzer, made the decision to assign a “small group of dedicated employees to the job”. Scott Moritz, Managing Director of Navigant, who worked with Tyco on the project, said this was an important early decision and was quoted as saying, “You need to develop bench strength to deal with this, and staffing that’s proportional to the third party population.”
The Seven Steps
Tyco developed a process to identify, risk assess, contract with and then compliance train its third parties in this project. Tyco distilled this process into the following seven steps.
- Business Sponsor – Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but business unit accountability for the business relationship or as Moritz was quoted as saying, “This puts the onus on each stakeholder.”
- Business Justification – The business unit must articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether it will become a strategic partner or will be involved in a one-off transaction only.
- Third-Party Questionnaire – This requirement is not only a key step but a mandatory step for any third party which desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party. The minimum information which should be obtained is basic business information, disclosures of all direct and beneficial owners, politically exposed persons (PEPs) and both commercial and compliance references.
- FCPA Certification – You should require a representative of the third party to attest that it will comply with all relevant anti-corruption laws and will not pay bribes, “either directly or indirectly.”
- Risk Assessment – The above information should be analyzed to produce a risk score. This risk assessment will be used to determine the appropriate level of due diligence that should be performed on the third party. In Tyco’s system, the higher the risk assessment score, the more due diligence should be performed.
- Written Agreements – This requirement mandates that, in addition to commercial terms, compliance terms and conditions are appended to each third party contract. This is now Item 12 in the Department of Justice’s (DOJ) minimum best practices as set out in Deferred Prosecution Agreements (DPA) since at least November 2010.
- Training – Your company should require all third parties to complete an online training module which discusses your company’s values and its approach to bribery and corruption. You should also consider live training for the highest risk third parties.
The Tyco Seven Step Process does not end at training. Tyco continues to manage these risks through an ongoing monitoring program which it developed in the course of this exercise. This monitoring includes both substantive compliance and transactional monitoring. Both of these monitoring systems can be reviewed by a committee or group dedicated to ongoing management of third parties within Tyco.
The task of getting a handle on your company’s third parties may often seem daunting. However, the Tyco Seven Step Process provides an excellent framework for the compliance professional to develop a program for his/her company. I recommend the article for your review and the program for your consideration.
If you are going to be in Houston on December 7, myself, Mike Volkov and the Bribery Act guys, Richard Kovalevsky QC and Barry Vitou will be making their only US appearance this year. Mike and I will review some of the more significant enforcement matters of 2011 and discuss lessons which may be drawn from them. Richard and Barry will discuss the Bribery Act. Best of all, the event is free and CLE will be provided. Event details and registration are found at http://events.r20.constantcontact.com/register/event?llr=myqi4pcab&oeidk=a07e55t5re06e78f1e3. I hope you can make it!
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011