Tyco International takes great care to ensure that it does not hang out with the wrong crowd.
The $17 billion provider of security, fire safety, and a multitude of other products and services works with more than 32,000 outside parties: resellers, distributors, and other partners. It must monitor all of them to ensure that they adhere to ethical business practices. Tyco isn't simply concerned about being judged by the company it keeps; Rather, the company can't afford the legal risks of any violation of the law by the third parties that it does business with.
While most people will associate Tyco's past legal problems with the sensational trial of former CEO Dennis Kozlowski (who now sits in prison) among the lesser headlines was a $ 50 million settlement with the Securities and Exchange Commission over violations of the Foreign Corrupt Practices Act by a newly acquired company in 2003. That settlement included a permanent injunction against future violations. In short, Tyco is forever on a short leash with regulators, forcing it to institute air-tight compliance systems. One of the many steps Tyco has taken since then: a comprehensive program to gain better control over the activities of third parties.
The task required an extensive effort to build its third-party monitoring system to get better control over the activities of resellers and distributors, led by Matthew Tanzer, vice president and chief compliance counsel.
About three years ago, Tanzer began working with other members of the company's compliance teams around the world to develop a program for working more effectively with third parties. First up was simply gathering the names of all those third parties—a task much more complicated than anyone would have predicted. Tyco's business units worked on a variety of information systems, and many lacked any sort of master list. Obtaining accurate information was difficult, Tanzer says. “There was no easy way to pull this out.”
The team needed about six months just to assemble an initial inventory of agents and distributors using spreadsheets sent from offices around the globe. The list topped 4,000 names, but Tanzer knew the information still wasn't completely reliable and would need further refining. Rather than adding that chore to the tasks of several people to work on it part-time, Tanzer assigned a small group of dedicated employees to the job of perfecting the list.
That was in important decision, says Scott Moritz, managing director for global investigations and compliance at Navigant Consulting; Moritz worked with Tyco to develop its third-party program. “You need bench strength to deal with this, and staffing that's proportional to the third-party population.”
Among the people selected to work on the system, Anne Kennedy joined as project manager. One of her first steps was to begin pulling information, such as names and contact data, from the master vendor and customer files of the business units. Because the initial requests generated tens of thousands of names, Kennedy and Tanzer decided to focus on entities with which Tyco transacted at least $50,000 in business during the preceding two years.
In the end, the team identified 66,000-plus third parties. Of those, about 18,000 were deemed outside the scope of the project; most were customers with little legal risk. Another 16,000 were culled from the list; generally, they were so small that going through the process of investigating their business and relationship with Tyco wasn't worth the effort. That still left about 32,000 third parties for Tyco to examine.
“What's key is the triage at the beginning. When you decide the relationship type—agent? distributor? sub-contractor?—that sets all the wheels in motion for what happens to the party.”
—Keller Arnold,
Chief Financial Officer,
Tyco Flow Control
Tanzer and Kennedy began by classifying the ways that Tyco worked with third parties. The resulting 22 classifications range from accounting and audit firms to environmental consultants, distributors, resellers, freight forwarders, and law firms.
“What's key is the triage at the beginning,” says Keller Arnold, chief financial officer with Tyco Flow Control. “When you decide the relationship type— agent, distributor, or sub-contractor, for example—that sets all the wheels in motion for what happens to the party.”
“It was a lot of effort on their part, but it's proven to be invaluable,” Moritz says. Much of the risk that comes when working with third parties varies with the relationship, he notes. For instance, an agent paid on commission likely is a higher risk than a company that simply installs phone lines for an office.
Qualifying Partners
Over time, the group working on the project developed a set of seven steps designed to qualify each of the third parties doing business with Tyco (See “Seven Steps to Third-Party Qualification,” below.) Most third parties that are deemed higher risk proceed through all seven steps, while those identified as lower risk might only complete a portion of the steps.
The first step is identifying a business sponsor, or primary contact for the third party within Tyco. “This is an incredibly important component of the program,” Moritz says. In many compliance programs, the compliance and legal departments are aware of what needs to be done, but interest levels across the rest of the organization can lag. “This puts the onus on each stakeholder,” he says. “You get them to engage with the third party.”
The next steps involve justifying the need for the partner, identifying its principles, certifying that it will comply with Tyco's FCPA policies, and assigning each partner a risk score, based on several factors including volume, region, and type of business.
Some companies may warrant additional investigation, using information available in online databases. Tyco also works with Navigant to search proprietary databases that Navigant has built up over several years. When a company's risk score is at the high end of the range, Tyco arranges for someone to physically visit its offices to help ensure that the operation is legitimate.
QUALIFYING THIRD PARTIES
Below are Tyco's key steps for qualifying third parties:
Source: Tyco International.
Since the on-site reviews can be costly, Tyco uses discretion about which ones truly need a visit. It has also forced Tyco to exit some relationships with high-risk business partners. When the program first started, Tyco was working with about 5,000 companies whose score was high enough to prompt a visit. Over time, Tyco has moved the expense of those in-person reviews out to the relative business units. Perhaps not surprisingly, many business-unit leaders dropped some riskier third-party relationships.
Of the 32,000 third parties currently working with Tyco, only about 1,800 (or 5.6 percent) are considered high risk, Tanzer says. That's consistent with other companies, he adds.
In the past, it wasn't unusual for Tyco to work with third parties without having a written agreement in place. No more. Tyco developed contract templates to cover a dozen different relationship types, and has had them drawn up in 22 languages and for 50 jurisdictions. Each contract is in both English and the local language.
Tyco also asks the bulk of its third-party business partners to complete an online training on Tyco's values and approach to bribery and corruption. Many Tyco employees also undergo the training.
Continuous Monitoring
An effective anti-bribery program needs to be an ongoing operation, rather than a one-time project. To that end, Tyco developed a “business sponsor verification” (BSV) tool, software that helps manage the range of information, such as the third parties and their business sponsors, as well as the steps leading to the signing of a contract, says Donal Sullivan, Tyco's third-party program leader. That moves some of the monitoring up front and gives Tyco a baseline to work from going forward. The verification process must be completed in the 90-day window that contracts have to be signed. “We think it's a reasonable amount of time to get training and certification,” he says.
Tyco also has put in place controls that help ensure its relationships with its third parties remain above board. For instance, payments to third parties must be made to the legal entity rather than any individual working there, and to the country in which the company is located. Previously, these measures weren't always in place.
QUALIFYING STEPS
Below are Tyco's “Seven Steps to Third-Party Qualification”:
1. Business Sponsor: First identify a business sponsor or primary contact for the third party within Tyco. “Someone in the company has to be responsible for the relationship,” Tanzer says. Associating every third party with a Tyco employee provides accountability.
2. Business Justification: Next, the Tyco business unit had to identify a commercial reason to continue working with the firm. “We ask how they fit into the total value chain and whether they will become a strategic partner,” says Robert Roche, chief financial officer with Tyco Fire Protection. For instance, is the relationship likely to be ongoing, or a single transaction?
3. Third-Party Questionnaire: Each third party completes a questionnaire that asks, among other things, the identities of the company's principals, and what the organization does. Tyco also asks if the company has ever paid a bribe. A few have said yes, Tanzer says. “While we appreciate their honesty, we don't do business with them.”
4. FCPA Certification: A representative from the third party signs a statement that it will comply with the law and won't pay bribes, either directly or indirectly.
5. Risk Assessment: The information on each third party is analyzed and the company is then assigned a risk score. Several factors determine the score, including the nature of its relationship with Tyco, the volume of business the two companies are doing together, and the region of the world in which its located, says Donal Sullivan, Tyco's third party program leader. The higher the score, the more due diligence that will be carried out on the company.
6. Written Agreements: Tyco and the third party sign a contract or other agreement. In addition to the typical commercial terms, such as the payment schedule, the agreements include language stipulating that the company won't pay bribes.
7. Training: Tyco's third parties also complete an online training module that discusses Tyco's values and approach to bribery and corruption. Many Tyco employees also participate in training.
Source: Tyco International.
All of this hasn't come easily or cheaply; the company has spent millions on the program so far, Tanzer says.
Although quantifying the success that Tyco's program for managing third parties has had is difficult—after all, it's difficult to know what improper activities never happened as a result of this initiative—it does appear to be providing a number of benefits.
For starters, “it's dramatically changed the culture of the organization,” Tanzer says. Employees and others associated with the company know about the program and its goals. In addition, through the program, Tyco has uncovered a few instances in which third parties were acting improperly, and management believes it's helped prevent others, Tanzer adds. “We've definitely had examples where we prevented improper things through the program.”
In addition, the company now has a better handle on its third-party relationships, so the system provides value to the business. “We have much more visibility into what we're paying third parties,” Tanzer says. When Tyco started its journey, for example, it wasn't unusual to find that the company was paying significantly different commissions for the same product, sold in the same part of the world.
The business benefits, although a by-product of Tyco's efforts to mitigate the risk of working with third parties, have become clear, Roche says. The company now has a disciplined process for adding new third parties. Before adding one, the management team will assess the potential business benefit and cost, and determine how the potential partner fits into the overall value chain. “It limits risk and keeps the size of the distribution network to an optimal level,” he says.
As Arnold's teams got further involved in the program, they saw a number of benefits, she says. “We can look in the database and see that we have 25 sales agents in a country, and ask if we need them all.” In addition, the business units are better able to match their internal audit resources to the geographic areas most likely to need them.
To be sure, Tyco had to navigate several obstacles to achieve these benefits. The size and scope of the program presented challenges; many of the businesses within Tyco work on different platforms and ERP systems. Trying to extract the needed information and classify the relationships was difficult. A team of individuals spent hundreds of hours sifting through data to compile the new database of third-party relationships.
Getting the business units' support was also important, and required demonstrating the business value of what they were being asked to do. This wasn't about just risk mitigation, although that was a key concern. In addition, “the visibility into how a business operates was tremendous," Tanzer says. Also key to the businesses' buy-in was creating a process that was easy for them to implement, he adds.
Arnold generated some competition between different business units to build interest. “Business people are naturally competitive,” she notes. If one sees that a colleague's division is further along in the project, that's competitive.
Business unit support was critical in driving the program throughout the company, Kennedy says. “The program touches all aspects of our business,” she says. “It has far-reaching tentacles.”
Varying standards and cultural norms between different areas of the world also can pose challenges. However, Tyco's position is that “as a company, we have one set of values that we apply globally,” Tanzer says. “We have walked away from deals and partners and turned down profitable business because we couldn't do it the right way.”
No comments yet