Risk Register (FTC v. Wyndham Worldwide Corp.)

Purpose

This register captures material risks highlighted by FTC v. Wyndham Worldwide Corp. with severity, impact pathway, mitigation plan, and evidence expectations. It is intended for ongoing governance and audit use so risk acceptance, remediation progress, and accountability remain explicit over time.

Risk Register

FRAN-CONN-01 — Franchise connectivity governance gaps

  • Severity: High
  • Description: Property-to-corporate connectivity remains heterogeneous across franchise environments.
  • Impact: Inconsistent controls across properties and repeated risk findings against the consent order's expectations.
  • Mitigation: Connectivity inventory ownership, segmentation baselines, and exception controls.
  • Evidence: Connectivity inventory, baseline configs, exception register, audit results.

PAY-ACCESS-02 — Cardholder environment privileged access risk

  • Severity: High
  • Description: Over-broad privileged paths can expose payment environments.
  • Impact: Unauthorized access to payment environments carries high fraud and regulatory impact.
  • Mitigation: Least-privilege redesign, PAM enforcement, and access recertification.
  • Evidence: Access attestations, PAM reports, entitlement diffs, approval logs.

DETECT-03 — Insufficient cross-property monitoring

  • Severity: High
  • Description: Distributed hospitality systems can create detection blind spots.
  • Impact: Delayed breach detection, greater loss, and longer event duration.
  • Mitigation: Centralized telemetry and detection content covering lateral movement and data exports.
  • Evidence: Coverage metrics, alert efficacy reports, incident response timelines.

ASSESS-04 — Assessment closure slippage

  • Severity: Medium
  • Description: Repeated open findings weaken confidence in compliance execution.
  • Impact: Order compliance risk and reputational harm.
  • Mitigation: Owner-accountable remediation schedule with aging-based escalation.
  • Evidence: Assessment finding tracker, closure evidence, committee status reports.

GOV-05 — Board oversight signal dilution

  • Severity: Medium
  • Description: Reporting without actionable metrics obscures true risk posture.
  • Impact: Decision latency and weak challenge function.
  • Mitigation: KPI-based reporting cadence and explicit risk acceptance governance.
  • Evidence: Board packs, metric definitions, risk acceptance records.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM