A Series on Export Compliance Essentials


A risk analysis is the key to getting your business
ready for export compliance

As we noted in our previous post, there’s no such thing as a one-size-fits-all corporate export compliance system. Processes and procedures that are absolutely critical components of someone else’s compliance strategy might be impracticable and pointless for your company. Yet a compliance program with the wrong focus could weaken your competitive advantage by wasting time, money, and personnel on “protection” you don’t need, while leaving you exposed to being blindsided by severe penalties and crippling financial losses in areas where you actually are vulnerable.

Why Risk Analysis Is the Right Place to Start

Getting a business ready for export compliance is a challenging project. Before you can effectively address the real risks your company faces, you first need to know exactly what those risks are. You need to know how likely it is that you will be involved in a violation of the U.S. export laws, and how serious the consequences of such a violation would be. For that reason, the decision to conduct a comprehensive strategic risk analysis of your business from an export-compliance standpoint — preferably alongside an outside expert — is an indispensable prerequisite to all other compliance decision-making.

The first step in your analysis is an objective evaluation of your current information assets, systems, processes, procedures, people, and documentation. The company’s past, present, and future export customers, products, and services; the relevant U.S. laws and regulations; the likelihood of certain kinds of violation occurring; the nature and adequacy of the internal controls and personnel currently in place; the present regulatory environment and enforcement trends; the potential severity of penalties and fines, as well as other possible consequences for your business — all these issues and others need to be discussed in detail, analyzed, and evaluated before written policies and procedures can be formulated and put in place.

What’s the Difference?  “Risk Assessment” vs. “Directed Compliance Audit”

A directed export compliance audit is usually the outcome of a compliance issue that an exporter has experienced with the U.S. Government, one in which the requirement for an independent compliance audit has been levied or required as part of a settlement. The scope, focus, and completion date are mandated by the regulatory agency with which the issue is being adjudicated—either the DDTC, BIS, or OFAC. The report provided to the company by the auditor must be submitted to the agency, usually within a brief time span.

An export compliance risk assessment is a company-initiated examination of the efficiency and effectiveness of its export control process. The output from such an assessment includes a summary of the applicable U.S. export control requirements, an overall review and commentary on the existing compliance program (if any), and a detailed, process-by-process evaluation, typically presented in traffic-signal format (red, yellow, and green), with process “gaps” highlighted. The report on the findings of a risk assessment always includes recommendations for improvement and/or suggested corrective actions for potentially non-compliant activities that were found in the course of the assessment.

Following those recommendations and implementing those corrective actions is the best way to avoid a directed compliance audit.

What Do These Terms Mean? “Periodic” and “Independent”

The term “risk assessment” implies a formal, systematic process—something more than just an informal sizing-up or casual take on your compliance efforts. Industry “best practices” for ensuring corporate export compliance call for periodic independent compliance risk assessments.

“Periodic,” in this case, starts with annual assessments as a baseline.

“Independent” means that your risk level and the effectiveness of your current program need to be evaluated by a competent outside party.

“Competent” is simply common sense: the individual or team conducting the assessment needs to have the appropriate qualifications and specialized know-how, including a thorough familiarity with U.S. export controls and current risk assessment methodology. Competence may be established through relevant training and/or extensive experience. In the case of a directed compliance audit, the regulatory agency will require evidence of the qualifications of the person you have engaged to perform the audit. The U.S. Government won’t trust just anyone to assess corporate export compliance, and neither should you. So, here’s a hint: if you want to be sure you’re engaging a competent professional to conduct your risk assessment, look for someone whose résumé includes performing directed compliance audits.

“Outside” usually means that the review should be conducted by a person who is not a direct employee of your company. This is crucial, because you need an unbiased, impartial assessment of both the seriousness and likelihood of the non-compliance risks you are facing and the effectiveness of your current program and personnel. You need accurate results and recommendations you can rely on. Plainly, conflicts of interest could impair the objectivity of the findings. Common sense dictates that the more attached someone is to a situation—the more he or she has at stake—the more likely it is that the reliability of the assessment will be affected.

The Four Stages of the Risk Assessment Process

Although the details of every export compliance risk assessment are unique, the overall review process is similar in most cases, and typically involves four stages:

Stage 1:  Advance planning and preparation.

Stage 2:  An on-site visit.

Stage 3:  A report of the findings. This report should include quantitative ratings of your company’s risk of export violations in each area of your business operations. It should conclude with practical recommendations of corrective actions and procedural enhancements to address problem areas and mitigate the risks. The report’s recommendations should be summarized in a step-by-step, actionable plan that highlights the place to start in each business area.

Stage 4:  A scheduled follow-up review.

Why Assessing Compliance and Identifying Risks Is Not a Waste of Time

Perhaps you’re thinking that all this sounds like a significant investment of time, money, manpower, and energy, and wondering whether the investment is justified.  Are risk assessments really all that important? Will they truly add value to my business, or are they just a waste of time?

If you’re a U.S. exporter, periodic export compliance risk assessments, far from being a waste of time and corporate resources, are a valuable strategic tool that’s critical to your company’s continued survival in today’s global marketplace and regulatory environment. Let’s look at some of the reasons why that’s true.

Risk assessments can help you avoid severe penalties and fines. Violations of U.S. export laws can—and often do—result in stiff penalties. Criminal penalties can reach $1,000,000 and 20 years’ imprisonment per violation. Administrative penalties for civil violations are less severe, but can reach the greater of $250,000 per violation or twice the amount of the transaction—and a single non-compliant export transaction typically results in multiple violations.

In addition to fines, individuals and companies that fail to comply with export controls are subject to other administrative sanctions, including denial of their export privileges and suspension of their right to contract with the U.S. Government—penalties that would spell ruin for many U.S. companies.

Perhaps those are some of the reasons no company looks forward to being visited by officials from the BIS’s Office of Export Enforcement or the DDTC’s Office of Defense Trade Controls Compliance, or the Treasury Department’s OFAC.

“Be prepared” is not just a good motto for Boy Scouts; it’s good policy for U.S. exporters, too. The most effective measure you can take to minimize the likelihood of a visit by enforcement officials is to budget for regular export compliance risk assessments of your firm and to take the action recommendations in the assessment report very seriously. Furthermore—and equally important—if your company has been conducting its own comprehensive assessments of its compliance processes all along, and an official visit by government agents does occur, you can be sure that you and your employees will undergo a minimum of stress. You’ll be confident that you can produce any records and documents requested without delay, and you’ll be primed to answer any questions with accurate and up-to-date information. The likelihood of penalties will be small, and the cost in staff time and lost productivity will be greatly reduced.

And while you’re weighing up the negative consequences of non-compliance, here are a few more to put on the scale: avoiding hefty fines and penalties and lessening the chance of official visits and directed audits are not the only reasons you’ll be doing yourself a favor by conducting periodic independent compliance risk assessments and implementing their recommendations. A history of export violations can (1) adversely affect your company’s financial position; (2) hold up or block a sale, merger, or acquisition; (3) scare off potential foreign customers; (4) tarnish your firm’s image and business reputation; and (5) damage your business in many other ways as well.

This is definitely a case where a relatively small investment can save big over future costs and consequences.

The regulatory agencies have made it plain that they don’t consider risk assessments a waste of time. If your company should need to make a Voluntary Disclosure of an export violation you’ve discovered, one of the standard questions the DTCC and OEE will ask when reviewing your case is whether any audits or reviews of your company’s export compliance have been conducted during the past five years. Do you really want to answer “No” to that question? In most settlement agreements, the regulatory agencies require the company to have its export compliance program independently audited and send them a copy of the report within a narrow time frame. Rather than wait for that to happen, doesn’t it seem wiser to be proactive?

Risk assessments produce effective compliance programs—a valuable business asset. An export controls risk assessment by a compliance professional is bound to result in improved compliance. And a good track record and strong reputation for compliance are good for your business. Especially in the defense trade sector, a robust global trade compliance program is recognized as a competitive asset, one that some firms even list on their web sites. Recent studies of the most successful U.S. companies agree on one characteristic they have in common: compliance is part of their corporate culture.

Risk assessments can help your whole business run more efficiently. The compliance risk assessment process and your company’s follow-up on its findings and recommendations will highlight better ways to integrate export-control processes and “best practices” for export compliance into the rest of your business operations, including quality assurance SOPs and other regulatory compliance programs. The likely result will be an uptick in the overall efficiency of all your company’s operations. In particular, the implementation of Restricted Parties Screening (RPS) software and the challenge of integrating screening into your ERP software offers an opportunity to streamline your entire internal structure (including distribution process and supply chain management, inventory control, project planning, services knowledge base, and other critical business management processes). In the course of conducting an export controls risk analysis, many firms have discovered loopholes in their cybersecurity that badly needed strengthening and areas where significant improvement was possible in the networking of company resources.

Stage 1:  Getting Ready for Your Export Compliance Risk Assessment

Step back and think about your whole business.  An export compliance risk assessment should not take place in a bubble. To be fully effective, it needs to be part of a review and examination of your company’s overall business operations. What other week-to-week business processes are likely to be impacted by modifications to your export compliance system? How do you plan to integrate the findings and remediation measures that will be prescribed into your overall quality assurance and regulatory compliance system? What are your long-term corporate goals? How could improvements in your export process help you accomplish them?

Formulate some risk-mitigation proposals of your own.  Consider discussing the risk of export violations and setting down your ideas, suggestions, and tentative plans to improve your company’s export process before the risk assessment, based on your own past experiences and observations. Talk over your ideas with the reviewers before or during the on-site visit stage of the risk assessment. Later on, you can list those ideas side-by-side with the action recommendations in the assessment report, and consider how to combine the two lists into a more successful and export-compliant business.

Find out who’s who when it comes to exports.  Identify the actors within your company. Which individuals or departments are actually responsible for export compliance on a daily basis? Which employees are the points of contact within each department? Having a clear understanding of the role each person plays in export transactions is essential, because commonly, depending on the size of the company, one person may wear multiple hats with regard to export responsibilities. Being able to provide the names and contact information for key actors dealing with exports in your company will help the risk assessment run smoothly and without a hitch.

During the on-site visit phase of the risk assessment, every employee involved with exports in any way should be available and prepared to speak about his or her role, answer any questions the outside reviewer may have about the company’s internal processes, and provide examples of paperwork or electronic records related to exports upon request. Because these employees understand the specific business process and its associated flow firsthand, they can give valuable input when it comes to process improvements and risk mitigation efforts.

Seriously question your cybersecurity.  Controlled technical data stored in electronic form is always an area of potentially high risk that must be scrutinized carefully, because such data and information is easily accessed, copied, and transferred elsewhere. For that reason, some probing questions need to be asked about data storage and access control. Where is your controlled technical information and data stored? What physical and electronic security measures are in place to protect it? What company policies govern data storage? What controls exist to ensure that the granting of access to the company’s export-restricted data is consistent with U.S. regulatory requirements?

Pay attention to documentation and recordkeeping.  Review your company’s recordkeeping system and export documentation in advance of the on-site visit. Many U.S. exporters seem unaware that, according to U.S. export control regulations, recordkeeping and reporting are a very big deal, and a frequent cause of export violations. Exporters are legally required to maintain certain specific documents related to export transactions, and have them accessible for inspection, for at least five years. How and where are your records currently stored? Are they physically stored in an on-site location, or are they accessed electronically through the company servers? How conveniently and quickly can they be accessed? By whom? Each person involved in export compliance processes needs a clear understanding of the mandatory recordkeeping requirements and the company’s recordkeeping policy and practices. Make sure your export-related records will be conveniently available for review during the assessment visit, and consider how your system for saving, storing, and accessing them might be improved.

In the next post of this blog series on export compliance essentials, “EDUCATE!” we’ll discuss employee training—what it needs to cover and why it is critically important to the success of any corporate export compliance program.  


(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)