EXPORT COMPLIANCE IN 11 WORDS (Part 2 of 12):
A Series on Export Compliance Essentials

Analyze!

A risk analysis is the key to getting your business
ready for export compliance

As we noted in our previous post, there’s no such thing as a one-size-fits-all corporate export compliance system. Processes and procedures that are absolutely critical components of someone else’s compliance strategy might be impracticable and pointless for your company. Yet a compliance program with the wrong focus could weaken your competitive advantage by wasting time, money, and personnel on “protection” you don’t need, while leaving you exposed to being blindsided by severe penalties and crippling financial losses in areas where you actually are vulnerable.

Why Risk Analysis Is the Right Place to Start

Getting a business ready for export compliance is a challenging project. Before you can effectively address the real risks your company faces, you first need to know exactly what those risks are. You need to know how likely it is that you will be involved in a violation of the U.S. export laws, and how serious the consequences of such a violation would be. For that reason, the decision to conduct a comprehensive strategic risk analysis of your business from an export-compliance standpoint — preferably alongside an outside expert — is an indispensable prerequisite to all other compliance decision-making.

The first step in your analysis is an objective evaluation of your current information assets, systems, processes, procedures, people, and documentation. The company’s past, present, and future export customers, products, and services; the relevant U.S. laws and regulations; the likelihood of certain kinds of violation occurring; the nature and adequacy of the internal controls and personnel currently in place; the present regulatory environment and enforcement trends; the potential severity of penalties and fines, as well as other possible consequences for your business — all these issues and others need to be discussed in detail, analyzed, and evaluated before written policies and procedures can be formulated and put in place.

What’s the Difference?  “Risk Assessment” vs. “Directed Compliance Audit”

A directed export compliance audit is usually the outcome of a compliance issue that an exporter has experienced with the U.S. Government, one in which the requirement for an independent compliance audit has been levied or required as part of a settlement. The scope, focus, and completion date are mandated by the regulatory agency with which the issue is being adjudicated—either the DDTC, BIS, or OFAC. The report provided to the company by the auditor must be submitted to the agency, usually within a brief time span.

An export compliance risk assessment is a company-initiated examination of the efficiency and effectiveness of its export control process. The output from such an assessment includes a summary of the applicable U.S. export control requirements, an overall review and commentary on the existing compliance program (if any), and a detailed, process-by-process evaluation, typically presented in traffic-signal format (red, yellow, and green), with process “gaps” highlighted. The report on the findings of a risk assessment always includes recommendations for improvement and/or suggested corrective actions for potentially non-compliant activities that were found in the course of the assessment.

Following those recommendations and implementing those corrective actions is the best way to avoid a directed compliance audit.

What Do These Terms Mean? “Periodic” and “Independent”

The term “risk assessment” implies a formal, systematic process—something more than just an informal sizing-up or casual take on your compliance efforts. Industry “best practices” for ensuring corporate export compliance call for periodic independent compliance risk assessments.

“Periodic,” in this case, starts with annual assessments as a baseline.

“Independent” means that your risk level and the effectiveness of your current program need to be evaluated by a competent outside party.

“Competent” is simply common sense: the individual or team conducting the assessment needs to have the appropriate qualifications and specialized know-how, including a thorough familiarity with U.S. export controls and current risk assessment methodology. Competence may be established through relevant training and/or extensive experience. In the case of a directed compliance audit, the regulatory agency will require evidence of the qualifications of the person you have engaged to perform the audit. The U.S. Government won’t trust just anyone to assess corporate export compliance, and neither should you. So, here’s a hint: if you want to be sure you’re engaging a competent professional to conduct your risk assessment, look for someone whose résumé includes performing directed compliance audits.

“Outside” usually means that the review should be conducted by a person who is not a direct employee of your company. This is crucial, because you need an unbiased, impartial assessment of both the seriousness and likelihood of the non-compliance risks you are facing and the effectiveness of your current program and personnel. You need accurate results and recommendations you can rely on. Plainly, conflicts of interest could impair the objectivity of the findings. Common sense dictates that the more attached someone is to a situation—the more he or she has at stake—the more likely it is that the reliability of the assessment will be affected.

The Four Stages of the Risk Assessment Process

Although the details of every export compliance risk assessment are unique, the overall review process is similar in most cases, and typically involves four stages:

Stage 1:  Advance planning and preparation.

Stage 2:  An on-site visit.

Stage 3:  A report of the findings. This report should include quantitative ratings of your company’s risk of export violations in each area of your business operations. It should conclude with practical recommendations of corrective actions and procedural enhancements to address problem areas and mitigate the risks. The report’s recommendations should be summarized in a step-by-step, actionable plan that highlights the place to start in each business area.

Stage 4:  A scheduled follow-up review.

Why Assessing Compliance and Identifying Risks Is Not a Waste of Time

Perhaps you’re thinking that all this sounds like a significant investment of time, money, manpower, and energy, and wondering whether the investment is justified.  Are risk assessments really all that important? Will they truly add value to my business, or are they just a waste of time?

If you’re a U.S. exporter, periodic export compliance risk assessments, far from being a waste of time and corporate resources, are a valuable strategic tool that’s critical to your company’s continued survival in today’s global marketplace and regulatory environment. Let’s look at some of the reasons why that’s true.

Risk assessments can help you avoid severe penalties and fines. Violations of U.S. export laws can—and often do—result in stiff penalties. Criminal penalties can reach $1,000,000 and 20 years’ imprisonment per violation. Administrative penalties for civil violations are less severe, but can reach the greater of $250,000 per violation or twice the amount of the transaction—and a single non-compliant export transaction typically results in multiple violations.

In addition to fines, individuals and companies that fail to comply with export controls are subject to other administrative sanctions, including denial of their export privileges and suspension of their right to contract with the U.S. Government—penalties that would spell ruin for many U.S. companies.

Perhaps those are some of the reasons no company looks forward to being visited by officials from the BIS’s Office of Export Enforcement or the DDTC’s Office of Defense Trade Controls Compliance, or the Treasury Department’s OFAC.

“Be prepared” is not just a good motto for Boy Scouts; it’s good policy for U.S. exporters, too. The most effective measure you can take to minimize the likelihood of a visit by enforcement officials is to budget for regular export compliance risk assessments of your firm and to take the action recommendations in the assessment report very seriously. Furthermore—and equally important—if your company has been conducting its own comprehensive assessments of its compliance processes all along, and an official visit by government agents does occur, you can be sure that you and your employees will undergo a minimum of stress. You’ll be confident that you can produce any records and documents requested without delay, and you’ll be primed to answer any questions with accurate and up-to-date information. The likelihood of penalties will be small, and the cost in staff time and lost productivity will be greatly reduced.

And while you’re weighing up the negative consequences of non-compliance, here are a few more to put on the scale: avoiding hefty fines and penalties and lessening the chance of official visits and directed audits are not the only reasons you’ll be doing yourself a favor by conducting periodic independent compliance risk assessments and implementing their recommendations. A history of export violations can (1) adversely affect your company’s financial position; (2) hold up or block a sale, merger, or acquisition; (3) scare off potential foreign customers; (4) tarnish your firm’s image and business reputation; and (5) damage your business in many other ways as well.

This is definitely a case where a relatively small investment can save big over future costs and consequences.

The regulatory agencies have made it plain that they don’t consider risk assessments a waste of time. If your company should need to make a Voluntary Disclosure of an export violation you’ve discovered, one of the standard questions the DTCC and OEE will ask when reviewing your case is whether any audits or reviews of your company’s export compliance have been conducted during the past five years. Do you really want to answer “No” to that question? In most settlement agreements, the regulatory agencies require the company to have its export compliance program independently audited and send them a copy of the report within a narrow time frame. Rather than wait for that to happen, doesn’t it seem wiser to be proactive?

Risk assessments produce effective compliance programs—a valuable business asset. An export controls risk assessment by a compliance professional is bound to result in improved compliance. And a good track record and strong reputation for compliance are good for your business. Especially in the defense trade sector, a robust global trade compliance program is recognized as a competitive asset, one that some firms even list on their web sites. Recent studies of the most successful U.S. companies agree on one characteristic they have in common: compliance is part of their corporate culture.

Risk assessments can help your whole business run more efficiently. The compliance risk assessment process and your company’s follow-up on its findings and recommendations will highlight better ways to integrate export-control processes and “best practices” for export compliance into the rest of your business operations, including quality assurance SOPs and other regulatory compliance programs. The likely result will be an uptick in the overall efficiency of all your company’s operations. In particular, the implementation of Restricted Parties Screening (RPS) software and the challenge of integrating screening into your ERP software offers an opportunity to streamline your entire internal structure (including distribution process and supply chain management, inventory control, project planning, services knowledge base, and other critical business management processes). In the course of conducting an export controls risk analysis, many firms have discovered loopholes in their cybersecurity that badly needed strengthening and areas where significant improvement was possible in the networking of company resources.

Stage 1:  Getting Ready for Your Export Compliance Risk Assessment

Step back and think about your whole business.  An export compliance risk assessment should not take place in a bubble. To be fully effective, it needs to be part of a review and examination of your company’s overall business operations. What other week-to-week business processes are likely to be impacted by modifications to your export compliance system? How do you plan to integrate the findings and remediation measures that will be prescribed into your overall quality assurance and regulatory compliance system? What are your long-term corporate goals? How could improvements in your export process help you accomplish them?

Formulate some risk-mitigation proposals of your own.  Consider discussing the risk of export violations and setting down your ideas, suggestions, and tentative plans to improve your company’s export process before the risk assessment, based on your own past experiences and observations. Talk over your ideas with the reviewers before or during the on-site visit stage of the risk assessment. Later on, you can list those ideas side-by-side with the action recommendations in the assessment report, and consider how to combine the two lists into a more successful and export-compliant business.

Find out who’s who when it comes to exports.  Identify the actors within your company. Which individuals or departments are actually responsible for export compliance on a daily basis? Which employees are the points of contact within each department? Having a clear understanding of the role each person plays in export transactions is essential, because commonly, depending on the size of the company, one person may wear multiple hats with regard to export responsibilities. Being able to provide the names and contact information for key actors dealing with exports in your company will help the risk assessment run smoothly and without a hitch.

During the on-site visit phase of the risk assessment, every employee involved with exports in any way should be available and prepared to speak about his or her role, answer any questions the outside reviewer may have about the company’s internal processes, and provide examples of paperwork or electronic records related to exports upon request. Because these employees understand the specific business process and its associated flow firsthand, they can give valuable input when it comes to process improvements and risk mitigation efforts.

Seriously question your cybersecurity.  Controlled technical data stored in electronic form is always an area of potentially high risk that must be scrutinized carefully, because such data and information is easily accessed, copied, and transferred elsewhere. For that reason, some probing questions need to be asked about data storage and access control. Where is your controlled technical information and data stored? What physical and electronic security measures are in place to protect it? What company policies govern data storage? What controls exist to ensure that the granting of access to the company’s export-restricted data is consistent with U.S. regulatory requirements?

Pay attention to documentation and recordkeeping.  Review your company’s recordkeeping system and export documentation in advance of the on-site visit. Many U.S. exporters seem unaware that, according to U.S. export control regulations, recordkeeping and reporting are a very big deal, and a frequent cause of export violations. Exporters are legally required to maintain certain specific documents related to export transactions, and have them accessible for inspection, for at least five years. How and where are your records currently stored? Are they physically stored in an on-site location, or are they accessed electronically through the company servers? How conveniently and quickly can they be accessed? By whom? Each person involved in export compliance processes needs a clear understanding of the mandatory recordkeeping requirements and the company’s recordkeeping policy and practices. Make sure your export-related records will be conveniently available for review during the assessment visit, and consider how your system for saving, storing, and accessing them might be improved.

In the next post of this blog series on export compliance essentials, “EDUCATE!” we’ll discuss employee training—what it needs to cover and why it is critically important to the success of any corporate export compliance program.  

 

EXPORT COMPLIANCE IN 11 WORDS:
Introducing a Twelve-Part Blog Series on Export Compliance Essentials

If you’re a newcomer to the world of U.S. export controls and you’ve just been charged with setting up an export compliance program for your firm, we wouldn’t at all be surprised to hear that you’re feeling a little overwhelmed right now. Does “bewitched, bothered, and bewildered” describe your state of mind as you struggle to make sense of the export laws and regulations and sort out which ones apply to your company? Are you wondering where to start?

If you’re finding export compliance to be a daunting task, rest assured that you’re not alone. The ever-changing complexities of U.S. export laws and regulations, licensing requirements, economic and trade sanctions, arms embargoes, and other legal and regulatory constraints present unique challenges to U.S. exporters as they strive to meet their business objectives while remaining compliant. Actually, taking on those challenges successfully without the proper training and support is more than just daunting, it’s impossible.

At Export Compliance Solutions, we’ve gained quite a lot of experience over the years helping our customers — small and medium-sized businesses and organizations of all kinds, and some of the big guys, too — identify, analyze, resolve and mitigate the regulatory issues and risks of selling in the international marketplace. Based on that experience, we’ve prepared a brand-new blog series for you, in which we share the most important lessons we’ve learned, condensed and summed up in 11 key words. The twelve posts (including this one) that you’ll be reading over the next several weeks will by no means cover everything there is to know, nor will they answer all your questions about export controls. What this series will do for you is lay a solid groundwork for understanding how to protect your business against export violations. “Export Compliance in 11 Words” will provide you with a sound starting-point for formulating an intelligent and practicable export compliance plan tailored to the needs and realities of your business.

Here’s an overview of what’s ahead:

ANALYZE – Because every business is different, there is no such thing as a generic, all-purpose, one-size-fits-all corporate export compliance program. Processes and procedures that are critical components of another company’s compliance strategy may be impracticable in scope and inappropriate in subject matter for yours. A program that doesn’t fit your needs will waste time, money, and personnel, and may even weaken your competitive advantage, while providing little or no protection against violations, fines, and penalties in the areas where your business is actually most vulnerable. But you can’t design a program that effectively addresses the real risks your company faces until you are confident you know what those risks are. That’s why conducting a strategic risk analysis of your business from an export-compliance standpoint — preferably alongside an outside expert — is an indispensable prerequisite to everything else. The company’s past, present, and future export customers, products, and services; the likelihood of certain kinds of violations; the controls and personnel already in place; the current regulatory environment and trends; the potential severity of fines and other consequences — all these issues and others need to be discussed in detail, analyzed, and evaluated before written policies and procedures are formulated and put in place.

EDUCATE – The oversight and management of corporate export compliance in today’s world requires substantial and ongoing professional training, including — but by no means limited to — a thorough familiarity with all the applicable U.S. Government laws and regulations. Once you’ve acquired the necessary training and knowledge yourself, your number one priority as a compliance officer should be training others in your company. The goals of this training should be (1) instilling and maintaining a high level of export compliance awareness company-wide and (2) ensuring that management and employees at all levels understand their export control responsibilities and have the appropriate competencies and skills to carry them out effectively, so that exports are made in compliance with both U.S. laws and regulations and the company’s best interests.

CLASSIFY – Export compliance personnel must know their company’s products and services, clearly identify, flag, and classify those categories of products, services, or technical data which are subject to export controls, and fully understand which regulatory requirements apply to each category. They must also know their company’s customers and be able to pinpoint risks and vulnerabilities from a regulatory standpoint.

SECURE – Responsible information-handling practices are critical to export compliance. You are responsible to protect your company’s controlled technical data and information against access by unauthorized persons, both on the ground and in the cloud, not only inside your facilities, but wherever your business and its workforce interfaces with the global marketplace. Your employees need to know that if they’re sharing technical data, such as plans and blueprints, even within the U.S., or if they’re allowing the visual inspection of ITAR-controlled articles by foreign nationals, they’re exporting technology; and if they’re doing these without proper authorization, they’re committing an export violation.

SCREEN – “Screening” is the process of checking and cross-referencing the parties involved in an export transaction against the many, continually updated lists of restricted or denied parties maintained by various governments and government agencies. If you’re a frequent or regular exporter (or are actively seeking to market your goods and services more widely overseas) and you aren’t routinely using some kind of Restricted-Party Screening (RPS) software to screen your customers, consignees, suppliers, employees, etc., you’re a fool. But you’re an even bigger fool if you are relying on RPS software alone to flag high-risk transactions and detect potential compliance problems. Even with the necessary screening software in place and properly configured to your company’s needs, the dictum remains true: your company’s employees are your ultimate line of defense — which is why their training and motivation is absolutely critical to compliance.

DOCUMENT – Certain specific recordkeeping for export transactions is mandated by the EAR, the ITAR, and the various OFAC Sanctions programs. But an effective corporate compliance program ought to be tracking and documenting much more than that bare minimum. Not only do transaction and licensing records need to be complete, accurate, and secure, they also need to be readily accessible in case of a compliance audit or other investigation.

COMMUNICATE – Proper communications are essential to export compliance. Critical compliance communications include the timely filing of the multiple reports mandated by U.S. export laws and regulations, enforced by the regulatory agencies, as well as having procedures in place for making prompt voluntary disclosures when violations or possible violations are discovered. It also means developing a communications strategy for keeping management, employees, suppliers, and customers in the loop about regulatory changes and all other compliance-related concerns and issues, as needed.

MONITOR – Even the most carefully formulated policies and procedures are meaningless if actual, real-life compliance with them is not checked and verified, and if instances of possible or actual non-compliance are not reported and promptly addressed. Moreover, if the monitoring of internal compliance processes is only sporadic, occasional, or random at best, it is not likely to be effective, and consequently the risk of violations occurring will be high. But reliable, continuous monitoring and control of processes and procedures necessitates building and maintaining an appropriate infrastructure.

ASSESS – A corporate export compliance program is properly focused on identifying and mitigating risks and vulnerabilities. To evaluate the effectiveness of your compliance efforts, frequent internal assessments and audits of processes and procedures are indispensable. So are periodic independent outside reviews of your overall compliance policies and program. It is critically important that the findings and recommendations of these reviews be reported to top management. Short-term and long-term follow-up on the implementation of corrective measures and program improvements should be an integral part of the review process.

ADAPT – Regulatory, technological, and business environments are rapidly and continually changing, and those changes are unavoidably impacting your company. “Innovate or die” is a common adage in the business world, and, while it may sound a bit melodramatic, it expresses a simple truth. If your company is surviving — and, we hope, thriving! — it’s safe to say you’ve made some significant changes over the last couple of years, and that’s all to the good. But if your export compliance program isn’t changing and adapting along with the rest of your business, your company’s survival may be at risk.

OWN – An effective export compliance program requires buy-in, visible involvement, and credible commitment on the part of top management — communicated, among other ways, by the allocation of adequate personnel and resources to the compliance function. When this sort of management commitment is perceived, when employees see that management is taking compliance seriously, company-wide engagement and employee motivation are likely to follow. Your compliance standards and policies, as well as the rationale behind them, should not only be spelled out explicitly in writing, but also well understood and acknowledged by each employee. Individual export compliance responsibilities need to be clearly articulated and included in job descriptions to ensure personal accountability and ownership. Moreover, your employees need to know that rules and procedures will be strictly enforced. The predictable result of not clearly assigning ownership of a process is a failed implementation of the process.

It is often said that without a top-down, pervasive corporate culture of compliance, no export compliance program will ultimately succeed. That may sound trite, and perhaps a bit corny, but it is nonetheless true, and its importance should not be underestimated. The human element remains the key to compliance. If you’re training your employees so they know how to do the right thing and motivating them so they want to do it, you’re on the way to creating a risk-aware corporate culture of compliance—the necessary foundation for any effective export compliance program.

Sound like information you need to know? If you’re new to export compliance responsibilities, or if you’re already dealing with U.S. export controls and would appreciate an update and review of the basics, you won’t want to miss a single one of the posts in this series. Sign up today for a free subscription to “An EAR . . . to the ITAR” and we’ll notify you of each new installment during the weeks ahead.