What’s Your Compliance Risk Perimeter?
We all recognize risks, consciously and unconsciously. We are careful near cliffs or driving at high speed; we watch our diet and we manage our investments. We look out for our kids before – and sometimes after – they know how to care for themselves. We understand and manage risks in virtually all aspects of our lives by staying on the prudent side of our various risk perimeters.
The same is true in business. The nature of the risks is different, depending on your role in the company, but there are a wide variety of events that can put your business in jeopardy. Fire, theft, falling sales, rising costs, changing markets, aggressive competitors—all these are obvious. Not easy to manage, but at least apparent.
Compliance risks are not always evident or easily understood but, make no mistake, they can be damaging to your company. Export control compliance is a good example. This category of compliance provides plenty of cautionary tales involving companies and individuals who have suffered crippling penalties, fines and negative publicity for violating export control regulations.
While some knowingly and deliberately skirted the regulations, many more got in trouble out of ignorance, laziness, or both. They either didn’t understand the law well enough to recognize and rectify export compliance risks or they were insufficiently motivated to take the necessary precautions. Neither reason is prudent or defensible.
The “compliance risk perimeter” is a simple concept with many uses in this context. Once executives and employees understand the concepts of export controls, they learn to recognize a risk before it becomes a violation. In the industry, these risks are referred to as “red flag scenarios.” If you encounter one, or even if you’re not sure whether you have, stop and ask someone with more experience in export control compliance. If in doubt, check it out.
The risk perimeter is a broad, proactive application of this basic awareness. It can be applied to various types of compliance risk, enabling individual employees and the company overall to better understand, and more effectively cope with, their compliance risks. Let me offer a few examples:
- R&D Risk – Certain commodity classifications require such restrictive levels of control that they impact a company’s fundamental business strategy. For example, a U.S. company planning to sell its new line of electronic components to China does not want to discover, after all its R&D is concluded, that these products will require export licenses or, worse, be prohibited from export. This would, at minimum, cause costly delays. Instead, a company should be proactive by first researching the technical specifications for the various classifications in its target categories and then designing its products, to the extent possible, below or within the critical thresholds. This compliance-sensitive approach to design determines the compliance risk perimeter at the outset and helps the company stay within it.
- Hiring Risk – New employees or subcontractors can be lazy, incompetent, deceitful, or antagonistic—all highly undesirable traits. These traits can be screened for, of course, but there is one attribute that isn’t negative yet poses a risk anyway – foreign nationality. Companies providing products, technologies, and services subject to export controls have to be doubly careful to routinely check the nationalities of persons working within, or in conjunction with, their company. Why? There is an export compliance risk that Foreign Nationals (FNs) will be provided, or exposed to, export-controlled information that would otherwise require a license. Once this information enters the mind of the FN, it is “deemed” to have been exported to the FN’s country of origin. The first step in determining the compliance risk perimeter is to identify and clearly mark all export-controlled information in the organization. Afterwards, precautions are needed to ensure that FNs do not have unauthorized access to the information. This is critically important. Part 6 of the I-129 Visa Petition for a Nonimmigrant Worker requires employers to certify either 1) that an export license is not required or 2) that they will prevent access to any controlled technology or technical data until the appropriate license has been received. Most companies end up protecting the licensable information AND restricting the access of the FN very carefully to prevent inadvertent access across the risk perimeter.
- Acquisition Risk – When considering the purchase of a company or when positioning your company for acquisition, export control issues should comprise one aspect of the diligence process. The acquiring company should investigate this fully since they will inherit all risks and liabilities, including past omissions or transgressions, with the transaction. As such, companies will want to determine the risk perimeter of the target company as it stretches across three time periods:
- Past: Are there any lingering or latent export control issues that need to be addressed? Might these require a Voluntary Disclosure to the government?
- Present: What are the current export compliance requirements, how do they impact the target company, and are they adequately addressed by existing policies, procedures & training?
- Future: Are there any plans or products in the target company’s pipeline that have export control ramifications?
- Transition Risk – Change is now a constant in all aspects of business, including export control. How well equipped is your export compliance system to adjust to external and internal changes, each with its own risk perimeter?
- Classification – Have you classified all your new products and technologies? Do you know which ones are licensable?
- Regulatory Changes – Have you verified that the jurisdiction and classifications of your products are unaffected by the ongoing Export Control Reform (ECR) initiative? Are you up to date on sanctions developments?
- Employee Turnover – Is there cross-training in export controls amongst your compliance team? Is there a single point of failure? Does one person constitute most of your corporate compliance experience? Are there complete and accurate transition plans in case of a sudden, unforeseen turnover?
- Document Vitality – Are your compliance processes “alive” and well? Are they integrated into your standard operating procedures? Are these processes documented, updated, and referenced regularly, as opposed to gathering dust on a shelf? Did your employees help develop them? Do they “buy in” to the company’s compliance plan?
We’ve cited four examples, but there are many more compliance risk profiles. To find your own, simply identify your various requirements, then pinpoint the thresholds where compliance slips into non-compliance. It is not enough to know there is a risk. You need to identify the risk, study it well enough to perceive its perimeter, then design policies and procedures to avoid or address this risk in the future. Easier said than done, of course, but awareness is the first step to resolution.