Internal Compliance Program - Series (5) - The scope of the ICP
Today, in the fifth article in the hands-on practical advice series on Internal Compliance Programs for Export Control:
Part 5: The scope of the ICP
You have read all do's and don'ts. You have possibly hired an external consultant to assist you with the set up of the Internal Compliance Program. You have obtained green light from the Management and dedicated internal resources to accompany the ICP process.
Where now to start with? Not all and everything have to be part of the Internal Compliance Program. But regulators expect seeing in your ICP a certain number of points which are covered.
Have a look on guidelines issued by licensing authorities.
You may have a look on the EU Commission Guidance (Recommendation 2019/1318/EU of 30 Jul 2019 for dual-use items, Recommendation 2011/24/EU of 11 January 2011 for defence-related products).
Please also read the guidelines issued by your national licensing authorities (e.g., Luxembourg's OCEIT, Germany's BAFA, Belgian Flanders Strategic goods Control Unit). For those interested in the US perspective, or companies affected by US legislation, you may refer to the U.S. Department of Commerce, Bureau of Industry and Security (BIS) guidance issued in January 2017. All of these guidelines indicate some core elements every ICP should have. But do no neglect as well, if your company is part of a worldwide operating business, that your group may already have some kind of ICP or compliance policy already in place.
Define the structure of your ICP.
There is no legal requirement on how to structure your ICP document. An ICP needs to be tailored to the size, the structure and the scope of the business and, especially, to your company's specific business activity and related risks. Anyway, you should structure your ICP into different chapters, and define each of these chapters being a sub-project within your ICP drafting process (and possibly, with different intervenants).
We generally recommend the following 10 points ICP structure. This does not mean that you have to start your process by dealing with point 1 and finish with point 10. In fact, we suggest to start with Risk Assessment (chapter 3, more on that topic in the next article), followed by the other topics in a more or less parallel way of working.