Today, in the sixth article in the hands-on practical advice series on Internal Compliance Programs for Export Control:
Part 6: Start with the Risk Assessment
You have had a look on guidelines issued by licensing authorities. You have structured your ICP into different chapters. What is the first chapter to cover?
A proper risk assessment will give you the foundation to customize your ICP
We recommend to start with the risk assessment. During this process, you shall carefully assess the product range, customer base and business activity that are or could be affected by trade control measures. It should identify relevant vulnerabilities and risks so that the company can incorporate ways to mitigate them under the ICP. Even though this risk assessment cannot identify all vulnerabilities and risks your company may face in future, it will give the company a better base to develop or review its ICP.
If you already have internal control processes in place, you will not need to start from scratch when designing your ICP. The exercise will then support you to assess your existing corporate policies and procedures against export control related risks and come up with a course of action for adapting them, if necessary.
In addition, promoting synergies between existing policies and export control requirements is a further step to consider from the beginning. For instance, it is a good practice to insert cross references to export control principles and requirements in your code of conduct, if available. The outcomes of this risk assessment will affect the necessary actions and appropriate solutions for developing or implementing your company’s specific compliance procedures.
There is no “one-size-fits-all” template
The risk assessment should review the company from top-to-bottom and assess its touch points to the outside world. The goal is to identify potential areas of risk.
It should at least :
describe company profile and corporate structure, including locations, activities or business partnerships outside your country of head office ;
indicate the business activity & type of customers, supply chain, intermediaries, consignees and end-users ;
detail the geographical location of the customers and the destination of exports or services provided ;
describe (all) the goods and services handled or provided by the company, even those not listed in relevant export control lists (catch-all !) ;
expose the end-use (military/civil/dual) of the company products;
describe how the company has organized its export process (starting with the initial customer request until shipment) ;
indicate how the company has set-up and ensured compliance with export control regulations in the country of its head office and abroad (destination countries of exports and services, location of business partners).
While implementing this risk assessment, it is advisable to be transparent and better show risks and measures taken or to be implemented to master them, than hiding relevant information. In order to allow licensing authorities to get a true and entire overview of the company, its products and customers, it gains to be complete (regarding companies part of the group, customers, business partners, goods ....). Demonstrate here professional approach in order to gain trust. Be concrete, and do not use general wording.