The Board of Directors and CEO nervously waited for the decision from the Department of State’s Directorate for Defense Trade Controls Office. Would they receive a charging letter describing the details of their violations and then be assigned Civil penalties not to exceed $1,094,010 per violation, in accordance the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR)? Would they be prohibited from engaging in business opportunities related to the violations? How would the company’s violations impact the security of our Nation? How would the members of the Board, stockholders, customers, and the public view over 200+ violations? How would that impact our stock value, our employees, their jobs, our current contracts, and future business? Will I have a job tomorrow?
The consequences of companies not “owning” trade compliance risks are far reaching. Organizations do not “own” risk very well. Leaders within these organizations require knowledge, visibility, and resources to manage their organizational risks. As U.S. company’s globalize, good corporate governance must include trade compliance risk within their strategic risk management process. Trade Compliance Risk Management (TCRM) is a business imperative. As enterprise risk management frameworks recognize common organizational risks, “’Strategic risks’ are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately effect shareholder value or the viability of the organization. Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that merits the time and attention of Executive management and the Board of Directors.” Source
Often within companies, a precious few people worry about trade compliance risks. Unfortunately, the brutal impact of violations on an organization is far greater than those precious few. Sanctions, fines, and prohibitions not only impact shareholder value, but may also disrupt core revenue streams. Reducing trade compliance risk is a complex leadership challenge, especially across large organizations. Many compliance professionals understand compliance risks, but few understand how to shape and reduce risk across the organization.
A lack of standardization across the compliance industry often results in training inconsistencies and disparities in expertise among compliance professionals. False confidence conceals widening compliance gaps. Compliance departments often have limited authority to address risks, and poor executive visibility across the entire organization to understand root causes. Inconsistent policies and incomplete procedures also exacerbate compliance shortfalls across organizations. Companies fail to automate compliance processes and missing metrics leave Executive leaders and the Board of Directors blind to growing strategic risks.
The demand for trade controlled goods and services requires strict adherence to complex regulations that are detailed, unforgiving, time-consuming, and often not well understood. Foreign interests aggressively target controlled technologies through a variety of surreptitious means. Even for the most vigilant companies, urgent business pressures distract well-intentioned leaders, managers, and employees, pushing their concerns about compliance risks to a distant priority…until it’s too late. Trade Compliance Risk Management (TCRM) acknowledges strategic risks, the necessity of risk governance, and applies an enterprise risk management framework to reduce risk beyond compliance departments and across the entire organization. The path toward managing trade compliance risks is not easy, so what do we do now? We lead.
Leading A New Path: Risk Governance for Trade Compliance
Corporate governance establishes the strategic direction and ensures the necessary discipline a company requires to meet shareholder demands, drive shareholder value, and meet regulatory and compliance standards. Risk governance is the deliberate process of managing critical corporate risks. Small and large companies in global markets expose themselves to trade compliance risks extending far beyond sales and shipping concerns. Ortin Renn in his treatise on risk governance states, “The unintended and often unforeseeable negative side effects of collective decisions, particularly those pertaining to the use of large-scale technology and industrial processes, outweigh the intended positive consequences or, at least, threaten to outweigh them.” Source Trade compliance creates risks and vulnerabilities across an organization from data transfer, data management, manufacturing, materials, supply chain management, logistics, and even physical security.
Risk governance is an essential function of corporate governance. Risk governance applies the principles of sound corporate governance to the identification, measurement, monitoring, and controlling of risks to ensure that risk-taking activities are in line with the (Board’s) strategic objectives and risk appetite. Risk governance is the (Board’s) approach to risk management and includes the policies, processes, personnel, and control systems that support risk-related decision-making. Source Enterprise risk management is a process, led by an entity’s Board of Directors, senior management, and other personnel, designed to identify, manage, and mitigate potential risks within the risk appetite, resources, and objectives of the company.
Trade Compliance Risk Management (TCRM) program functions within the current enterprise risk management framework as the Board and Executives assess risks, gaps, and seek to ensure a unified and integrated effort reduces compliance risks across the company. TCRM provides the necessary visibility, oversight, and accountability required to conduct, support, and protect the core business from individual, managerial, and systemic trade compliance risks. An effective TCRM program requires a healthy path to the Board that condenses and accurately speaks to organizational trade compliance risks, separating technical jargon from trade compliance core business impact in terms of risk, operations, and vulnerabilities, liabilities, and costs.
In response to the aggressive rise in cyber risk the Federal Deposit Insurance Corporation (FDIC) announced changes to elevate the visibility of cyber risks directly to the Board of Directors for oversight. Much like cyber, trade compliance endures risks created by aggressive nation states and other foreign interests. An adaptation of the FDIC’s enhanced risk standards and expectations provides a model to dramatically increase TCRM effectiveness across high-risk organizations.
Active Threat: Trade compliance risk is far greater than admin mistakes.
Trade compliance risk is an organizational challenge for many reasons. Trade compliance restrictions help prevent the proliferation of vital U.S. technologies to foreign nations with competing national security and economic interests. Foreign interests aggressively leverage illicit and surreptitious means to acquire or gain access to U.S. trade controlled goods, materials, and services. Defense Security Services (DSS) oversees the protection of U.S. sensitive and classified technologies within the cleared U.S. industrial base. DSS publishes an annual report reviewing the trends in targeting of U.S. technologies. U.S. trade controlled technologies, materials, knowledge, data, and processes reach far beyond classified systems and cleared contractors. Risk governance must consider the national security implications of compliance gaps across their corporate organization. Though the DSS report focuses on the U.S. cleared industrial base, it provides a window of insight into the reality of aggressive economic and national security threat actors and their methods, which place companies at risk to violating statutory and regulatory trade controls.
“We might wish that we could simply brandish a scepter or issue a command and bring to a halt the wave of attacks on our “shores”—the U.S. cleared industrial base. Seemingly like an inexorable tide, reported foreign collection attempts to obtain unauthorized access to sensitive or classified information and technology resident in the U.S. cleared industrial base continue to rise. In fiscal year 2013, there were over 30,000 reports of suspicious activity, and the number of suspicious contact reports industry submitted concerning foreign collection attempts increased by 33 percent from the previous year” Source
Standardized training across the organization helps prevent illicit activities and foreign interests from acquiring controlled knowledge, data, technology, and materials. Compliance professionals rely on a vigilant compliance culture to safeguard the company and identify compliance risks. As the DSS study reveals, threat actors exploit employee behavior and human nature, advantaging themselves further through poor training, misaligned organizational practices, and procedures.
Leadership is required to assess, mitigate, and reduce organizational trade compliance risks. An over-reliance on policies to compensate for trained and knowledgeable employees is a failed strategy. The larger the organization, the greater focus is needed on combing a “back to the basics approach” with an aggressive TCRM strategy. A compliance-minded corporate culture, and vigilant realignment of company wide procedures and practices will significantly reduce trade compliance risks for most companies.
Who Leads Trade Compliance Risk Mitigation?
Trade compliance risks are strategic business risks, which require Board oversight, and the leadership of the entire C-suite. Typically, the institutional home for risk mitigation has been led by the CFO or consolidated within the authority of the Risk Mitigation Officer. Global trade compliance departments battle three realities: 1) Root cause analysis of compliance violations often reveal systemic and managerial weaknesses beyond compliance specialists. 2) When organizations do not recognize trade compliance as a strategic risk, compliance managers lack the authority address compliance gaps across the organizations where they are greatest. 3) Organizational trade compliance vulnerabilities are often beyond the expertise of compliance managers to diagnose, control, and improve, so they often manage the growing hazards downstream by crisis.
It often takes the more than the senior trade compliance manager to map the organization to a sustainable risk-reducing TCRM framework. An Executive leader with broad-based organizational influence, who understands organizational risk management is needed to lead a TCRM program. Successful approaches integrate a TCRM strategy with the dynamics inside the organization’s culture and builds a “Coalition of the Willing” whose best interest is aligned with trade compliance risk reduction, beyond mandates. This is no easy task.
Successful approaches will also need to recognize the existing investment, pride, and interests resisting trade compliance risk reduction. Align risk governance, the TCRM strategy, and supporting technology acquisition with operations plan, and risk transfer strategies to reflect ground truth realities and identify an achievable path toward risk reduction…from ‘As is…To be’. This is also no easy task.
Once the organization is realigned, it is sustainable. It’s necessary for leaders responsible for managing enterprise risks to come to terms with the trade compliance vulnerabilities and forge a path forward that’s effective. A formal trade compliance risk assessment is an effective vehicle for leaders at all levels to identify risks across the organization.
Engage and embrace the organizational and people-centric realities or ignore them at your peril. Assessing, understanding, and mapping trade compliance risks organizationally is a business leadership imperative, not a compliance manager driven effort, or at least not for now in most organizations. Effective trade compliance risk reduction requires the leadership of all. Leaders drive the maturity of the organization to understand, manage, mitigate, and reduce trade compliance risks.
In the TCRM Maturity Model (Levels 1-5), we see the growth of business trade compliance risk unfold with the evolution of the company, demand expands opportunities, organizational complexity limits visibility, attracts illicit actors, compliance requirements intensify, and areas of potential vulnerability magnify. The typical TRCM risk chain starts with Business Development—>Sales—>Compliance—>Licensing delays—>Results in aging accounts receivable, aging inventory, and unrecognized revenue...missed quarterly and annual numbers. Organizational risk is correlated with business growth, which increases the number of people, frequency, and markets involved. The demands on internal policies, procedures, technologies, regulatory changes, geo-political changes, organizational behavior, and many other specific factors influence trade compliance risk. Leaders must drive organizational maturity in order to manage and reduce trade compliance risks. Risk governance must also demand transparency, drive the priority, and ensure accountability from top to bottom.
In 2017, globalization increases economic competitive pressures from slow growth and escalating national security interests require the need to aggressively manage business ecosystem trade compliance risk by asserting greater cross-organizational authority in support of risk reducing measures. We believe Boards of Directors and Executive leaders who embrace the Level 6 Maturity Model will drive TCRM objectives, improving trade compliance risk reducing outcomes.
As the “Defense in Depth” strategy adapted from U.S. military doctrine, so do we adopt and adapt “Unity of Effort” as an appropriate concept to describe the actions required across the C-suite to reduce trade compliance risk. A common broad based definition: “Unity of effort is the state of harmonizing efforts among multiple organizations working towards a similar objective. This prevents organizations from working cross-purposes, such as “sales vs. compliance”. Multiple business organizations across a large company can achieve unity of effort through shared common objectives.” Unity of effort is the empowering core of enhanced risk governance and an effective principle of an effective trade compliance risk management strategy. Unity of effort is also the catalyst for enduring trade compliance risk reduction. Unity of effort acts as the cohesive glue that holds organizations together in crisis, and resilient during growth. It is entirely leadership driven, and can strengthen a compliance culture across processes, procedures, technology choices, and other internal and external dependencies.
The Five Elements of Trade Compliance Risk Management
As unity of effort plays an essential role within companies to reduce trade compliance risk, so must leaders develop a robust tool-kit to support TCRM strategies.
Unique to the trade compliance industry there is no government-approved training standard. A lack of training standardization is wrought with inconsistent levels of experience and obscured risk when empowered officials need to make strategic decisions. In absence of knowledge, expertise, and the confidence to lead, risk aversion permeates compliance organizations, and grinds many companies to a halt. Onerous or ineffective compliance managers often become the adversary of business progress. Critical sales linger in aging accounts receivable and parts and technologies sit on shelves on indefinite hold wait, and waiting for critical tasks to be approved by regulatory bodies. Sales goals bare the weight of indecision, needless redundancy, critical licensing and procedural mistakes. Critical procedures are circumvented or ignored. Poor performance, onerous processes, and a lack of expertise are hidden behind a compliance veil of tightly controlled knowledge like black magic. Frustrated leaders begin gambling with risk in order to make their numbers until their luck runs out. Compliance is left to reactively “clean up the mess” of violations. Standardized training is essential to baseline trade compliance risk and implement an effective TCRM program. Boards and C-suite leaders need the internal perspectives of compliance experts who are trained and capable of seeing the risk and challenges at three critical levels: organizationally, functionally, and technically. The goal of an effective TCRM training program is to field a compliance team that understands the corporate mission, compliance requirements, and ready to provide the insight and capabilities to fluidly integrate both them for the strategic decision-makers, through the operational challenges, and down to the technical regulatory requirements.
As industry driven certifications like, Certified Information Security Systems Professional (CISSP) have become “de facto” standards through high quality standards, so can leaders significantly impact trade compliance through Trade Compliance Risk Management professional and organizational certification. High quality curriculum, progressive training, and certification testing dramatically transforms an unimpressive “check the box” professional development class through a rigorous curriculum taught by subject matter experts based on tested and verified knowledge standards. Certification is designed to clearly demonstrate the knowledge and skill level of compliance professionals who are prepared to support TCRM programs, meet regulatory requirements, and reduce organizational risks.
Trade compliance risk management requires risk awareness. Organizations have the data that reveals their risk. They just have to know where to look and implement the means to present their trade compliance risk in a meaningful dashboard that allows leaders to monitor, assess, and make good decisions. Automation in trade compliance requires the integration of people, process, and tools to leverage knowledge against widening gaps in compliance, regulatory requirements, and critical timelines. Automation in trade compliance should be mandated by corporate policy in order to reduce cradle to grave risks across all business transactions.
Trade compliance software and tools are critical to reducing risks by:
- Identifying product trade jurisdiction classifications
- Screening potential customers and visitor to the facility
- Centralizing compliance record keeping and capturing data from external systems
- Applying for license applications and managing approvals
- Handling requests for client reviews and TCRM incident response
- Supporting crucial audit requirements
- Metrics that drive actions across all TCRM stake holders across the organization
- Metrics that drive transparency beyond compliance managers to senior leaders
Training is absolutely essential to proper implementation. Users should know and understand how to use the full features of the software. Risk governance leaders should drive full implementation of trade compliance software tools, alignment of company policies, and procedures to remove legacy spreadsheets, data hoarders, and disparate data tools that do not meet TCRM risk reduction goals and objectives. Failure to take this critical step is a critical weakness in many large organization’s efforts to reduce trade compliance risk.
As Steve Jobs once said, “The first rule for any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” Trade compliance risk is no exception and disparate software tools present the highest risk to hidden and widening risks.
Coherently integrated experience, services, and technologies offers remarkable value to companies seeking to reduce trade compliance risks. Once assembled and proven, an industry approach is scalable. Boards and Executive leaders also need the outside assistance and perspectives of quality consulting organizations who can see the TCRM challenges organizationally, functionally, and technically.
Mapping consulting capabilities to a trade compliance risk reduction framework whose purpose is to mature the organization, bridges capabilities and risk reduction objectives. Connecting consulting capabilities to risk reducing outcomes provides the roadmap for the Board and key leaders see dollars committed to TCRM as a risk reducing investment. Corporate leaders with authority and TCRM consultants working together to leverage findings from root cause analysis to drive risk reducing outcomes across the organization and better results will outperform legacy “passive recommendations” made by typical consultants.
Boards and corporate leaders need to embrace those consulting firms whose reputation is tied to results, not just beautifully bound and printed documents. Comprehensive trade compliance risk assessments combined with root cause analysis should also reveal managerial and systemic trade compliance vulnerabilities hidden from current approaches. Consulting success must be tied to reducing organizational-wide trade compliance risks: Assess, Understand, Prioritize, Enable. What are the keys to the kingdom at risk and other vulnerable business essential components? How are they vulnerable? What are the critical elements to comprehensively reducing their trade compliance risk?
Corporate leaders and their Boards need help to understand, manage, and reduce their organizational trade compliance risk. They do not want a hodge-podge collection of incoherent approaches, unfulfilled expectations, and canned consultant reports. This non-solution plagues the industry now. Boards want a trade compliance risk-reducing OUTCOME… a sustainable TCRM program with feasible risk transfer options, and an acceptable level of residual risk.
This new approach towards reducing trade compliance risks integrates the five sides of the trade compliance risk management program into a bundled turn-key solution. In a global market place, at-risk companies must engage the strategic risks of trade compliance with a comprehensive approach. The U.S. trade compliance industry must be prepared to provide standardized and effective risk reducing solutions.
So what do we do now? We lead.