U.S. export controls regulations encompass the transfer of tangible items, software, and technical data, outside and within the country. The handling of export controlled commodities is not limited to commercially available items. Developmental products still in the R&D phase that are transferred for testing purposes and no-charge customer samples face the same requirements as commercial products. The in-country transfer of export controlled technology is rooted in the “deemed export rule” where the recipient’s citizenship is a key factor in determining government license requirements. This applies to employees within the same company. Given the complexity of the export controls regulations, a wide range of functions must work together to ensure compliance.
Many potential compliance gaps can be identified via a systematic risk assessment. Risk assessments are meaningful and truly add value when the organization as a whole is held accountable for actually closing out the identified risks. Stakeholders for export controls compliance can
include the more obvious (e.g. engineering, manufacturing, and shipping departments) to the less obvious (e.g. human resources, finance, and IT). Many times the relevant departments have distinct reporting lines that do not intersect. Thus, for an export compliance officer who may report up through another separate team, it can be a daunting task to successfully execute an export controls risk assessment. Where does one begin?
This article touches on five guiding principles to keep in mind when designing and executing a risk assessment. It assumes that a clear, written scope of the risk assessment has been developed and senior leaders sponsoring the assessment are aligned with the objectives.
A thorough risk assessment requires a deep dive into week-to- week business operations. An in- depth analysis of a process cannot be done effectively without the participation of both key process owners and their senior leaders. The sustained involvement of all associated personnel “on the ground” often necessitates buy-in from the managers who are ultimately responsible for metrics associated with the processes. The process owners hold the tactical knowledge about each step – the inputs, outputs, associated IT systems, and potential sources of error. They understand the specific business process at-hand and its associated flow. Furthermore, the users of a given process also provide valuable input when it comes to risk mitigation efforts and process changes.
Informal one-on-one reach out with the stakeholders is a great way to begin driving awareness around export controls. Stakeholders are then more receptive when they are approached to support a risk assessment. More formal training, encompassing process changes, can be provided down the road.
What is your ability to detect an export controls compliance failure?
Utilize Data Analysis Tools
Before gathering any information about operational business processes, it’s best to have a systematic approach, tools, and/or templates lined up. One effective tool that is also used in Lean Six Sigma quality management can be utilized – a failure mode and effects analysis (FMEA).
In an FMEA, the export controls compliance risks are systematically quantified in a thorough manner. Two aspects are specified for each identified risk – the related business process and the failure mode. Then three factors are given a numerical rating: the degree of severity, the likelihood of occurrence, and the ability to detect the failure.
It’s critical to work from a pre- defined numerical scale when rating these three factors. A total riskscore for each failure mode is calculated by multiplying the individual ratings. A higher total score reflects a greater risk of non-compliance.
For example, in an organization’s new employee hiring process, an export controls compliance “failure mode” might be a new hire’s lack of authorization to access controlled technology that is critical to the job function, leading to a deemed export violation. The degree of severity is likely to be a high number (due to the violation aspect), the likelihood of occurrence will, perhaps, depend on the frequency by which non-U.S. persons are hired, and the detectability will depend on the frequency of internal audits or managerial oversight around deemed export compliance.
Who should complete an FMEA? Is it a solo activity that the export compliance officer takes on alone? Definitely not. A team approach should be taken where representatives from all the key relevant departments participate in both identifying the risks and assigning the values. It often helps to have a non-biased facilitator who can guide the discussions.
Document Gaps & Mitigation Plans
Findings can be captured in a variety of ways. The key is to follow a consistent approach across the full risk assessment. Utilize the one that fits best in your company or institution’s culture. The working file for an FMEA might be an effective document. Or perhaps the findings need to be pulled together into a more formal report for senior leadership. Either way, a comprehensive description of potential compliance gaps should be accompanied by the planned risk mitigation actions. Clear records that show due diligence and corrective action are important from the ￼perspective disclosures of voluntary self-disclosures and government enforcement.
Prioritize Risk Mitigation Actions
Most organizations don’t have the resources to tackle all the compliance gaps at one time. How are the top risks identified? The FMEA approach described above is inherently quantitative where the risks with the greatest total risk score should be tackled first.
However, there may be risks with lower total scores, but are easy to address. Consider closing out this “low hanging fruit” in the early stages of the mitigation efforts. These relatively simple changes can serve as moral boosters for the broader team and help keep stakeholders engaged in the overall compliance effort.
How do all involved parties “know” that the changes in business process actually had the intended effect? At a pre-determined future date, the team should regroup to assess and document the new scores. For example, in the previous example around a deemed export violation related to a new hire, has the likelihood of occurrence been reduced due to new systematic touch points between hiring managers and human resources? It’s important to give the new process sufficient time to operate in “pilot” mode where feedback is then gathered from process owners and impacted users.
Additional changes to the process may be identified during the pilot that will further reduce the risk of non-compliance, while supporting the required business output. The effects on business efficiency must be considered, too. For lasting change, the new process changes must support the business operations and growth.
How do you measure and document the reduction in risk?
For instance, did the new communication mechanisms between the hiring manager and human resources significantly delay the hiring process? If so, what can speed things up without compromising compliance?
Upon regrouping, the team can assign post-remediation values to the likelihood of occurrence or ability to detect the failure mode. In some cases, perhaps the regulations have changed and there’s a change in the degree of severity. The reduction in the total score for each risk can be calculated, providing a quantitative measurement of improvement.
These concepts can serve as a framework upon which to conduct an export controls risk assessment. With the right foundation, a comprehensive risk assessment can lead to a robust export controls compliance program that is effective, efficient, and supports business growth.
About the Author
Dr. Jennifer Saak is a consultant based in Philadelphia whose practice focuses on export controls services for technology and research organization in the public and private sector. To learn about Dr. Saak and her services visit www.Traliance.com. For more information on this subject, you may contact: Dr. Saak at info@Traliance.com or at 215.237.6612