At many companies, export compliance is a part-time job. But it can grow out of control quickly if it’s not managed under the structure of an export compliance program.

The purpose of an export compliance program is twofold:

  1. To create a repeatable process to manage export control procedures, identify loose ends, and ensure that applicable regulatory requirements are being met every time and for every item shipped.
  2. To demonstrate the exporter’s commitment to export compliance and, potentially, to mitigate penalties in the event of a violation – particularly one revealed through operation of the program itself.

There is no regulatory requirement to maintain an export compliance program. What the regulations say is it’s your own responsibility to comply with the rules; how to do so is left largely up to you.

If you’re exporting at any level of scale, particularly involving more sensitive items or destinations, you’re unlikely to be successful at compliance for very long without an effective export compliance program.

Where to Start

There are some key resources for embarking on an export compliance program:

  1. BIS Guidelines: For items subject to the EAR – which is the vast majority of U.S. exports – the Bureau of Industry and Security (BIS) provides guidelines for an effective compliance program.
  2. DDTC Guidelines: For exports subject to the ITAR, the Directorate of Defense Trade Controls (DDTC) provides its own set of guidelines.
  3. Nunn-Wolfowitz Task Force Report: In 1999, Hughes Electronics Corp. (then owned by General Motors and now part of The DIRECTV Group) commissioned a task force to report on best practices “for complying with the letter and spirit of U.S. export control laws and regulations.”

At the time, Hughes and Boeing Co. were being investigated for violations related to launching communications satellites on Chinese rockets. DIRECTV was eventually fined $5 million, while Boeing paid $32 million for a finding it had illegally transferred sensitive U.S. space technology to China, the Washington Post reported.

While the task force report is now more than 20 years old, it remains a fundamental roadmap for corporate export compliance programs.

Anyone working to build or improve an export compliance program is well advised to start with these resources as they apply to your company.

In addition, organizations with a mature export compliance competency often look at enforcement actions for insights about what kind of export violations the government is prioritizing for investigation.

And, of course, the Export Compliance Training Institute has a curriculum of live seminars and on-demand training courses to make sense of these resources and help you build a program that’s customized to the particular needs and nuances of your company.

See related article: Overseeing Your Organization’s Export Compliance Program – Where to Begin?

Components of an Export Compliance Program

The BIS guidelines establish eight elements of an effective program:

  1. Management commitment
  2. Risk assessment
  3. Export authorization
  4. Recordkeeping
  5. Training
  6. Audits
  7. Handling export violations and taking corrective actions
  8. Building and maintaining an export compliance manual

Management commitment

In an investigation, regulators will look for evidence of genuine commitment through tangible and ongoing activity, such as:

  • Assigning enough people to do the necessary work
  • Funding ongoing training
  • Making necessary improvements in IT systems
  • Budgeting for outside consulting and legal expertise
  • Regular activities among senior management to coordinate, review and take accountability for issues related to export compliance

Risk assessment

The purpose of risk assessment is to determine how likely a company is to run afoul of export regulations. It depends on:

  • The type of goods, services and technologies a company exports
  • Export destinations
  • How the items are ultimately used – and by whom
  • The level of the company’s existing export compliance competency

For example, a company that sells over-the-counter medicine to Canada and Mexico will have a different level of risk than a company selling advanced machine tools around the world.

Some organizations are able to conduct a risk assessment internally, but those that are just starting out and those that deal in sensitive industries often engage outside expertise to help assess risk.

Export authorization

This component of an export compliance program is the day-to-day work of classifying items for export and obtaining licenses, or using license exceptions/exemptions as needed, and itself is the subject of entire training programs such as those offered by ECTI.


While a compliance program itself is not obligatory under the ITAR or EAR, recordkeeping is mandated. In addition, if you’re exporting under licenses, a compliance program should include a process for managing those licenses – knowing when they expire, volume limits and other restrictions and requirements specific to an individual export license.

It can also mean marking products and documents to flag them as potentially sensitive. Limiting the flow of information that’s subject to export control can be difficult if people don’t know what is and isn’t controlled. Documents can be identified with alerts on the documents themselves, and notes for products can be attached to their internal files in the company ERP system, if one is used.

Training and education

Who needs training and what kind of training do they need?

Visualize a pyramid.

At the top is a small number of subject matter experts, such as a compliance expert in the legal department, manager of the export compliance program and members of the team who work in export compliance on a daily or routine basis. Training is deep and broad for knowledgeable decision-making around routine issues and an ability to address exceptions as they arise.

In the middle is a larger number of people who don’t work directly in export compliance, but who come in contact with export-related issues. Training is deep and narrow, providing detailed knowledge as it relates to a specific discipline. For instance, are customer support staff able to identify and handle documents that contain sensitive information that might be subject to export controls? Do sales reps know when it is and isn’t OK to provide technical specifications to prospects in other parts of the world?

At the bottom, the largest number of people need general awareness of the compliance issues involved in the products, technologies and services the company exports. Training is shallow and wide to assure that employees recognize a potentially sensitive issue and know how to escalate it.

It may also be necessary to educate customers so they’re aware of the export issues involved with the products they buy and use.

Export compliance manual

A manual is an important part of an export compliance program, but it’s not a program unto itself. It should contain written procedures and define areas of responsibility for the circumstances that may arise in day-to-day compliance work.

Long manuals in big binders that rarely get pulled off the shelf aren’t very helpful at directing routine processes or at reducing risk. An effective manual is specific to the way a company operates, and is concise enough to be a regular reference to those who need it.

Contact the Export Compliance Training Institute
Do you have questions about developing or improving your export compliance program? Visit to learn about our company, our faculty, our staff and our esteemed Export Compliance Professional (ECoP®) certification program. To find upcoming e-seminarslive seminars and live webinars and browse our catalog of 80-plus on-demand webinarsvisit our ECTI Academy. You can also call the Export Compliance Training Institute at 540-433-3977 for more information.

Scott Gearity is President of ECTI, Inc.

New call-to-action