You’ve just been assigned the job of managing your company’s export compliance program. Where should you begin?
If your organization’s program has been operating for some time, you’ll want to start by gaining a baseline understanding of how it functions. Areas to review include your company’s written export policies and procedures including systems and automation, employee work assignments and training, and past audits and assessments. Let’s look at a few of these components in greater detail.
Reviewing Policies and Procedures
Starting with a review of export control policies, procedures and work instructions enables you to quickly grasp the level of complexity for your organization. Documents that you should review include:
- All export compliance program documents including policies, procedures, manuals, work instructions, and licenses. These may be in hardcopy, softcopy, or incorporated into the workflow of systems.
- Export control jurisdiction and classification matrixes and tables, including documentation of controls which apply to different products, components, materials, software, and technologies. Typically, most of these documents will have been created internally, but there also may be some government determinations such as Bureau of Industry and Security (BIS) classifications or Directorate of Defense Trade Controls (DDTC) commodity jurisdictions.
- Copies of recent internal or external audits or assessments (if available).
Every organization that exports physical goods, technology, or software should have written export policies and procedures in place. Although it’s not a requirement, U.S. export regulators strongly recommend this important component. But to be effective, you need to ensure that the written policies and procedures are being followed in a consistent manner by all departments or business units.
As you review your organization’s current policies and procedures, ask the following questions:
- Are existing policies and procedures sufficient to address export risks? Policies and procedures can easily become outdated. Risks are a moving target because what an organization exports can change over time and export regulations may change. You may find that it’s time to update your company’s policies and procedures.
- Does your organization follow its own procedures and are employees consistent in adhering to them? For example, you may have risk-appropriate controls in place regarding exports to Russia. If the regulations change and you weren’t monitoring those changes, perhaps your organization didn’t adjust those processes to stay compliant. Or you may have current policies and procedures that address Russia and have been adapted to regulatory changes. However, if you have high turnover and new employees who aren’t trained sufficiently, chances are that the correct and sufficient procedures aren’t being followed.
Record-keeping is a critical element of a sound export compliance program. Regulators generally require that records be kept for a minimum of five years from the date of export, and some require even longer periods of time. Part of the assessment of your organization’s current program is to determine whether record-keeping is sufficient for meeting both internal policies and applicable government regulatory requirements. You’ll also need to understand how policies are being implemented and how records are being maintained. Sometimes companies depend on third-party intermediaries or agents such as freight forwarders or distribution vendors to keep records, but they may not understand your expectations or have good procedures in place. You will need to investigate and see if improvements are required.
Remediating and Reporting Problems
Another important component of an effective export compliance program is having procedures in place to remediate or report a problem or violation. U.S. regulatory agencies such as BIS recommend this as a core element of an effective compliance program.
Your organization should have a policy in place that outlines the process for internal disclosure of violations or suspected violations. The policy should encourage employees to alert the compliance manager or general counsel if they think there’s a problem. The policy also should clearly state that employees are encouraged to make this kind of notification and that they will face no retaliation for doing so.
Your policies should include a clear process for taking actions once you have been notified of an incident. If there really is a problem and perhaps a violation, you’ll need to take corrective action to prevent it from occurring again. You’ll want to put a temporary hold or fix on the issue to prevent repetition. You’ll also need to investigate what occurred, get to the root cause, and find ways to resolve the issue. You’ll need to determine if the incident requires voluntary disclosure to a regulatory agency (which is encouraged). Regardless of whether you disclose the incident or not, you’ll want to ensure that you’ve fixed the underlying problem.
Assessing Work Assignments and Training
Talking to your new colleagues, direct reports, and peers who have export control responsibilities will give you insight into what is going well with the export compliance program, as well as spotlight those areas that need improvement or present risks. These conversations will help you form an accurate picture of your program’s current state.
A new compliance program professional will want to review the type of training that is currently being provided to employees in critical roles. You’ll also want to see what funds are budgeted for ongoing training. The human resources department often controls the budget and approval process for training programs, so that’s the best place to start. Some business units also may have separate budgets and programs for training if none are offered centrally.
Many companies have in-house training programs or subscribe to e-learning systems and training modules that focus specifically on export control compliance. These learning sources provide baseline awareness training and some may offer specialized training as well. You can determine which roles within your organization require advanced training and work with human resources to ensure subject matter experts get the specialized training they require.
Screening Employees and Business Partners
Employees, contractors, and business partners such as overseas vendors, customers, channel partners, and freight forwarders should be screened against the various regulatory agencies’ restricted parties lists. Some companies also screen employees and contractors against these lists to prevent any issues if they transfer any technology or conduct any financial transactions with them. Business partners and counter-parties are equally important for baseline screening, especially as there are more government lists now and the number of entities on those lists has increased.
Should You Conduct an Audit?
You may wish to conduct an audit of your organization’s current export compliance program to assess its effectiveness, especially if the program hasn’t been evaluated for some time. An audit, conducted internally by you and your team, or externally by a consultant or law firm, can help you identify the areas of export risk throughout your company. These areas may include sending items to customers outside the U.S., downloading software, having foreign national employees who have access to technology, and other areas of business that are regulated.
An audit enables you to look at what your company is doing that may require export controls across the entire organization. It helps you determine the relative level of risk for each of these areas, which can vary quite a bit across organizations and from company to company. An audit also helps you prioritize activities and procedures to implement controls and reduce risks.
If an audit has not been performed recently, you may wish to engage a law firm or consultant to do the assessment. This is especially helpful if there are many unknowns, if the program hasn’t been managed or maintained, or if the organization has had some recent problems or violations that haven’t been fully remediated. An external audit can help you accurately assess and take steps to correct any issues or gaps, as well as decide where to focus scarce resources.
Obtaining Management Support to Make Program Changes
Management support for export control compliance is essential to a well-run program. It’s hard to make any needed changes without the support and commitment of senior management. If you don’t have executive support, it will be hard to make substantial improvements to your export compliance program.
It is good business practice to assess how much management support there is and whether it is robust and substantive. If you find that management support is not strong for your program, then you will want to work with senior leaders to educate them about export compliance, the potential risks the company may be facing, and how you can strengthen the program and mitigate risks. Obtaining management buy-in will ease the way for making changes, implementing improvements, or adding procedures that you deem necessary.
Where to Go for More Training and Information
Many people who are new in export control compliance come to the role with little or no actual background in the area. They need more in-depth training on what the export rules are and how to implement an effective export compliance program. That’s where ECTI can help – our training programs are geared to compliance practitioners, subject matter experts, and those with specific oversight or management responsibilities. We provide the advanced training on particular topics that are relevant to your role. ECTI seminars give you a solid grounding in the entire scope of the export rules and how they can impact your organization’s export operations.
ECTI covers export compliance in all of our live seminars and many of our on-demand e-seminars. We can help you easily stay current with the ever-changing landscape of export regulations.
Visit www.learnexportcompliance.com to learn about ECTI, our faculty, our staff and our esteemed Export Compliance Professional (ECoP®) certification program. To find upcoming e-seminars, live seminars and live webinars and browse our catalog of 80-plus on-demand webinars, visit our ECTI Academy. You can also call the Export Compliance Training Institute at 540-433-3977 for more information.
Scott Gearity is President of ECTI, Inc.