12 steps to an effective compliance program
- Obtain board-level commitment. Before any compliance program can be successful, buy-in from the board of directors and senior-level staff must be secured. The U.S. Government Sentencing Guidelines state that corporate officers and board members must be knowledgeable about the content of their compliance program, exercise reasonable oversight and give compliance officers direct access to the board. Increasingly around the world, we see governments imposing a standard of care on the board and/or senior management. Senior officers risk personal liability should your compliance program fail.
- Assess processes. Hire outside trade experts to perform a compliance gap analysis on your current compliance processes. Then fill the gaps: What gates and stops have been and can be established? How are compliance records stored and located?
- Embargoed countries. Your company is not allowed to trade with certain countries. Make sure that you have established a list of embargoed countries and created effective stop measures that ensure items are not shipped to those countries directly or indirectly.
- Electronically screen names and addresses in your master customer/partner files against the various government blacklists. With more than 40 international restricted party lists in existence, it is important to work with a firm that organizes these ever-changing lists into a central database that is monitored and updated daily.
- Establish an ongoing name and address screening process. Just because you have screened a customer once does not mean your name screening is done forever. Governments constantly add and delete names from the various restricted lists. In 2004 more than 14,000 updates were made to the restricted party lists, and more than 162,000 updates have been made since September 11, 2001. It is vital that you remain current with list updates and modifications.
- Perform end-use and diversion risk screening. Take steps beyond mere name screening by collecting end-use information from customers and other parties in the supply chain that work with you. Be certain that your product is being purchased for its intended use. In addition to end-use screening, perform diversion risk screening. Collect information about the nature of your customer's business to determine whether your product or service is consistent with the business of your customer. Make sure that your customer is not diverting your product to another party.
- Obtain jurisdiction and classification information from each supplier. Perform jurisdiction and classification when that information is not easily obtained from a reliable supplier with a good reputation for compliance.
- Perform license determination. Develop a license determination process for list-based license requirements and perform license determination prior to each export and each re-export.
- Write and implement processes and procedures that are part of each business function. Compliance must be a key concern across the company. Processes should be in place for IT, R&D, engineering, manufacturing, sales, order entry, fulfillment, shipping, comptroller, legal, the board of directors and compliance to ensure that the proper measures are taken to control the export and re-export of goods, technology and software.
- Train, train, train. Do not develop processes and procedures only to file them away in a cabinet. Procure training for the whole company, with different levels of training based upon each job function. Train on your processes and on the ever-changing substantive rules. Train your staff until they understand how an effective compliance program can make or break a company, and then train them again.
- Follow ISO 9000 and Sarbanes-Oxley standards as well as the export control best practices recommended in the Nunn-Wolfowitz report.
- Perform audits every year. Make sure that your compliance engine is running smoothly by performing annual audits. Alternate by performing an internal audit one year and an external audit the next. It is better to be safe than sorry, and every process breaks down over time unless it is audited.