Geopolitical tensions, such as those on the Russian-Ukrainian border, have highlighted sanctions-related risk management issues in recent months. Foreign policy responses to crises of this type usually bring a new set of sanctions requirements. Sanctions risk management will only become more complicated as the world steps back from political globalization, and the penalties for violating sanctions rules show no sign of diminishing. While the difficulty of maintaining compliance is set to increase, the cost of failing to manage sanctions risk is too high not to take practical action now.
When designing a fit-for-purpose sanctions risk management framework, the best starting point is the guidance published by the Office of Foreign Assets Control (OFAC) in its white paper “A Framework for OFAC Compliance Commitments”. While this document provides important and necessary guidance for a risk-based program, there are some critical steps you need to take to ensure that compliance is maintained in an evolving geopolitical landscape.
Below we outline what we believe are the five most important practical steps you can take to ensure that your sanctions risk management framework is strong and stays that way in an evolving sanctions landscape.
1. Map of jurisdictional requirements – where in the world do you do business?
The first step on the path to sanctions compliance is to understand which sanctions regimes apply to your business (and where). Legal advice may be helpful in determining the specific regulatory requirements. However, to make any conversation with your legal counsel productive, it is important to have a complete and clear picture of where in the world you do business, where your suppliers are located, and any other relevant information that could create an obligation under a sanctions regime.
Each sanctions regime may differ slightly, which means there may be a separate set of requirements for each jurisdiction in which you operate. This can cause confusion in the business, as compliance requirements come from multiple sources.
The solution to this problem is a clear map of jurisdictional requirements that defines the requirements for each territory concerned. For each jurisdiction, there must be clarity about the rules that apply and the source of those rules. This map can also be broader than sanctions requirements alone. You may also want to consider other relevant risks posed by your business profile so that legal, reputational and other risks can be addressed through the same territory-specific lens.
2. Business needs map – where does your business touch the outside world?
The next step is to translate each jurisdiction’s regulatory requirements into business requirements. OFAC’s white paper recommends that every company conduct a “holistic review of the organization from top to bottom and assess its points of contact with the outside world. This process allows the organization to identify potential areas in which it may, directly or indirectly, engage with persons, parties, countries or regions prohibited by OFAC.”
This is the most difficult step because it forces you to identify where your business interacts with its external environment, which is not always obvious. This process will inform your risk assessment, and eventually your control design, so it is crucial that you do it correctly. The main benefit of this exercise is that it ensures there are no gaps in your risk management framework.
Our recommended approach is to structure the activity mapping by business unit, team, product and process so that nothing is missed. This can then be combined with the jurisdiction mapping exercise so that you have a full set of business requirements for each territory involved, and can identify where in the first line of defense your checks should sit.
3. Risk and control matrix – how to move from requirement to control?
Once you have a clear idea of your requirements, the next step is to assess where your risks lie. Since you will now have mapped the applicable requirements and your points of contact with the outside world, identifying where your risks lie should become a methodical exercise. A risk and control matrix is the key tool for moving from requirement to control.
This will inform the design of the controls that keep you compliant. Wherever there is a risk of violating a sanctions regime, a strong control should be in place to mitigate that risk. Additionally, a risk and control matrix is a good way to demonstrate that a true risk-based methodology was used, because the design of each control is directly tied to the risk it is intended to mitigate.
In our view, a sanctions risk management framework is best supported by a three lines of defense model, and it is important to keep this in mind when designing controls and deciding where they need to sit in your organization.
4. Stakeholder map – how do you stay compliant in a changing landscape?
The practical steps above will help you ensure that you are compliant. The next challenge is remaining compliant. If a new territory is sanctioned overnight (an ever-increasing risk in today’s political climate), you will need to act quickly.
For this, it is essential to have a transparent view of who is responsible for each relevant check and block, and who has the ability to change them when needed. Stakeholder mapping is key to knowing who you need to bring into the room to respond to changing requirements.
Responsible, Accountable, Consulted, Informed (RACI) matrices provide clear visibility of roles and responsibilities for sanctions risk management. This ensures that everyone who needs to respond to a changing landscape knows what their job is and who to contact. It will also help you create a sanctions manual so that, when the rules change, you have a process that ensures you respond effectively and quickly.
This activity should also be incorporated as part of your new product approval process, as a change in your company profile may require new controls or modifications to existing ones.
5. Key performance and risk indicators (KPIs and KRIs) – how do you know you are compliant?
Finally, it is important to consider how you can gain oversight of your sanctions risk management framework (and be able to attest to its ongoing performance). There is no excuse for not having a good data-driven approach, and a sensible KPI/KRI design provides the necessary structure for tracking.
Another point to consider is that you can set thresholds on your KRIs. Thresholds are a data-driven way of knowing when corrective or preventive action is required. They can act as an early warning system, helping you determine whether you are about to be exposed to more risk than you are willing to accept.
These five practical steps all require careful consideration and there are no shortcuts to creating a robust and proportionate sanctions risk management framework.
It is therefore essential that you choose a trusted partner and advisor who can handle the day-to-day challenges of designing your sanctions risk management framework and allow you to focus on key decisions and overall responsibilities. At Be UK, our team of experts are here to help you optimize your sanctions risk management in an integrated and cost-effective way.