Sanctions risk assessment is important to every organization. Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC's regulations and damage an organization's reputation and business. OFAC recommends that organizations take a risk-based approach when designing or updating a sanctions compliance program (SCP).
One of the central tenets of this approach is for organizations to conduct a routine and, if appropriate, ongoing "risk assessment" to identify the potential OFAC issues they are likely to encounter. As described in detail below, the results of a risk assessment are integral in informing the SCP's policies, procedures, internal controls, and training so that those risks are mitigated.
Sanctions Risk Assessment
While there is no “one-size-fits-all” risk assessment, the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world. This process allows the organization to identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions.
The organization conducts, or will conduct, an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for the potential risks it faces. Depending on the nature of the organization, such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations. As appropriate, the risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies the organization identifies during the routine course of business.
For example, an organization’s SCP may conduct an assessment of the following:
- Customers, supply chain, intermediaries, and counter-parties.
- The products and services it offers including how and where such items fit into other financial or commercial products, services, networks, or systems.
- The geographic locations of the organization, as well as those of its customers, supply chain, intermediaries, and counter-parties.
Risk assessments and sanctions-related due diligence are also important during mergers and acquisitions, particularly in scenarios involving non-U.S. companies or corporations.
The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. The risk assessment is updated to account for the conduct and root causes of any apparent sanctions compliance violations the organization identifies in the course of business, for example through independent testing or audit.
While each sanctions risk assessment is unique, some general approaches to developing and executing one can and should be considered. Most importantly, to remain effective, the sanctions risk assessment (SRA) must be kept up to date. Assessing sanctions risk is a key regulatory expectation, but it is not a regulatory requirement. For this purpose, sanctions risk is the organization's direct or indirect exposure to embargoed jurisdictions or to persons and entities on sanctions lists.