In this article, you will learn about the second element of an effective sanctions compliance program: The Sanctions Risk Assessment (SRA).
One purpose of a risk assessment is to examine the various sanctions regimes that may apply to the business a client is involved in. Sanctions programs are broad in reach yet can be very specific in their requirements, and they apply to different industries very differently, which is what makes the risk assessment so important.
In any compliance regime, the starting point is a risk assessment. That is no different, and certainly no surprise, in OFAC's compliance Framework. OFAC itself “recommends that organizations conduct a routine and ongoing risk assessment to inform its compliance program policies, procedures, internal controls, and training.” In this respect, OFAC explained that such a risk assessment should consist of a “holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.”
Key components of SRA
A Sanctions Risk Assessment (SRA) has four key components:
- Scope and methodology
- Data acquisition
- Data analysis and risk determination
- Results sharing and stakeholder communication
Difference between general and sanctions compliance risk assessment
As you would probably expect, a sanctions compliance risk assessment has a slightly different focus on risk than a general compliance risk assessment. In a general compliance risk assessment, you would usually assess the following elements of an organization: customers, supply chain, intermediaries, and counterparties; the products and services the organization offers; the geographic locations of the organization, as well as of its customers, supply chain, intermediaries, and counterparties; and potential mergers and acquisitions.
Sanctions compliance risk assessment considerations
Now let’s make the switch to the sanctions compliance risk assessment.
First of all, you need to consider not so much how you do business but with whom you do business. This is a slightly different focus on risk than under the risk assessments of other compliance areas. For example, in a bribery and corruption risk assessment, you would be more focused on the use of third-party agents, distributors, or others to sell to foreign officials or state-owned enterprises.
Secondly, you need to take a much more holistic view of your products and services. This means assessing what you sell, where you sell it, and how you sell it. It is a more demanding way to assess risk, but it is also one that ties far more directly to business impact.
Thirdly, you should consider your “customers, supply chain, intermediaries and counterparties,” but this time from the perspective of their home domicile or of where they are providing goods or services to you. In this era of increasing transparency around extractive and other minerals, knowing where the inputs to your products and services originate has moved from a nice piece of information to a mandatory inquiry.
Finally, you should risk assess all merger and acquisition candidates, not only from the ethics and compliance perspective but also from the trade sanctions perspective. Not every company your organization might wish to acquire will have implemented proper sanctions compliance or export controls, so you will need to be prepared to remediate as quickly as possible.
The next consideration for a sanctions risk assessment is to determine a manner and a frequency that adequately account for the potential risks. You should update your risk assessment to account for the root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business. In addition to the M&A component, there should be a similar exercise for third parties, for example through a Know Your Customer (KYC) or Customer Due Diligence (CDD) process.
This means you should develop a protocol for the risk rating of customers, vendors, or other relationships, based on the due diligence process and on independent research conducted by the organization at the initiation of the relationship. This information will then guide the timing and scope of future due diligence efforts.
Developing methodology for identifying risks
Last but not least, each organization should develop a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment should be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business. This can be done, for example, through a testing or audit function. In other words, you cannot stand still. Just as your business is ever-evolving, your risk assessment should evolve to meet business opportunities and challenges.
When carrying out a sanctions risk assessment, you should also consider the likelihood that a client or counterparty appears on a sanctions list. The methodology must therefore not only identify and analyze particular risks but also give the organization the ability to address the risks it identifies.