Where’s Your Sanctions Risk Assessment?
(No Seriously, it’s Required!)

Let’s pull out your sanctions-specific risk assessment, shall we?

Wait, you don’t have one?

Ah, don’t worry, there are lots of folks in that boat.

Many companies don’t have a sanctions-specific risk assessment. But you don’t want to be in that boat because it exposes your company to enormous risk.

Don’t believe me?

OFAC has been verrrrrrry clear on this point. You need a sanctions-specific risk assessment to get mitigating credit with them and you need it now.

ERM may be All the Rage, But the Regulators Don’t Care


Many companies are choosing an integrated risk approach or enterprise risk management (ERM) approach.

Some are hiring Chief Risk Officers to aggregate data.

And that can be a good thing. Holistic pictures are important.

However, too many companies rely on enterprise risk assessments to cover their compliance, bribery, and sanctions-related risk. That creates danger not only in terms of regulatory exposure – it also damages (or eliminates) the compliance team’s capacity to allocate its limited resources where they will reduce risk most effectively and efficiently.

OFAC Warned Us


In 2019, OFAC came out with its equivalent of the DOJ’s Evaluation of Corporate Compliance Programs. The document is called A Framework for Compliance Commitments.

It is meant to enumerate what a good sanctions compliance program looks like. A good “SCP,” as they call it throughout, can significantly reduce civil monetary penalties imposed for violators of sanctions law.

In the Framework, OFAC enumerates five elements of an effective sanctions compliance program. They’re noticeably similar to the seven elements of an effective compliance program as laid out in the U.S. Federal Sentencing Guidelines.

They are (1) management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing, and (5) training.

Imagine OFAC comes to your door and for a risk assessment, you show them a single line in the ERM risk register.

I doubt they’ll be impressed.

Or give your company much credit for its sanctions compliance program, considering it is, at best, 80% complete.

Specific Language


It may be tempting to think that sanctions can be considered in a broader risk assessment, but that’s not good enough for credit.

The Framework states that ongoing risk assessment needs to be done “for the purposes of identifying potential OFAC issues…” Later, the Framework states that testing and auditing should reflect “a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls.”

This commitment to an OFAC-related risk assessment continues in enforcement actions and settlement agreements.

One recent enforcement action that is specifically called out in OFAC’s list of Selected Settlement Agreements imposes OFAC-related risk assessments as a condition of the settlement.

From AL Middle East, “Respondent represents that it conducts and will continue to conduct an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for potential risks.”

Help is on the Way


OFAC helpfully gave strong guidance in the Framework about where to focus and what should be considered.

First, the bad news. The list of types of transactions to consider is fairly lengthy.

It includes:

  • Clients and customers
  • Products
  • Services
  • Supply Chain
  • Intermediaries
  • Counterparties
  • Transactions
  • Geographic Locations


The good news is that OFAC qualifies this list by saying that the company can pick and choose which entities to review “depending on the nature of the organization.”

OFAC recognizes the power of leveraging information that is already being gathered by the business.

It lists two specific times when the organization should focus on risk: onboarding, and mergers and acquisitions.

OFAC recommends that information from other procedures, like the Know Your Customer information-gathering exercise, be used to inform a party-specific risk assessment that will result in assigning a proper level of due diligence.

This should be a part of the onboarding process.



OFAC specifically says that “Compliance functions should be integrated into the merger, acquisition, and integration process.” Merger and acquisition targets represent large risks, as they may create successor liability, meaning the bad acts of the past will haunt the acquiring or merged company in the future if OFAC finds out about pre-M&A violations.

Special care should be taken at this time.

Other Requirements


OFAC notes that you’ll need a methodology to “identify, analyze, and address the particular risks” the assessment identifies.

Also, the risk assessment needs to be revisited and updated regularly. Critically, if failures are found in the course of business, or during testing or auditing, the risk assessment needs to be revised to reflect the root cause of those failures.

You Can Do This!


It may seem daunting to put together a risk assessment specific to one set of regulations.

But it’s totally doable.

Think about the business activities that expose your company to the risk of violating sanctions laws, then catalog the mitigation/controls currently in place.

Identify the biggest areas of risk with the fewest controls. Write it all down and voilà!

You’ve done it – or at least begun the exercise, which is half the battle.

P.S. We've got news...

We have a HUGE announcement coming on September 8th about compliance-related risk assessment software… that is going to be amazing!

I can’t wait to show it to you.

Send me an email if you want to be the first to see it.

Kristy Grant-Hart

CEO of Spark Compliance Consulting

Kristy Grant-Hart is the founder and CEO of Spark Compliance.

She’s a renowned expert at transforming compliance departments into in-demand business assets.