5 Steps to managing sanctions risk in a rapidly changing geopolitical landscape
Geopolitical tensions such as at the Russian-Ukrainian border have thrown sanctions risk management challenges into the spotlight in recent months. Foreign policy responses to crises of this kind usually involve a fresh package of sanctions requirements. Sanctions risk management is going to become ever more complicated, as the world takes a step back from political globalisation, and the fines for breaches of sanctions rules are not getting any smaller. As the difficulty in maintaining compliance is set to increase, the cost of getting sanctions risk management wrong is too high not to take practical action now.
When designing a fit for purpose sanctions risk management framework, the best starting point is the guidance published in the Office of Foreign Assets Control (OFAC) Whitepaper – “A framework for OFAC compliance commitments”. While this document provides important and necessary direction for a risk-based program, there are some crucial actions you must take to ensure that compliance is maintained in a changing geopolitical landscape.
We set out below what we believe are the five most important practical steps to take to ensure that your sanctions risk management framework is robust and remains that way in a changing sanctions landscape.
Jurisdictional requirements map – where in the world do you do business?
The first step on the journey to sanctions compliance is understanding which sanctions regimes apply to your business (and where). To determine this, legal guidance may be beneficial to understand the specific regulatory requirements. However, to assist any conversations with your legal counsel it is important to have a full and clear picture of where in the world you do business, where your suppliers are, and any other relevant information which could create a sanctions obligation.
Each sanctions regime can be slightly different, and this means that there can be multiple requirements for each jurisdiction in which you operate. This can generate confusion in the business as the compliance demands originate from multiple sources.
The solution to this problem is a clear jurisdictional requirements map which sets out the requirements for each relevant territory. For each jurisdiction, there has to be clarity on what rules apply, and what the source of these rules are. This map can also be broader than just sanctions requirements. You may also want to consider other relevant risks posed by your business profile so that legal and other reputational risks can be addressed using this territory specific lens.
Business requirements map – where does your business touch the outside world?
The next step is to translate the regulatory requirements for each jurisdiction into business requirements. The OFAC whitepaper recommends that every business should conduct a “holistic review of the organisation from top-to-bottom and assess its touchpoints to the outside world. This process allows the organisation to identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions.”
This is the most challenging step as it requires you to identify everywhere your business interacts with its external environment (which is not always obvious). This process will inform your risk assessment, and eventually your control design so it is crucial that you get it right. The key benefit of completing this exercise is that it ensures that there are no gaps in your risk management framework.
The approach we recommend is to structure the business mapping by business unit, teams, products, and processes so that nothing gets missed. This can then be combined with the jurisdiction mapping exercise so that you have a complete set of business requirements for each relevant territory, as well as being able to identify where in the first line of defence your controls need to sit.
Risk and control matrix – how do you go from requirement to control?
Once you have a clear picture of your requirements, the next step is to assess where your risks are. Given that you will now have mapped the applicable requirements and your touchpoints with the outside world, identifying where your risks lie should become a methodical exercise. A risk and control matrix is a key tool on the journey from requirement to control.
This will inform the control design which ensures you are compliant. Wherever there is a risk of breaching a sanctions regime, a robust control must be implemented to mitigate that risk. Furthermore, a risk and control matrix is an excellent way of evidencing that a true risk-based methodology has been used as your control design directly relates to the risk it is trying to mitigate.
In our view, the sanctions risk management framework is best supported by a three lines of defence model, and it is important to keep this in mind when designing controls and identifying where in your organisation they should sit.
Stakeholder map – how do you remain compliant in a changing landscape?
The above practical steps will help ensure that you are compliant. The next challenge is remaining compliant. If a new territory becomes sanctioned overnight (which is an ever-increasing risk in the current political climate), you will need to act fast.
Fundamental to this, is having a transparent view of who is accountable and responsible for all relevant controls and blocks and knowing who has the capability to amend these as and when required. Stakeholder mapping is essential to knowing who you need to get in the room to react to changing requirements.
RACI (Responsible Accountable Consulted Informed) matrices provide clear visibility over sanctions risk management roles and responsibilities. This makes sure that everyone who needs to respond to a changing landscape knows what their job is and knows who to contact. This will help you create a sanctions playbook so that when the rules change, you have a process to ensure that you react effectively and quickly.
This activity should also be embedded as part of your new product approval process, as a change in your business profile may require new controls or amendments to existing ones.
Key performance and risk indicators (KPI and KRIs) – how do you know you are compliant?
Finally, it is important to consider how you can obtain oversight of your sanctions risk management framework (and be able to attest to its ongoing performance). There are no excuses for not having a good data driven approach and sensible KPI/KRI design provides the necessary structure to monitoring.
One further point for consideration is that you may want to add some thresholds to your KRIs. Thresholds are a way of taking a data driven approach to knowing at what point remedial or pre-emptive action is required. They can be a good early warning system to help you identify if you are going to be exposed to more risk than you have appetite for.
These five practical steps all require careful consideration and there are no shortcuts to creating a robust and proportionate sanctions risk management framework. It is therefore vital you choose a trusted partner and advisor, who can manage the day-to-day challenges and allow you to focus on the key decisions and overall accountabilities. Our team of experts are here to help you optimise your sanctions risk management in an integrated and cost-efficient manner.