The importance of an SCP
Your sanctions compliance program (SCP) should be a comprehensive set of policies and controls tailored to your organization’s risks and means of operation. The aim of an SCP is constant improvement to avoid and safeguard against costly sanctions violations in an ever-changing environment. The lack of an SCP is a risk and is often a root cause of sanctions violations, as many breaches are committed due to simple misunderstanding of sanctions regulations and how the organization ensures compliance. The first step in achieving an SCP is to set the “tone from the top”, and in this first post we will guide you through what management commitment means in practice.
The most frequent questions we receive on management commitment:
- What is management commitment?
- How do we demonstrate management commitment?
- How much is enough?
What is management commitment and how do we show it?
Management Commitment means that senior management ensures the organization’s compliance with applicable sanctions programs by promoting a “culture of compliance” within the organization. This means that senior managers ensure that employees are aware of their responsibilities, inspire them to be compliant, and allocate adequate resources to enable the organization to be compliant.
Management Commitment means that senior managers sign their name to guarantee the company’s approach to sanctions through a risk tolerance approach that is clearly defined, explained, and understood by all employees. It means that senior management lead by example by “rolling up their sleeves” to ensure compliance, and not by simply outsourcing the role and responsibility for compliance to the units and personnel with compliance in their title.
Management Commitment means that all personnel should be aware of the consequences and seriousness of violating sanctions. Personnel, senior management in particular, need to be informed that authorities can hold them accountable for violations, possibly including jail time. Locally in the Nordics, the Dan Bunkering verdict is a case in point, showcasing that management all the way up to the CEO has personal liability and responsibility for the sanctions compliance of an organization and its employees because leaders “set the tone” of the organization.
How to ensure management commitment?
“How much is enough management commitment?” you may ask, and while there is no set benchmark for how much is enough, that does not mean there are no requirements to show it. Management Commitment is an overarching assessment of the approach and actions of an organization. Regulators and enforcement bodies have left the requirements broadly defined to allow for their discretion to “know it when you see it” for how much is enough for your organization. What is certain, however, is that a lack of management commitment will lead to failure and enforcement action.
In our experience, demonstrating management commitment means that senior management ensures that decisions are made by the appropriate personnel with the right knowledge, authority and autonomy to take the measures needed to manage the risk. It means that there is a formal escalation process all the way “to the top”, as a key component of management commitment is clear decision-making: who takes responsibility for decisions is clearly defined, and who has that responsibility is understood throughout the organization.
To ensure management commitment it is generally easiest for your organization to have a dedicated sanctions compliance officer as a point of contact for advice and instruction on how to handle sanctions matters. In larger organizations, there may be a team with a clear leader dedicated solely to this task, while in smaller organizations the officer may occupy multiple responsibilities in addition to being the sanctions subject matter expert. Whether it is an individual or a unit, the personnel ensuring sanctions compliance must have technical knowledge and expertise about the sanctions risks that are relevant for your organization, and understand senior management’s risk appetite to instruct employees on what specific actions to take. In addition, decision makers and compliance units must be allocated adequate financial, technical, and human resources to ensure sufficient and effective risk control for today and the changes that will come tomorrow. Budgets and tools alone do not ensure compliance, but without them failure is guaranteed.
Senior management, decision-makers, and compliance units must be aware of activities and transactions that are not in line with policy. This means senior management must be willing and able to demonstrate that business which is not in line with policy has been rejected in the past and will be in the future.
Management commitment also means that senior management is aware of when breaches and violations occur and takes appropriate action to support the organization and employees to ensure they do not occur again. By fostering a culture of compliance, senior management must discourage misconduct, and create a space where employees are not afraid to report misconduct or wrongdoings. As a part of the compliance culture, reviewing the status of sanctions compliance within the company is as much a part of “business as usual” as the regular review of other benchmarks of your business’ performance within your organization.
Questions to ask to evaluate your organization’s management commitment
The following questions are useful to ask when assessing if your organization has the necessary management commitment. The answers to these questions will allow you to know if your organization has a management commitment to sanctions compliance or not.
- Who takes responsibility for decisions? Is the “decision tree” clearly understood?
- What truly happens when there is a breach of sanctions regulations or policy? Does anything in the organization change when there is a breach?
- What are the real resources spent to control sanctions risk and what is the trend for allocating resources to sanctions compliance?
- How much business (deals, transactions, etc.) have we turned down because of sanctions risk?
- How many exceptions to our risk appetite and policy do we issue to take on business that should be prohibited?