When the U.S. State Department late last month announced the administrative debarment of a former senior export compliance officer from Honeywell International, Inc. (“Honeywell”), reports on and analyses of the event focused on the multiple allegations of what went wrong. This was with good reason: any time a significant case of export noncompliance comes to light, the immediate response should strive to determine exactly what happened and how it happened (and thus how to keep it from happening again).
Though we run the risk of having our readers consider us to be Pollyannas, we’d like to suggest that some things also may have gone right. In particular, we view this as an opportunity to revisit a few of the nine “Core Elements” of an effective export compliance management program (“ECMP”), and how they contribute to the detection and remediation of export violations. In the interest of full disclosure, Reed Smith has no knowledge of Honeywell’s ECMP, nor is Honeywell a client of the firm. Here we are not focused on a particular company’s ECMP, but rather on particular elements that are recommended as part of a successful compliance program.
The Core Elements to which we refer are published by the U.S. Department of Commerce (“Commerce”), but apply broadly to export compliance, not just compliance with the controls maintained by Commerce. They include fundamental (and more obvious) components like written compliance policies and procedures, regular training and awareness programs, and adherence to recordkeeping requirements. They also include internal mechanisms for reporting and addressing potential or actual violations. Commerce notes, and we agree, that companies should anticipate a broad range of potential types of export violations, and develop the appropriate mechanisms for identifying, investigating, and resolving each. The chain for reporting actual or suspected violations may not be the same in all cases, especially if an individual in a supervisory or management role is involved in the questionable conduct. Commerce also recommends internal and external monitoring and periodic audits of one’s ECMP. We believe the importance of external reviews cannot be underestimated, even of an ECMP that contains the other eight Core Elements. Some chinks in the armor, particularly if individuals with greater compliance responsibility are involved, are significantly more likely to be detected from outside than in.
The very first Core Element is senior management involvement in compliance, with the commensurate allocation of resources and responsibility. While we agree that the “tone at the top” is essential to a company’s commitment to compliance, the “tone at the middle” is key to the propagation of that commitment. It goes without saying that middle and lower-level managers should have the authority and incentive to lead their supervisees toward compliance. Perhaps less obviously, but just as importantly, they should also have the ability to manage up or manage around, particularly in situations where those in positions of higher authority are tempted not to comply. While the overall size and shape of a company’s ECMP will depend on the company’s needs and risks, the most successful ECMPs will hold individuals at all levels accountable for export compliance, and will anticipate that violations can originate at any level.