In Part I, we analysed the reasons why economic sanctions, export controls, and associated investigation risks should be prioritised by every board. We also outlined key compliance questions for board members to consider. In Part II, we will highlight the significance of developing a comprehensive crisis response plan for incidents related to sanctions and setting up robust investigation frameworks.
How to react to a Crisis – ensuring effective Crisis Management
Despite a strong risk management system, compliance risks persist. If sanctions or export controls are violated, boards must act quickly to address the situation and fulfil regulatory obligations. Key steps for managing these crises are detailed in the following contingency framework.
Immediate risk assessment and crisis triage: The first hours after detecting a potential violation are critical. The board and senior leadership must promptly conduct a structured risk assessment, including:
- Clarifying the scope and nature of the issue by identifying whether it involves a sanctioned entity or individual, restricted goods or technologies, or unauthorised financial transactions.
- Evaluating potential legal exposure and relevant frameworks. This involves determining whether the breach falls under administrative, civil, or criminal law according to the applicable laws of the EU, UK, or US.
- Assessing regulatory reporting obligations, including determining if immediate notification or self-disclosure to authorities is required.
- Assessing potential supply chain disruptions and determining if impacted transactions could lead to operational risks or violate existing contractual agreements.
- Implementing immediate measures for crisis containment if the violation is deemed significant, including:
- Freezing high-risk or suspect transactions and placing a hold on pending exports or financial transfers involving restricted parties.
- Restricting further communications with parties related to the breach to prevent inadvertent self-incrimination.
- Preserving all relevant records and communications to ensure legal and forensic integrity.
Internal coordination and corrective measures: Boards should ensure a structured and coordinated response across all key functions to prevent regulatory exposure and operational disruptions, including:
- Legal and Compliance teams: Assessing legal exposure, preparing regulatory responses, and enforcing protections for employees reporting potential violations under whistleblower programmes.
- Finance and Treasury teams: Freezing transactions associated with sanctioned entities.
- HR and Employment Law teams: Determining the necessary disciplinary measures for employees involved in unauthorised transactions.
- Data Protection and IT teams: Securing relevant records while ensuring adherence to data protection laws (e.g., the GDPR).
- Investor Relations and Communications teams: Ensuring a consistent communication strategy that is closely coordinated with the legal department.
Engaging with regulatory authorities and managing legal exposure: Engaging with authorities is crucial in crisis management. Boards should ensure:
- Relevant enforcement bodies are determined according to the involved jurisdictions. Authorities responsible for sanctions and export controls may collaborate across different regions. When multiple authorities engage, it is essential to implement a well-organised and harmonised strategy for their interaction.
- Mandatory reporting obligations are evaluated to ascertain if there is a requirement to notify financial or sanctions regulators, export control agencies, or other enforcement bodies. Consideration should also be given to voluntary self-disclosures with the aim of potentially reducing penalties.
- Interactions with authorities are handled by carefully evaluating the scope and timing of disclosures, considering potential privilege provisions, and ensuring the protection of sensitive information during regulatory proceedings.
- Consistent communication across authorities and jurisdictions is maintained to avoid contradictions in regulatory filings and cross-border enforcement actions.
- Interim crisis containment measures are implemented to prevent additional breaches, minimise regulatory scrutiny, and safeguard the company’s reputation.
Establishing coherent global communications and clearing strategy: Boards should implement a global communication and clearing strategy within the organisation, with clients, and with the public. They should appoint responsible contacts, define clear guidelines for legal documents, and establish a robust confidentiality policy. Ensuring accurate, consistent, and legally compliant communications will help preserve trust and transparency.
How to conduct an investigation
Regulators expect companies to quickly investigate potential sanctions or export control violations, establish the facts and root cause, and if confirmed, stop and fix the issue. The framework below outlines key factors for effective investigations:
- Defining scope and objectives: A sanctions or export control investigation should answer five questions: Was there a violation? What was its nature? Who was involved or aware? Which countries are impacted? What compliance weaknesses led to the incident?
- Evidence collection and data preservation: When identifying, securing, and collecting all relevant data, it is important to follow a robust evidence preservation strategy to ensure forensic integrity and legal defensibility. Depending on the context, key documents and data that should be regularly secured include financial transaction records, shipping and export documents, contractual agreements and due diligence records, internal communications, and compliance system logs. It is crucial to maintain the chain of custody of the evidence and ensure compliance with applicable data protection laws. Additionally, interviews with key personnel may provide further insight or understanding of the background and could include individuals responsible for approving transactions, or members of the sales and procurement teams.
- Forensic analysis: Investigators are required to reconstruct events and identify irregularities, such as those found in financial and contractual records. This process may involve tracing payment flows, identifying structured payments, and evaluating connections to sanctioned entities. Typical red flags include transactions involving shell companies and intricate trust arrangements, the employment of intermediaries in sanctions-sensitive jurisdictions, and inconsistent or ambiguous contract terms.
- Legal and regulatory assessment: Upon collecting evidence, companies must evaluate the legal and regulatory consequences and decide whether self-reporting is required. Considerations should involve strict liability versus intent-based enforcement, jurisdictional exposure, and mandatory versus voluntary disclosure.
- Implementing corrective actions: Effective management of an investigation should result in substantial measures to prevent recurrence. Critical steps include enhancing due diligence processes, rigorously applying labour law measures, improving monitoring systems, strengthening escalation procedures, providing targeted training, and updating contractual protections. Regulators expect companies to exhibit corrective actions following an investigation. A well-documented remediation plan will facilitate future compliance and reduce the risk of enforcement actions.
Conclusion
Board members are required to develop and execute a robust response strategy to effectively handle regulatory interactions and mitigate legal and reputational risks associated with sanctions or export control violations. Additionally, they should maintain well-defined investigation frameworks to address issues promptly and enhance overall operational integrity.