At the outset, if you have a headache after reading my first two posts on the beneficial ownership issue, I apologize. The issues twist and turn depending on whether the situation involves OFAC sanctions or corruption risks, and reflect the variety of ownership situations that occur.
Given the overwhelming nature of the burden of a beneficial ownership risk mitigation strategy, we have to return to our familiar ethics and compliance strategies of risk-ranking and allocation of limited resources tailored to the company’s specific risk profile. After assessing the risk, we need to examine available mitigation strategies and design controls to apply to various situations based on risk and available resources.
As an initial step, we have to classify our third-party population among various categories: (1) representative relationships (i.e. where third parties interact with government officials on the company’s behalf); (2) vendors/suppliers that may include government owners; (3) remaining vendors/suppliers.
After classifying our third-party population into the three categories, we have to stratify/risk-rank them based on relevant factors. At this step, it is important to keep the inquiry simple, meaning use easy-to-apply factors to rank various entities within each category.
My recommended list includes two weighted factors: first, a country-specific ranking that can be based on the Corruption Perception Index or a combination of available country-specific risk factors, e.g. industry indices for the country in which the third party operates (if one or more, then you may have to apply a weighting factor for each country to come up with a single weighted factor); second, a revenue factor that is based on the amount of money paid to the vendor/supplier. Building a weighting formula based on these two factors is a relatively simple way to stratify your third-party population.
Now, get ready to throw your hands up in the air and give up. The above categories and risk-ranking factors only address corruption risks. But at least it is a start.
OFAC Sanctions Risks
Next, we turn to OFAC sanctions risks. We need to add to the third-party population the company’s customers.
First, let’s start with a geographic factor – for SDNs and embargoed countries, a relatively accurate factor may be proximity to the prohibited or SDN-concentrated country (e.g. Iran, North Korea, Cuba).
Second, a revenue factor reflects OFAC enforcement risks – the larger the amount of revenue and number of transactions, the greater the potential OFAC penalty.
With respect to customers, the risk of redistribution of a specific product to a prohibited party may be more remote than when dealing with a third-party distributor, so the potential risk in a geographic area may be less than for a third party, vendor or supplier.
Categories and Strategies
Based on the risk ranking process, and to keep things manageable on an automated platform, three or four categories are typically used to risk rank – high, medium, low and very low. Once divided into these categories, the third-party population and the customers can be subject to relevant controls.