In our previous post we paused to consider some of the larger, more existential challenges to corporate ethics programs raised by Russia’s invasion of Ukraine. Today I want to shift to some of the practical compliance challenges — because those challenges are many and diverse, and compliance professionals need to start putting them into a logical structure immediately.
My friend and fellow compliance thinker Tom Fox raised that exact question earlier this week as we recorded our latest Compliance Into the Weeds podcast episode. With such an overwhelming and fast-moving situation at hand, he asked me, how can a compliance officer start putting together a response plan?
“One step at a time,” I blurted out, for lack of a more prepared answer. Begin with the most immediate issue first, and then look at what comes after that.
When compliance officers follow that principle, a logical sequence does start to emerge.
First are health and safety issues. Are your people in Ukraine physically safe? If not, what can the company do to provide assistance? Can you get them out of the country? Can you provide financial assistance?
Second are cybersecurity issues. Is the company prepared for possible Russian cyberattacks against your operations? Have you taken the steps CISA recommends, such as isolating industrial control systems from the internet and requiring multifactor authentication (at minimum two factors) for all remote access and for every privileged account?
Third are sanctions issues. The U.S. Office of Foreign Assets Control and similar agencies around the world rolled out full blocking sanctions against numerous Russian banks last week, and other sanctions against Russian nationals personally. The U.S. Bureau of Industry & Security rolled out new export controls to keep a wide range of technology products and other goods from reaching Russia. Can your sanctions compliance program digest those changes quickly? Do you even have a sanctions compliance program, or are the actions against Russia your first brush with this branch of compliance?
Fourth are disclosure risks. Public companies will need to consider what to say about their exposure to Russia in the next quarterly filing — and for retailers or others with a quarter that ends on Jan. 31, that next filing deadline is March 14. What will you say in the Management Discussion & Analysis? What impairments might you record for assets you’ll need to abandon in Russia?
We already have one good example of this from Citigroup, which coincidentally filed its latest 10-K report on Monday. The bank flagged roughly $10 billion in exposure to Russia. That’s not material to Citi, which has more than $2.3 trillion in assets — but given the high political risks related to Russia, it’s still an issue most companies will need to discuss somehow.
Fifth are policies for cooperation with law enforcement. Now that the Justice Department and other law enforcement agencies are mounting a hunt for oligarch assets around the world, how will your company respond to that? Does the company have clear, strong policies on voluntary self-disclosure of corruption or sanctions issues? What about capability for internal investigations, if law enforcement approaches you with concerns about customers or business partners?
Also, we all know that even today, plenty of companies still prefer not to self-disclose corruption to regulators. That seems like a singularly bad idea in this moment, when so many people are so moved by the courage of Ukrainians. Employees will feel even more emboldened to take their concerns directly to regulators, and the reputation damage a company might suffer — “These guys knew they were dealing with Putin, and were too eager for profits to care!” — could be nightmarishly high.
Sixth are new due diligence risks, which will emerge as we all adjust to a new world order that excludes Russia. Eventually businesses will reorient their supply chains, enter new markets, and find new business partners. You'll need to ensure that your due diligence procedures and internal controls can accommodate whatever new ventures and business partners come along.
That looks like the logical sequence of compliance risks coming over the horizon to me. (Supply chain risks are also a real concern, but I consider them more operational risks for the procurement team rather than compliance risks for you.) If I missed any big issues, drop me a note at [email protected].
Other Compliance Thoughts
If we want to think more broadly about how to prepare compliance and risk management programs for the challenges ahead, a few other concerns come to mind too.
Foremost, compliance, risk, and audit leaders will need to reevaluate the structure of their teams and programs to ensure that they have all the needed capabilities at hand.
For example, sanctions and export control compliance will clearly be much higher priorities for months (and possibly years) to come. Sanctions compliance was never easy in the first place, so compliance officers will now need to revisit the expertise on their staff, the structure of the sanctions compliance program (OFAC generally recommends one enterprise-wide program reporting to one chief sanctions compliance officer, rather than each division doing its own screening), and even the screening vendors and technology in use. That last point matters all the more because Russian names are written in Cyrillic, a non-Latin alphabet: one sanctioned party can show up in your customer records under several different Latin transliterations, so matching names against list entries is harder than a simple string comparison.
Supply chain issues could also be much more difficult, including price shocks that might upend existing financial models and cost management programs. So you'll need supply chain risk management capabilities that can identify your most critical components and allow scenario planning, so that you can discern potential trouble as far in advance as possible.
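To make the transliteration problem concrete, here is an added example (it is not code from this post and not any screening vendor's product) showing why a script-unaware comparison misses a Cyrillic list entry, and one way to close that gap: generate the plausible Latin spellings of each listed name, then match exactly or fuzzily, ignoring name order. The list identifiers, list entries and customer names are constructed and fictional, and the transliteration table is illustrative rather than a complete romanization standard.

```python
"""Sanctions-list name screening across Cyrillic and Latin scripts.

Added example, not code from the post or from any screening vendor.
The sanctions entries, identifiers and customer names are constructed
and fictional; the transliteration table is illustrative, not a
complete romanization standard.
"""
from __future__ import annotations

import itertools
import unicodedata
from difflib import SequenceMatcher

# Cyrillic letter -> Latin spellings seen in practice (BGN/PCGN, ISO 9,
# passport and ad-hoc spellings). The digraph "ий" has its own entry so
# that Dmitriy / Dmitry / Dmitrii all come out of one listed name.
# Assumption: this table is deliberately partial.
TRANSLIT: dict[str, list[str]] = {
    "ий": ["iy", "y", "ii"],
    "а": ["a"], "б": ["b"], "в": ["v", "w"], "г": ["g"], "д": ["d"],
    "е": ["e", "ye"], "ё": ["e", "yo"], "ж": ["zh", "j"], "з": ["z"],
    "и": ["i"], "й": ["y", "i", "j"], "к": ["k"], "л": ["l"], "м": ["m"],
    "н": ["n"], "о": ["o"], "п": ["p"], "р": ["r"], "с": ["s"], "т": ["t"],
    "у": ["u"], "ф": ["f"], "х": ["kh", "h"], "ц": ["ts", "c"],
    "ч": ["ch", "tch"], "ш": ["sh"], "щ": ["shch", "sch"], "ъ": [""],
    "ы": ["y", "i"], "ь": [""], "э": ["e"], "ю": ["yu", "iu"],
    "я": ["ya", "ia"],
}

# Constructed, fictional list entries, kept in the listing's native script.
SANCTIONS: dict[str, str] = {
    "X-0001": "Дмитрий Петров",
    "X-0002": "Евгений Хорошилов",
    "X-0003": "Ольга Жукова",
}


def normalize(name: str) -> str:
    """Lowercase, strip diacritics and punctuation, collapse whitespace."""
    s = unicodedata.normalize("NFKD", name.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in s)
    return " ".join(s.split())


def naive_match(customer: str, listed: str) -> bool:
    """What a script-unaware screen does: compare normalized strings only."""
    return normalize(customer) == normalize(listed)


def romanizations(name: str, cap: int = 500) -> set[str]:
    """Every Latin spelling of a Cyrillic name under TRANSLIT (capped)."""
    word = unicodedata.normalize("NFC", name).lower()  # recompose й and ё
    keys, i = [], 0
    while i < len(word):
        if word[i:i + 2] in TRANSLIT:      # prefer the digraph entry
            keys.append(word[i:i + 2])
            i += 2
        else:
            keys.append(word[i])
            i += 1
    choices = [TRANSLIT.get(k, [k]) for k in keys]  # non-Cyrillic passes through
    combos = itertools.islice(itertools.product(*choices), cap)
    return {normalize("".join(c)) for c in combos}


def _order_free(s: str) -> str:
    """Ignore surname-first versus given-name-first ordering."""
    return " ".join(sorted(s.split()))


def screen(customer: str, sanctions: dict[str, str] = SANCTIONS,
           threshold: float = 0.85) -> list[tuple[str, str, float]]:
    """Return (id, listed name, score) for entries whose romanized spellings
    match the customer name exactly (score 1.0) or fuzzily above threshold."""
    target = _order_free(normalize(customer))
    hits: list[tuple[str, str, float]] = []
    for sid, listed in sanctions.items():
        variants = {_order_free(v) for v in romanizations(listed)}
        if target in variants:
            hits.append((sid, listed, 1.0))
            continue
        best = max(SequenceMatcher(None, target, v).ratio() for v in variants)
        if best >= threshold:
            hits.append((sid, listed, round(best, 3)))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for name in ["Dmitry Petrov", "Petrov, Dmitriy",
                 "Yevgeni Khoroshilov", "Mikhail Ivanov"]:
        naive = naive_match(name, SANCTIONS["X-0001"])
        print(f"{name!r}: naive={naive} hits={screen(name)}")
```

The naive comparison never fires against a Cyrillic entry, which is exactly the gap a screening vendor has to close; the variant-generation approach trades a bounded amount of extra work per list entry for catching the common spellings, and the fuzzy threshold then has to be tuned against your own false-positive rate rather than left at a default.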
And for all the internal audit executives who’ve read this far: put your enterprise risk assessment plan in a drawer, and prepare to tackle all these new issues as soon as possible. Everyone will need to devise their own risk assessment priorities, but my audit list would probably first address cybersecurity, then supply chain risk management capabilities, then the sanctions compliance program.
Again, if you see other risk and compliance concerns related to the Ukraine crisis that I’m not, let me know at [email protected].