User:
not logged in
Help

 

 

     Elements of an ICP

 

In order to support companies to maintain strict compliance with relevant laws and regulations, the ICP guide provides a framework to identify and manage dual-use trade controls' impact and mitigate associated risks.

 

The guidance contains 7 core elements that should not be considered as an exhaustive list, nor should their order be perceived as ranking from very important to less important. They are identified as cornerstones for a company's tailormade ICP and aim at assisting companies in their reflections on the most appropriate means and procedures for compliance with relevant/EU and national dual-use trade control laws and regulations.

 

At a general level, the most important aspect of developing an ICP is:

Ø   to keep it relevant to the company's organization and activities and to make sure that internal processes are easy to understand and follow, and capture the day-to-day operations and procedures.

 

f5LhHFF+2xLfWpFbMzVlrah6wgSJuH2+8+320ioR9Hvn20W0RRoCBFj6AuWkqZocf8PipygjhXHRRoAAAAASUVORK5CYII=

 

1. Top-level management commitment to compliance

 

Effective ICPs reflect a top-down process whereby the company’s top-level management gives significance, legitimacy, and organizational, human and technical resources for the corporate compliance commitments and compliance culture.

 

What is expected from dual-use companies?

Top-level management commitment aims to build compliance leadership (lead by example) and corporate compliance culture for dual-use trade control.

 

This element is materialized by a written statement and support from top-level management to internal compliance procedures that promote the company’s awareness of and compliance with the EU and Member State laws and regulations relating to dual-use trade controls.

 

The commitment indicates clear, strong and continuous engagement and support by top-level management. It results in sufficient organizational, human and technical resources for the company’s commitment to compliance. The management communicates clearly and regularly to employees about the corporate commitment in order to promote a culture of compliance.

 

What are the steps involved?

 

xAAAAAElFTkSuQmCC

 

TEMPLATES: Management policy statement

 

EXAMPLES: Excerpts from Toshiba’s and Ericsson’s management policy statement

 

CHECKLIST: Management commitment self-assessment

 

TOOL:  The U.S. Bureau of Industry and Security (BIS) "Management commitment policy statement tool" (see pages 20-28).

 

2. Organization structure, responsibilities and resources

 

Sufficient organizational, human and technical resources are essential for effectively developing and implementing compliance procedures. Without a clear organization structure and well-defined responsibilities, an ICP risks suffering from lack of oversight and undefined roles. Having a strong structure helps organizations work out problems when they arise and prevent unauthorized transactions from occurring.

 

What is expected from dual-use companies?

The company has an internal organizational structure that is set down in writing (for instance in an organizational chart) and that allows for conducting internal compliance controls. It identifies and appoints the person(s) with the overall responsibility to ensure the corporate compliance commitments. Please be aware that in some Member States this must be a member of the top-level management.

 

All compliance related functions, duties and responsibilities are defined, assigned and connected to each other in an order that ensures the management that the company conducts overall compliance. Where necessary, duties (but not the overall responsibility) relating to export control may be delegated.

 

The company adequately staffs all areas of the business that are related to dual-use foreign trade with employees who demonstrably have the required skills. At least one person in the company is (not necessarily exclusively) entrusted with dual-use trade control.

 

Dual-use trade control staff is protected as much as possible from conflicts of interest. It is entitled to directly report to the person(s) with the overall responsibility for dual-use trade controls and should additionally have the power to stop transactions.

 

Dual-use trade control staff must have access to the relevant legislative texts including the latest lists of controlled goods and lists concerning embargoed or sanctioned destinations and entities. A compliance manual that describes the operational and organizational processes relevant for dual-use trade control is drawn up and distributed to the dual-use trade control staff. The company should consider the need for IT support for internal compliance procedures based on its business volume.

 

What are the steps involved?

 

9k=

 

EXAMPLES: ICP organizational structure

 

TEMPLATE: ICP organizational table

 

CHECKLIST: Organizational structure self-assessment

 

3. Training and awareness raising

 

Training and awareness raising on dual-use trade control is essential for staff to duly perform their tasks and take compliance duties seriously.

 

What is expected from dual-use companies?

The company ensures via training that the dual-use trade control staff is aware of all relevant export control regulations as well as the company’s ICP and all amendments to them. Examples of training material are external seminars, subscription to information sessions offered by competent authorities, in-house training events, etc.

Furthermore, the company carries out awareness raising for the employees at all relevant levels.

 

What are the steps involved?

 

wvDhKPLNLtZOAAAAAASUVORK5CYII=

 

TEMPLATE: Training course description

 

TEMPLATE: Training schedule

 

TEMPLATE: Training attendance record

 

TEMPLATE: STC training implementation guide

 

TEMPLATE: STC compliance news update

 

EXAMPLE: Recommended STC compliance training system (Japan)

 

CHECKLIST: Training self-assessment

 

4. Transaction screening process and procedures

 

In terms of operational implementation, transaction screening is the most critical element of an ICP. This element contains the company’s internal measures to ensure that no transaction is made without the required license or against any relevant trade restriction or prohibition.

The transaction screening procedures collect and analyze relevant information concerning item classification, transaction risk assessment, license determination and application, and post-licensing.

Transaction screening measures also allow the company to develop and maintain a certain standard of care for handling suspicious enquiries or orders.

 

What is expected from dual-use companies?

The company establishes a process to evaluate and determine whether or not a transaction involving dual-use goods, software or technology is subject to national or EU dual-use trade controls. In case of recurring transactions, the process takes into account that transaction screening needs to be performed periodically.

 

9k=

                                                                                                                                                                                                                                              Transaction screening can be done manually or with the support of automated tools, depending on your company’s needs and available resources.

 

What are the steps involved?

 

Z

* Council Regulation (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items.

 

Z

https://eeas.europa.eu/topics/sanctions-policy/8442/consolidated-list-of-sanctions_en

* Sensitive destinations and entities are not embargoed or sanctioned, but the shipment of (certain) dual-use items thereto can be critical in individual cases, for example because of proliferation or human rights concerns.

Member State governments can implement their own approach on this matter. Whenever in doubt, be sure to contact your competent authority.

 

Z

 

9k=

 

9k=

 

Z

 

2Q==

TEMPLATE: Customer profile

 

TEMPLATE: Customer purchase survey

 

TEMPLATE: STC risk matrix

 

TEMPLATE: STC license determination table

 

TEMPLATE: Product inventory classification database

 

GRAPHIC: Consolidated control list graphic

 

CHECKLIST: Evaluating customer bona fides

 

CHECKLIST: Diversion risk checklist

 

QUESTIONNAIRE: Red flag indicators

 

QUESTIONNAIRE: Transaction screening questions

 

 

5. Performance review, audits, reporting and corrective actions

 

An ICP is not a static set of measures and therefore must be reviewed, tested and revised if proven necessary for safeguarding compliance.

Performance reviews and audits verify whether the ICP is implemented to operational satisfaction and is consistent with the applicable national and EU export control requirements.

A well-functioning ICP has clear reporting procedures about the notification and escalation actions of employees when a suspected or known incident of non-compliance has occurred. As part of a sound compliance culture, employees must feel confident and reassured when they raise questions or report concerns about compliance in good faith.

Performance reviews, audits and reporting procedures are designed to detect inconsistencies to clarify and revise routines if they (risk to) result in non-compliance.

 

What is expected from dual-use companies?

The company develops performance review procedures to verify the day-to-day compliance work within the company and to check whether the export control operations are implemented appropriately according to the ICP. It is executed internally, it enables for early detection of noncompliance and follow-up measures for damage control and it reduces related risks for the company.

The company has procedures in place for audits, being systematic, targeted and documented inspections to confirm that the ICP is correctly implemented. Audits can be performed internally or by an independent auditor. If resources allow, it is a good business practice to periodically deploy an outside auditor. External audits can provide an unbiased, third-party evaluation, and validation, of an organization’s overall export compliance program and practices.

Reporting is the set of procedures for dual-use trade control staff and other relevant employees regarding the notification and escalation measures to take in the event of suspected or known incidents of dual-use trade non-compliance.

Corrective actions are the set of remedial actions to guarantee the proper implementation of the ICP and the elimination of identified vulnerabilities in the compliance procedures.

 

What are the steps involved?

 

9k=

 

TEMPLATE: ICP audit module

 

CHECKLIST: ICP audit checklist

 

CHECKLIST: ICP pre and post audit checklist

 

CHECKLIST: ICP self-evaluation checklists

 

EXAMPLE: Government of Japan recommended audit mechanisms

 

CHECKLIST: Reporting and corrective action self-assessment checklist

 

6. Recordkeeping and documentation

 

Proportionate, accurate and traceable recordkeeping of dual-use trade control related activities is essential for your company’s compliance efforts. A comprehensive recordkeeping system will help your company with conducting performance reviews and audits, complying with national documentation retention requirements and it will facilitate cooperation with competent authorities in case of a dual-use trade control enquiry.

 

What is expected from dual-use companies?

Recordkeeping is the set of procedures and guidelines for legal document storage, record management and traceability of dual-use trade control related activities. Some documents are required to be maintained by law, others are not. But some documents (e.g. an internal document describing the technical decision to classify an item) may be in your company’s best interest to maintain. If all required records are captured and correctly filed, this allows for more efficient search and retrieval during the day-to-day dual-use trade control activities but also during the periodic audits.

 

What are the steps involved?

 

2Q==

 

TEMPLATE: Recordkeeping statement

 

EXAMPLES: Government recommended recordkeeping best practices (South Africa and U.S. BIS)

 

CHECKLIST: Recordkeeping self-assessment

 

7. Physical and information security

 

Trade controls of sensitive items, including software and technology, occur for reasons of (inter)national security and foreign policy objectives. Therefore, having appropriate security measures contributes to containing the risks concerning unauthorized removal of controlled dual-use items.

Because of its very nature, ensuring compliance with dual-use trade regulations for controlled software or technology in electronic form can be particularly challenging.

 

What is expected from dual-use companies?

Physical and information security refer to the set of internal procedures that are designed to ensure the prevention of unauthorized removal of dual-use items by employees, contractors, suppliers or visitors. These procedures cultivate a security culture within the company ensuring that dual-use items including software and technology do not get lost, are easily stolen or exported without a valid license.

 

What are the steps involved?

 

Z