Customs & Trade Compliance –Assessing and controlling risk

Amber Road Conference28-06-2016

Agenda

2

Agenda Item

1 What is risk? Some definitions

2 Where does risk sit?

3 Risk basics

3 Risk assessment methodology

4 Internal Control Frameworks

5 Risk and control matrices

6 Complexity?

7 M&S controls

8 Summary

What is risk? Some definitions…..

3

Risk: A probability or threat of damage, injury, liability, loss, or any othernegative occurrence that is caused by external or internal vulnerabilities, andthat may be avoided through pre-emptive action.

Recklessness: When someone is actually aware of the risk potentially adverseconsequences to the planned actions, but has gone ahead anyway, exposinganother party to the risk of suffering the foreseen harm

Experienced operators: the following are regarded as experienced operators:

– professional specialists in customs clearance or international trade

– holders of authorisations for simplified customs clearance procedures, customsprocedures with economic impact or end-use procedures, insofar as possessionof these authorisations implies a certain amount of professional experience inthe customs field

– operators who had carried out several similar import operations in the past onwhich duties had been correctly calculated

Obvious Negligence: If an experienced operator makes an error in a field inwhich they are deemed to be experienced then they may be found obviouslynegligent, with little or no defence.

Procedures and regimes change; risk less so….

4

The requirements for AEO look the same as many other controls

AEO requirements include ‘other taxes’

SAO has a clear indirect tax requirement

Export controls have clear requirements

Excise controls have clear requirements

UCC changes haven’t changed what the risk looks like

Financial controls should be looking for risk

You should be looking for risks AND opportunities

How do you reconcile all these different requirements and the increasing compliance demand?

Is there a single approach that might work?

…..possibly….

5

Authorised Economic Operator

Senior Accounting Officer signoff

Increasing testing and auditing

Future legal/procedural changes

Value-add projects

Where does risk assessment fit?

Where does risk sit in your business or business area?

6

Can’t exist in a vacuum. Ideally the model ‘tree’ could look like this:

– Business model defined

– Strategy defined

– Policy defined

– Risk assessment #1

– Gap analysis/Risk review #1

– Procedures, tools, measures implemented

– Risk assessment #2

– Gap analysis/Risk review #2

– Final adjustments – further implementations etc.

– Audits (internal/external, peer, senior etc.), scorecards

– Impose metrics & ongoing monitoring

– Annual risk review

Where does risk sit in your compliance program?

7

You’re unlikely ever to start with a clean slate:

– Business Model, Strategy, Policy may be set.

– There will be existing, possibly entrenched, practises and processes

– Anything else should be capable of adjustment – according to what the risk says

– If the risk is great enough, everything can be/has to be changed

The risk assessment will likely have to be inserted into existing practises and then move up and down the ’tree’ as best it can.

– Be Legal, but be prepared to compromise or trade-off operations against that

Everything should be aligned:

– Everything supports the business model and the strategy

– Can be set at whatever level is required

So how do we do that?

Generic (1st Tier)

– These are top level areas of risk. General risk, if you like.

– E.g. Misclassification of goods is a generalised risk.

– These do not require individual control actions if they are fully controlled by actions applied to 2nd Tier risks

– Useful for generic discussions and top level (e.g. SAO)

Specific (2nd Tier)

– These are the more detailed breakdowns of the Tier 1 risk.

– E.g. the classification issue above could be broken down into: information held on database, customs rulings sought, risk of more than one heading being applied to the same goods etc.

– These are the individual questions identified under each of the top level sections in Tier 1.

These two risks are usually sufficient to assess against

Risk basics – 4 types of risk (1)

8

Dynamic

– This is an attempt to look pro-actively at risks that may not be current but that might be expected given changes in circumstance.

– It can be used to assess risks in upcoming legislative changes e.g. UCC implementation – loss of First Sale.

– Do not overuse at the expense of the generic and specific risk – these are risks now.

Human Factors

– This is a 'soft' risk and should be used with caution as it can prove to be a ‘rabbit hole’.

– It can form part of the specific risk (2nd Tier) and typically relies on training and awareness, tools, automation and process, metrics and KPIs to mitigate the risk of someone not understanding, not implementing or skimping checks etc.

Risk basics – 4 types of risk (2)

9

Identify the risks (or hazards) associated with a given task, activity or area of work

Identify what is at risk - the scope of the risk, what it would affect

Quantify the following items using a weighting system

– Severity - What is the level of harm that may occur as a result of exposure to the risk?

– Likelihood - What is the probability that exposure to the risk will arise?

– Population - What is the spread of impact? Is it limited, widespread or in-between?

– Use 1, 4, 7, 10 weighting to avoid dithering. Use 0 for N/A.

Risk assessment methodology (1)

10

Unless the nature of the risk changes (and the risk assessment needs to reflect such changes) then the only item that can change is Likelihood.

A 'Risk Rating' is auto-generated (from the weighted score) for the current control measures. Make it visual to enhance impact:

Risk assessment methodology (2)

11

Severe Immediate Action is required

High Immediate Action is required

Medium-High Actions required to minimise the risk within 3-6 weeks

Medium Actions required to minimise the risk within 3-6 months

Low-Medium Actions required to minimise the risk within 6-9 months

Low or None Monitor & Review

Identify and prioritise risks for additional control measures.

Describe/enter the additional control measures required

Re-assess the risk as at point 4) above. This will give the 'Residual Risk Rating‘.

– The Severity & Population will not change (unless there is a change in the nature of the work or task giving rise to the risk), the Likelihood should reduce as a result of the additional controls and the Residual Risk Rating should lower accordingly.

Record

Make an action plan – who will do what, by when

Monitor & Review all risk. Include this as part of a regular formal review cycle or audit plan.

Risk assessment methodology (3)

12

A mnemonic

13

E Eliminate the Risk

R Reduce the Risk

I Isolate the Risk

C Control the Risk

Adding Mitigation makes it CRIME…..?

As before, you are unlikely to start with a clean slate.

So how to implement the controls?

Look at what you already do and how you do it?

Map it

Break it down into manageable sub-processes

Identify the risk you face in each process and sub-process. Document them

Ask the question “How do I mitigate the risk?”

Build that mitigation into your map right there

Watch where it changes the map and others that connect.

Identify the procedures, processes and controls required to control the risk

Internal Control Framework (ICF)

14

ICF process mapping – simple version

15

ICF process mapping – complex version

16

Top level risk and control matrix

17

This is an example of a financial control model showing the headers that might be used.

It is a slightly simpler than might be used for strict compliance but covers the major markers

Combine with the detailed trade compliance risk matrix that appears next?

Adapt it to fit your needs!

Example of a Trade Compliance risk-focussed matrix (1)

18

Example of a Trade Compliance risk-focussed matrix (2)

19

This is unavoidably a complex area – the moment you get away from headlines you’re into detail.

The devil IS in the detail

What is your audience? Horses for courses…..

HMRC and OGDs will likely want the detail – and it helps to give it to them to clearly demonstrate your control over risk.

Downside – does it allow them too good a view of what you do and invite inspection?

– Is this something you should be afraid of? Shouldn’t you be capable of inviting inspection!

Your senior finance management will need the ICF level work for SAO but likely not below that unless asked for.

Senior management in general will likely only want a one-page summary but they also want to know that this area will not be a problem for them. The existence of this level of risk control will give them assurance.

– It’s also likely an improvement of anything they’re likely to have had introduced by accountants etc.

– It will be targeted specifically to your business rather than being a boilerplate set of risks

Too complex?

20

M&S risk assessment (1)

21

• The M&S ICF covers 21 broad processes such as:

– GM Import process

– CFSP processes

– Excise receipts at various warehouses

– Use of consultants

• On the trade compliance risk matrix, M&S assess 20 generic (tier 1)risk areas such as:

– Customs & Trade Compliance Organisation

– Internal Controls

– Classification, Valuation, Origin

– Supply Chain Security

– Documented Procedures & Processes

• Below that there are 216 specific (tier 2) risks identified

– These are very variable – Import licensing has just 2 specific risks, classification has 15, Supply chain security has 32, Excise has even more.

M&S risk assessment (2)

22

• Even then, we recognise that in key areas such as Import Valuation, Classification, Excise, AEO or Export Controls this is insufficient so even more detailed assessments are made as required.

– Similar format but may be simplified as needed.

– Tend to be ad hoc.

• M&S assess 500+ detailed level requirements

What regimes or controls do you need to meet?

Do you have a compliance program – does this type of risk assessment fit?

Where are you in the maturity scale for risk assessment?

What level of assessment is suitable for your business?

Have you documented or mapped your processes?

How much detail do you want or need to go into?

Do you see any value-add in doing the assessment and implementing the controls?

Can you handle it in-house?

What tools are available to assist?

Summary

23

Questions?

Mark Corbymark.corby@marks-and-spencer.com

Thank you for listening!

24