Customs & Trade Compliance Assessing and controlling risk. Amber Road Conference

Transcription

1 Customs & Trade Compliance Assessing and controlling risk Amber Road Conference

2 Agenda Agenda Item 1 What is risk? Some definitions 2 Where does risk sit? 3 Risk basics 3 Risk assessment methodology 4 Internal Control Frameworks 5 Risk and control matrices 6 Complexity? 7 M&S controls 8 Summary 2

3 What is risk? Some definitions.. Risk: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action. Recklessness: When someone is actually aware of the risk potentially adverse consequences to the planned actions, but has gone ahead anyway, exposing another party to the risk of suffering the foreseen harm Experienced operators: the following are regarded as experienced operators: professional specialists in customs clearance or international trade holders of authorisations for simplified customs clearance procedures, customs procedures with economic impact or end-use procedures, insofar as possession of these authorisations implies a certain amount of professional experience in the customs field operators who had carried out several similar import operations in the past on which duties had been correctly calculated Obvious Negligence: If an experienced operator makes an error in a field in which they are deemed to be experienced then they may be found obviously negligent, with little or no defence. 3

4 Procedures and regimes change; risk less so. The requirements for AEO look the same as many other controls AEO requirements include other taxes SAO has a clear indirect tax requirement Export controls have clear requirements Excise controls have clear requirements UCC changes haven t changed what the risk looks like Financial controls should be looking for risk You should be looking for risks AND opportunities How do you reconcile all these different requirements and the increasing compliance demand? Is there a single approach that might work?..possibly. 4

5 Where does risk assessment fit? Authorised Economic Operator Senior Accounting Officer signoff Increasing testing and auditing Future legal/procedural changes Value-add projects 5

6 Where does risk sit in your business or business area? Can t exist in a vacuum. Ideally the model tree could look like this: Business model defined Strategy defined Policy defined Risk assessment #1 Gap analysis/risk review #1 Procedures, tools, measures implemented Risk assessment #2 Gap analysis/risk review #2 Final adjustments further implementations etc. Audits (internal/external, peer, senior etc.), scorecards Impose metrics & ongoing monitoring Annual risk review 6

7 Where does risk sit in your compliance program? You re unlikely ever to start with a clean slate: Business Model, Strategy, Policy may be set. There will be existing, possibly entrenched, practises and processes Anything else should be capable of adjustment according to what the risk says If the risk is great enough, everything can be/has to be changed The risk assessment will likely have to be inserted into existing practises and then move up and down the tree as best it can. Be Legal, but be prepared to compromise or trade-off operations against that Everything should be aligned: Everything supports the business model and the strategy Can be set at whatever level is required So how do we do that? 7

8 Risk basics 4 types of risk (1) Generic (1st Tier) These are top level areas of risk. General risk, if you like. E.g. Misclassification of goods is a generalised risk. These do not require individual control actions if they are fully controlled by actions applied to 2nd Tier risks Useful for generic discussions and top level (e.g. SAO) Specific (2nd Tier) These are the more detailed breakdowns of the Tier 1 risk. E.g. the classification issue above could be broken down into: information held on database, customs rulings sought, risk of more than one heading being applied to the same goods etc. These are the individual questions identified under each of the top level sections in Tier 1. These two risks are usually sufficient to assess against 8

9 Risk basics 4 types of risk (2) Dynamic This is an attempt to look pro-actively at risks that may not be current but that might be expected given changes in circumstance. It can be used to assess risks in upcoming legislative changes e.g. UCC implementation loss of First Sale. Do not overuse at the expense of the generic and specific risk these are risks now. Human Factors This is a 'soft' risk and should be used with caution as it can prove to be a rabbit hole. It can form part of the specific risk (2nd Tier) and typically relies on training and awareness, tools, automation and process, metrics and KPIs to mitigate the risk of someone not understanding, not implementing or skimping checks etc. 9

10 Risk assessment methodology (1) Identify the risks (or hazards) associated with a given task, activity or area of work Identify what is at risk - the scope of the risk, what it would affect Quantify the following items using a weighting system Severity - What is the level of harm that may occur as a result of exposure to the risk? Likelihood - What is the probability that exposure to the risk will arise? Population - What is the spread of impact? Is it limited, widespread or inbetween? Use 1, 4, 7, 10 weighting to avoid dithering. Use 0 for N/A. 10

11 Risk assessment methodology (2) Unless the nature of the risk changes (and the risk assessment needs to reflect such changes) then the only item that can change is Likelihood. A 'Risk Rating' is auto-generated (from the weighted score) for the current control measures. Make it visual to enhance impact: Severe High Immediate Action is required Immediate Action is required Medium-High Actions required to minimise the risk within 3-6 weeks Medium Actions required to minimise the risk within 3-6 months Low-Medium Actions required to minimise the risk within 6-9 months Low or None Monitor & Review 11

12 Risk assessment methodology (3) Identify and prioritise risks for additional control measures. Describe/enter the additional control measures required Re-assess the risk as at point 4) above. This will give the 'Residual Risk Rating. The Severity & Population will not change (unless there is a change in the nature of the work or task giving rise to the risk), the Likelihood should reduce as a result of the additional controls and the Residual Risk Rating should lower accordingly. Record Make an action plan who will do what, by when Monitor & Review all risk. Include this as part of a regular formal review cycle or audit plan. 12

13 A mnemonic E R I C Eliminate the Risk Reduce the Risk Isolate the Risk Control the Risk Adding Mitigation makes it CRIME..? 13

14 Internal Control Framework (ICF) As before, you are unlikely to start with a clean slate. So how to implement the controls? Look at what you already do and how you do it? Map it Break it down into manageable sub-processes Identify the risk you face in each process and sub-process. Document them Ask the question How do I mitigate the risk? Build that mitigation into your map right there Watch where it changes the map and others that connect. Identify the procedures, processes and controls required to control the risk 14

15 ICF process mapping simple version 15

16 ICF process mapping complex version 16

17 Top level risk and control matrix This is an example of a financial control model showing the headers that might be used. It is a slightly simpler than might be used for strict compliance but covers the major markers Combine with the detailed trade compliance risk matrix that appears next? Adapt it to fit your needs! 17

18 Example of a Trade Compliance risk-focussed matrix (1) 18

19 Example of a Trade Compliance risk-focussed matrix (2) 19

20 Too complex? This is unavoidably a complex area the moment you get away from headlines you re into detail. The devil IS in the detail What is your audience? Horses for courses.. HMRC and OGDs will likely want the detail and it helps to give it to them to clearly demonstrate your control over risk. Downside does it allow them too good a view of what you do and invite inspection? Is this something you should be afraid of? Shouldn t you be capable of inviting inspection! Your senior finance management will need the ICF level work for SAO but likely not below that unless asked for. Senior management in general will likely only want a one-page summary but they also want to know that this area will not be a problem for them. The existence of this level of risk control will give them assurance. It s also likely an improvement of anything they re likely to have had introduced by accountants etc. It will be targeted specifically to your business rather than being a boilerplate set of risks 20

21 M&S risk assessment (1) The M&S ICF covers 21 broad processes such as: GM Import process CFSP processes Excise receipts at various warehouses Use of consultants On the trade compliance risk matrix, M&S assess 20 generic (tier 1)risk areas such as: Customs & Trade Compliance Organisation Internal Controls Classification, Valuation, Origin Supply Chain Security Documented Procedures & Processes Below that there are 216 specific (tier 2) risks identified These are very variable Import licensing has just 2 specific risks, classification has 15, Supply chain security has 32, Excise has even more. 21

22 M&S risk assessment (2) Even then, we recognise that in key areas such as Import Valuation, Classification, Excise, AEO or Export Controls this is insufficient so even more detailed assessments are made as required. Similar format but may be simplified as needed. Tend to be ad hoc. M&S assess 500+ detailed level requirements 22

23 Summary What regimes or controls do you need to meet? Do you have a compliance program does this type of risk assessment fit? Where are you in the maturity scale for risk assessment? What level of assessment is suitable for your business? Have you documented or mapped your processes? How much detail do you want or need to go into? Do you see any value-add in doing the assessment and implementing the controls? Can you handle it in-house? What tools are available to assist? 23

24 Thank you for listening! Questions? Mark Corby 24