Although enterprises in a variety of sectors――including finance, counseling and even manufacturing――have discussions on “sanctions compliance risk management,” it lacks an academic definition.
In the risk management toolkit, the “classical risk model” that has been used for decades explains various risk management strategies in the modern business community and guides decision-makers in their efforts to manage risk――sanctions compliance risk management is no exception.
This article defines sanctions compliance risk by the “classical risk model” and presents characteristics of sanctions compliance risk by analyzing some cases.
What is risk?
In his 1984 paper “Foundations of Risk Measurement. I. Risk as Probable Loss,” Peter C. Fishburn claimed that the possibility and the impact of loss are two essential risk factors that should be considered in the risk assessment process. In addition, he believed that the suitability of such an assessment approach is axiomatic. This belief established the foundation of the classical risk model that was widely accepted by academic circles.1
According to traditional theories in risk management, risk can be defined as the multipli- cation of “possibility of risk occurrence” and “consequence of risk.” In other words, the classical risk model can be expressed by the following equation: risk = possibility x impact.2
What is sanctions compliance risk?
In accordance with the classical risk model, sanctions compliance risk can be defined as the possibility of causing direct or indirect loss due to a violation or suspected violation of sanctions terms by an entity.
Onset
The onset of sanctions compliance risk must be the violation or suspected violation of a certain sanctions’ term by an entity.
Consequences
The consequences of sanctions compliance risk are inevitably direct or indirect losses. If no loss arises from the violation of sanctions terms by an entity, it will bear no responsibility of managing such a risk.
Possibility
Considering possibility is indispensable from the onset of violation or suspected violation of sanction terms, to the finishing point of causing direct or indirect losses. After an entity violates or is suspected of violating sanctions terms, it is uncertain whether any direct or indirect loss will follow or how much could be lost. This depends on whether sanctions- issuing entities detect the violations of regulations, whether they regard the violations to be serious enough and whether those violators are competent enough to manage risk.
Classification of sanctions compliance risk
Sanctions compliance risk (direct loss risk)
On May 17, 2019, the Bureau of Industry and Security (BIS) added HH Technologies Co., Ltd (a Chinese technology company) to the Export Administration Regulations (EAR) Entities List due to this company violating U.S. law by making transactions with Iran and doing business with Iran-based telecom companies.3
  [ ASPECTS OF APAC ]
After several delays, BIS’ sanctions on HH Technologies came into effect officially on September 15, 2020. HH Technologies was denied access to chip manufacturing equipment and techniques administered by the U.S. government, thus suffering stagnation in its business.
Banks and other entities may face sanctions compliance risk from countries or districts where their branches are located or from their business related to the U.S. Compared to the management process of money laundering risk, a more extensive scope of risk compliance may pose a greater challenge to international risk management.
Reputational risk (indirect loss risk)
In June 2019, the Washington Post reported that three Chinese banks refused to implement the subpoenas issued by the U.S. court to investigate the violation of sanctions on North Korea at the risk of being cut off from the dollar clearing system.4
The three banks were not listed as objects of the investigation, nor did they violate any sanctions terms. Instead, they were simply listed as witnesses during the investigation. During the trial, the three Chinese banks refused to provide data on customers in China directly, and asked the U.S. court to work through diplomatic channels.
Despite a lack of substantial progress after the incident, the relevant reports still took a toll on the reputation of these banks. According to the open market data, their stock prices all plummeted after the incident, among which China Merchants Bank’s fell for eight consec- utive trading days.
Unlike compliance risk, there is no way to appeal in the process of reputational risk management. The entity cannot seek reconciliation from the supervisory authority, nor can it file a lawsuit to the judicial department. Compared with direct compliance risk, reputational risk has a more extensive and far-reaching impact.
[ JUNE-AUGUST 2021 ] 79