Where Industry and Security Intersect
What's New | Sitemap | Search
These Guidelines are divided into three different sections, referred to as Elements:
1. Administrative Elements;
2. Order Processing Element; and
3. Screening Elements.
This is done to communicate individual principles, but does not necessarily mean that YOUR company EMS should be implemented in this same format. You may find that you can combine some elements to work more efficiently and effectively within you operations. You are not restricted to this format or these elements described in these Guidelines. You may want to develop an element that is unique to your specific product line and the respective risks.
Exporters, as well as companies that facilitate exports or engage in other controlled activities, need a working knowledge of the regulations and their applications. It is strongly recommended that to develop such an understanding, company personnel responsible for export controls attend one of the many seminars offered by BIS.
A company’s EMS should be appropriate to the scope of its export and reexport activities and to its business situation. Several factors may affect how an EMS may be structured. All of the factors noted below are important to consider as you develop an EMS; however, the most significant are volume of exports, location of customers, product sensitivity or restrictions, and the order processing system.
A. Exporter Type
B. Nature of Item Exported
C. Source of Item Exported
D. Item Sensitivity, Dual-Use Risk and Restrictions
E. Distribution Points
F. Exporter Size
G. Customer Type
H. Use of Product by Customer
I. Location of Customers (See Part 740, Supplement No. 1, to the EAR.)
J. Subsequent Transfers/Reexports
K. Exporter/Customer Relationships
L. Order Processing System
M. U.S. Person Participation in support activities by which a person facilitates an export, reexport or transfer that will assist proliferation activities described in Part 744:
The various principles (elements) described in the Guidelines offer tools and compliance options that a company might choose to use in developing a compliance program uniquely suited to its particular operational features. No one compliance program will be appropriate for every company. The following examples may help illustrate this point.
- A small company with only two or three employees will probably not need a list of the names, phone numbers, and responsibilities of persons involved in export control issues. However, such a list may be essential for large companies and may be even more effective if posted on a company intranet site when various geographic locations are involved.
- Likewise, a small company will not necessarily develop its’own formalized training program. Rather, the company’s employees or owners may familiarize themselves with the EAR and one of the employees will take on export compliance duties in addition to several other duties. In contrast, a large company might find it extremely valuable to develop its’ own ongoing training program to educate a large number of employees on evolving export control requirements. In a company with various geographic locations involved, a training module on a company intranet site or training videos might be more effective.
- A company that exports bacterial agents may develop a compliance program that includes an extensive screen of end-uses. The company would want to ensure that no exports/reexports of the bacterial agents will be used in any of the prohibited end-uses described in Section 744.4. However, a compliance program for such an exporter need not necessarily include a screen to identify, for instance, nuclear end-uses because their transactions do not involve prohibited nuclear end-uses.
- A company may have determined that no end-uses/end-users activities described in Part 744 apply to its transactions. Therefore, it does not need to include extensive nuclear, missile or chemical and biological screens. However, it should still set up procedures for Denied Persons , Entity List, and Diversion Risk Red Flags screening.
- A bank or other financial institution need only be concerned with end-use and end-user screens to avoid prohibited financing or other participation in the design, development, production, stockpiling and use of missiles or chemical/biological
weapons and financing certain transactions with Denied Persons.
The size, organizational structure, and production/distribution network of a company will determine the location of activities where EMS controls would be useful. In small companies, one individual at one location may perform almost all of the activities. In large or
medium-sized companies, these activities may be performed in different organizational areas (comptroller, accounting, sales, marketing, contracts, general counsel, customer service, traffic, corporate audits, order processing, etc.) and/or at different geographical locations (product center, regional office, headquarters, shipping points, etc.).
Some companies choose to designate a single employee responsible for the administration,
performance and coordination of these activities (e.g., EMS Administrator). Some large companies decentralize export control responsibilities throughout the organization but with corporate oversight to ensure essential standards are set and maintained.
Regardless of the method of export control coordination or the size of the exporting company, the person responsible should be sufficiently senior in the management hierarchy to impose and maintain a strong commitment to export controls for the entire company. In instances
where export control activities are decentralized, it is paramount to have knowledgeable staff trained in export control issues at each location or in each function where orders are received and shipped.
Many companies centralize the administration of training, record keeping, dissemination of regulatory material, notification of non-compliance, and internal reviews. However, the actual screening activities in some companies of the Denied Persons Lists, end-use and end-user activities, and Diversion Risk may be performed by personnel throughout the company, (e.g., sales and marketing, order entry, or shipping) where firsthand knowledge and information on the consignee is available.
If a company decides to adopt an EMS, BIS recommends that the export control program be formalized into a written format. This format, an EMS Manual, should describe detailed operational procedures implemented to ensure compliance with the EAR. Further, it should hold appropriate personnel accountable for the performance of the compliance operations as well as describe what, where, when and how export control checks are conducted.
Sometimes the toughest part of any job is getting started. This section is intended to offer you a starting point that has worked for many companies, and to help guide you with the development of your EMS.
These guidelines are divided into three different sections of Elements: Administrative, Order Processing and Screening. This is done to communicate individual principles, but does not necessarily mean that YOUR company EMS should be implemented in this format. You may find that you can combine some of the elements to work more efficiently and effectively within your operations. Do not feel that you are restricted to this format and only to these elements described in these guidelines. For example, many companies have implemented elements to deal with deemed exports and the transfer of technology. You may want to develop an element that is peculiar to your specific product line and risks associated with those items.Developing Administrative Elements
The Administrative Elements are considered to be the foundation of the EMS. Consider what is already in place within your company for each of the Administrative Elements. This will probably require some interviewing of personnel in different departments or perhaps distributing a survey to identify existing resources and procedures that may need to be enhanced or amended.Step Two: Determine which employees are involved in the day-to-day export functions and identify specific, currently performed responsibilities for each of these employees. Then, identify the most experienced employee(s) in the area of export control and appoint an Export Control Administrator and backup person (or a team) who will be responsible for oversight of the system. Determine whether your current organizational charts can be used to communicate the export control structure of your system (Element 2).
Step Three: Review your export control documents (records) and evaluate whether required documents are maintained, location(s) they are kept, and period of retention (Element 3).Step Four: Evaluate whether you are able to blend export administration regulation and EMS training into those current company training programs that you have in place.
Step Five:. Determine whether your company has annual audits and if so, whether they are performed by independent, outside companies. If at all possible, use the resources for reviews that you already have in place and add an EMS review module.Step Seven: Formalize your Administrative Elements by developing written procedures for each element.
Developing The Order Processing and Applying Screening Elements
The Order Processing Element assists companies in combining all of the screens into one comprehensive flow chart and allows a company to identify what screens are addressed during order processing. Your order processing flow may involve both manual and electronic processes that you will need to chart. The key steps where internal controls should be implemented include: prior to order entry, at order entry, in the processing stage within the system, and at the end of the process. If you have an integrated process with manual and electronic stages, you may want to include a manual order processing flow that shows where the human tasks are performed and a systems logic flow chart that describes the electronic internal controls that are performed.
Beginning with the Order Processing element is like building the foundation of a building. Once you have the concept drawn on a blueprint, you can begin to build brick by brick. Once the order processing flow has been established and formalized, you can begin to build the internal controls screen by screen. The following steps should help you lay the Order Processing foundation and begin to place the screening elements into the each vulnerable stage of the process where a violation of the EAR could occur.
Step One: In narrative form, describe each step of the company's order entry procedure and order processing through shipping and receipt of the goods. Include names (or position titles) of responsible personnel, levels of approvals required, and precautions taken prior to order entry (for example, by sales representatives). Who is held accountable, for what task, when are they supposed to do it and what do they do with it?
Step Two: Create a flow chart that visually displays the company's order processing system. If the flow becomes too complex, you may need to divide the flow into other subordinate flows that supplement the main flow.
Step Four: Implement "Cancel Order," "Hold Order" and "Release Order" functions if any screens fail at various vulnerable steps in the process. The "hold" function is triggered by red flags that arise in any of the screens. "Release" is when the red flag has been resolved and the Export Control Administrator authorizes the further processing of the order. The red flag triggers might include certain key words and destinations of concern as well as "yes/no" type failures in the process.
Step Five: Once all relevant screening elements have been placed on the flow chart, a more detailed description of those elements should be described and formalized within the individual elements of the EMS.Verify the System is Accurate and Operationally Realistic
Step One: Walk through the process from beginning to end, with all personnel involved in the process.