Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Partners
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Careers
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Blogs
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
FAQs
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
9 May 2023

Sanctions compliance: Best practices for avoiding penalties and reputational damage

Not long ago a German online magazine published an article about a German company shipping a hydraulic hammer to Russia. This hydraulic hammer was used by Russia for the construction of the Crimean Bridge.

The construction work was completed, but a penalty order was issued against the company itself and a responsible employee based on permitted actions regarding existing sanctions regulations. The penalty in this case was 1.3 million euros for the company and 18,000 euros for the employee responsible.

In this blog, we don't want to deal with the question of why such an incident occurred, but we will be investigating the considerations companies should be making to counteract such cases happening in the future.

It's worth mentioning in advance that we do not have more details about that specific case and therefore we do not want to draw any conclusions on that situation. We are more concerned about the general best-practice approaches for a topic which is much more complex than it used to appear.

 

From our point of view, it would be wrong to only analyse the process chain of this particular shipping, or to determine who has made which mistake and when (intentionally or not) in the whole shipping-process. Sanctions Compliance should be a cross-company effort affecting every single employee. Only a collective system for the avoidance of violations against legally binding sanction requirements represents an effective compliance programme. 

The most important element of a company is and remains its governance regarding such complex compliance topics. The top management of any company should always define global policies which are mandatory for every employee of the organisation. It is recommended to clearly define areas of responsibility, internal control mechanisms (such as a 4-eyes principle) and to document them for each individual employee.

As a consulting company, Turnkey always advises companies to discuss a global risk appetite individually for every corporate area based on the applicable regulations. In case of amendments to such regulations, companies should act immediately to ensure an appropriate reaction. Especially in a time of growing globalisation and successive crises, this should be a basic requirement of every company.

Once the global policies of a company are defined, areas of responsibility are identified and general guidelines are established based on the company’s risk appetite, the next step is to formulate processes which are in compliance with recent global policies for each corporate area and each individual.

Therefore, we would also advise designing these processes in cooperation with each subject area individually, because only in these areas are daily business and compliance are compatible. The resulting process chains, as well as the global policies, should be documented in a way that ensures constant access for every person and/or every employee. 

Due to the dynamics of the world political events and the constantly changing conditions in the area of sanctions, companies should ensure they are properly communicating with new establishments, and keeping up to date with changes and renewals of regulations. Periodic and mandatory employee-training is essential because it not only protects the company, but also ensures protection through knowledge for every employee. 

Despite all the definitions and guidelines fixed in writing, technical implementations and innovations are basic requirements for an effective compliance programme. The introduction of a screening tool is a must for every company, with the equipment for this being individually selected based on the risk appetite previously defined.

The screening tool should be considered as a central point for every corporate area. There will always be a subdivision (e.g. operational units) supplying the tool with data, and at least one other subdivision which is assessing the entered data based on the global policies and recent subdivisional processes. The evaluation of the data is then the basis for the processing of all transactions carried out by the company.

Comparing the best-practice approaches published by different sanctions regimes, like the EU-Commission, OFAC and others, it is always recommended to always evaluate the whole situation within a company before analysing a single case.

In order to prevent further sanctions violations, a company must make changes to their existing compliance program, depending on the result of the investigation. These additional costs should be added to the payments from the existing penalty order.

Therefore we always recommend to pre-arrange everything you can to ensure security in relation to sanctions compliance before being sued to pay such penalties. Furthermore, the reputational damage caused by articles like the one mentioned earlier are difficult to quantify and can lead to further significant losses and may be threatening the existence of a company.

True to the motto: “If you think Compliance is expensive, try non-compliance"

 

Turnkey Virtual Event Banner Template 2023 5-9-23 (2)