Meet Your Counterpart – IT and Trade Compliance
I had a recent exchange with a Trade Compliance (TC) colleague who was expressing her belief that many TC professionals don’t know their IT counterparts, or who they should be working with to ensure export controls are integrated into IT networks and systems. I agree with her, and experience has shown me the inverse is true. Outside of a company under Consent Agreement, IT professionals typically don’t know who they should go to for export control considerations…if they even know they have export control considerations in the first place. This calls for an introduction.
Since it is TC’s role to reach out to the business functions and ensure export control requirements are integrated therein, I’ll start by introducing TC to IT. However, before I make introductions, I encourage both TC and IT professionals to read my Export Regulations and Cyber Compliance article. The article sets out the questions you’ll need to work together to answer. TC, spoiler alert, you’ll need to connect with the IT personnel responsible for the topics described therein.
Regardless of your company size or TC/IT organization structure, it is critical that a bellybutton in TC is connected to a bellybutton in IT. This is your starting point. Make the connection and let them start figuring things out. These two IT/TC professionals must work together to translate business, IT, and trade control requirements into concepts that can be understood, implemented, maintained, and monitored.
Trade Compliance, meet IT.
In the ideal scenario, IT is a centrally-managed, corporate-driven services organization where the CIO runs a Program Management Office (PMO). Within the PMO, a specific IT professional has been assigned export control responsibilities and ensures all corporate-driven initiatives (e.g. going to the Cloud, ERP consolidation, outsourcing, offshoring, etc.) are vetted for export control considerations. This person ensures TC is actively engaged in new projects. In addition, this person is responsible for ensuring IT has and maintains the methodologies and tools the business needs to comply. This person can connect you with all the key players and should already be interfacing with them on your behalf. This approach means IT has taken responsibility AND assigned resources.
If your company operates with a model similar to that described above, you’re ahead of the curve. If your IT organization operates in a highly-decentralized model, where maverick IT organizations do what they want, you have a tougher road ahead of you.
TC professionals, you’ll want to connect with the IT professionals who have the following roles/responsibilities:
- Chief Information Officer (CIO) – in smaller organizations, the CIO may be more hands-on and accessible. In these organizations, it may be appropriate for the TC lead to interact with the CIO directly. In medium-to-large companies, you should know your CIO, but work directly with his/her generals. The CIO will set the strategic direction, so it is important he/she understand and account for export controls in the IT strategy.
- Chief Information Security Officer (CISO) – someone in your IT organization is going to be responsible for security. In your larger organizations, this will be your CISO. This person will have access to capabilities and tools that can be leveraged to address the export controls use-case. They are also responsible for breach notification. If you’re subject to DFARS, it is a 72-hour window. Companies don’t like to broadcast breaches internally or externally. Thus, the number of folks “in the know” is small. When the breach involves export controlled data, TC must be included in IT’s breach notification process. Your CISO can make that happen.
- Network Administrators – these individuals hold the “keys to the kingdom” and should have a holistic understanding of your ecosystem. They should be able to provide you with a good understanding of what’s where and how it is managed/used. In addition, they should have visibility into how hardware, applications, administrators, and users are provisioned (set-up).
- Infrastructure Administrators – these individuals have responsibility for the hardware supporting the network(s) and systems. They should be able to tell you the geographic location of the underlying hardware, which is a key export controls consideration.
- Application Administrators – these individuals have responsibility for one or more applications in your IT environment. They are typically responsible for application maintenance, upgrades/enhancements, and user provisioning. When it comes to integrating export controls in ERP, PLM, email, etc., the application admins are key.
- Client & Mobile Device Administrator(s) – these individuals are responsible for ensuring all clients (e.g. laptops) and mobile devices are running approved and up-to-date software. When it comes to pushing client- and mobile-based tools to your users, these administrators will be critical. Additionally, these folks are critical to processes like clean traveler laptops and mobile devices.
Are you a TC professional who has successfully engaged IT? Share your keys to success in the comments.
IT, meet Trade Compliance.
In the ideal scenario, TC is a centrally-managed, corporate-driven services organization where the Trade Compliance lead runs a Program Management Office (PMO). Within the PMO, a specific TC professional has been assigned export control responsibilities and ensures all corporate-driven initiatives (e.g. going to the Cloud, ERP consolidation, outsourcing, offshoring, etc.) are vetted for export control considerations. This person ensures TC is actively engaged in new IT projects. In addition, this person is responsible for ensuring IT implements methodologies and tools needed for the business to comply. This person can connect you with all the key players in TC and should already be interfacing with them on your behalf.
If your company operates with a model similar to that described above, you’re ahead of the curve. If your TC organization operates in a highly-decentralized model, where maverick TC organizations do what they want, you have a tougher road ahead of you.
IT professionals, you’ll want to connect with the TC professionals who have the following roles/responsibilities:
- TC Lead – depending on your organization structure, and where you’re located in the world, the TC lead could have the title of Manager, Director, VP, or Head. In some cases, the General Counsel will have ultimate responsibility for the TC program. IT leadership will need to establish a relationship with this person, but will likely be working with one of his/her generals. The TC Lead should assign a TC resource to directly support IT.
- TC IT Liaison – for lack of a better term, the TC IT Liaison is the TC professional assigned to support IT. In many TC organizations, this may not exist. Work with your TC Lead to create this role and assign responsibilities.
- TC Automation Manager – many TC programs have purchased and leverage IT systems specifically designed for TC use cases (e.g. Restricted Parties Screening, Jurisdiction and Classification, Export Authorization Management, Export Shipment Management, etc.). It is fairly typical for these programs to have a specific person responsible for managing these applications. If you don’t have a TC IT Liaison, the TC Automation Manager is an excellent candidate for the role. These professionals have a good understanding of business, TC, and IT requirements.
- Empowered Official (EO) – I’ve thrown this in for U.S. companies subject to the ITAR. An “Empowered Official” is a defined term in the ITAR. It is these folks whose names are on the hook for every illegal export committed by the company (along with the individuals directly committing the violations, and the company as a whole). Naturally, these folks can be a bit sensitive to risk. The EOs don’t necessarily have the skill sets to help you, but they are the gatekeepers. An EO in your company will ultimately sign-off on risk-based decisions pertaining to export controls.
Are you an IT professional who has successfully engaged with your TC organization? Share your keys to success in the comments.
Few companies have fully integrated export controls into IT environments. The “cyber compliance” aspect of export controls is the new frontier. Addressing today’s cyber compliance challenge, integrating export controls into IT, isn’t going to happen overnight. It is a long-term proposition. However, with thoughtful coordination, collaboration, and planning, it can be achieved. Your company’s ability to compliantly compete in a globally-networked, information-driven economy depends on it. It all begins with connecting the IT and TC bellybuttons.