83278 April 2012 Border Management Modernization Reference and Implementation Guide Risk-Based Compliance Management Making it Work in Border Management Agencies This Guide has been prepared by Professor David Widdowson, University of Canberra, on behalf of the Inter- national Trade Department of the World Bank and was supported by a grant from the Netherlands Govern- ment through the Bank Netherlands Partnership Program. Contents 1. About this Reference and Implementation Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2. Roles and Responsibilities of Border Management Agencies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. What is Risk-Based Compliance Management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. How Can Border-Related Risks be Managed?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Establishing the Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Identifying Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Analyzing risks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Assessing and prioritizing risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 5. Mitigating Identified Risks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Legislative Base. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Client Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Compliance Assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Compliance Recognition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Compliance Enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Monitoring and Reviewing Risks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 6. Enablers and Impediments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Organizational Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 International Instruments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Collaboration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 7. Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 8. References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 1 About this Reference and Implementation Guide The World Bank’s publication Border Management in the World Bank publication. Specifically, it builds Modernization (2011)1 provides policymakers and on the contents of Chapter 6 (Core border manage- reformers with a comprehensive ‘whole of govern- ment disciplines: risk-based compliance manage- ment’ perspective on improving trade facilitation ment) and Chapter 11 (Reform instruments, tools, through better border management. In introducing and best practice approaches) by providing: the subject, it points to the fact that overly bureau- cratic border clearance processes imposed by cus- • an introduction to the key issues associated toms and other border agencies are considered to with the practical implementation of a modern represent greater barriers to trade than the imposi- risk-based compliance management regime in tion of tariffs. border management agencies; • a step-by-step method of establishing a compli- Recognizing that Customs is only one of several ance management approach in a border man- agencies involved in border processing, Border Man- agement agency; agement Modernization provides extensive informa- • practical examples covering a range of border tion on a broad range of international developments management activities to illustrate the meth- and contemporary principles that are applicable to odology; and all aspects of border management, irrespective of • useful tips to help identify and rationalize or which agency may have the relevant policy or ad- eliminate resource intensive, time consuming ministrative responsibility. and ineffective regulatory processes. This Reference and Implementation Guide has been http://issuu.com/world.bank.publications/ 1 developed to supplement the information provided docs/9780821385968 2 Roles and Responsibilities of Border Management Agencies The practice of most governments is to assign as- ment of effective and efficient border management pects of regulatory responsibility at the border to a is ultimately a whole-of-government task, requiring number of different agencies. Each of these agen- the involvement of all government agencies with re- cies has its own specific mandate from government sponsibilities at the border. and, taken together, they cover issues as diverse as health, product safety, biosecurity, immigration The following examples, while far from being ex- controls, revenue collection and transport security. haustive, highlight the breadth of agencies’ roles Nevertheless, the fundamental nature of the chal- and responsibilities at the border. These diverse lenge that each agency confronts is the same, that aspects of border management will be used as ex- is, to facilitate the legitimate movement of people amples and case studies throughout this Guide. and goods while, at the same time, maintaining the integrity of the border by ensuring compliance with As we can see, the concept of risk is prevalent in relevant legal requirements. all aspects of border management with particular government policies designed to mitigate a wide Proper border management is critical to the cost ef- variety of risks to policy objectives, including the fectiveness of international trade transactions and risks of: the smooth flow of legitimate goods and people from the perspective of both the public and pri- • food-borne illness vate sectors. And while some agencies may have • pests and diseases entering the country particularly good procedures in place, the achieve- • people entering or leaving a country illegally Table 1.  Border Agency Roles and Responsibilities Food Safety Food that is imported into a country is required to meet the relevant food standards of that country. Laws relating to imported food products are designed to ensure public health and safety by minimizing the potential risk of food-borne illness. Similarly, export controls ensure that the quality of a country’s exported food meets relevant standards in order to meet the country’s international obligations and protect the reputation of its food industry. Food safety laws generally include provisions that enable an agency to inspect and analyze imported and exported food to ensure that the required standards are met. Generally, there is also a requirement for commercial traders of certain food products to obtain a permit or certificate prior to its importation or exportation. Biosecurity – Plant Quarantine Quarantine controls on imported and exported plants are designed to ensure that national and international standards of plant health are met. Import controls seek to minimize the risk of pests and diseases entering the country, while export controls seek to maintain a country’s reputation in overseas markets and ensure ongoing access to such markets. Laws relating to plant quarantine provide agencies with the authority to inspect, test and, if necessary, treat plants and plant products to ensure they meet relevant standards and do not pose a threat of pest or disease. In some countries, live plants may be held at quarantine stations until such time as they are deemed not to represent a pest or disease risk. It is also a common requirement for commercial traders of certain plants and plant products to obtain a permit or certificate prior to their importation or exportation. (Continued on next page) 4 | Risk-Based Compliance Management: Making it Work in Border Management Agencies Table 1.  Border Agency Roles and Responsibilities (Continued) Biosecurity – Animal Quarantine Quarantine controls also apply to the import and export of animals. Import controls are essentially intended to minimize the risk of pests or diseases entering the country, while export controls are designed to ensure that the regulatory requirements of the importing country are met and, in the case of commercial transactions, to maintain a country’s reputation in overseas markets. Laws relating to animal quarantine provide agencies with the authority to inspect, test and treat animals to ensure they meet relevant standards and requirements, and to ensure their health and welfare. In many cases, animals that are imported into or exported from a country are placed in quarantine and may only be released once the agency has determined that they are free of disease. Generally, there is also a requirement to obtain a permit or certificate prior to importation or exportation. Immigration Immigration controls apply to people who enter or leave a country, except in circumstances where special arrangements apply, such as borders within the European Union. Such controls are designed to ensure that people who travel across a country’s borders are authorized to do so, and to minimize the risk of people entering or leaving the country illegally. They are also designed to ensure that people who are allowed to enter a country conditionally meet the conditions under which they are admitted. Immigration laws include provisions to enable relevant agencies to question, search, conduct identity checks, and detain people who intend to cross the country’s border. In many cases, travelers who are non-citizens of a country are required to obtain an entry visa prior to or at the time of arrival in the country. Intellectual Property A broad range of border controls applies to internationally traded goods, including those relating to intellectual property. These are designed to prevent international trading in counterfeit and pirated goods, to provide protection to the owners of trademarks and copyright material, and to protect the community from potential risks (for example, counterfeit medicines). Laws relating to the protection of intellectual property generally allow agencies to examine and seize commercially imported goods that are suspected of infringing intellectual property rights. Such controls would usually only take effect if the owner of the intellectual property has made a formal request to the agency to protect them from counterfeit, pirated or unauthorized importations. Revenue Collection Most countries impose import duties and/or other taxes and fees on imported goods. In some cases this may also apply to certain exported goods. Laws relating to revenue collection are designed to ensure that the correct amount of revenue is paid on the imported (or exported) goods, and to minimize the risk of government revenue leakage. The powers that enable agencies to enforce revenue laws are extensive. Relevant provisions include such things as documentary and physical examination, detention, seizure, audit and investigation. International traders are required to provide evidence to help inform decisions about the amount of duties, other taxes and fees that are payable. Transport Security International transport is highly regulated, and regulatory measures have now been extended to secure the supply chain against acts of terrorism. Relevant regulatory controls are generally exercised at a country’s borders and/or at the borders of its trading partners, particularly in relation to air and marine transport and cargo. Such laws are essentially designed to minimize the risk of terrorist attacks. Laws relating to transport security provide agencies with wide-ranging powers to ensure that security standards are being properly observed and to verify the validity and integrity of shippers and other members of the international trading community. Safety Standards Safety standards apply to a wide range of products that are internationally traded. Their purpose is to protect consumers against injury, illness and death related to unsafe goods. Export controls are designed to ensure that the regulatory requirements of the importing country are met, and to maintain a country’s reputation in overseas markets. Relevant laws enable agencies to screen, examine and test goods to ensure that they meet product safety standards, and to ensure that their importation or exportation is not prohibited. Safety standards may not be restricted to unsafe design features, but may also apply to non- physical aspects of a product such as mandatory warnings, information and instructions. Roles and Responsibilities of Border Management Agencies | 5 • government revenue leakage Figure 1.  Facilitation-Control Matrix • terrorist attacks. High However, agencies with a responsibility at the bor- der also have a mandate to provide an appropriate RED TAPE APPROACH BALANCED APPROACH level of facilitation to traders and travelers and conse- CONTROL quently, another risk they face is the risk of failing to provide the level of facilitation expected by their gov- ernment. This highlights the need to regulate borders CRISIS MANAGEMENT LAISSEZ FAIRE APPROACH in a way that reduces the impact of interventionist strategies as much as possible. In other words, while maintaining cross-border control is non-negotiable, Low FACILITATION High the way in which it is achieved should also ensure the provision of appropriate levels of facilitation. Source: Widdowson (2003). Regrettably, border processes and procedures do not always reflect the risk or risks that agencies are re- In the following sections we will identify strate- quired to mitigate, and that is the underlying con- gies designed to achieve appropriate levels of both cern which this Guide addresses. facilitation and regulatory control. In the Facilita- tion-Control Matrix, which is described in more The Facilitation-Control Matrix shown in Figure 1 detail in Border Management Modernization, this provides a snapshot of the various ways in which approach to compliance management is represent- border agencies manage their roles and responsi- ed by the top right quadrant (high control, high bilities. Here the concepts of facilitation and control facilitation). It is this ‘balanced approach’ that are shown as two distinct variables of a regulatory border agencies should be seeking to achieve as matrix—they are not mutually exclusive; they are it brings the greatest possible benefits to both the equally important contributors to the achievement agencies themselves and those they are required of an agency’s objectives. to regulate. 3 What is Risk-Based Compliance Management? As we saw in the previous Section, all agencies op- in this Section we will examine some fundamental erating at the border have a fundamental responsi- differences between compliance management strat- bility to ensure compliance with particular regulato- egies that are risk-based and those that are not. ry requirements. However, the way in which this is achieved can be flexible. This is where the concept Although the following examples are specific to par- of risk management comes in. ticular aspects of border management, they are in fact generic in nature and are applicable to most Risk management is at the heart of border manage- facets of regulatory activity, regardless of the policy ment efficiency and effectiveness and is the key to that is being administered or the agency that is re- achieving the ‘balanced approach’ described in Fig- sponsible for its administration. ure 1. Non risk-based measures, on the other hand, can significantly reduce the efficiency of control From the examples in Table 2 we can see that risk measures and limit facilitation by adversely impact- management as a concept is nothing new; in fact, the ing compliant traders and travelers engaged in le- vast majority of agencies already have in place some gitimate cross-border activities. To demonstrate this, form of risk management procedures or guidelines, Table 2.  Compliance Management Examples – Risk-based and Non Risk-based Non Risk-Based Risk-Based Those categories of goods that have the potential to breach Government agencies work with the trading community to assist in the copyright are routinely examined. identification of potential IPR infringements. Control programs to identify potential terrorist threats are limited Government control programs include the ability for transport to routine examination of transport company operations by companies to voluntarily demonstrate compliance with agreed security government officials. and safety standards. Imported food products are routinely inspected and analyzed to Importers of food products with a history of compliant behavior are ensure they meet relevant regulatory requirements, regardless of subject to a reduced level of inspection and analysis. who is importing the goods. Mandatory warnings on particular imported products are routinely Regular importers are allowed to complete product labeling verified at the time of importation prior to release. requirements post importation and prior to sale in the domestic market. Importers of plants are required to obtain a permit for their Known importers of plants, and all importers of certain species, are able importation on a shipment-by-shipment basis. to obtain permits for their importation on a periodic basis. Immigration regulations require all travelers to obtain a visa prior Passport holders from particular countries may obtain a visa on arrival, to arrival. or may be exempted from visa requirements. Regulatory control programs for exporters of animals are aimed at The focus of regulatory control programs for animal exporters includes identifying potential non-compliers. the identification of both compliant and non-compliant traders. Physical control over imported goods is maintained pending Importers may take delivery of their goods prior to completing regulatory completion of all regulatory requirements, including revenue requirements in situations where post importation conclusion of such payment. requirements is possible. 8 | Risk-Based Compliance Management: Making it Work in Border Management Agencies either formal or informal. Indeed, no border agency of sophistication and effectiveness, border agencies is realistically ever going to check every single pas- worldwide seek to identify the risks associated with senger, consignment, carrier, or crew member. Nor is cross-border transactions and activities and to fo- it likely to have the resources to do so. Risk manage- cus their resources where they are likely to achieve ment, then, is also a technique that helps to facilitate the best results. However, while risk management the effective allocation of resources. is practised in some form or another by agencies around the world, very few address risks in a sys- Through the use of a variety of risk management tematic way. In the next Section we will examine a techniques, which vary considerably in their levels structured approach to managing border risks. 4 How Can Border-Related Risks be Managed? This Section introduces a framework that is of equal In this section we examine the first four of these relevance to both public and private sector organi- elements, before examining the treatment of risk in zations. Section 5. The Risk Management Process Framework shown As can be seen by the Monitor, Review, and Com- in Figure 2 provides a logical, structured, step-by- pliance Measurement loop in Figure 2, risk man- step approach to managing risk. agement is an iterative process. This is because risks are not static—they are continually chang- The Risk Management Process Framework is ing—which is something we will explore further in comprised of five core elements: a later section, as well as the need to communicate • Establishing the context and consult with key stakeholders throughout the • Identifying risks process. • Analyzing risks • Assessing and prioritizing risks • Treating risks. Establishing the Context When asked to provide a commentary on risk man- Figure 2.  Risk Management Process agement, the first question that needs to be asked is Framework always, ‘Risk to what?’. Answering this question is not always as simple as it sounds. The most important consideration from a risk man- Establish the Context agement perspective is to ensure that the relevant Monitor and Review, Compliance Measurement risk has been properly identified, to avoid the pos- sibility of introducing extraneous variables into the Identify Risks subsequent risk management decision making pro- Communicate and Consult cess. As such, establishing the context is probably the most important step in the risk management Analyse Risks cycle. Get this step wrong and the whole process fails because the context provides the foundation on which the remainder of the risk management Assess & Prioritise Risks process is based. Risk Assessment A risk, then, is anything that may have an adverse Treat Risks impact on an organization’s objectives. Conse- quently, the first step in managing border risks is to critically review and refine the particular agency’s objectives and to ensure that they are clearly identi- Source: Based on the original Australian and New Zealand Standard on Risk fied. This then becomes the reference point for sub- Management (AZ/NZS 4360: 2004) which now forms the basis of ISO 31000. sequent steps in the risk management process. 10 | Risk-Based Compliance Management: Making it Work in Border Management Agencies Turning to the list of examples outlined earlier, it creasingly important consideration for all govern- is useful to recap some of the higher level govern- ments and agencies with responsibility for border ment policy objectives relating to border manage- management. Consequently, in each and every case ment. These are identified in Table 3, together with we should add ‘… while facilitating the movement some broad strategies that are designed to achieve of legitimate trade and travel’. the particular objectives. Using transport security as an example, the policy In Table 3 the objectives and strategies are worded objective becomes: in a way which highlights the fundamental role of government policy and the overarching strategies • Protect the supply chain against acts of terror- to achieve the policy. Essentially, governments are ism, while facilitating the movement of le- seeking to protect their citizens’ way of life, and ad- gitimate trade and travel. ministrators are required to manage the associated risks. The strategy must also be expanded accordingly: There is, however, something missing here—the • Minimize the risk of terrorist attacks by en- objective of facilitating the movement of legitimate suring that international and national security trade and travel which, as we have seen, is an in- standards are met, in a way that facilitates the movement of legitimate trade and travel. Table 3.  Government Policy Objectives Issue Key Government Objectives Broad Strategies Food Safety • Protect public health and safety. • Minimize the potential risk of food-borne illness by • Protect the reputation of the country’s food ensuring that the quality of internationally traded food industry. meets relevant standards. Biosecurity – Plant • Protect the country from exotic pests and diseases. • Minimize the risk of pests and diseases entering the Quarantine • Protect the country’s reputation in overseas country by ensuring that national and international markets. standards of plant health are met. Biosecurity – • Protect the country from exotic pests and diseases. • Minimize the risk of pests or diseases entering the country Animal Quarantine • Protect the country’s reputation in overseas by ensuring that national and international standards of markets. animal health are met. Immigration • Protect the government’s right to determine who • Minimize the risk of people entering, leaving or remaining may enter, leave or remain in the country on a in the country illegally by ensuring that people who travel permanent or temporary basis. across or remain within a country’s borders are authorized to do so. Intellectual • Protect the rights of owners of trademarks and • Minimize the risk of trade in counterfeit and pirated goods Property copyright material. by ensuring that internationally traded goods do not • Protect the community from potentially unsafe infringe intellectual property rights, including trademarks products (e.g. counterfeit medicines). and copyright. Revenue Collection • Protect the national revenue. • Minimize the risk of government revenue leakage by ensuring that the correct amount of revenue is paid on imported (or exported) goods. Transport Security • Protect the supply chain against acts of terrorism. • Minimize the risk of terrorist attacks by ensuring that international and national security standards are met. Safety Standards • Protect consumers against injury, illness and • Minimize the risk of trade in unsafe goods by ensuring death related to unsafe goods. that internationally traded goods meet national and • Protect a country’s reputation in overseas markets. international safety standards. How Can Border-Related Risks be Managed? | 11 Table 4.  Environmental Factors Governments are seeking to protect their citizens’ way of life, and administrators are required to manage Internal Environment External Environment the associated risks • Hours of operation at the • Geographic setting. border post. • General facilities and • The number and infrastructure at the border Note that each strategy is in two parts: (1) minimiz- competencies of staff. (both private and public). ing risk to the achievement of a particular govern- • Staff responsibilities and • The nature of international ment objective; and (2) pursuing a specific course accountabilities. trade, transport and travel. of action to achieve such minimization. • Administrative framework, • The volume of international including practices and trade and travel. For the moment, however, we will restrict our focus to procedures. • Treaties and international the identification of objectives. Later, we will examine • Agency infrastructure at the obligations. strategies for identifying risks and treating risks (that border including systems • Quality of government is, pursuing a specific course of action to minimize and technology. legislation and policy. risks). In the meantime, there are further consider- • Quality and timeliness of • Interagency agreements and ations that must be taken into account in relation to head office support. level of cooperation. the context in which the risks are to be managed. • Internal communication and reporting mechanisms. Having established and clearly articulated the agen- cy’s objectives, it is important to consider relevant aspects of the agency’s internal and external envi- ronment that may have an impact on the achieve- Table 5 may be relevant, depending on the particu- ment of those objectives, since any decisions about lar circumstances. risk must be made in the context of the environ- ment in which they occur. For example, in Table 4, The potential causes can be diverse. For this reason, a number of environmental factors are listed that it is important for a knowledgeable group of people may impact on an agency’s ability to ensure that to devote resources to the risk identification pro- standards of plant health are met. cess, and indeed to other aspects of the risk man- agement process. Once we have a clear understanding of our objec- tives and an accurate picture of the environmental To this point, we have used relatively high level ex- factors that may impact on those objectives, we amples, and while these can help our understanding are in a position to embark on the process of iden- of the process of managing risk, it is often not until tifying risks. more specific, operational examples are used that we fully appreciate the benefits of the process. The examples in Table 6 may assist. Identifying Risks Clearly there are many more potential risks to the The process of identifying potential risks essentially achievement of these particular objectives. However, involves answering two questions: the above examples provide an insight into the types of issues that should be considered in the process of • What could happen that may have an impact identifying risks. The above examples identify risks on the agency’s objectives? resulting from a range of potential weaknesses in • How and why could it happen? regulatory controls, including: The first question helps to clarify the nature of • failure to detect and prevent the importation of potential risk while the second provides valuable high-risk goods; information about potential causes. Using safety • inadequate methods of dealing with goods that standards as an example, the issues identified in have already been imported; 12 | Risk-Based Compliance Management: Making it Work in Border Management Agencies Table 5.  Identifying Safety Standard Risks What can happen? • Unsafe goods enter the domestic market. How can it happen? • The responsible agency relies on border referrals, but potentially non-compliant goods are not being referred to them by other border agencies. • Import regulations are inadequate, e.g. newly identified consumer hazards are not reflected in national legislation. • Importers have not been advised of the latest standards and/or procedures. • Importers seek to deliberately circumvent regulatory controls. • The agency’s post-clearance audit regime is ineffective. • Agency staff do not possess the necessary knowledge and skills to identify non-compliant goods. Table 6.  Examples of Operational Risks Objective: Protect the country from the introduction of Bovine Spongiform Encephalopathy (BSE), commonly known as mad cow disease, which may lead to the deadly brain wasting disease in humans known as Creutzfeldt-Jacob disease. What can happen and BSE-infected cattle and beef products may be released into domestic consumption due to ineffective (or a lack of) how can it happen? controls to identify and prevent the importation of infected shipments. Objective: Protect the country from the introduction of Fire Blight, a destructive bacterial disease that affects apples and may lead to the decimation of the domestic industry. What can happen and Introduction of Fire Blight into the domestic economy as a result of inadequate methods of dealing with contaminated how can it happen? shipments that have been landed in the country. Objective: Protect the country from the introduction of Foot and Mouth Disease (FMD), a serious viral disease affecting cloven- hoofed animals such as cattle, sheep, pigs and goats. What can happen and Introduction of FMD into the country through contaminated footwear that is being carried in a passenger’s baggage. how can it happen? Objective: Protect the country from visitors who pose a criminal risk. What can happen and Visitors with criminal records that preclude them from gaining entry into the country may use a false name and how can it happen? passport to gain entry. Objective: Protect the community from counterfeit medicines. What can happen and Counterfeit medicines with ingredients that are dangerous to a person’s health may be released into domestic how can it happen? consumption undetected due to fake branding and packaging. Objective: Protect the national revenue against duty evasion. What can happen and Importers may pay the incorrect amount of duty on particular commodities due to a lack of clarity in the relevant how can it happen? revenue legislation. Objective: Protect the supply chain against acts of terrorism. What can happen and Terrorist groups may compromise a supply chain by introducing explosive devices into consignments that are being how can it happen? shipped by a reputable trader. Objective: Protect consumers against potentially dangerous electrical goods. What can happen and Sub-standard electrical fittings may be imported from countries with ineffective (or a lack of) regulatory controls over how can it happen? the manufacture and sale of such products. How Can Border-Related Risks be Managed? | 13 • failure to prevent and detect criminal activity; context. For the purposes of explanation, generic and definitions are used in the following example. First, • lack of legislative clarity. the definitions of likelihood: Almost Certain: The event is expected to occur. Analyzing Risks Likely: The event will probably occur. Possible: The event may occur at some time. Having identified potential risks, the next step is to Unlikely: The event is not expected to occur. analyze those risks. In doing so, it is important to Rare: It is highly unlikely that the event bear in mind that the concept of risk has two ele- will occur. ments: the likelihood of something happening, and the consequences if it does in fact happen. We con- If the event was to occur, its consequence may be sciously or unconsciously make judgments about estimated by determining how the result of its oc- these elements in our everyday lives. For example, currence would best be described: why do we drive to work when the consequences of having a serious accident are so high? The answer Severe: The event will have an extreme impact lies in the fact that we judge the likelihood of such on objectives. an occurrence to be extremely low. On balance, we Major: The event will have a major impact on consider getting behind the wheel to be an accept- objectives. able risk. Moderate: The event will have a high impact on objectives. This stage of the risk management process therefore Minor: The event will have a medium impact involves analyzing the relationship between the like- on objectives. lihood of a risk occurring and the consequences if it Minimal: The event will have a low or negligible does in fact occur. The combination of these factors impact on objectives. provides us with an understanding of the overall lev- el of risk, which then allows us to compare and pri- Once the levels of likelihood and consequence have oritize the variety of risks that have been identified. been assessed for each identified risk, the overall The aim, then, is to determine the relative signifi- level of each risk can be determined using the Risk cance of each risk which, in turn, enables us to make Matrix (Figure 3), and defined as follows: informed decisions in later stages of the process. Extreme: Highly likely to cause serious disrup- Three basic methods can be used to analyze risk: tion or impact on objectives. Should be quantitative; semi-quantitative; and qualitative. The addressed as a matter of priority and method chosen will generally depend on the degree urgency. Requires urgent, continuing to which risks can be expressed in quantitative terms management/operational attention. with a reasonable degree of accuracy. For example, High: Likely to cause serious disruption or im- revenue risks may be readily quantified, whereas pact on objectives. Should be addressed immigration risks are more easily dealt with quali- as a matter of some priority. Requires tatively. Not surprisingly, the most commonly ad- continuing management/operational opted method in a border context is the qualitative attention. approach, where managers use their experience, in- Medium: Will possibly cause considerable dis- tuition, and judgment to make decisions. ruption or impact on objectives. Re- quires some management/operational A 5x5 Risk Matrix, in which five definitions of attention. likelihood and five definitions of consequence are used, is a useful tool for analyzing risk.2 For practi- cal purposes, the definitions used to define ‘likeli- While some agencies will find the 5x5 matrix to be par- 2 hood’, ‘consequence’, and ‘risk level’ should reflect ticularly useful, some may prefer to use more or less a particular agency’s requirements and operational complex matrices. 14 | Risk-Based Compliance Management: Making it Work in Border Management Agencies Figure 3.  Risk Matrix LIKELIHOOD Rare Unlikely Possible Likely Almost Certain CONSEQUENCE Severe Medium High High Extreme Extreme Major Low Medium High High Extreme Moderate Low Medium Medium High High Minor Very Low Low Medium Medium High Minimal Very Low Very Low Low Low Medium Low: May cause some disruption or impact • strategies to prevent and detect deliberate at- on objectives. May require some man- tempts by the trading community to circum- agement/operational attention. vent controls; and Very Low: Unlikely to cause any disruption or im- • programs to improve staff knowledge and skills. pact on objectives. Requires little or no management/operational attention. Controls may already exist to address some identi- fied risks, in which case the likelihood of them oc- Using our previous example of product safety stan- curring will decrease. It is important, however, to dards (see Table 5), one possible view in relation test the effectiveness of such controls to ensure that to the risk of unsafe goods entering the domestic they are achieving their intended purpose, rather market may be as follows: than accepting their effectiveness on face value. This example suggests a need to address the follow- ing issues as a matter of priority: Assessing and Prioritizing Risks • procedures to ensure that potentially non-com- The purpose of this stage of the process is first, to pliant goods are being referred by other border determine whether an identified risk is acceptable agencies; or unacceptable, and second, to determine which of the unacceptable risks are in most need of an agency response. Cause Likelihood Consequence Risk Some people have great difficulty coming to terms Non referral of Possible Major High with the fact that a risk could be considered to be potentially unsafe ‘acceptable’. However, it is important to remember goods that agencies are generally unable to control all the Import regulations Unlikely Major Medium risks that confront them, and they must therefore are inadequate be selective in determining which risks they will Importers not advised Unlikely Minor Low accept, and which will be addressed through some of latest standards form of resource allocation. There may be a num- ber of reasons for a risk to be regarded as ‘accept- Importers Likely Major High able’. For example: deliberately circumvent controls • the threat posed by a potential risk may be con- Post-clearance audit Possible Moderate Medium sidered to be so low that its treatment is not war- regime is ineffective ranted in the context of available resources; or Staff knowledge and Likely Major High • the cost of treating a potential risk may be so skills high that there is no option but to accept it; or How Can Border-Related Risks be Managed? | 15 • the opportunity cost of accepting a potential est priority, recognizing the fact that controlling risk may outweigh the threats posed by the risk. all risks may be beyond the agency’s capabilities or resources. Generally speaking, the priority of a For example, it may be determined that certain dis- particular risk will depend on its rating within the eases may be introduced into the domestic economy risk matrix. However, it is not uncommon for risks as a result of bird migration. As there may be little to be rated equally, and if there are insufficient that can be done to prevent such an occurrence, the resources to address all risks, a decision must be focus should be on strategies aimed at minimizing made as to how the agency’s limited resources the impact of the disease if it was to be introduced should be deployed. in this way. Similarly, not every potential terrorist target can be fully protected against the possibility Finally, while those risks that are deemed to be un- of attack. As such, a more pragmatic strategy is to acceptable will be managed through a formal treat- focus on impact minimization and business continu- ment plan, those that are considered acceptable ity in the event that such an attack was to take place. should be monitored and reviewed periodically to ensure that the assumptions about their acceptabil- Having determined which risks are to be managed, ity remain valid. These matters are dealt with in the the next step is to identify which have the high- following section. 5 Mitigating Identified Risks In this section we examine ways of mitigating or appropriate level of facilitation for legitimate trade. ‘treating’ risks (the last of the core elements in the Consequently, while routine verifications at the bor- risk management framework). der will no doubt help to reduce the likelihood of unsafe goods entering the domestic market, they are Looking back at Table 3, we can see that strategies likely to also impede the flow of trade, including designed to ensure the achievement of government legitimate transactions. objectives are in two parts: (1) minimizing poten- tial risks to the achievement of particular govern- So, how do we ensure that regulatory procedures ment objectives; and (2) pursuing a specific course are risk-based? An effective way of doing this is to of action to achieve such risk minimization. At this develop a strategy which addresses the following point, it is worth reminding ourselves that the par- five basic elements of compliance management: ticular course of action taken will determine the ex- tent to which an agency’s management of the bor- • The agency’s legislative base; der is risk-based. • Client service; • Compliance assessment; Using safety standards as an example, we have not- • Compliance recognition; and ed that a strategy to protect consumers against inju- • Compliance enforcement. ry is to minimize the risk of trade in unsafe goods by ensuring that internationally traded goods meet na- The combination of these elements provides a struc- tional and international safety standards, in a way tured approach to the management of compliance at that facilitates the movement of legitimate trade and the border, as illustrated in the Risk-based Compli- travel. One way of approaching this is to require ance Management Pyramid shown in Figure 4. all imported products to contain specific consumer warnings. However, as we saw from Table 2, there are a number of ways of doing this—some that Legislative Base are risk-based and which are designed to facilitate trade, and others that are not: The fundamental charter of all government agencies is to ensure compliance with the law. Consequently, • Risk-based: regular importers are allowed to the foundation of any effective border management complete product labeling requirements post regime must be represented by sound national leg- importation and prior to sale on the domestic islation that provides the necessary basis in law for market, and the range of compliance management strategies that • Non risk-based: mandatory warnings on par- a border agency may wish to adopt. ticular imported products are routinely verified at the time of importation prior to release. We discussed a number of these strategies in Sec- tion 2 in the context of agencies’ roles and responsi- It could be argued that the routine verification of bilities. For example, we noted that: imports is in fact one way of mitigating the risk of trade in unsafe goods, and should therefore be con- • Food safety agencies are able to inspect and sidered to be a ‘risk-based’ response. While this is analyze imported and exported food to ensure true, the resultant risk treatment fails to address the that the required standards are met, and that other important risk—that of failing to provide an commercial traders of certain food products are 18 | Risk-Based Compliance Management: Making it Work in Border Management Agencies Figure 4.  Risk-based Compliance Management Ppyramid Modi cation of Ayres Penalty and Braithwaite (1992) Enforcement Pyramid Simpli ed procedures Formal Warning Increased self-assessment Intervention by exception Reduced regulatory scrutiny Periodic payment arrangements Persuasion Less onerous reporting requirements Risk-based Procedures: Enforce Reward Balance between control and facilitation noncompliance compliance using Focus on identifying compliance and noncompliance using administrative Information management focus administrative discretion Pre-arrival assessment, clearance, and release discretion Real-time intervention in high-risk cases Post-transaction focus in majority of cases Audits of industry systems and procedures Investigation where noncompliance suspected Consultation and cooperation Clear administrative guidelines Formal rulings Education and awareness Enforcement Technical assistance and advice Appeal mechanisms Recognition Recognizes respective responsibilities of government Compliance Assessment and industry Provides for electronic communication Client Service Establishes sanctions for noncompliers Enables exibility and tailored solutions Legislative Base Breaks nexus between goods and revenue liability Source: Widdowson (2003); see also Border Management Modernization 2011, Figure 6.3, p. 108. often required to obtain a permit or certificate • Transport security agencies have wide-ranging prior to its importation or exportation. powers to ensure that security standards are • Biosecurity agencies are authorized to inspect, being properly observed and to verify the va- test and if necessary treat plants and plant prod- lidity and integrity of shippers and other mem- ucts to ensure they meet relevant standards bers of the international trading community. and do not pose a threat of pest or disease, and that live plants may be held at quarantine sta- All relevant powers that give rise to an agency’s tions until such time as they are deemed not to rights and responsibilities must be clearly provided represent a pest or disease risk. for in the relevant legislation. For example: • Immigration agencies have the right to ques- tion, search, conduct identity checks, and de- • The Singapore Customs Act provides customs tain people who intend to cross the country’s officers with a range of powers including the border, and that non-citizens may be required power to issue search warrants; enter and to obtain entry visas. search premises; conduct a search without a Mitigating Identified Risks | 19 warrant under certain circumstances; access, well as the quantity, value and other particu- inspect and check the operation of computers lars; to provide invoices and other supporting and other apparatus; search vessels and air- documents as required by law (for example, craft; stop and examine any vehicle for certain permits, approvals, or licenses); to bring goods purposes; open packages and examine goods; for export into a designated Customs area or a search persons arriving in Singapore; etc. specially permitted place for storage; etc. • The Canadian Quarantine Act provides quaran- tine and environmental health officers with a range of inspection powers in relation to com- Client Service municable diseases, including the power to stop a conveyance and direct that it be moved to a A transparent and predictable legal framework also place where an inspection can be carried out; helps to ensure that those who are the subject of enter and inspect the conveyance or any place regulation know what the rules are. If they don’t where the conveyance has been; open and ex- know what the rules are, how can they be expected amine any cargo, container, baggage, package or to comply? And while ignorance of the law may be other thing; conduct tests and take samples; etc. no excuse, a poorly constructed, unpublicized or • The Uganda Citizenship and Immigration Con- ambiguous regulatory framework can often explain trol Act provides immigration officers with the instances of non-compliance. power to search any ship, aircraft, train or vehi- cle without a search warrant; interrogate a per- It is therefore important to provide clear informa- son who he or she reasonably believes is about tion and meaningful advice to those who are being to enter or leave the country, is a prohibited regulated. This aspect of compliance management is immigrant or is able to give any information generally referred to as client service, and includes regarding any regulatory infringement; require activities (risk treatments) such as: a person who intends to enter the country to make and sign a declaration and to undergo a • Consultation and cooperation; medical examination by a Government medical • Clear administrative guidelines; practitioner; etc. • Formal rulings; • Education and awareness; Similarly, the rights and responsibilities of the in- • Technical assistance and advice;and ternational trading community and traveling public • Appeal mechanisms. should also be spelled out in national legislation. For example: Client service activities such as these are designed to provide members of the public with the means to • The South African Immigration Act provides achieve certainty and clarity, to identify their rights that travelers should only enter or depart the and responsibilities, and to assess their liabilities country through an official port of entry; that and entitlements. In risk management terminol- they should be in possession of a valid pass- ogy they represent risk mitigation strategies (or risk port; that citizens will be admitted provided treatments) for those identified risks that relate to they identify themselves as such; that a foreign- a lack of knowledge, understanding, clarity or cer- er’s passport must be valid for not less than 30 tainty on the part of the regulated community. days after the expiry of the intended stay; etc. • India’s Import Procedures for Livestock Prod- Such strategies provide an effective means of miti- ucts specify that all livestock products are to gating the following types of risk which we identi- be imported with a valid sanitary import per- fied earlier. For example, the New Zealand Customs mit through seaports or airports where Animal Service publishes a series of fact sheets, available on Quarantine and Certification Services Stations the internet,3 which explain the regulatory require- are situated; etc. • Japan’s export legislation requires exporters to declare to Customs the nature of the goods as http://www.customs.govt.nz 3 20 | Risk-Based Compliance Management: Making it Work in Border Management Agencies ments relating to a variety of international transac- Methods of detecting compliant and non-compliant tions, such as its Advice on Private Motor Vehicle behavior include activities such as: Imports4 which explains the regulatory requirements for private importers, including immigrants, bring- • Data screening and verification; ing a vehicle to New Zealand. • Documentary examination; • Physical intervention (inspections, tests, verifi- Similarly, the Swedish Board of Agriculture pro- cation checks, sampling, analysis, etc.); vides extensive information on import and export • Audit; and requirements on its website,5 as do many other • Investigation. agencies, such as Citizenship and Immigration Canada,6 the Japanese Animal Quarantine Ser- The various methods of compliance assessment vice,7 the Thai Department of Livestock Develop- should be implemented in a way which provides ment,8 the South African Department of Agricul- legitimate trade and travel with an appropriate level ture, Forestry and Fisheries9 and the US Food and of facilitation. For example, physical intervention Drug Administration.10 should only occur when there is a legitimate risk- based reason to do so. Formal rulings are designed to provide the interna- tional trading community with increased certainty ‘Intervention by exception’ is a term used to de- and clarity, and take various forms. For example, scribe a regulatory compliance strategy that is based the Canada Border Services Agency publishes ad- on the principles of risk management. It implies reg- vance rulings in relation to tariff classification of ulatory intervention when there is a legitimate need goods, and traders and manufacturers may obtain for it, that is, intervention based on identified risk. advance rulings from the customs administrations of Canada, Mexico and the United States in rela- While many agencies now espouse a policy of in- tion to the treatment of goods under NAFTA. In fact tervention by exception, there is routinely a lack of advance rulings on matters such as tariff classifica- congruence between organizational policy and op- tion, valuation and preferential treatment are now a erational practice. For example, in one East Asian common feature of Free Trade Agreements.11 country a particular border agency ritually opens each and every express consignment but does not The various client service risk mitigation strategies apply the same level of scrutiny to sea cargo. This are designed to ensure that regulatory requirements reason for this approach is unfortunately clear— are properly understood by the regulated commu- agencies often examine what is easy to examine re- nity. However, while some non-compliers may gen- gardless of the potential risk posed. uinely make ‘honest mistakes’, others will deliber- ately attempt to circumvent the law, in which case Furthermore, it is frequently observed that the num- enforcement strategies are required as client service ber of ‘high-risk transactions’ tends to be directly strategies will prove ineffective. Enforcement strate- proportional to the resources available to conduct gies are addressed later in this section. 4 New Zealand Customs Service Fact Sheet No. 29 Ad- Compliance Assessment vice on Private Motor Vehicle Imports, October 2010. 5 http://www.jordbruksverket.se/swedishboardof agriculture Compliance assessment strategies serve two essen- 6 http://www.cic.gc.ca/english/index.asp tial purposes. First, they provide a means of identify- 7 http://www.maff.go.jp/aqs/english/animal/im_index. ing compliant and non-compliant behavior. Second, htm 8 http://www.dld.go.th/webenglish/move1.html where non-compliant behavior is identified, they 9 http://www.nda.agric.za/ help to identify why such behavior is occurring—this 10 http://www.fda.gov comes back to the issue of ‘honest mistakes’ vs delib- 11 For example, the Thailand-Australia Free Trade Agree- erate non-compliance. ment and the US-Singapore Free Trade Agreement. Mitigating Identified Risks | 21 the examinations. For example, during the recent As the name implies, pre-arrival clearance is a pro- global economic crisis, inspection rates in many cess that allows a trader to submit information to a countries rose in spite of much reduced trade government agency prior to the arrival of the goods volumes. It is doubtful that the level of risk had at the border and advance processing by the bor- changed dramatically during that period. Rather, der agency. In the event of there being no regula- lower volumes simply meant more staff were avail- tory concerns, this may lead to immediate release of able to conduct examinations. the goods once they arrive at the border. Pre-arrival clearance is particularly important for certain types of goods that are highly perishable or in some other Underlying Control Regimes way require prompt handling upon arrival. Where compliance assessment results in the identi- Pre-arrival clearance does not imply a lessening of fication of non-compliance resulting from genuine regulatory controls. Rather, it allows such controls errors, the most appropriate methods of reducing to be exercised in a timeframe which minimizes the likelihood of future non-compliance include: regulatory intervention by reducing the likelihood of processing delays. • the maintenance of a basic control regime; and • various forms of client service (see above). The most common form of post-clearance compli- ance assessment is the audit. Audits can take a vari- On the other hand, methods of reducing the likeli- ety of forms—from random audits, for verifying com- hood of non-compliance resulting from deliberate pliance with regulatory requirements, to planned or non-compliance include: leverage exercises targeting individuals or industry sectors. They rely on a legislative base that provides • the maintenance of a basic control regime; and trained officials with powers to enter premises and • various compliance enforcement strategies (see inspect goods and documents (physically or elec- below). tronically) in relation to border transactions. What then constitutes a basic control regime? Es- sentially, this refers to the legislative, documentary and physical processes that are in place to enable Pre-arrival Profiling and Targeting agencies to perform their duties. For example, when A risk profile consists of a set of risk indicators that may relate a truck crosses a border, it is required to do so at a to the type, value or origin of goods, instances of third country specified location and certain formalities must be transit or transhipment, mode of transportation, method of pay- completed before the driver, the truck and its cargo ment, etc. are authorized to proceed. Similarly, a traveler ar- riving at an airport is not free to exit via the nearest Risk profiles are developed from data and intelligence obtained gate but must follow clearly defined physical and by border and other law enforcement agencies, including infor- documentary procedures before being authorized to mation obtained from previous instances of non-compliance. leave the airport. In the absence of such require- Border agencies may establish cargo and/or passenger analysis ments, it would be impossible to exercise any sem- units to develop and refine risk profiles on an ongoing basis. blance of regulatory control. When such profiles can be applied to information obtained by the border agency at an early point in the movement of the goods or person to the destination country, an assessment of the risk Pre- and Post-clearance Compliance posed by the goods or person can be made at an earlier point in Assessment time, and an intervention strategy devised accordingly. The use of pre-arrival information therefore provides a benefit to both Compliance assessment can take place prior to government and business, which leads to more efficient border clearance of goods by the border agency, or after clearance processes. the event, that is, post-clearance. 22 | Risk-Based Compliance Management: Making it Work in Border Management Agencies discussed in chapter 6 of the Border Management Border Agencies Working Closely Together Modernization publication. to Target Risks for More Effective Border Control A key feature of audit activity is its purpose. It is, New Zealand’s recently opened Integrated Targeting and Opera- quite simply, designed to identify whether the regu- tions Centre (ITOC) has enhanced the government’s ability to pro- lated party is compliant or not—it should not be tect the safety and security of all citizens by bringing together approached with the sole intention of detecting er- key border agencies including Customs, Quarantine, Immigration rors in the regulatory dealings of a business or in- and Transport to improve the targeting of border risks presented dividual. Used correctly, it can provide the agency by specific goods, people or craft, and to respond to risks more with valuable information about both compliant effectively and efficiently with better coordinated border agency and non-compliant behavior—see the information operational activity. box ‘Benefits of identifying low risks’. The ITOC is a 24-hour, seven-day a-week multi-agency facility with 60 well-trained staff to support the command, planning, and coordination of border operations. It has two core func- Compliance Recognition tions: For those businesses or individuals that are consid- • Targeting (Risk rule sets, profiles, assessments, recommen- ered to represent a relatively low risk, the level of dations, information and intelligence, prioritizing operational regulatory scrutiny may be reduced, with greater re- response); and liance being placed on a self-assessment of their ob- • Coordinating Operations (Border domain awareness, op- ligations. This approach recognizes that, in terms of erational activity support, operational command). regulatory compliance management, one size does The ITOC works under a command and control structure—con- not necessarily fit all. trol (what needs to be done) is centralized and operational ex- ecution (how it will be done) is decentralized. Responsibility for operational outcomes remains with the specific workgroup or border agency through standing management structures. Benefits of Identifying Low Risks Source: “Integrated Targeting and Operations Centre” brochure – New Businesses and individuals with a good record of compliance Zealand Customs Service (2011) require a lower level of scrutiny than those with a history of poor compliance, or those about which little is known. This concept is integral to a number of ‘trusted trader’ programs which promote a range of benefits for certain businesses by virtue of Such audits provide border agencies with a clear their low risk status. These programs reflect sound principles picture of the transactions in question and an in- of risk management by identifying low risk members of the dication of the overall compliance rate within a international trading community, thereby reducing the size business or industry sector. They also highlight or of the ‘risk pie’, and in turn aiding the deployment of resources confirm areas of risk where additional compliance towards potentially high-risk operators. or enforcement activity may be required, thereby Their level of compliance is generally assessed by way of an audit completing the risk management loop by producing which is intended to assess the degree to which a company is data that can be fed back into the risk management complying with the relevant regulatory requirements and not, as process (including the updating of risk profiles). some assume, simply to detect errors in a company’s regulatory dealings. The important point here is that such an assessment, A number of different audit approaches are avail- regardless of the result, assists in determining where future able to border agencies. These include desk audits, compliance resources should be directed. transaction-based audits and system-based audits. A corollary to this is that an auditor’s finding of compliance is The specific type of audit will depend on the na- equally as good a ‘result’ as a finding of non-compliance. This ture of the potential risk identified by the agency in is often overlooked, as regulatory auditors generally base their selecting an individual or company for an assess- effectiveness on identified instances of non-compliance. ment of compliance. The different types of audit are Mitigating Identified Risks | 23 Applying a lower level of scrutiny to those with a A business seeking recognition as a known shipper/ good record of compliance has two specific bene- known consignor will generally be required to: fits. First, it serves to facilitate legitimate trade and travel, and second, it enables agencies to direct their • demonstrate that it has developed and is im- resources to those businesses and individuals that plementing a risk-based operational security are likely to pose a higher risk, that is, those with a program history of poor compliance and those about which • agree to ongoing compliance with specified little is known. regulatory requirements • demonstrate the ongoing effectiveness of its Compliance recognition is something which is often security-related controls overlooked. Border agencies generally focus solely • undertake to provide its personnel with the on applying sanctions to identified instances of non- necessary knowledge, skills and competencies compliance rather than adopting both a carrot and to effectively meet their security obligations. stick approach—the traditional approach to compli- ance management being all stick and no carrot. Trusted Trader Programs Compliance recognition strategies are reflective of what is often described as a compliance improve- ‘Trusted trader’, ‘gold card’, ‘accredited client’ and ment approach, the principal focus of which is the similar customs programs have been in existence achievement of future compliance and ensuring that for many years. Examples of such programs include an appropriate balance exists between incentives those that have been implemented in Thailand,15 for compliance and sanctions for non-compliance. Abu Dhabi16 and Jordan.17 Several different forms of compliance recognition The principal international convention on customs are available to border agencies, including the use matters, the Revised Kyoto Convention,18 includes of simplified procedures, an increased reliance on provisions to establish mutually beneficial partner- self-assessment, reduced regulatory scrutiny, peri- ships between customs agencies and the private sec- odic payment arrangements and less onerous re- tor, and to introduce initiatives to recognize highly porting requirements. Examples include the ‘known compliant traders. Low-risk companies are permit- shipper’ schemes operated by transport security ted to operate under less onerous regulatory re- agencies, the customs ‘trusted trader’ programs and quirements and may anticipate little in the way of ‘registered traveler’ programs. regulatory intervention. Other benefits for compliant companies may include greater reliance on their self- assessed liabilities and entitlements, release of goods Known Shipper Schemes on minimum documentation, less onerous reporting requirements, reduced processing fees, periodic pay- ‘Known shipper’, or ‘known consignor’ programs ment arrangements and simplified procedures. are being introduced in a number of countries, in- cluding the United States,12 South Africa13 and mem- This concept has been expanded in recent years to ber states of the EU.14 These programs, which are not only include compliance with general customs operated by agencies responsible for transport se- curity, waive the requirement for routine security checks of cargo that is being carried on passenger 12 http://www.tsa.gov/ flights in cases where the shipper/consignor is con- 13 http://www.caa.co.za/ sidered to have adequate security controls in place 14 For example, the UK known consignor program, http:// over its consignments. Consequently, the fact that www.dft.gov.uk/ 15 http://internet1.customs.go.th/ certain shippers can demonstrate their compliance 16 http://www.auhcustoms.gov.ae/en/index.aspx with predetermined security requirements (and are 17 http://www.customs.gov.jo/ therefore deemed to present a relatively low security 18 The revised International Convention on the Simpli- risk) is formally recognized by the agency in a way fication and Harmonization of Customs Procedures, which reduces their level of regulatory scrutiny. which entered into force in 2006. 24 | Risk-Based Compliance Management: Making it Work in Border Management Agencies requirements but also compliance with supply chain security standards. Companies that meet these cri- Border Intervention vs Post-border teria are commonly referred to as ‘Authorized Eco- Control nomic Operators’ (AEO), and bilateral arrangements While post-border controls help to facilitate trade and travel, in exist whereby AEO status is mutually recognized be- certain circumstances it is essential for an agency to intervene at tween trading partners. Examples include the mutual the border, that is, at the time of importation or exportation, or recognition arrangements that have been established even prior to that point where it is feasible to do so. between Canada and Japan, Korea and Singapore, So, when is border intervention necessary and when is post- and New Zealand and the United States.19 border control appropriate? The answer to this question lies in the nature of the risk that is being managed. Registered Traveler Programs For example, risk to the revenue can generally be managed post-border for regular traders, as any short-paid duties and Similar risk-based programs are being considered in taxes may be readily recovered after the event (particularly if the context of security screening of air passengers some form of security bond is in place). However, for first-time whereby passengers that are considered to represent importers and those about whom little is known, it will be more a low security risk may be subjected to less oner- appropriate to finalize duty and tax assessments before releasing ous screening requirements20 prior to boarding their the consignment. flight. Similarly, if the potential risk relates to the importation of prohibited goods, or the risk of pests and diseases entering the country, or terrorism, for example, immediate intervention will Compliance Enforcement generally be the appropriate course of action, as the likelihood of mitigating such risks ‘after the event’ is minimal. As previously noted, in the process of assessing lev- els of compliance, border agencies will encounter two situations—compliance and non-compliance. And while some non-compliers may genuinely make Management Process Framework shown at Figure 2 ‘honest mistakes’, others will be found to be involved is an iterative model which incorporates a require- in blatant fraud or other intentional illegalities. ment for ongoing monitoring and review. For those that are found to be at the high end of the For example, in the context of analyzing risks, we non-compliance spectrum, that is, those who are noted that an agency may already have controls in intent on breaking or circumventing the law, client place that serve to address some of the identified service strategies will prove ineffective and some risks. However, as part of the monitoring and review form of sanction will be necessary. Compliance en- process, it is important to test the current effective- forcement strategies may include formal warnings, ness of such controls to ensure that they continue administrative penalties, name and shame lists, li- to achieve their intended purpose. This will help cense suspension or revocation, criminal prosecu- to determine whether the controls are sufficient to tion, fines and imprisonment. address the identified risks or whether they need to be strengthened or supplemented in some way. Alternatively, existing controls may be found to be Monitoring and Reviewing Risks excessive, thereby consuming resources that may be better allocated to an alternative source of risk. Risks are not static—circumstances and risks change over time. As a consequence, a risk that has previously been deemed to be acceptable may for 19 A compendium of all such programs can be found at any number of reasons be regarded subsequently http://www.wcoomd.org/home_research_research- as an unacceptable risk and require some form of series.htm treatment strategy. Similarly, the ongoing relevance 20 Research into this type of program has been undertak- of risk treatments may change. That is why the Risk en by the Reason Foundation, see http://reason.org/ Mitigating Identified Risks | 25 It is also worth noting that compliance assessment high risk, and transactions or entities for which no strategies themselves provide agencies with a use- risk assessment has been undertaken, would be ful means of identifying new and emerging risks, more likely to be selected for higher levels of reg- and should therefore be regarded as extremely use- ulatory intervention and scrutiny. This will result ful tools when monitoring and reviewing risks and in a new or revised assessment of compliance that the effectiveness of existing risk treatments. In this may indicate a higher or lower level of risk than context, entities that are considered to represent a was previously determined. 6 Enablers and Impediments In this section we examine some additional regula- spectrum of border management policies, pro- tory, organizational and administrative issues that cesses and practices, the effectiveness of any may have an impact on an agency’s implementa- risk-based compliance management program tion and ongoing sustainability of a risk-based will be weakened significantly. The issue of compliance management regime. This includes the collaborative border management is further range of reform instruments, tools, and best prac- discussed below. tice guides that are available to support the imple- mentation process. Organizational Issues Communication An agency’s organizational capacity to effectively manage compliance (risk-based or otherwise) is Effective communication and consultation with critical to its ability to effectively carry out its role stakeholders will encourage the sharing of informa- and responsibilities. When discussing the identi- tion, expertise and ideas by those who are likely to fication of risk, we noted the need for businesses be affected by new policies and procedures. It will and individuals to understand their rights and re- also assist in bringing a wider variety of perspec- sponsibilities, and have access to information that tives to the risk management process which, in turn, allows them to act with certainty and clarity in their will help in assessing the likely impact of particular dealings with border agencies. There is also a need proposals, highlighting potential implementation to ensure that agency personnel have the neces- difficulties and identifying the most appropriate ap- sary skills, knowledge and competencies to effec- proaches for implementation and enforcement. tively and efficiently perform their duties. Indeed, weaknesses in these areas may well be identified Two particularly important groups of stakeholders as potential risks to the achievement of an agency’s are private sector interests and other government objectives, and relevant capacity building initiatives agencies. would then emerge as appropriate risk treatments. • It is important to have a good understanding of Other organizational issues that may impact on the the interests of the private sector and to com- achievement of objectives include political support, municate regularly with those elements of that responsibilities and accountabilities, processes and sector that may be impacted by particular as- procedures, financial and other resources, infra- pects of the initiatives and their implementa- structure and technology. tion. It is therefore important to actively en- gage the business community and to take its Importantly, the management of risk should not be views into consideration. isolated from other aspects of an agency’s manage- • The need to engage other government agen- ment processes, but should form an integral element cies, including agencies with border manage- of the organization’s management framework. It is ment responsibilities, is addressed in some therefore important to integrate risk management detail throughout Border Management Mod- into the agency’s everyday management practices, ernization, in the context of collaborative bor- particularly the strategic planning process. This is- der management. Unless agencies coordinate sue is discussed in more detail in Border Manage- their activities and collectively address the ment Modernization. 28 | Risk-Based Compliance Management: Making it Work in Border Management Agencies International Instruments er, in order to achieve an optimal national solution, alignment and collaboration among all border agen- International instruments represent a valuable cies are essential. A true interagency approach will source of policy advice and technical information enable the development of a single access point for that can assist agencies to implement and maintain the border clearance process (a single window) rath- an effective approach to risk-based compliance man- er than an individual agency approach that, while agement. These range from legally binding require- improving individual processes, will still require the ments, such as those incorporated in World Trade trading community to deal with multiple points of Organization (WTO) agreements, through to recom- access to meet all regulatory requirements. mended best practices and guidelines. They include: Border clearance processes that involve uncoordi- • Conventions that have a legally binding force nated checks and approvals from a range of regu- on contracting parties, such as WTO agree- latory authorities can result in unnecessary delays, ments and the International Maritime Organi- lost commercial opportunities and increased costs zation’s (IMO) Convention on the Facilitation for the international trading community. Further- of International Maritime Traffic. more, compliance management efforts may also be • Recommendations, such as those published by significantly weakened through a failure to share the United Nations Economic Commission for data and intelligence which could otherwise lead to Europe (UNECE), that have no legally binding force, the purpose of which is to provide practi- cal means of attaining harmonization and uni- formity of international practice. Collaborative Border Management: • Guidelines, also nonbinding, whose purpose Cambodia is to provide information on particular techni- Prior to 2008, eleven Cambodian government agencies were cal matters, such as the World Customs Orga- actively involved in the clearance of international consignments, nization’s (WCO) Time Release Study and the the five principal agencies being Customs, Health, Agriculture, World Bank’s Trade and Transport Facilitation Industry and Camcontrol. Clearance activities were characterized Audit guidelines. by ineffective controls; overlap and duplication; routine checks; • Compilations, whose purpose is to provide case independent agency procedures with no inter-agency coordina- studies and best practices on particular techni- tion; and no evidence of a risk-based approach to compliance cal matters, such as the United Nations Centre management. The resultant costs, delays and regulatory com- for Trade Facilitation and Electronic Business’s plexity severely impeded trade and investment. (UN/CEFACT) Case Studies on Implementing a Single Window. In an effort to redress this situation, the Cambodian Government has embarked on a significant reform process which centers on As international instruments are generally agreed the design and implementation of a risk-based system of cargo and ratified at the political level, they can be a per- inspection across all government agencies with border man- suasive driver of change and an effective tool in agement responsibilities. Key elements of the revised strategy managing potential interagency conflicts over own- include coordinated agency activities including joint inspection ership and leadership of border-related responsibili- arrangements; intervention based on identified risk; and active ties. A compendium of useful instruments, includ- facilitation of legitimate, low-risk consignments. ing those published in Border Management Modern- Achievements to date include the passage of enabling legislative ization, is provided in the attached Annex. amendments; the establishment of agency risk management units; development and implementation of new operational procedures; the conclusion of inter-agency service level agree- Collaboration ments (under which one agency undertakes certain activities on behalf of another agency); joint agency development of risks and Agencies that seek to implement risk-based compli- selectivity criteria; introduction of a multi-agency use IT system ance management strategies in isolation may create (which incorporates the agreed risk profiles); and extensive train- tangible improvements at the agency level. Howev- ing across all relevant agencies. Enablers and Impediments | 29 more complete and accurate risk profiles of particu- An extension of this concept is cross-border harmo- lar consignments, businesses or individuals. nization which recognizes that the export process in one country relates directly to the import process Forms of interagency collaboration vary widely in in another country and, with increased integration scope and include activities such as increased data of trade supply chains, opportunities exist to create sharing, harmonization of data requirements and efficiencies through harmonization that can treat coding, delegation of authority, joint operational both the import and export procedures as part of activities and the use of a single window for bor- the same clearance process. Further information der clearance processes. Interagency collaboration on this issue can be found in Border Management may also enable the sharing of data and intelligence Modernization. upon which risk-based decisions are made. 7 Getting Started In this section we briefly examine some specific tech- tify those aspects of risk-based compliance manage- niques that will help to facilitate the implementation ment that are already being applied by the agency and maintenance of risk-based compliance manage- and those which need to be addressed. This is re- ment. In particular, we consider ways of assessing ferred to as a situation analysis. an agency’s current approach to compliance manage- ment, its existing capabilities and reform priorities. The next step is to determine what the future com- pliance management strategy should look like and Introducing a risk-based approach to compliance to identify the steps that are necessary to achieve management is not an insignificant task, and agen- the desired end-state. This is referred to as a gap cies are likely to experience some resistance to analysis. change as they seek to progress its implementation. Consequently, it will be necessary to maintain ef- Both the situation analysis and the gap analysis will fective communication and consultation throughout take time and effort to complete. It is important that the process in order to obtain the support and com- agencies apply sufficient resources to these tasks, mitment of key stakeholders. and equally important that a knowledgable and ex- perienced group is identified to progress them. Ide- At the outset, it will be necessary to draw a com- ally, personnel who are technically proficient across parison between the way in which your agency cur- the broad range of agency responsibilities should be rently operates and the principles and procedures asked to study this Guidebook from the perspective that are discussed in this Reference and Implemen- of their particular areas of expertise and to draw tation Guide. The purpose of the exercise is to iden- comparisons with current practice and procedure. Technical experts cannot, however, be expected to work without guidance. It is therefore also desirable Figure 5.  Situation and Gap Analysis that there be a management team in place to super- vise and coordinate their activities. Existing Principles and Compliance practices in this Situation Management How do we compare? Guidebook One way in which risk-based compliance manage- Analysis Regime ment may be introduced into the organization is to adopt a phased approach by identifying certain as- pects of the agency’s proposed regime that may be introduced in the short term and at relatively low Existing Proposed Compliance How do we change? Compliance Gap cost. For example, the existing regulatory frame- Management Management Analysis work may allow for some risk-based processes to be Regime Regime introduced without the need for legislative reform. Similarly, some risk-based activities may initially be Source: Based on the original Australian and New Zealand Standard on Risk introduced manually in advance of the acquisition Management (AZ/NZS 4360: 2004) which now forms the basis of ISO 31000. of specific ICT solutions. 32 | Risk-Based Compliance Management: Making it Work in Border Management Agencies Lack of Technology is Not a Barrier to Managing Risk Sri Lanka Customs identified the potential benefits to both government and industry of pre-arrival screening and clearance of air express consignments. It was determined that the most efficient method of introducing pre-screening was through the introduction of an automated clearance system. However, implementation of the desired automated solution was not scheduled for some time. Regardless, the agency determined that implementation of pre-clearance procedures may proceed prior to the installation of its automated systems through the implementation of revised manual processes and procedures. This consisted of a combination of manual documentary assessment, selective examination, and the establishment of x-ray facilities to address the potential risk of misdescription. Consolidated manifests were manually submitted to Customs prior to aircraft arrival, together with advance copies of air waybills and invoices. These were manually screened by customs to identify potentially high-risk shipments (based on intelligence, emerging trends, the previous compliance record of consignees and consignors, and so on). Any consignments that were considered to be high risk were identified for further examination upon arrival, together with certain dutiable and restricted goods that were held pending formal clearance. All other consignments (that is, low-risk shipments) were available for delivery on arrival. Source: De Wolf & Sokol (2004) 8 References De Wolf, Luc & Sokol, Jose B. 2004. Customs Mod- tor Programmes 2011 edition, Brussels: World ernization Handbook. Washington, DC: The Customs Organization. World Bank. WCO (World Customs Organization). 2011. WCO ISO 2009. ISO 31000:2009 Risk management – Prin- Customs Risk Management Compendium, ciples and guidelines, Geneva: International Brussels: WCO. Organization for Standardization. Widdowson, David. 2003. Intervention by Excep- McLinden, Gerard; Fanta, Enrique; Widdowson, tion: A Study of the use of Risk Management David and Doyle, Tom. 2010. Border Manage- by Customs Authorities in the International ment Modernization, Washington, DC: The Trading Environment, doctoral thesis, Can- World Bank. berra: University of Canberra. Polner, Mariya. 2011. WCO Research Paper No. 14: Widdowson, David. 2010. Risk Management: key en- Compendium of Authorized Economic Opera- ablers, WCO News No. 62:25–27, June 2010.