In order for a reporting/notification program to work effectively, employees must be convinced that management is truly committed to STC compliance. Management should seek to cultivate an environment where employees feel empowered to report violations without the fear of consequence, because they realize that management views reporting suspected STC violations as an integral part of the enterprise’s ICP and an important component of their individual job responsibilities and duties.

Management can facilitate non-compliance reporting by undertaking the following tasks:

• Assure employees that STC compliance is management’s paramount concern and should never be sacrificed for commercial gain;
• Clearly-articulate the legal and ethical responsibilities of all employees and attempt to instill a sense of personal commitment to STC compliance and the values of your enterprise;
• Encourage employees to immediately notify management when they are uncertain about the proper course of action, need advice, believes that another employee has done or might do, something to violate your enterprise’s compliance policies, or if they believe that they themselves have been involved in non-compliant activity. To achieve this objective, employees must be assured that they will be free from reprisals from other employees or management;
• Ensure that employees have adequate training, knowledge, and resources to comply with your enterprise’s ICP and they understand how to report incidents of non-compliance to the appropriate empowered compliance official(s) and through the appropriate channels;
• Utilize your enterprise’s internal publications (newsletters, intranet, company website, etc.) to commend those employees that have reported STC violations or raised non-compliance concerns. By doing so, management further illustrates its commitment to compliance and actively promotes a culture of compliance within the broader enterprise; and
• Reiterate the importance of reporting non-compliance concerns during employee performance evaluations and the promotion process.

As part of your enterprise’s ICP, all employees should be given clear instructions on where suspected incidents of STC-related non-compliance should be reported.

Internal Reporting Procedures

Employees must have clear directives that allow them to communicate suspicious order inquiries or disclose STC violations to management, if and when they occur. Suspected or known incidents can be directed to a variety of places within your enterprise (depending on your enterprise’s organizational structure) including, the CCO, Trade Compliance Managers/Officers, legal counsel, or an ethics hotline.

The office or individual(s) responsible for receiving STC non-compliance reports should be publicly identified, and the name, physical location (including the specific building and room number), telephone number, and e-mail address of the notification office or person(s) should be made available to all employees. In addition, your enterprise might consider establishing a mechanism that enables employees to anonymously report non-compliant activity in order to ensure that the information is confidential and shared on a "need-to-know” basis. In fact, some enterprises choose to utilize hotlines, sanitized email addresses, or reporting websites to enable employees to report acts of STC non-compliance anonymously.

Your enterprise should develop written, internal procedures to govern the actions of employees when a suspected or known incident of STC non-compliance has occurred. Your enterprise should envision all possible contingencies, and draft detailed internal procedures that, at a minimum, should include:

• Identification of the office or individual(s) responsible for receiving reports of STC non-compliance. Employees should be provided with a documented process, detailing the steps for internal escalation and the procedures to follow when a compliance breach is discovered;
• Procedures for stopping suspected shipments and determining whether further action can be taken to prevent a negative outcome (e.g. recalling an export that is in transit to prevent it from reaching a restricted/prohibited end-user or destination);
• The criteria for when to conduct an investigation on a potential compliance violation;
• How to determine the scope of the investigation. Investigations should be broad enough to reveal related or similar STC violations by closely analyzing similar shipments, customers, product lines, business units, and destinations;
• The investigation procedures (who, what, where, when, and how?);
• Investigative report documentation requirements;
• Management notification procedures if an act of non-compliance is discovered, including the method by which employees notify the responsible compliance personnel and how to transmit any relevant information;
• Documentation required when remedial action will be taken;
• Follow-up reporting procedures to management regarding corrective actions taken; and
• Notification procedures to inform the employee responsible for reporting of the outcome of the investigation.

External Reporting Procedures

Your enterprise should also establish written procedures for reporting violations and suspicious order inquiries to the competent government authorities. Some countries maintain Voluntary Self-Disclosure (VSD) provisions within their STC legal authorities, where the disclosure of an STC violation is considered a mitigating factor in any subsequent enforcement action.

If an STC violation is reported and confirmed, the individual or office responsible should notify the competent national authorities, without delay, in the form of a VSD. To be considered “voluntary,” most governments require the disclosure be made prior to the time the national authorities obtain similar information from another source or initiate their own investigation or inquiries. Voluntary disclosures should only be made with the full knowledge and consent of senior management and legal counsel.

Your enterprise should consult your national STC legal authorities or STC licensing authorities to determine whether your enterprise can benefit from voluntary self-disclosures and if so, decide how best to transmit information to the appropriate national authorities.

Assuming your country affords enterprises the opportunity to submit a VSD, your enterprise should develop procedures that:

• Specify VSD documentation and information requirements;
• Stipulate the preferred method of submission for VSDs (e.g. hard-copy or electronic and to whom);
• Identify whether disclosures are made public or remain confidential;
• Determine the process for how a VSD will be internally reviewed before it is submitted to the national authorities (e.g. legal counsel and senior management); and
• Identify when and if other governments or external parties should be notified of the violation and/or VSD.

Note: It may be prudent or necessary to inform other governments of a VSD, if the technology is of foreign origin or to disclose an STC violation to other suppliers/customers/distributors, when contractual agreements mandate such admissions.

Even without a regulatory basis for voluntary self-disclosures, your enterprise’s external procedures should:

• Identify the individual(s) or office responsible for communicating instances of non-compliance and suspicious order inquiries to the competent national authorities;
• Determine the process for disclosing STC violations to the national authorities (decision-making should likely include involvement from compliance personnel, senior management, and legal counsel); and
• Stipulate the preferred method of reporting an STC violation (e.g. submit in hard-copy or electronic format and to whom) and all documentation and information requirements.

When STC violations occur, your enterprise must take appropriate corrective and disciplinary actions. Your employees should be held responsible and accountable for any non-compliant activity and appropriate disciplinary action should be taken in the event of violations or negligence. Thus, your enterprise should develop appropriate, disciplinary procedures and explain the disciplinary actions to be taken when violations occur.

Most enterprises consider disciplinary actions on a case-by-case basis and maintain a graduated scale of punishments. Disciplinary measures can range from oral or written reprimands or demotion to employee termination. Depending on the seriousness of the incident, an enterprise may also choose to impose financial penalties on the employee, which serves as a clear and powerful message to employees throughout the enterprise that non-compliance is not tolerated by management.

In order to stress the importance of STC compliance to employees, your enterprise should consider:

• Outlining possible penalties for STC noncompliance in new employee contracts and paperwork;
• Posting STC penalties on your enterprise website, making a hard copy list of penalties available in the Human Resources (HR) department, and/or posting STC compliance posters; and
• Stipulating that employees who commit or conspire to commit any criminal act shall be referred to the appropriate national authorities and prosecuted in accordance with applicable criminal law.

STC violations necessitate the introduction of appropriate corrective actions and preventive measures for the future. By closely examining violations after-the-fact, your enterprise can identify risks and vulnerabilities and implement corrective measures to strengthen your ICP, enhance your enterprise’s business and STC compliance processes, and ensure that similar violations do not recur.

When evaluating STC violation, your enterprise should:

• Identify the law or regulation violated;
• Determine the cause of the violation (e.g. misclassification, lack of screening or due diligence);
• Develop a corrective action plan that identifies specific remedial actions to be taken and provides a timeline for implementation (should stipulate those responsible for implementing and define dates for completion of each measure);
• Assess corrective actions on a periodic basis to confirm proper implementation and the elimination of identified vulnerabilities; and
• Incorporate any “lessons learned” into future training and awareness-raising efforts for the benefit of employees.