Building and Assessing Your University Export Controls Compliance Program
Meet Wayne Mowery
Senior Director of Compliance & University Export Compliance Officer The Pennsylvania State University
Traliance: A comprehensive export compliance program intersects with a variety of research departments and administrative offices across campus. This is due to the complex nature of the regulations as well as the complex organizational structures we see at most universities. What do you suggest as a first step for establishing a new export compliance program?
Wayne: Starting a program from scratch is an exciting but challenging process. Fortunately, I believe that even when it appears that you’re building from the foundation up, there is often already a significant baseline of information, efforts, and support structures in place to help guide the development of the program. Because of this basic belief, I think there are three related analyses that should be done as a first step in putting a new export compliance program in place: (1) know your institution; (2) know the players; and (3) know your targets.
Most people who have heard me talk about process management know the value I place on identifying and expressing an understanding of the current state of reality. I think this is important at all levels and stages of both personal and business development. When I recommend knowing your institution, I mean understanding what makes your institution unique, what is its history with international trade, export control, and/or restricted research in general, and then talking with senior leadership about the research perspectives and approaches taken at your institution.
I believe there are some foundational questions about your institution that can help inform your understanding. Is your institution Fundamental Research only? Does your institution have significant defense related research activities (current, past, or future)? Does your institution have a specific content area of concern that is either well known or growing in expertise? Obtaining the answers to these questions, and others like them, will help to create the big picture framework for your program.
Once you have a general grasp on who you are as an institution, the next step is to understand who your critical customers are and how to connect with them directly. Do you know who the contact point person is for IT security? Do you know the faculty members that you have to win over because of the nature of their research portfolio? Have you identified the break points for change management at your institution? How do you get in front of faculty for outreach and educational purposes? An exercise I recommend at this point is to sit down and identify the following individuals/groups (and there may be overlap among the four pools): (i) who are your critical users; (ii) who are your critical support units; (iii) who are your champions; and (iv) who are your most likely (and vocal) challengers. Knowing these individuals/groups and then building relationships with these key resources will often make the difference in the successful implementation of any program.
Finally, after a bunch of background effort, no new program will be successful unless there is some momentum. One of the biggest mistakes I see is letting perfection get in the way of progress. We tend as administrators to overthink sometimes. I encourage people that are going through any change management process to identify short, medium, and long term targets. Having a big project creates energy, excitement, and looks good on paper, but having some quick “wins” produces onward momentum for the program. Being able to keep that energy going through the cycle of change requires a deft balance of all three types of opportunity targets.
Traliance: Support from university leadership is critical for any export controls officer who is just getting started. Often senior leaders want to know when they can expect to have a comprehensive compliance program. What are your thoughts on the time to reach maturity, headcount, and dedicated resources?
Wayne: Support from leadership is crucial to any compliance program. It is not surprising that “Management Commitment” is the first element listed in the BIS “Elements of an Effective Export Compliance Program” document. But the question that many forget to ask is what makes for true management commitment?
Like many, I make sure to get good documentation about management commitment, whether in the form of Empowered Official designation letters or a formal Export Compliance Commitment Letter. But those “check the box” activities do not necessarily equate to true commitment. I think management commitment is really a two-way activity and communication is going to be a critical part of this process.
“Do not underestimate the need for training. I think the most common mistake that I see is not giving people the basic training they need to succeed.”
First, as export officers we need to do a much better job of setting and communicating expectations with our senior leadership. Helping the C-Suite level administrators put compliance, and specifically export compliance, in a proper perspective is one part of that process. While you may be the export expert, getting anything operationalized in an academic environment takes a lot of time, patience, and socialization. Helping your boss, and your boss’ boss, understand that just hiring staff, or creating policies, or implementing export review procedures, in and of themselves, do not mean the program is comprehensive. It just means it’s developing. So I am always careful not to over or-under sell my program and my plans for improvement. Instead, be honest, realistic, and open with senior leadership on the strengths, weaknesses, opportunities, and challenges you are facing. And check back in regularly with updates.
Look, I know it is not easy to set reasonable expectations since most compliance functions are not “value added” programs. We are not generating revenue or profits. We cannot be easily measured based on standard corporate/institutional metrics dashboards. But helping leadership know what “success” looks like for your institution is critical.
When it comes to allocation of resources and staffing, to be honest, this will look somewhat different at each unique institution. For smaller, traditional Liberal Arts institutions, a big team and a significant allocation of resources may not be the right course. But at other schools with significant research efforts in emerging technology or high-risk fields, trying to use a patchwork approach or a part-time manager of the program may create unacceptable risk assumption. The one commonality among all programs is training. Do not underestimate the need for training. I think the most common mistake that I see is not giving people the basic training they need to succeed.
Traliance: I understand you have established many strong connections with other administrative programs at Penn State. What tips can you share with universities that are struggling to integrate export compliance into their existing structure?
Wayne: The biggest take-away here is that compliance is compliance. Look, export compliance is complex. It involves government regulations intermingled with a variety of very complex technological descriptions and specifications. It’s like the perfect storm for confusing everyone!
But just because the content area is unique does not mean that your export compliance program has to exist on an island. If you look at just about any compliance program, you can see the overlap of key program elements, efforts, and metrics. So if you want to succeed at your institution don’t go the Lone Ranger route. Partner up with other compliance units and find the synergies that exist to help your programs grow.
We’ve tried to put this into practice in a number of ways. First, become a part of the Risk, Audit, and Compliance framework at your institution. Even if your export compliance program is housed elsewhere (in Sponsored Research Programs, in Office of General Counsel, in Responsible Conduct of Research, etc.), make connections with these other units. Learn what the risk management team looks for when evaluating risk and setting institutional risk thresholds. Understand the detail, recordkeeping, and due diligence that your internal audit staff is looking for when evaluating internal programs and structures.
And communicate, communicate, and communicate some more. We implemented a monthly get together with compliance professionals across the organizational structure. And we talk about things like the foundational pillars for compliance programs (we use the U.S. Sentencing Guidelines – “7 Pillars for Effective Compliance Programs”), training and outreach efforts and recommendations, general compliance related issues and topics of interest, and we talk about upcoming big compliance “pushes”. This interdepartmental communication is critical to help identify ways that you can support other compliance efforts in your organization (and even sometimes get support for your own programs).
“Risk assessments, audits, and informal reviews of your program are a great tool in helping to know your current state of reality…each has added value.”
Traliance: The U.S. export controls regulations are constantly changing. How do you ensure Penn State’s export controls compliance program stays up-to-date?
Wayne: The first way is regular, ongoing, and updated training. As mentioned above, I think this is one area where we under resource many of our compliance programs, not just export compliance. Making sure people are getting up-to-date training on the current state for compliance that is designed to speak to their role in the institution is the best way to build awareness and understanding from the ground up. We do fairly well at the basic awareness level training for compliance but getting beyond that to speak to people in their own role in the compliance process is often incomplete.
The second way is to get involved and stay connected. AUECO is a great resource for university export staff. But you can also find people involved in organizations like NCURA, NACUA, AAU, COGR, etc. who are regularly talking about and providing members/participants with resources on export compliance in the University environment. Likewise, finding blogs, list-serves, outside vendors/content suppliers, and go-to websites can help keep the learning cycle primed and moving forward.
And third, do not get complacent. Just because something worked in the past does not mean there might not be a better solution for the future. Don’t assume the answer from yesterday is still the answer for today. Keep an open mind, be willing to run trial efforts/programs, and subscribe to the concept of continuous improvement.
Traliance: We see a lot of value in performing an up-front program assessment to identify risks and potential gaps. How has Penn State utilized risk assessments in its program? Can you speak about the benefits you have witnessed?
Wayne: If we go all the way back to the beginning of this conversation, it’s all about knowing thyself! Risk assessments, audits, and informal reviews of your program are a great tool in helping to know your current state of reality. At Penn State, we have done all three levels of assessments from formal audits, to informal analysis, to structured risk assessments. And each has added value.
The outcome of the internal audit we did really provided the framework for setting up the centralized export compliance program. It also provided a timeline and measurable targets/goals for implementation. By reviewing the audit action items and setting realistic targets of opportunity, we were able to build momentum to move quickly from a start-up effort to a more mature operational compliance program.
The informal assessments and analyses that I conducted when initially brought in to set up the centralized export compliance effort help me to focus my attention to specific areas/programs of interest or concern. It also provided a number of talking points for faculty, staff, and senior leadership and helped to express the breadth of reach of export controls in the operations of Penn State. I still use this informal assessment as part of my outreach to help people see beyond the obvious export issues into areas that may have more impact on their own roles at Penn State.
The formal risk assessment of export compliance that we completed a little over a year ago helped to provide some metrics of performance, and also identified some missing pieces in our program. I use this as part of a talking point for compliance awareness with our senior leadership teams. It also serves to help advocate for resource allocation and staffing needs.
Who We AreTrade Compliance Services
Traliance provides export controls consulting services for research universities and technology companies. Our focus is on the implementation of practical solutions that drive robust export controls compliance. Our services are based on a unique blend of knowledge in U.S. export controls regulations, scientific research, and business process improvement methodologies. We bring valuable experience from working with universities, non-profits, and companies of all size that span a range of industries and sectors (including satellites, drones, aerospace, advanced materials, chemicals, underwater, medical, and SaaS.)