Co-authored by: Olaf Casperson
The heavily regulated aerospace and defense industry, which is estimated to be valued at USD 1,600 billion in the year 2025, has been dealing with stringent and complex compliance requirements mandated by governments and internal stakeholders. Due to the sensitive nature of products and services delivered by aerospace and defense companies, there are restrictions imposed on raw material usage, third-party contracts, manufacturing processes, upgrades, and even hiring practices. Guidelines issued by regulatory agencies such as the Federal Aviation Administration (FAA) and the European Aviation Safety Agency (EASA), as well as export control laws in the U.S., the European Union, and other parts of the world, emphasize the need for watertight compliance workflows and supporting data technology stacks to minimize the risk of compliance fines and penalties. Compliance programs need to be agile and highly responsive, considering export controls evolve with changes in geopolitical conditions and foreign policy.
For instance, recently, the U.S. restricted the export of its defense and dual-use technologies to Hong Kong. We are seeing similar scenarios in today’s volatile, uncertain, complex, and ambiguous (VUCA) world where countries are taking drastic measures to safeguard national security and achieve foreign policy or commerce-related objectives. Moreover, there are unified standards such as Cybersecurity Maturity Model Certification (CMMC), which ensure that only defense companies who meet a certain maturity level in terms of cybersecurity practices are eligible to become impaneled suppliers. It is no surprise then that robustness of a compliance program plays a critical role in ensuring business continuity of aerospace and defense companies.
According to John Forrest, Head of Global Trade and Government Affairs at DLA Piper, the need for compliance programmes to be responsive to legislative developments and to address divergent measures across key jurisdictions has only intensified in recent months and years. This is because the pace of development and imposition of export control measures, particularly relating to defence and aerospace-related goods and technology, has increased.
This has been accompanied by an increased divergence and fracturing of the approach and measures implemented by Western nations which have formerly acted with a greater degree of alignment. For example, this has been evidenced in the divergent approach by different EU member states with respect to the licensing of arms and defence related materials to Saudi Arabia; with the approach to export control policy in Europe vulnerable to further divergence in the context of Brexit; and whilst differing approaches again have been in evidence across European states and the US with respect to restrictions on the export of controlled technology targeting China, with a particular focus on Huawei at present.
All the while, the complex compliance challenge facing businesses is accompanied by an increased appetite on the part of regulatory authorities to investigate, enforce, and penalize breaches of export controls. This has included an increased use of civil and “compound” penalties and settlement agreements in lieu of criminal prosecution, the application and usage of the former being boosted in particular by the lower civil-law “balance of probabilities” standard of proof which must be met, compared with the “beyond reasonable doubt” standard in criminal prosecutions in many jurisdictions, John Forrest told HCL.
The need for enterprise-wide transformation of compliance programs
Considering such restrictions have been in place for decades, and since aerospace and defense companies have had ongoing compliance programs for that time, what has led to a consensus that those programs may need a facelift? First, the amount of data that needs to be monitored to drive compliance processes has increased manifold, with blueprints, drawings, photographs, plans, instructions, and documentation existing as PLM data, emails, data in shared drives, and legacy data, in both unstructured and structured formats. Legacy compliance processes are not able to cope with the volume, variety, and velocity of data generated today. Moreover, regulators such as the U.S. International Trade Administration (ITA) and the U.S. Department of Defense have become increasingly vigilant as sensitive data goes digital. There are regulations in force that mandate how such data is protected and where it can or cannot be moved.
Traditionally, global aerospace and defense organizations have relied on country-level compliance processes and IT delivery, resulting in siloed data, a lack of centralized visibility, and minimal data sharing. This has resulted not only in non-standardized information management but also in increased IT costs and redundancy, along with poor visibility into the efficacy of compliance programs across geographies. There have also been issues with mapping compliance requirements to corresponding technology interventions, partly due to the scarcity of domain expert resources and challenges around the interpretation of prevailing laws.
The compliance requirements for aerospace and defense organizations have been ever-evolving, but compliance has always been reactive and focused on trying to keep up with obligations. According to Bo Berndtsson, Partner at Setterwalls Advokatbyrå, this problem is rooted in the fact that legislative processes are reactive rather than proactive. “The aerospace and defense organizations’ current compliance programs are naturally aligned with applicable laws and legislations. Since the applicable laws and legislations, in most cases, are not adapted to the situations that may arise due to the development of, say, technological interventions, and the amount and kinds of data handled and monitored by today’s aerospace and defense organizations, the organizations’ compliance programs are trying to keep up with the reality the organizations find themselves in”, Bo Berndtsson told HCL. “Since laws and legislations are usually national while aerospace and defense organizations usually operate across borders, and since it is difficult to map compliance requirements with the volume, variety, and velocity of data and the corresponding technology interventions, the aerospace and defense organizations are placed in a difficult situation. The digitalization, globalization, and technological development will most likely not stop, but rather continue at an accelerated rate. The legislators need to take this into account.”
A prudent roadmap for a modernized compliance program
Building a global brand with standardized, transparent, scalable, and highly responsive compliance processes would require aerospace and defense companies to overcome a major roadblock: localized compliance mechanisms. Here are four ways companies can alleviate the challenges we have discussed so far and bolster their global compliance programs:
- Common control framework: Establish a common control framework that can be presented in an enterprise, entity, and country hierarchical structure, allowing firms to easily relate to and understand the specific arrangements that must be made to meet any regulatory, compliance, and other standard requirements.
- Streamlined information management: Establish standardized processes to discover, classify, and segregate all existing information based on requirements laid out by local regulators. Next, implement a zero-trust architecture that prioritizes a network-centric data security strategy, restricting data access based on business needs. With solutions such as attribute-based access control, where authorization to access sensitive information is granted based on subject attributes, environmental attributes, and resource and action attributes, companies can achieve an authorization model that is highly dynamic, context-aware, and risk-intelligent.
- Continuous compliance monitoring: Move away from a reactive approach to compliance management towards a proactive one, which is very different from merely conducting audits at regular intervals. Through real-time monitoring of access control, policy-based enforcement on IT assets, firewall administration, application governance, and more, and by continuously comparing performance with compliance requirements, companies can uncover operational or technological gaps that need immediate resolution. Further, enterprises need to ensure ‘security and compliance-by-design’ and think about functionalities such as export control checks at the time of designing the digital journey.
- Blockchain for improving compliance posture: Ensure future readiness by making strategic investments in next-generation enablers such as distributed ledger technology (DLT), which delivers greater transparency, enhanced security, and easier traceability. In the export control space, with its very high volume of record-keeping requirements, blockchain is a natural fit. It will streamline the process of recording export/re-export documentation and shipping documents, allowing documents to be traced easily and retrieved quickly and cost-effectively. Such digital ledgers would also prevent the risks posed by human error and unauthorized access, which otherwise could lead to severe compliance lapses.
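The attribute-based access control and continuous compliance monitoring items above describe two halves of one mechanism: a policy that decides on subject, resource, action, and environment attributes, and a monitor that replays real access events against that policy to surface gaps. The following Python example, added here and not HCL's code or any vendor's product, shows both with a deny-overrides policy engine and an audit that flags logged "allow" outcomes the policy would have denied. The attribute names, the four rules, the clearance ranking, and the JSON log lines are all constructed for illustration and are not drawn from any regulation.

```python
"""Attribute-based access control (ABAC) plus a compliance replay over access logs.

Added example (not HCL's code). Every attribute name, rule, and log record
below is constructed for illustration only.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed clearance/classification ordering used by the clearance rule.
CLEARANCE_RANK = {"none": 0, "internal": 1, "confidential": 2, "secret": 3}


def rank(level: str) -> int:
    """Unknown levels rank lowest so a typo never grants access."""
    return CLEARANCE_RANK.get(level, 0)


@dataclass
class Request:
    subject: Dict      # who: citizenship, clearance, export_licensed ...
    resource: Dict     # what: classification, export_controlled, allowed_countries ...
    action: str        # read, download ...
    environment: Dict  # context: country of the request, device_managed ...


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]   # True means "deny"


# Deny-overrides: any rule that matches blocks the request. Hypothetical rules.
DENY_RULES: List[Rule] = [
    Rule("foreign_national_controlled_data",
         lambda r: bool(r.resource.get("export_controlled"))
         and r.subject.get("citizenship") != "US"
         and not r.subject.get("export_licensed", False)),
    Rule("offshore_access_to_controlled_data",
         lambda r: bool(r.resource.get("export_controlled"))
         and r.environment.get("country") not in r.resource.get("allowed_countries", ())),
    Rule("unmanaged_device_download",
         lambda r: r.action == "download" and not r.environment.get("device_managed", False)),
    Rule("insufficient_clearance",
         lambda r: rank(r.subject.get("clearance", "none"))
         < rank(r.resource.get("classification", "none"))),
]


def decide(req: Request) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", [names of the rules that fired])."""
    reasons = [rule.name for rule in DENY_RULES if rule.condition(req)]
    return ("deny" if reasons else "allow", reasons)


# Constructed access log, one JSON record per line, as an enforcement point
# might emit it. The "outcome" field is what the system actually did.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:12:00Z","subject":{"id":"u1","citizenship":"US","clearance":"secret"},"resource":{"id":"drawing-17","classification":"confidential","export_controlled":true,"allowed_countries":["US"]},"action":"read","environment":{"country":"US","device_managed":true},"outcome":"allow"}
{"ts":"2024-05-01T09:15:00Z","subject":{"id":"u2","citizenship":"DE","clearance":"confidential","export_licensed":false},"resource":{"id":"drawing-17","classification":"confidential","export_controlled":true,"allowed_countries":["US"]},"action":"read","environment":{"country":"DE","device_managed":true},"outcome":"allow"}
{"ts":"2024-05-01T09:20:00Z","subject":{"id":"u3","citizenship":"US","clearance":"internal"},"resource":{"id":"drawing-17","classification":"confidential","export_controlled":true,"allowed_countries":["US"]},"action":"download","environment":{"country":"US","device_managed":false},"outcome":"deny"}
"""


def audit(log_text: str) -> List[Dict]:
    """Continuous-monitoring step: replay each logged event through the policy
    and report events the system allowed but the policy would deny."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        req = Request(event["subject"], event["resource"], event["action"], event["environment"])
        decision, reasons = decide(req)
        if event["outcome"] == "allow" and decision == "deny":
            findings.append({"ts": event["ts"], "subject": event["subject"]["id"],
                             "resource": event["resource"]["id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("POLICY GAP:", finding)
```

In the constructed log the first event is compliant, the third was correctly denied by the enforcement point, and the second is the gap a periodic audit would miss for weeks: a non-licensed foreign national reading export-controlled data from outside the allowed country, yet logged as allowed. Running the replay on every new batch of events turns the policy into the continuous check the text calls for; in a real deployment the rules and attribute sources would come from the organization's own control framework rather than this constructed set.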
With a phased, well-planned transformation plan focused on centralization, standardization, efficiency, and transparency, aerospace and defense companies can achieve superior compliance, eliminate the risk of cybersecurity lapses, and secure competitive advantage.
To learn how you can accelerate the transformation of your legacy compliance program, write to us at CFS-GRC-PMG@hcl.com.