Everyone has a plan until they get punched in the mouth. It’s a nugget of wisdom (courtesy of heavyweight boxing great Mike Tyson) that companies would do well to heed when it comes to international compliance risks.
While many larger firms have good plans in place, mid-sized ones tend to treat compliance risks as check-the-box exercises. Maybe they think they’re covered because they closely monitor a database that screens incoming sanctions announcements from the U.S. Office of Foreign Assets Control or other bodies. That works until an alert flashes about new OFAC sanctions on one of the company’s third-party suppliers. At that point, the firm will need much more than a database to avoid a situation that could quickly turn expensive and disruptive.
The chance your company will confront a compliance alert is rising as the geopolitical picture becomes more complex. The Biden administration has already taken a tougher posture toward many foreign actors than its predecessor, announcing fresh sanctions on China and Russia. So far this year, OFAC has imposed about $14 million in civil penalties. German software giant SAP was hit with over $8 million in combined U.S. penalties in April for selling products to Iran in breach of U.S. sanctions.
Any company that gets a call from a regulator — or a ping from its compliance software — will be in trouble if it doesn’t already have solid procedures in place. Imagine the repercussions if, for example, your firm used an agent in Saudi Arabia who was found to be linked to bringing products into Iran or somehow tied to terrorist financing. Penalties could range from millions of dollars of fines to criminal charges.
The keys to meeting an alert head-on, even if it’s a false alarm, are documentation, research, action and remediation.
Document, Document, Document
When enforcement agencies get wind of a possible compliance lapse, they’ll want to know not only “What went wrong?” but also “What did you do to prevent it?”
It’s worth having an answer to that second question now, before a compliance alert. Documentation is your friend. Regulators will be more willing to show lenience and work constructively with companies that have extensive documentation of their communications and processes around third-party entities, whether or not the relationships were considered risky. Assume you are exposed to sanctioned partners and act accordingly.
Good research on your company’s third parties is fundamental. Every database has its limitations, even OFAC’s “comprehensive” list of sanctions programs. It’s vital to have access to supplemental directories or information, along with processes to analyze the data. Once a supplier has been flagged, firms should be able to quickly mobilize internal and external resources to determine initially whether the information is correct.
Sometimes the research will find there’s no cause for concern — perhaps the alert happened because an unrelated partner in Taiwan has a similar business name to one in the Chinese mainland that was earmarked for sanctions. In this case, you’ve saved money and avoided undue stress. The information was on hand, and your team didn’t have to hire external counsel.
Have an Action Plan
If, on the other hand, research shows that the partner is indeed the flagged and sanctioned entity, your team is armed to take action. With the information at hand, your compliance team already knows the depth of the relationship and the company’s potential exposure. The next steps might be retaining legal counsel or other external advisers.
The final step of a good compliance alert plan is remediation. This might mean working with an experienced law firm or even finding experts who speak the local language and can advise your company on the exposure and alternatives.
Sometimes the solution is as simple as cutting all ties with the partner. If the relationship is a crucial or unavoidable one, it might not be that easy. In the airline business, for example, it can be virtually impossible to avoid working with airport servicing companies that could have corrupt links to governments. This is where it can be worth seeking to work with regulators to explain the situation and try to find a compromise solution. But again, this will achieve much better results when a company can show it followed the correct processes and has an audit trail that documents them.
A common mistake to avoid is approaching the sanctioned entity itself to ask questions. The OFAC list contains some of the world’s most unsavory actors, making it unlikely that they are going to give an honest account.
Having systems in place, as opposed to ad hoc reactions, bulletproofs the business so that compliance doesn’t depend on any single point of failure, such as a general counsel who decides one day to quit. With documentation, research, pre-planned action and remediation, your company will have its best defense for that punch-in-the-mouth moment.
Allan Matheson is chief executive officer of Blue Umbrella, a Vancouver-based compliance technology company.