Sanctions Digest: Developing a risk-based approach to Sanctions

01 Mar. 2023

The article discusses the key aspects in developing a sanctions risk appetite and the factors that could be considered.


In our first and second blogs, we discussed the sanctions landscape and evasion. This blog focuses on the challenge of operating in the “grey areas”, where an entity can undertake an activity but must consider the reputational, ethical, and other risks of doing so.

To combat this challenge, institutions must develop an internal sanctions risk appetite to ensure continued compliance and to protect its institution and staff. This blog will cover key aspects in developing a sanctions risk appetite and the factors that could be considered.

Zero tolerance:

It is a common misconception that zero tolerance eliminates the need to develop a risk appetite for sanctions compliance. While it is true that zero tolerance means there is no appetite to violate sanctions, sanctions themselves are limited and nuanced. For example, a client may have one office in Russia that contributes 5% to their global group revenue. In this situation, the institution will need to decide whether they are comfortable with these indirect sanctions risks and, if so, what proportion of revenue would be acceptable.

There is a real risk associated with getting this risk appetite wrong and/or failing to consider wider risk implications such as boycotting risk, especially where sanctions are politically sensitive. A recent real-world example is H&M. H&M announced that it would no longer be sourcing cotton from Xinjiang due to concerns over alleged forced labour in Xinjiang. Following this announcement, H&M reportedly saw its sales slump 23% year on year, making a loss of $74 million. This shortfall was seemingly due to a boycott by Chinese consumers, as reported by the BBC1, which highlighted that H&M’s decision ‘led celebrities to cut ties with the brand and e-commerce platforms to drop H&M.’

H&M is not the only company in China to pull out of sourcing cotton from China, however, their approach to the issue led to them being targeted and punished. All institutions, financial and non-financial, need to consider the wider implications of setting a risk appetite. Institutions need to protect their staff and their business. Where countries are in direct conflict concerning sanctions, such as China and the USA, the internal risk appetite must also take this into account.

1H&M: Fashion giant sees China sales slump after Xinjiang boycott - BBC News

Deciding on thresholds:

One of the biggest challenges all institutions face is deciding on the correct risk thresholds. No two institutions will be the same when setting sanctions risk appetite due to the many different external and internal factors that will need to be considered. For example, an institution headquartered in India, and operating solely in Asia, might have a higher risk tolerance to Russia than an institution headquartered or operating in the European Union.

Institutions must ensure that their risk appetite considers external factors such as geopolitical risks, counter-foreign sanctions, peer practices, and reputation/boycotting risks. Institutions will also need to consider internal factors such as strength and experience of their sanctions team, the company’s strategy, locations of operation, products offered, and nationality of staff members.

A careful balance will need to be struck between the desire to limit risk while continuing to ensure smooth operations and drive efficiencies. For example, if the threshold for escalation is too low, without proper consideration for the operational and resourcing needs, then the sanctions team could be inundated with work and important time sensitive transactions may not occur. Conversely, if the threshold is too high, then the business might proceed with transactions which are beyond risk appetite and put the firm at risk.

Counter-foreign sanctions and recusal:

In recent years, we have seen the rise of counter-foreign sanctions, with two of the largest world powers, China and Russia, introducing more restrictions. Whilst most multinational companies do not recognise these sanctions, outside of the relevant country, this presents a challenge when defining a risk appetite and assessing sanctions exposure.

This challenge is exacerbated by data sharing restrictions, making it difficult to fully understand the scope of any onshore business and potentially also limiting the ability to refer decision-making to parties not based in the relevant location, such as China. Institutions often include clauses in their sanctions policies noting that onshore sanctions must be abided by but currently institutions may not have articulated the implications of this. Institutions often wait for guidance from local authorities, which to date has been sparse.

One method of risk management is the creation of specific risk appetite statements which detail escalation channels, permitted transactions, and provide guidance on what information can be published on and offshore, for instance, not sharing Xinjiang-related sanctions with the onshore teams. Another method is creating a recusal framework. One such example is when US or China citizens (based outside of the local jurisdiction) are allowed to recuse themselves from advising or signing off on transactions which would violate their own local sanctions or go against local foreign policy. This protects staff members whilst still allowing other qualified individuals to sign off or review transactions/clients.

Control framework:

A firm cannot decide on its risk appetite without factoring in the strength of existing sanctions controls. The recent unprecedented rate of change in sanctions has presented a challenge for the sanctions teams, not solely capacity wise but also because of the need to refresh and review whether the current framework is fit for purpose. Some institutions are already going one step further and thinking about other potential geopolitical events or issues to future proof the sanctions framework and develop contingency plans.

Technology has also become more important than ever in the fight against sanctions risk. Firms that look towards artificial intelligence and machine learning are better able to target their sanctions screening, reducing the need for manual intervention and freeing up resources to focus on other important areas, such as controls and risk assessment.

Clearly, the strength and maturity of a firm’s sanction control framework will help dictate the level of direct and indirect risk that it will accept. Firms that are still developing their response to recent world and sanction events will need to consider lowering their risk appetite to ensure that they do not violate sanction requirements and cause themselves future problems. For example, firms that continued to operate in Russia are now struggling to extract themselves.

The Way Forward:

Setting a sanctions risk appetite is a complicated process, which constantly requires review and update as both internal and external factors evolve. Institutions must remain abreast of current developments and adapt quickly to avoid long term issues. To ensure a pragmatic approach, global institutions should set a risk appetite which considers:

  1. Geopolitical developments and political sensitivities – look to the future and protect your staff. Consider developing contingency plans early should world events change.
  2. Counter-foreign sanctions – consider the local implications, but also the impact on your firm’s overall sanctions strategy. Involve your legal team in any discussions.
  3. Boycotting risk – consider the implications should your internal risk appetite or views be leaked externally. Ensure staff are aware of the risks and do not share views with press outlets.
  4. Appropriate risk thresholds – perform a full assessment of internal and external factors to decide on the right thresholds. Consider business factors when setting escalation channels and deciding on response times.
  5. Recusal – consider whether such a framework is needed and how it will impact decision-making both within and outside the sanctions department.
  6. Strength and maturity of sanction control framework – try to be proactive rather than reactive; constantly assess whether your controls need to be updated and whether technology, extra resources, or external assistance is needed to ensure suitability.


Sanctions is an ever-evolving area which requires institutions to remain proactive and forward thinking. Articulating a robust sanctions risk appetite will help institutions stay ahead of the game and ensure that resources are targeted where they need to be. This blog has articulated some of the key areas that institutions could consider when setting their risk tolerance levels and evaluating their current approach to sanctions. The information provided in this blog is intended for general information only which should not be treated as any form of professional advice. Should you need any assistance in developing your institution’s sanction control framework, please reach out to us if you would like to discuss any of these themes further.

Did you find this useful?