15.1 Introduction

This is a chapter on the business case of the Royal Netherlands Air Force (RNLAF) Command involving the handling of military and dual use items, technical data, technology, software and defense services. More specifically, this chapter examines how an adequate Internal Compliance Program (ICP) for the RNLAF was developed. This is relevant for RNLAF in particular, but also for other organizations that have need of an ICP or might be involved in developing one.

In order to understand the importance of this research, both the historical background for the need of an adequate ICP and the environment the RNLAF operates in will be described. These topics will be handled in Sect. 15.2. Next, the legal aspects with regard to an adequate ICP for the RNLAF will be elaborated on in Sect. 15.3. Furthermore, the concept of an ICP will also be presented in this section. Thus, the third section focuses on the main legal regimes the RNLAF has to comply with in its operations. When one understands and implements these legal aspects, one is able to put an adequate ICP for the RNLAF in place as it covers all operational activities. Only then can the RNLAF conduct its operations in an export control compliant manner. Of course, designing an ICP is not solely a matter of legal aspects. However, when the goal is to adequately achieve compliance, legal aspects are core. This is inherent to our topic: compliance. Generally, compliance means adhering to a rule, such as a policy, standard, specification, or law. Regulatory compliance defines the goals companies want to achieve to ensure that they understand and take the necessary steps to comply with policies, laws, and regulations. We will, when relevant, also discuss other aspects of compliance, however. Finally, a conclusion is presented in the final section, Sect. 15.4, of the chapter.

15.2 Setting the Scene

In order to provide the reader with a historical context and to understand the types of relevant environmental influences affecting compliance on export control of the RNLAF, we present a brief historical analysis of the RNLAF with regard to the importance of developing an adequate ICP, as well as a Political, Economic, Social, Technological and Legal (PESTL) analysis.

15.2.1 Historical Context

With a so-called Voluntary Disclosure [Footnote 1], the RNLAF, in June 2015, started a path to improve its compliance with export control laws and regulations. The Voluntary Disclosure was answered in January 2017 by the US government and the RNLAF was strongly advised to become in control. And although it concerned one specific regulatory regime, the activities in the compliance domain thereafter covered all export control activities that the RNLAF is conducting. The rationale behind this is simple: throughout the world there is a great variety of export control laws and regulations and the RNLAF, an organization that operates internationally (e.g., contractual, on mission, training), is confronted with all these types of legal constraints. Therefore, the ICP must cover all these compliance aspects.

Becoming and remaining compliant with all these export control laws and regulations can only be achieved by setting up an adequate ICP that embeds control measures in the RNLAF daily business. Therefore, the RNLAF tasked itself to build an ICP. On 24 December 2019, the first version of the RNLAF’s ICP was posted on the intranet of the RNLAF. [Footnote 2] It seems a little bit late for the RNLAF to finish its ICP. However, from the start of the Voluntary Disclosure, the RNLAF took all corrective actions to resolve all the past violations, but also took measures to prevent future violations. Thus, on an operational level, both corrective and preventive actions were taken, such as conducting risk assessments on the numerous Air Bases the RNLAF operates, building an export control database, creating management commitment (which resulted in embedding a Unit Export Control Compliance in the RNLAF’s organization structure), starting a licensing process and writing policies and procedures. In fact, the RNLAF already started with designing the pillars of an ICP at an early stage, although it was not written in a formal document.

At the start of the operational process, the RNLAF swiftly had to make personnel available to start doing the export control tasks. However, understandably, there was a lack of personnel with knowledge about these specific laws and regulations. Until August 2019, the operational course of action took place. This had a positive effect: while conducting three years of operational export control compliance corrective and preventive actions, the RNLAF to a certain degree became an export control compliant organization. Now, however, it was time to become export control compliant on a strategic level. Only by designing an adequate ICP and maintaining it with dedicated capacity would the RNLAF become fully aware of how all relevant export control laws and regulations affect its operations and be able to implement measures to make sure that it remains export control compliant, this time on a strategic level.

15.2.2 PESTL Analysis

As stated before, it is important to understand the RNLAF’s relevant environmental influences affecting compliance in general. Every single day, the RNLAF sends all kinds of military and dual use items and technical data and delivers services to external parties (e.g., Northrop Grumman International Trading Inc., Meggitt Inc. and Teledyne Defense Electronics LLC) for testing, repair and maintenance, and overhaul. These items are most of the time classified on either the United States Commerce Control List (US CCL) [Footnote 3] or the United States Munitions List (USML). [Footnote 4] However, sometimes the items do not have a US classification, but are classified on European or national control lists. The fact, however, that they are classified, means that compliance aspects are at stake. The type of classification determines the level and type of export controls that apply.

US defense companies have two main avenues for selling on the international market: Foreign Military Sales (FMS) and Direct Commercial Sales (DCS). Under FMS, the US government procures defense articles and services with defense industry on behalf of the foreign customers. DCS allows US defense companies (in possession of a commercial export license) to negotiate directly with foreign customers. Most of the RNLAF’s items have been acquired from the US through several FMS cases (i.e., F-16, AH-64 Apache, MQ-9 Reaper), some through DCS (i.e., C-130, NH-90) and some through a combination thereof (i.e., CH-47 Chinook). Therefore, in order to effectuate the envisaged re-exports, the RNLAF needs prior US Department of State, Office of Regional Security and Arms Transfers (RSAT) authorization or authorization of other offices (US, EU or other). Understanding the importance of strict adherence to US export controls and other regulatory regimes, the RNLAF continually requests authorizations for these envisaged re-exports. Furthermore, the RNLAF urges the regulating offices of these re-exports to swiftly process these requests on their part, as it is crucial for maintaining the operational readiness of the RNLAF.

In order to fulfill all export control compliance conditions (legal, regulatory or other), the RNLAF needs to have an adequate ICP. Only then is the RNLAF able to strictly adhere to US export controls and other regulatory regimes, while requesting authorizations for these envisaged re-exports. The ICP is the core instrument to be in control and compliant.

The RNLAF is a military organization, and therefore has specific requirements and needs to stay in control and compliant. These specific requirements and needs are highly dependent on trade laws and regulations that affect its re-exports of the items, services and technologies. In this business case, an ICP Framework was built, based on the existing ICP Frameworks, that fulfills all the needs of the RNLAF in its daily business (see Sect. 15.3).

The PESTL analysis considers five dimensions that should be taken in consideration in the business case: the Political, Economic, Social, Technological and Legal dimension. Below, we will elaborate on how these dimensions affect the RNLAF, and more specifically an ICP.

15.2.2.1 Political and Legal Environment Analysis

The reason we describe the political and legal environment together is because they are highly intertwined. Politics to a large extent shapes the legal environment, since politics in most Western countries have the authority under constitution to make laws and to alter or repeal them. Most of the weapon systems the RNLAF has, are bought through FMS cases or DCS contracts from the US. Only a small percentage of all the RNLAF weaponry is bought from the EU market. Therefore, the RNLAF has to comply with various US laws and regulations (see Chap. 11 of this volume), but also sometimes with EU or the various national laws and regulations. Furthermore, because of the fact that most weaponry is bought from the US Department of Defense and the US defense industry, the RNLAF is highly dependent on the US defense industry complex as a whole: US government, Army, Air Force and industry. Therefore, the scope in building an adequate ICP should consider all US political and legal aspects (which are subject to frequent change). Nonetheless, EU and various national politics and legal aspects should likewise be taken into account. And these aspects affect not only the domain of export controls. As national and supranational political fora tend to intervene in more and more areas of procurement, trade, labor market, environment, and so on, compliance becomes a chief priority for doing and staying in business. The impact of the legal aspects, as can be expected, is large and affects the daily business of the RNLAF. Its importance reflects in the legal framework of an ICP (see Sect. 15.3).

15.2.2.2 Economic Environment Analysis

The RNLAF is a defense organization and therefore depends on the economic environment, national as well as international. The RNLAF is doing its business in an environment of mostly government to government deals (FMS Cases) and industry to government deals (DCS and other commercial contracts). Its funding is provided by taxpayers’ money. The RNLAF is a governmental organization, which makes it an economically atypical organization, compared with the defense industry. On the other hand, the RNLAF is highly dependent on the economic maturity of the various defense industries it deals with (e.g., Northrop Grumman, BAE Systems, Raytheon). Furthermore, the RNLAF is highly dependent on the relationship between the defense industry and its governments abroad. In short, the economic environment can at best be described as imperfect markets of goods and services. Investment selection in these markets cannot be made under competitive conditions (e.g., by public tender) because there are only one or a few suppliers (monopolies or near monopolies) for specific products or services. In addition, the number of buyers in these markets is often limited, especially in cases of government procurement. [Footnote 5] All this makes contractual relations of the utmost importance. All these considerations should be envisaged when designing an adequate ICP for the RNLAF.

15.2.2.3 Social Environment Analysis

Monitoring public opinion, both nationally and abroad, is essential for the RNLAF for maintaining operational readiness. A change of public opinion in the US concerning the defense industry or defense spending, in particular, can harm its operations, but can also enable the RNLAF to import new weaponry and re-export it. Again, most of the RNLAF’s weaponry is bought and repaired in the US; thus, an adequate ICP should consider the most relevant actual and future social factors in the US as well as its national and EU social changes. Of special interest is also the effect of public opinion on topics such as accountability and corporate governance.

15.2.2.4 Technological Factors

The RNLAF is highly dependent on US military and dual use items, technical data, technology, software and defense services. If the RNLAF complies with all US export control laws and regulations and does not commit violations like re-exporting items or technology to 126.1 International Traffic in Arms Regulations (ITAR) [Footnote 6] embargoed countries, there will be no reason to negatively affect the RNLAF in, for instance, receiving less than the state-of-the-art technology. With this technology, the RNLAF is able to maintain its older weaponry (e.g., repair, overhaul), but also able to constantly improve newly bought weaponry such as the MQ-9 Reaper and the F-35 Joint Strike Fighter to US Standards of Technology. Not surprisingly, specifically for the project F-35 a complete ICP Framework was built in order to entirely comply with all relevant US Laws and regulations. [Footnote 7] Therefore, the focus of an adequate ICP for the RNLAF should be on building walls around US technology; thus: prohibiting re-exports to embargoed countries. Screening of RNLAF personnel and embedded contractors and physical and IT security should be considered to prevent the leaking of technology to unauthorized persons/countries. In short, technology is of the utmost importance for the RNLAF and everything must be done in the field of compliance, to secure its future use.

15.3 The Development of an Internal Compliance Program

In this section we examine how an adequate ICP for the RNLAF was developed. After a short introduction (Sect. 15.3.1) of the method used, we first describe the legal framework. This contains the main legal regimes the RNLAF has to comply with in its operations. With this legal framework (Sect. 15.3.2), by using relevant ICP guidelines, frameworks and standards (Sect. 15.3.3), an adequate ICP for the RNLAF is put in place (as described in Sect. 15.3.4).

15.3.1 The Need for an Internal Compliance Program

According to Tamada and Achilleas, export control regimes are developed and implemented by a method combining an international approach and a national approach. [Footnote 8] The development and implementation of an export control regime consists of a two-step method. This comprises the establishment of a legal framework on the basis of national law and applicable international law. Thereafter the other elements of the regime are defined and modified to the organizational needs.

The above-mentioned concept for developing and implementing export control regimes can apply to designing an ICP for any organization, thus also for the RNLAF. In fact, the first step the RNLAF should take to become export control compliant is to understand the export control laws and regulations that affect its daily operations. Thus, the first question the RNLAF has to answer is: With which parties from which countries do we do business?

Thereafter comes the question: What kind of ICP Framework or combination of ICP frameworks available do we need to apply for building our own ICP Framework? Over the years, many ICP Frameworks were developed by different organizations. One should examine which ICP Frameworks are the most relevant for the RNLAF’s operational environment. By comparing, combining and applying these ICP Frameworks, the RNLAF is able to design a tailor-made and adequate ICP.

15.3.2 Legal Framework

Since the RNLAF is mostly US-orientated, the RNLAF should gain a thorough understanding of at least the US ITAR, [Footnote 9] the Export Administration Regulations (EAR) [Footnote 10] and the Security Assistance Management Manual (SAMM) [Footnote 11] (for the FMS cases the RNLAF is party to). The most important section of the latter document is SAMM, C8.7, third party transfers, as it describes the licensing process for third party transfers. Since the RNLAF is involved in many FMS cases, every time re-exports take place, the RNLAF has to apply for a third-party transfer authorization before the re-exports actually happen. Therefore, the ICP of the RNLAF should incorporate these US laws and regulations.

Furthermore, the RNLAF is part of the Kingdom of The Netherlands, which is a member of the United Nations and the European Union, and the RNLAF also does business with several EU member states. Therefore, the UN, EU and the Dutch export controls, and other import, anti-bribery and anti-corruption laws and regulations should be incorporated in the ICP. In fact, it is to be expected that all these export control laws and regulations be applied in the daily operations of the RNLAF. Finally we mention sanctions law, as the RNLAF needs to ensure that every time re-exports take place they comply with sanctions law, for example by checking that no companies are involved that violated UN, EU and US sanctions law earlier.

Further, an interesting aspect one should understand is that the EU Export Controls and the Dutch Laws and regulations are civil law systems, which means that these regulatory regimes are driven by codified standards. Wernaart defines a civil law system as, “The idea behind a civil law system is that a society can be organized in a coherent way by adopting written codified standards”. [Footnote 12] However, as mentioned before, the RNLAF is mostly involved in deals with the US government or the US defense industry. US Laws and regulations are based on a common-law system, which is a case law driven system. With regard to the essence of a common-law system, Wernaart describes it as, “A common law system is case law driven. The law is therefore predominantly developed by judges, rather than a legislator or academics”. [Footnote 13]

The impact of the difference between the civil and common law-based origins is however not as big as one would expect at first sight, because U.S. Export Controls are codified in federal laws and regulations (such as ITAR and EAR). The majority of the changes in the US thus find their origins in changes of these laws and regulations and not so much in new jurisprudence. In general however, one can observe that U.S. Export Controls, take the ITAR for example, tend to change more frequently than the EU and Dutch Export Controls, which is important to keep in mind.

Also, between the EU and Dutch regimes, a specific relation must be mentioned. One has to understand that the laws of the EU have a supranational character, which means that to enter into force, these laws need to become part of the national legal system of the EU Member States. [Footnote 14] Another legal aspect that needs to be addressed is that some export control regimes have an extraterritorial character. This is the case with the US export control regime. In practice, this means that the US Laws and regulations follow the goods. Thus when, for example, the RNLAF buys F-16 aircraft through FMS-cases, every time the RNLAF wants to re-export, re-transfer or import these defense articles, US Laws and regulations need to be applied to these transactions, which results in the application for authorizations (such as a third-party transfer) with the US Department of State. Thus, in order to design an adequate ICP for the RNLAF not only all the above-mentioned laws and regulations must be incorporated into the different pillars of the ICP, but also the relationships between them must be embedded.

15.3.3 Internal Compliance Program Frameworks and Guidelines

As has been said, there are many models available for designing ICPs. However, for US oriented businesses and organizations, such as the RNLAF, the most applied models are the Committee of Sponsoring Organizations of the Treadway Commission Internal Control—Integrated Framework (COSO Model), [Footnote 15] the US Department of Commerce/Bureau of Industry and Security Compliance Program Guidelines (BIS Guidelines) [Footnote 16] and the US Department of State/Directorate of Defense Trade Controls, Compliance Program Guidelines (DDTC Guidelines). [Footnote 17] Furthermore, there are lots of additional frameworks and guidelines for developing an adequate ICP: the Coalition for Excellence in Export Compliance Best Practices for Export Controls (CEEC Best Practices), [Footnote 18] the Common Industry Standards for European Aerospace and Defense (CIS Standards), [Footnote 19] the Framework for IT Governance and Control (COBIT Framework) [Footnote 20] and many more. In addition, the EU recently presented a recommendation on ICPs [Footnote 21] as did the Dutch Ministry of Foreign Affairs. [Footnote 22]

All the aforementioned ICP guidelines, frameworks and standards (hereinafter together summarized as ‘ICP frameworks’) consist of a combination of pillars that need to be elaborated on in the ‘perfect ICP’. Furthermore, most ICP Frameworks take the five COSO Model components as a starting point: (1) control environment; (2) risk assessment; (3) control activities; (4) information and communication; and (5) monitoring. The COSO Model is a very flexible ICP framework that can be used for businesses as well as government organizations and non-governmental organizations. In fact, the COSO Model is just a starting point and not a ready to use ICP. It is literally a framework that should be supplemented with other pillars specially designed for an organization such as the RNLAF. Since most of the time the RNLAF deals with DDTC and BIS, it is understandable that their ICP Frameworks will be examined as a surplus to the COSO Model and an opportunity to achieve best practice. The guidance on ICPs provided by the EU and the Dutch Ministry of Foreign Affairs has not been taken into consideration when developing an ICP for the RNLAF, first, because the RNLAF focused primarily on ICPs for US-oriented businesses and organizations, second, because they have only become available recently. They will be considered in the near future however.

Examining the above-mentioned ICP Frameworks results in a combination of a maximum of ten separate components that are considered relevant to be incorporated in an ICP:

  1. Management commitment (CEEC, BIS, COSO, COBIT, CIS and DDTC);
  2. Compliance organization (CEEC, COSO, CIS and DDTC);
  3. Risk assessment (BIS, COSO and COBIT);
  4. Policies and procedures (CEEC, BIS, COSO, COBIT, CIS and DDTC);
  5. Contract management and authorization applications (CEEC, BIS and DDTC);
  6. Screening (CEEC, BIS and DDTC);
  7. Training and communication (CEEC, BIS, COSO, CIS and DDTC);
  8. Physical/IT security (BIS, COSO, COBIT and DDTC);
  9. Compliance reviews/audits (BIS, COSO, COBIT, CIS and DDTC);
  10. Handling violations and voluntary (self-) disclosures (CEEC, BIS and DDTC).

The DDTC and BIS Frameworks both combine 9 pillars, which makes them the most detailed and complete ICP Frameworks. The difference between them is that DDTC includes the pillar Compliance Organization and lacks the pillar Risk Assessment, while for BIS the opposite holds.

The COSO Model defines internal control as a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives in the following categories: (1) operational effectiveness and efficiency; (2) financial reporting reliability; and (3) applicable laws and regulations compliance. Obviously, the last category is most relevant when designing an ICP. Bearing in mind the original five COSO Model components, we consider the longlist of 10 separate components a natural refinement logically following the needs of the specific application in export control compliance. And although in different organizations the names and number of ICP components might be slightly different, in general they will not be essentially different from our ten components’ longlist.

15.3.4 The Internal Compliance Program of the Royal Netherlands Air Force Command

Now that the ICP frameworks that are most relevant, as well as the laws and regulations the RNLAF is obliged to comply with, have been elaborated on, these elements are combined in order to design the most adequate ICP for the RNLAF. The RNLAF’s ICP consists of 11 pillars, which are distilled from the COSO-, BIS-, and DDTC-frameworks:

  1. Introduction and management commitment;
  2. Legal and regulating framework;
  3. Compliance organization;
  4. Policies and procedures;
  5. Contract management and authorizations and authorization applications;
  6. Screening;
  7. Training and communication;
  8. Physical and IT security;
  9. Recordkeeping;
  10. Compliance audits;
  11. Violations and voluntary (self-)disclosures.

Most ICP frameworks contain a maximum of nine pillars. The RNLAF added two extra pillars (i.e., (2) legal and regulating framework and (9) recordkeeping). Also, we see that risk assessment is not a pillar, as conducting risk assessments is considered inherent to evaluating all pillars of the ICP and is a continuous process. Below, we will briefly explain the relevance and content of each pillar.

15.3.4.1 Introduction and Management Commitment

The most essential pillar, which provides the foundation of an ICP, is that the senior management of the RNLAF commits itself to all the other pillars of the ICP. Therefore, a management commitment letter from the Commander of the RNLAF is included. This letter contains a strong and durable commitment to exercise control compliance for the RNLAF, and all its approximately 6000 employees. In the COSO Model commitment is an essential part of the control environment, which is defined as “set of standards, processes and structures that provide the basis for carrying out internal control across the organization”. [Footnote 23] This component comprises the tone at the top, communication about ethical behavior and internal control within all levels of staff, and the overall integrity and values of the organization. These elements provide the overall basis for a successful system of internal control. Not directly in the ICP, but in the control environment as a whole, resources to develop and implement the ICP are provided and assigned.

15.3.4.2 Legal and Regulating Framework

As important as the first pillar is the component of all the export control laws and regulations the RNLAF has to comply with while conducting its operations. This pillar incorporates the legal framework. The primary focus in this pillar is on the US laws and regulations (ITAR and EAR, as well as the SAMM for FMS Cases). The EU export control regime and the Dutch strategic goods regulation, [Footnote 24] and other import, anti-bribery and anti-corruption laws and regulations are also included. Furthermore, the difference between the legal essence and implications of FMS and DCS bought articles is explained. This pillar affects all other pillars of the ICP, as it constitutes the core of compliance. Therefore, the RNLAF explicitly chose to include the legal framework as the second chapter of the ICP.

15.3.4.3 Compliance Organization

In this pillar the compliance function is set up and the staff is assigned to the compliance function to ensure there is capacity, so the ICP can do its work to achieve the organization’s strategic goal of compliance. Furthermore, the staff compliance officers and the compliance officers at the Air Bases are cited. Thus, all the RNLAF personnel are able to reach out to their specific point of contact when they have export control compliance questions. As such, the senior management of the RNLAF has ensured that there is a sufficient number of personnel dedicated to the export control compliance functions. Furthermore, back-up personnel are assigned who can maintain the compliance function in the absence of the key compliance officers.

15.3.4.4 Policies and Procedures

Policies and procedures are the operational elements of an adequate ICP. In fact, the policies and procedures of the RNLAF translate the strategic ICP goals into operational control measures. Here, the policies go into processes, which relate to procedures on such a detailed level that work instructions are touched upon, that contain the specific internal controls. These work instructions are vital considering the fact that the 6,000 employees of the RNLAF need to understand and apply these work instructions in their daily business.

15.3.4.5 Contract Management and Authorizations and Authorization Applications

Contract management deals with the processes and requirements applicable when the RNLAF deals with external parties. For being (and staying) export control compliant, it is essential to incorporate the applicable laws and regulations into all contracts in the whole supply chain. Furthermore, this pillar contains all the agreements the RNLAF is involved in with external parties, such as the Technical Assistance Agreement (TAA), the Warehouse Distribution Agreement (WDA) and the Manufacturing License Agreement (MLA) and the implications thereof. [Footnote 25] Moreover, this pillar covers the licensing processes for the application for third party transfers and general correspondences. Because of the complexity of these export control contracts, agreements and authorizations, guidance by the Unit Export Control Compliance is given to the RNLAF personnel on all the above-mentioned procedures.

15.3.4.6 Screening

The RNLAF personnel, suppliers, customers and embedded contractors the RNLAF does business with must be screened on the proper security level, to make sure they are of proper conduct and good standing. In this pillar, all the RNLAF’s requirements for an adequate screening are elaborated on, to make it a sufficiently preventive control.

15.3.4.7 Training and Communication

Without proper communication and training on export control compliance, the RNLAF’s ICP would be ineffective. Therefore, to ensure that the RNLAF personnel comply with all the export control laws and regulations in their daily business, the RNLAF developed communication strategies and several training programs, such as e-learning modules on export control compliance designed to create awareness at all levels of the RNLAF, as well as export control training provided to focal points, who are appointed to answer export control related questions of the RNLAF personnel on the ground. These strategies and programs are elaborated on under this pillar.

15.3.4.8 Physical and IT Security

The RNLAF took measures to ensure that export control compliance is incorporated in the security environment. This covers, for example, controlled access to certain RNLAF locations (physical security) and IT procedures that need to be applied (IT controls incorporated), such as the (semi-)automated SEC database that controls all re-exports of items and technical data. The SEC database is continuously developed and upgraded according to the latest export control regulations. Without an approval of the requested re-exports or transfers in the SEC database, the items cannot be shipped and technical data cannot be transferred to third parties. Regarding the latter, the focus is laid on the re-exports of technical data.

15.3.4.9 Recordkeeping

A properly functioning documentation and recordkeeping system is essential for an adequate ICP. In case of, for example, an external audit by DDTC, the RNLAF must be able to show the records of the past transactions, to establish an audit trail. The RNLAF has different systems for recordkeeping, such as the X-Post system. The different legal requirements for periods of recordkeeping are also covered in this pillar.

15.3.4.10 Compliance Audits

An inclusive audit system is an indispensable element for the RNLAF’s ICP. In fact, this audit system allows the RNLAF to evaluate if its ICP is designed properly, is actually implemented and is working effectively to achieve its strategic goal. Therefore, operational and compliance audits need to be performed. These audits help the RNLAF to improve its ICP when gaps are found. This pillar focuses on internal and external audits and the audit tools the RNLAF uses as part of the Three Lines of Defense model. [Footnote 26]

15.3.4.11 Violations and Voluntary (Self-)disclosures

All companies and organizations, including the RNLAF, sometimes commit violations. The US authorities consider a clear procedure for handling violations, one that explains how the RNLAF handles voluntary (self-)disclosures, to be a mitigating factor. Therefore, a clear procedure for the handling of violations and voluntary (self-)disclosures is designed and presented. Furthermore, examples of non-conformities and violations are elaborated on in order to instruct and educate the RNLAF personnel.

15.4 Conclusion

This section summarizes our research and sets out some further topics for consideration.

15.4.1 Summary

In this chapter we examined how an adequate ICP for the RNLAF was developed. We described the historical context that triggered the need for an adequate ICP. In order to create an adequate ICP, we then examined the PESTL environment the RNLAF operates in. This is essential for determining which environmental aspects should be incorporated in the ICP framework. Thereafter, the legal framework was established. This is based on scrutinizing the RNLAF’s daily business (with which countries and continents does the RNLAF conduct business) and thus which laws and regulations need to be complied with. Furthermore, the different ICP frameworks were compared in order to combine them into the most adequate ICP for the RNLAF. We concluded that this should be a combination of mainly US ICP Frameworks, as the RNLAF is mostly US orientated. The COSO Model, an internationally widely used best-practice framework, is the core that was built upon. The combination of the PESTL analysis, the legal framework and the chosen ICP Frameworks resulted in an 11-pillar ICP, which we conclude is the most suitable ICP for the RNLAF. The steps taken and elements included in the ICP of the RNLAF, and the development process in general, can be of use to any other organization that has need of an ICP and/or might be involved in developing one.

15.4.2 Consideration

For an ICP to be adequate and truly state-of-the-art, it has to be tailored to the situation (e.g., nature of items, size of the organization, national, regional and global footprint). We have seen that there is no one-size-fits-all approach, because there are no ICP (frameworks) that are ready to use instantly. Because of its flexibility, the COSO model has been used as a framework starting point for the RNLAF. In addition, other ICP Frameworks were combined with the COSO model, which made it possible to design an ICP that specifically fits the organizational structure of the RNLAF, its size and daily operations. A good development (process) of an adequate ICP requires time (years), in-depth knowledge, effort and experience, as we can learn from the RNLAF. And the job is never finished: the ICP is a living program. When changes occur in laws and regulations, structure of the organization, or personnel, the ICP is updated in real-time and communicated throughout the organization.

Another topic of consideration is the following: the native tongue of the RNLAF personnel is Dutch. Although on average they have a fair knowledge of English, for an adequate implementation of the ICP, the RNLAF chose to document the original version of the RNLAF ICP in Dutch. Its availability in the personnel’s native tongue is a requirement for the ICP to be embraced at all levels, so that the procedures and working instructions can be understood and applied. It is also imperative for the RNLAF to establish a culture of compliance within the RNLAF. Therefore, training is provided throughout the organization to create awareness, working procedures in chart form are published on the intranet, rules and regulations are elaborated for their proper application, and focal points are created on all levels for questions and support.