Skip to main content
2016 OAS Guidelines

3.III.6.1 Economic operator risk assessment and management

The organization of an economic operator can constitute a complex system involving numerous interrelated processes. An AEO should focus on processes, risk management, internal controls, and measures taken to mitigate risks. A periodic review of such processes, controls and measures adopted to reduce or mitigate the risks associated with the international movement of goods should be included here.

Internal control is the process implemented by an economic operator to prevent, detect, and address risks, thereby ensuring that all relevant processes are adequate. An organization that has not adopted any internal control system, or whose system has data demonstrating poor performance, is, by definition, at risk.

Risk management systems establish the guidelines that guide the actions of economic operators in any sector in the areas of risk assessment, control, monitoring, and treatment. For an AEO, this means that the economic operator must clearly set out in its policies and strategies the objectives relating to compliance with customs regulations and the protection of its part of the supply chain in accordance with its business model. The management system must include:

  • a continuous cycle of identifying needs and requirements;
  • the evaluation of the best means of meeting the requirements;
  • the execution of a managed process for the implementation of the selected management actions;
  • monitoring system performance;
  • Maintaining data that demonstrates the application of the processes used to achieve business objectives and identifying opportunities for functional or business improvement, including mechanisms for reporting deficiencies, incidental errors, and potential structural errors.

All of these characteristics must be considered within the framework of compliance with the legal and regulatory requirements to which the organization subscribes or is required to comply.
The more aware an organization is of its processes and the risks associated with its activities, the greater the likelihood that those processes will be managed appropriately. In this regard, an organization must consider concepts such as risk management, governance, and control (monitoring, re-evaluation, process re-execution, and redesign procedures), and must adopt appropriate procedures to address the most significant risks and identify new ones.

Within the economic operator's organization, there must be a designated person or, depending on its size and complexity, a unit responsible for conducting risk and threat assessments and implementing and evaluating internal controls and other measures. The risk and threat assessment should address all risks affecting the AEO status, taking into account the economic operator's role in the supply chain. Such risks include:

  • threats to the security and protection of facilities and goods;
  • physical threats;
  • the reliability of information related to customs operations and logistics of goods;
  • a visible audit trail and the prevention and detection of fraud and errors;
  • contractual clauses relating to business partners in the supply chain.

The assessment of risks and threats related to security and safety must cover all facilities related to the economic operator's customs activities.