Navigating FOCI Risks: Why Organizations Should Care

Managing foreign ownership, control, or influence (FOCI) risk is a critical concern for U.S. companies. This risk extends far beyond a national security issue; it encompasses protecting classified information, intellectual property, ensuring supply chain resilience, and the overall performance and schedule of contracts.

FOCI risk arises when a foreign interest, direct or indirect, can influence and make decisions affecting a company’s management and operations. Such influence, if not properly managed, can lead to unauthorized access to classified information or negatively impact performance and contracts. Given these dynamics, the importance of FOCI risk management cannot be overstated:

• Asset protection: Safeguarding intellectual property, trade secrets and classified information is essential, especially in the face of a 1300% increase in China-linked espionage cases.
• Regulatory compliance: Adhering to FOCI risk regulations is vital, as 1 in 5 corporations claim China has stolen their IP in the past year.
• Business continuity: Ensuring uninterrupted operations is critical to counteract economic coercion and safeguard corporate interests.
• National security: Proactively managing FOCI risk is an integral part of preserving national security, considering the gravity of the threat.

Let’s delve into the risks associated with FOCI and why businesses need to prioritize FOCI risk management. 

Table of Contents

·  Demystifying FOCI Risks

·  Who Is Impacted FOCI Risks?

·  The Consequences of Ignoring FOCI Risk

·  FOCI Mitigation Strategies

·  Explore Exiger for FOCI Risk Mitigation

Demystifying FOCI Risks

FOCI risk factors can be categorized into three primary areas:

Foreign Ownership: This category involves the degree to which foreign entities possess ownership stakes in a U.S. company, its subsidiaries, and its affiliates.  It could mean that a portion of the company’s shares is held under foreign investment by a foreign person, foreign resident, or that a foreign company has significant equity interest.  Foreign investments can also come through venture capital.

Foreign Control: Foreign control concerns the authority and influence exerted by foreign entities over a company’s decision-making processes. This can involve the appointment of key personnel, board members or other measures that grant foreign interests a say in how the company operates.

Foreign Influence: Foreign influence encompasses more subtle forms of influence that foreign interests might wield. This influence can come from various sources, including economic leverage, strategic partnerships or even subtle political maneuvering.

Who is Impacted by FOCI Risks?

FOCI risks have far-reaching implications for a variety of stakeholders. These risks touch upon government contractors, organizations operating within the defense and critical infrastructure sectors, as well as international entities such as multinational corporations. 

Government Contractors

Government contractors are at the forefront of FOCI risks, given their involvement in classified projects and the defense and security domains. These organizations often handle sensitive information and contribute to critical government projects. 

• Record of compliance: Government contractors are required to adhere to strict regulatory and security measures. Failing to manage FOCI risks effectively can lead to non-compliance, which, in turn, jeopardizes the cost, schedule and performance of valuable government contracts.
• Information security: Handling classified information comes with an inherent responsibility to protect it. FOCI risks can lead to unauthorized access, data breaches and the compromise of national security.
• Business continuity: FOCI risks can disrupt the smooth flow of business operations. Ensuring business continuity while managing FOCI is a critical challenge.

Defense and Critical Infrastructure Sectors

For entities operating in defense and critical infrastructure sectors, FOCI risks are not merely theoretical; they are a daily reality. The implications are profound:

• National security: The defense sector plays a pivotal role in safeguarding national security. FOCI risks can compromise the integrity of defense projects, leading to vulnerabilities exploitable by threats that affect a nation’s security.
• Economic stability: The reliable functioning of critical infrastructure sectors, such as energy, telecommunications, and transportation, is vital for economic stability. FOCI risks can disrupt these sectors, leading to economic turmoil.
• Technological advancements: Innovations in defense and critical infrastructure sectors drive technological advancements. FOCI challenges can hinder the progress of cutting-edge technologies and their applications.

International Organizations

In a globalized world, multinational corporations have a substantial presence in various countries and markets. This global reach exposes them to FOCI risks:

• Supply chain vulnerabilities: Multinational corporations often have intricate supply chains. FOCI risks can manifest as vulnerabilities in the supply chain, affecting production, distribution, resilience and, ultimately, competitiveness.
• Market access: FOCI risks can lead to economic coercion and market access issues. Multinational corporations need to navigate geopolitical complexities while protecting their interests.
• Data privacy: The global nature of business means dealing with diverse data privacy regulations. FOCI risks can create challenges in ensuring data security and compliance with international data protection laws.

The Consequences of Ignoring FOCI Risks

Ignoring FOCI risks can lead to legal and regulatory repercussions, significant reputational damage and even jeopardize national security interests. Recent initiatives such as the UFLPA record of enforcement and international sanctions, particularly against Russia and China, have added new dimensions to the FOCI landscape. Understanding these consequences is crucial for informed decision-making and effective risk management.

Legal and Regulatory Consequences

Failing to address FOCI risks appropriately can result in a range of legal and regulatory consequences. Recent enforcement of the Uyghur Forced Labor Prevention Act (UFLPA) has increased the scrutiny of foreign influence activities. Noncompliance with UFLPA, for example, can lead to substantial fines, legal repercussions and loss of revenue from detained shipments.

The imposition of sanctions against countries like Russia and China underscores the regulatory environment’s complexity. Noncompliance with these sanctions can lead to severe penalties, including asset freezes and restrictions on conducting business in certain regions.

Reputational Damage

Reputation is a valuable asset in today’s business world, and FOCI-related controversies can severely tarnish it. FOCI-related controversies tend to attract media attention, particularly in the context of heightened geopolitical tensions and sanctions enforcement. Public and media scrutiny can lead to a negative public image that is challenging to rectify.

Public awareness and concerns about FOCI factors can lead to consumer boycotts, causing long-term harm to an organization’s brand and market presence. Reputational damage can erode investor confidence, impacting stock prices and access to capital.

National Security Implications

FOCI risks have direct implications for national security, as recent developments have demonstrated. Unauthorized access to classified information due to FOCI risks can compromise national security, leading to vulnerabilities and threats. The NISPOM (National Industrial Security Program Operating Manual) plays a pivotal role in safeguarding classified information by establishing and enforcing security standards, protocols, and security clearances for defense contractors and organizations working with sensitive government data.

FOCI Mitigation Strategies

Navigating the complexities of FOCI risks demands proactive action plans like the National Interest Determination (NID) statement issued by the Government Contracting Activity (GCA), assuring that proscribed information to a company will not compromise the national security interests of the United States.

Furthermore, mitigation measures can be categorized into two groups of information exchange agreements: one for facilities with Minority Ownership and another for those under Majority Ownership or Control.

Minority Ownership Mitigation Agreements

• Board Resolution (BR): A resolution by the governing board to mitigate FOCI risks.
• Security Control Agreement (SCA):  A legally binding certificate insulating foreign shareholders from unauthorized access to government information.

Majority Ownership or Control Mitigation Agreements

• Special Security Agreement (SSA): A comprehensive aggregate agreement defining terms and conditions for foreign involvement which may include imposed security measures.
• Proxy Agreement (PA): Designating a trusted U.S. citizen to vote on behalf of foreign interests.
• Voting Trust Agreement (VTA): Allowing a trusted U.S. trustee to hold voting rights for foreign interests.

Other strategies include fostering a compliance culture through education, training and clear communication as well as seeking guidance from FOCI experts to tailor mitigation strategies effectively.

Explore Exiger for FOCI Risk Mitigation

The 1Exiger platform offers end-to-end supply chain visibility with a suite of tech tools for due diligence, supply chain visibility and third-party relationship monitoring.

• DDIQ Analytics serves as a cornerstone in data-driven FOCI mitigation. Harnessing the capabilities of Exiger’s proprietary technology stack, DDIQ Analytics empowers organizations to distill and visualize extensive and intricate data sets. This not only simplifies the interrogation of your risk ecosystem but also allows you to uncover potential FOCI risks and take swift, informed actions.
• Supply Chain Explorer provides unparalleled transparency in a single click. It empowers companies and government agencies to swiftly gain insights into their supply chains, ensuring that they are well protected from potential FOCI-related risks and disruptions.
• Insight 3PM serves as a workflow tool that empowers organizations to make informed decisions while optimizing resources. It provides real-time research and configuration attributes that enable you to maintain control over your third parties and supply chain, all while enhancing efficiency, transparency, and auditability.

FOCI risks are not to be underestimated; they can result in legal penalties, reputation damage, and even national security risks. To address them effectively, look beyond your primary suppliers to the nth tier in your supply chain. 

1Exiger, informed by global research, highlights FOCI risks, financial health, cybersecurity vulnerabilities, ESG concerns, and modern slavery risks. Equip your organization with the insights and tools needed for proactive FOCI risk management.

More resources:

• The Ultimate Guide to the Sanctions Screening Process
• 7 Takeaways from the Executive Order on Tech Investments in China
• Exiger Helps Safeguard Sensitive Research
• U.S. Partnership for Assured Electronics Selects Exiger as Strategic Technology Partner