Risk Assessing for AEO

Authorised Economic Operator status is a well-established ‘trusted trader’ customs programme created by the World Trade Organisation (WTO) in 2008. AEO status shows that the supply chain you’re involved in is secure and compliant and that you can be regarded as a Trusted Trader. It’s a non-mandatory ‘fast track’ that simplifies certain customs procedures. It also provides potential reductions in guarantees required to operate Customs special procedures such as warehousing and inward/outward processing regimes.

The most common question I get from clients when applying for AEO status is what security measures must be in place before applying, and the simple answer is the security measures that are required to mitigate the current risks to which the organisation is exposed.

A common misconception surrounding AEO is that one size fits all. There is no restriction on who applies for AEO status – anyone operating from a back yard shed to a multinational organisation is presented with equal opportunities to be granted AEO status.  AEO is not mandatory. Any economic operator established in the EU who is part of the international supply chain and is involved in customs activities can apply for AEO status. You must have an Economic Operator Registration Identification (EORI) number. The conditions for AEO status apply to all businesses regardless of size. Manufacturers, exporters, freight forwarders, warehouse-keepers, clearance agents, carriers and importers may all apply for AEO status (https://www.revenue.ie/en/customs-traders-and-agents/authorised-economic-operators/index.aspx)

Annex 2 of the AEO guidelines are in place (https://ec.europa.eu/taxation_customs/general-information-customs/customs-security/authorised-economic-operator-aeo_en) to provide companies with a framework relating to the security measures that are required but, is it really essential for a one-man organisation to be equipped with an identity badge in a fob and key restricted access zone? No, it is not! Annex 2 includes the document ‘Threats, Risks and Possible solutions’ which is addressed both to customs authorities and economic operators. It aims at facilitating the audit and the examination to ensure compliance with AEO criteria by matching the information provided in the SAQ and the risk areas identified and also provides examples of possible solutions to cover the risks and threats identified. In addition to this the ‘AEO Compact Model’ provides a framework including methodology for risk assessing economic operators.

The AEO Compact Model

 Figure 1 The AEO Compact Model

To determine what security and threat-mitigating factors your organisation requires before applying for AEO, the simplest strategy is to carry out a security and threat risk assessment. Doing this determines what the highest risks to the organisation are in terms of likelihood and impact, what control measures are currently in place to mitigate those risks, and what risk factors require additional measures to reduce the residual risk.

The risk and threat assessment should cover all risks relevant for AEO status, keeping in mind the role of the economic operator in the supply chain and should include:

  • Access control
  • Logistics and production control
  • Personnel security
  • Premises security
  • Information security

The risk and threat assessment for security and safety purposes should cover all the premises that are relevant to the economic operator’s customs-related activities.

Relationship between AEO and Corporate Security

Figure 2 Relationship between AEO and Corporate Security (European Commission 2016)

From the five categories mentioned above all the risks in these areas should be identified and documented. A five by five risk matrix can be used to determine the current risk rating and the residual risk rating.

A five by five matrix is a commonly used risk assessment tool for evaluating and estimating Risk Level.  Based on the results of this a determination can be made as to whether additional control measures need to be put in place.

The five by five matrix works by multiplying the likelihood of an incident occurring by the impact on the company if that incident were to occur. The table below demonstrates how to construct and utilise a five by five matrix.


Table 1 Risk Exposure Matrix

Colour coding the risk matrix is a useful visual tool for presenting the data. Determining the likelihood and impact of a risk occurring is a subjective task and should be carried out by a group through a brainstorming exercise to ensure that the risk assessment isn’t completely governed by one person’s opinion.

In conclusion the simplest way to determine what your organisation requires before applying for AEO status will be determined by the company’s security and threat risk assessment. If the residual risk rating determined for any of the risk categories scores in the high to critical zone the organisation does not have enough security measures in place to apply for AEO status. Granting AEO status can start in theory if all risks are covered. ‘A “fit for purpose” risk response will combine various strategies and mechanism to achieve the desired results.’ WORKING DOCUMENT TAXUD/2006/1452 The AEO Compact Model). Working through the risk matrix and providing additional mitigating elements to the high-risk categories until all risks are controlled and score in the insignificant to low marks will ensure your organisation satisfies the AEO criteria.  The AEO Compact Model describes mitigating measures for risk reduction under the following headings;

  • Take – within the acceptable materiality. Some risks cannot be avoided, some risks can be practically and affordably reduced to zero likelihood/zero impact. For example, it is physical impossible to check all exports shipments to third countries
  • Treat – Audit Plan; By treating risks, the aim is to change the likelihood and/or impact of a recognised risk in order to achieve the customs objectives.
  • Transfer – Guarantee (For example, an operator can transfer the risk of unauthorized access to a surveillance company)
  • Terminate – Rejecting the facilitation

Once you are confident you have sufficient mitigating measures in place you can continue on to complete the AEO SAQ and accompanying documentation in order to apply for AEO Status.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: