FOCI risk can strike a federal supplier at any time, anywhere. Mergers and acquisitions, minority investments, leadership changes, and corporate restructuring can all introduce risk with no outward signs. To safeguard the mission, companies need continuous monitoring, and an evidence-based, repeatable process that triages and mitigates new risk as soon as it’s detected. 

What is FOCI Risk?

Foreign Ownership, Control, or Influence (FOCI) risk is the risk of a foreign entity having undue access to, or power over, a company’s sensitive data, decision-making, or operations. Not all FOCI risk is the same; if the entity with influence is linked to a US ally, the FOCI risk is generally considered low. However, if it is linked to a Foreign Country of Concern (FCOC), it may pose unacceptable risk.

By reducing or eliminating FOCI risk, companies protect the integrity of: 

  • National security: preventing access to sensitive info, tech, and projects
  • Critical infrastructure: safeguarding energy, transportation, and defense
  • Supply chain: reducing the risk of disruption by, or dependency on, foreign adversaries

FOCI risk breaks down into three main components.

Foreign ownership

The company is owned by foreign shareholders or state-owned enterprises, either directly or through opaque structures, such as shell companies or offshore entities. The significance of this type of risk depends on the company involved, its ownership stake, and what rights are involved. Foreign ownership can be difficult to detect, as entities may use complex ownership chains in order to obscure connections to geopolitical adversaries.

Foreign control

Ownership doesn’t always mean control. With the right governance, a foreign entity can hold a partial ownership stake without exercising undue influence. That’s why it’s crucial to look not just at who owns a company, but at what degree of control they exercise over it.

Foreign control measures the degree of power foreign entities have over the key decisions, assets, and operations of a company. To examine it, companies look at factors like who sits on the board, who has voting rights, and what management agreements the company may have with foreign entities. Signs of foreign control include FCOC-connected board members with decision authority, outsourced operations to foreign entities, and any special voting rights or golden shares.

Foreign influence

Foreign influence is the most difficult factor to fully identify and quantify. A vendor without any overt signs of foreign ownership or control may still be dependent on a foreign government if that government is a major client or has an exclusive contract or partnership. The vendor may also be subject to data-sharing or intelligence laws in its jurisdiction, which compromise its ability to protect sensitive information.

Why Do Onboarding FOCI Checks Fail?

FOCI due diligence takes a snapshot of risk, typically during the onboarding process and during compliance reviews. But FOCI risk is dynamic. A company may look clean on the day you assess it, but its ownership, control, and influence profile can change overnight without any obvious signs. Unless you’re continuously monitoring, you just won’t see it. 

Mergers and acquisitions

M&A exposes you to an entirely different ownership and control dynamic. If a cleared company gets rolled into a private equity-backed organization or merges with a corporation with foreign LP exposure, it raises all kinds of problems: new indirect foreign ownership, possible shifts in control rights, and potential foreign influence through the jurisdiction of the new partner, just to name a few. And your initial FOCI investigation becomes all but worthless.

New funding

Investment comes with rights. When a company holds a new equity round or refinances its debt, these rights can raise complex FOCI risks. Investors may directly gain decision-making or influence rights, but even when they don’t, they may still end up with an unacceptable degree of information access.

And then there’s the matter of subtle influence without direct control. Capital dependence on a foreign sovereign wealth fund, or network influence through an FCOC investor, can significantly elevate your risk by creating an incentive to keep the investor happy. But that won’t raise an alarm without ongoing monitoring.

Leadership changes

Decision-makers can be a major FOCI risk. Hiring a new CEO or CFO, reshuffling the board, and even bringing in new advisors can add significant influence that needs to be investigated. If a company brings in leadership with strong ties to a foreign country or parent company, they can shift strategic direction, or gain access to sensitive projects and data.

Corporate restructuring

Companies use a range of controls to protect valuable or sensitive assets internally. Access control, segmentation, vetting, monitoring, and training let organizations minimize risks like data leaks and IP theft in specific lines of business (LOBs) or divisions without the expense and complexity of turning the whole organization into a high-security facility.

When an organization restructures, all of that can get thrown out the window. Business units reorganize, IP is transferred to different entities, and segmented IT, HR, and finance services can get centralized without preserving the careful controls put in place before the restructuring. That means riskier entities within the organization can obtain control, influence, or data access that poses serious FOCI risks. 

How to Get FOCI Right

Effective FOCI management requires a combination of deep research, clear workflows, and ongoing monitoring to prevent drift. Here’s how to do it.

Platform-facilitated entity resolution 

Modern corporate structure is a hassle for any kind of due diligence. Companies can have multiple legal names, redundant subsidiary names with slight variations, and complex and opaque ownership structures. Then there are all the codes to confirm, including EIN, DUNS, CAGE, and other registration and identification systems.

And that’s just pinning down an individual company — before the cross-source matching and relationship stitching starts. 

It’s absolutely unmanageable for a person, but it’s the sort of task that platforms, like Craft, are very good at. Craft can assemble a golden entity record — a single canonical profile for a target, linked to all known aliases, legal and historical names, and registration IDs. From there, it can carry out cross-source matching across corporate registries, sanctions and watchlists. Relationship stitching follows, tracking down subsidiaries, parent companies, and related entities. With a few clicks, you’ve got a real-world entity footprint that lets you start to see the potential risks at play.

Corporate hierarchy and beneficial ownership intelligence

Once you’ve traced the general outline of the entity, you need to flesh it out by looking at the ownership structure, teasing out the various stakeholders and the amount of control or influence each exercises. FOCI risk can hide in the complex structures of parent companies, offshore layers, and fund structures. To flush it out, you need to work through the full ownership tree, from subsidiary, up to parent, to UBO. That lets you flag and evaluate state-owned enterprises, sovereign wealth funds, and politically exposed persons (PEPs).

The degree and type of ownership is every bit as important as the owners. Passive ownership by a problematic partner can become a concern when it approaches a majority or plurality, since it can influence the direction and decisions of the company. However, control rights are a much bigger concern. A PEP or FCOC-linked organization with voting rights, board seats, or special government or data rights can pose a bigger risk with 10% control than a 40% passive ownership stake. It’s up to you to evaluate the types and degrees of control.
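The ownership-tree walk described above, from subsidiary up through parents to UBO with control rights weighted above passive percentage, as an added example. This is not Craft’s code or platform API; every entity, stake, jurisdiction code ("FCOC-A"), the rule that control only propagates through hops that carry control rights, and the 25%/50% thresholds are constructed assumptions for illustration.

```python
"""Added example (not Craft's code or platform API): walk a supplier's
ownership graph up to its ultimate beneficial owners (UBOs), compute each
UBO's look-through economic stake, and grade FOCI exposure with control
rights weighted above passive percentage. All entities, stakes, jurisdiction
codes and thresholds below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    jurisdiction: str
    kind: str = "company"            # company | person | fund | soe | swf | public_float
    pep: bool = False                # politically exposed person


@dataclass(frozen=True)
class Holding:
    owner: str
    owned: str
    pct: float                       # economic stake as a fraction, 0.0 to 1.0
    rights: frozenset = frozenset()  # e.g. {"board_seat", "veto_rights", "golden_share"}


class OwnershipGraph:
    def __init__(self, entities, holdings):
        self.entities = {e.name: e for e in entities}
        self.owners_of = {}
        for h in holdings:
            self.owners_of.setdefault(h.owned, []).append(h)

    def ubo_exposure(self, target):
        """Return {ubo: (effective_stake, control_chain)} for `target`.
        effective_stake multiplies percentages along each chain and sums the
        chains; control_chain is True when some chain carries control rights
        at every hop (assumption: control propagates only through controlled
        intermediaries). Cross-holding loops are skipped, a simplification."""
        exposure = {}

        def walk(node, stake, controlled, path):
            holders = self.owners_of.get(node, [])
            if not holders:                      # nobody recorded above: a UBO
                s, c = exposure.get(node, (0.0, False))
                exposure[node] = (s + stake, c or controlled)
                return
            for h in holders:
                if h.owner in path:              # cross-holding loop: skip
                    continue
                walk(h.owner, stake * h.pct, controlled and bool(h.rights), path | {h.owner})

        walk(target, 1.0, True, {target})
        return {k: (round(s, 4), c) for k, (s, c) in exposure.items()}


FCOC = {"FCOC-A"}   # constructed placeholder jurisdiction code


def assess_foci(graph, target, fcoc=FCOC):
    """Grade each flagged UBO. Thresholds are assumptions: a control chain or a
    majority stake is high, a stake of 25% or more is medium, anything else low."""
    findings = []
    for name, (stake, control) in graph.ubo_exposure(target).items():
        e = graph.entities[name]
        reasons = [r for cond, r in ((e.jurisdiction in fcoc, "fcoc_jurisdiction"),
                                     (e.kind in ("soe", "swf"), "state_linked"),
                                     (e.pep, "pep")) if cond]
        if not reasons:
            continue
        severity = "high" if control or stake >= 0.50 else "medium" if stake >= 0.25 else "low"
        findings.append({"ubo": name, "stake": stake, "control": control,
                         "reasons": reasons, "severity": severity})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


def build_sample_graph():
    """Constructed sample: a state-linked fund reaches the supplier through a
    fund vehicle with special rights; a passive FCOC-jurisdiction holder sits
    further up the parent chain with no rights at all."""
    entities = [
        Entity("Acme Defense Components LLC", "US"),
        Entity("Acme Holdings Inc", "US"),
        Entity("Northstar Industrial Group", "US"),
        Entity("Public float", "US", kind="public_float"),
        Entity("Oceanic Trading Ltd", "FCOC-A"),
        Entity("Meridian Growth Fund LP", "KY", kind="fund"),
        Entity("Sovereign Fund X", "FCOC-A", kind="swf"),
        Entity("Pension Fund Y", "US", kind="fund"),
        Entity("Founder J. Doe", "US", kind="person"),
    ]
    holdings = [
        Holding("Acme Holdings Inc", "Acme Defense Components LLC", 0.60, frozenset({"board_majority"})),
        Holding("Meridian Growth Fund LP", "Acme Defense Components LLC", 0.30, frozenset({"board_seat"})),
        Holding("Founder J. Doe", "Acme Defense Components LLC", 0.10),
        Holding("Northstar Industrial Group", "Acme Holdings Inc", 1.00, frozenset({"board_majority"})),
        Holding("Public float", "Northstar Industrial Group", 0.85),
        Holding("Oceanic Trading Ltd", "Northstar Industrial Group", 0.15),   # passive stake only
        Holding("Sovereign Fund X", "Meridian Growth Fund LP", 0.40, frozenset({"veto_rights"})),
        Holding("Pension Fund Y", "Meridian Growth Fund LP", 0.60),
    ]
    return OwnershipGraph(entities, holdings)


if __name__ == "__main__":
    for finding in assess_foci(build_sample_graph(), "Acme Defense Components LLC"):
        print(finding)
```

On the constructed data, Sovereign Fund X holds only 12% look-through but reaches the supplier through a chain that carries rights at every hop, so it grades high; Oceanic Trading Ltd holds 9% with no rights anywhere on its chain and grades low. That is the page’s point that 10% with control can outweigh a much larger passive stake. Real cross-holdings need an iterative solution rather than the loop-skip used here.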

Event-driven monitoring

Your FOCI risk calculation is only as good as your ability to recognize and evaluate change. You need event-driven monitoring that informs you every time there’s a significant change in the company that could affect FOCI risk. This monitoring should provide alerts whenever there’s a change in:

  • Ownership: New investors, mergers, and acquisitions are the most significant ownership events, but even stake increases and decreases should be evaluated, since they can affect the degree of influence
  • Governance roles: Every time there are new board members elected or executive turnover
  • Corporate structure: If new subsidiaries are added or business units are reorganized
  • Financial signals: Whenever there are new funding rounds or negative financial signals that could increase vulnerability to foreign influence

Excluding irrelevant alerts is almost as important as including relevant alerts. There will be FOCI alerts that don’t reveal new risks upon analysis, such as a new investor with no foreign connections or influence. That’s good, because it’s still a change you should investigate. 

However, false positives can alert you to changes that are totally unrelated to FOCI. Too many false positives, and your team will start to pay less attention to alerts, eroding their vigilance over time. Make sure the monitoring tools you use are powered by well-designed agentic AI systems to give you every relevant signal with as little additional noise as possible. 

Clear decision process and workflow

You need a defined escalation path for new FOCI signals. Alerts should route to analysts, who then triage them for severity and eliminate any false positives. Signals should be assessed as low, medium, or high risk, and escalated to a multi-disciplinary team which can address the security, legal, program, and contracting aspects accordingly.

For each risk, you need to decide whether to accept, mitigate, or replace the supplier. Mitigation will need to be on a case-by-case basis, but you should have a standard playbook using access restrictions, data segmentation, and governance changes to mitigate different types of issues, and a qualified review team to catch errors. 

Finally, the whole process should be auditable, with every data point validated and justified, so that it can be defended to regulators if necessary.
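The event-driven monitoring of the four change categories, the suppression of noise, and the low/medium/high triage with an auditable record, as one added example covering the monitoring and workflow passages above. This is not Craft’s code or platform API; the two snapshots, the names, the FOREIGN_LINKS reference table, the 5-point noise floor and the severity rules are all constructed assumptions.

```python
"""Added example (not Craft's code or platform API): diff two snapshots of a
supplier's record, turn each difference into a categorised FOCI alert,
suppress changes that are noise, grade the rest low/medium/high, and keep an
auditable record of every decision. All names, stakes, dates and the
FOREIGN_LINKS table are constructed placeholders."""

MAJORITY = 0.50
STAKE_NOISE_FLOOR = 0.05   # assumption: a sub-5-point move by an unlinked holder is noise

# Constructed reference data: parties with a known link to a foreign country of concern.
FOREIGN_LINKS = {"Oceanic Trading Ltd": "FCOC-A", "E. Roe": "FCOC-A"}

# Constructed snapshots of one supplier, before and after a funding round.
BEFORE = {
    "as_of": "2025-01-15",
    "owners": {"Acme Holdings Inc": 0.60, "Meridian Growth Fund LP": 0.30, "Founder J. Doe": 0.10},
    "board": {"A. Smith": "chair", "B. Jones": "director", "C. Lee": "director"},
    "executives": {"CEO": "A. Smith", "CFO": "D. Patel"},
    "subsidiaries": {"Acme Logistics LLC"},
    "funding_rounds": ["Series A 2021"],
}
AFTER = {
    "as_of": "2025-06-30",
    "owners": {"Acme Holdings Inc": 0.45, "Meridian Growth Fund LP": 0.30,
               "Founder J. Doe": 0.08, "Oceanic Trading Ltd": 0.17},
    "board": {"A. Smith": "chair", "B. Jones": "director", "E. Roe": "director"},
    "executives": {"CEO": "A. Smith", "CFO": "F. Quinn"},
    "subsidiaries": {"Acme Logistics LLC", "Acme Services GmbH"},
    "funding_rounds": ["Series A 2021", "Series B 2025"],
}


def _alert(category, summary, severity, before, after, party, links):
    return {"category": category, "summary": summary, "severity": severity,
            "party": party, "link": links.get(party), "before": before, "after": after}


def detect_changes(before, after, links=FOREIGN_LINKS):
    """Compare two snapshots and emit one alert per change in the four
    categories the text lists. Severity rules are assumptions: a linked party
    gaining a governance role or a majority is high; a linked new investor, a
    linked stake change or any crossing of the majority line is medium; other
    real changes are low; tiny unlinked stake moves are suppressed as noise."""
    alerts = []

    def add(*args):
        alerts.append(_alert(*args, links))

    for name in sorted(set(before["owners"]) | set(after["owners"])):
        old, new = before["owners"].get(name, 0.0), after["owners"].get(name, 0.0)
        linked = name in links
        if old == new:
            continue
        if old == 0.0:
            sev = "high" if linked and new >= MAJORITY else "medium" if linked else "low"
            add("ownership", f"new investor {name} at {new:.0%}", sev, old, new, name)
        elif abs(new - old) < STAKE_NOISE_FLOOR and not linked:
            add("ownership", f"minor stake move for {name}", "suppressed", old, new, name)
        else:
            crossed = (old >= MAJORITY) != (new >= MAJORITY)
            sev = "high" if linked and new >= MAJORITY else "medium" if linked or crossed else "low"
            add("ownership", f"stake for {name} moved {old:.0%} -> {new:.0%}", sev, old, new, name)
    for name in sorted(set(before["board"]) ^ set(after["board"])):
        joined = name in after["board"]
        add("governance", f"board member {'added' if joined else 'removed'}: {name}",
            "high" if joined and name in links else "low",
            before["board"].get(name), after["board"].get(name), name)
    for role in sorted(set(before["executives"]) | set(after["executives"])):
        old, new = before["executives"].get(role), after["executives"].get(role)
        if old != new:
            add("governance", f"{role} changed from {old} to {new}",
                "high" if new in links else "low", old, new, new)
    for sub in sorted(set(before["subsidiaries"]) ^ set(after["subsidiaries"])):
        added = sub in after["subsidiaries"]
        add("structure", f"subsidiary {'added' if added else 'removed'}: {sub}",
            "medium" if sub in links else "low", not added, added, sub)
    for rnd in after["funding_rounds"]:
        if rnd not in before["funding_rounds"]:
            add("financial", f"new funding round: {rnd}", "low", None, rnd, None)
    if after.get("distress_flag") and not before.get("distress_flag"):
        add("financial", "negative financial signal raised", "medium", False, True, None)
    return alerts


DECISIONS = {"high": "escalate to multi-disciplinary team", "medium": "analyst review",
             "low": "log and evaluate", "suppressed": "suppress as noise"}


def triage(alerts, as_of):
    """Attach the as-of date and a decision to every alert, suppressed ones
    included, so the audit trail shows what was seen and why it was set aside."""
    return [dict(a, as_of=as_of, decision=DECISIONS[a["severity"]]) for a in alerts]


def escalations(records):
    return [r["summary"] for r in records if r["severity"] == "high"]


if __name__ == "__main__":
    for record in triage(detect_changes(BEFORE, AFTER), AFTER["as_of"]):
        print(record["severity"].upper(), record["category"], record["summary"], "->", record["decision"])
```

Suppressed alerts stay in the trail with their before/after evidence rather than being dropped, which is what makes the process defensible later: a reviewer can see that the founder’s 2-point decrease was seen and set aside, while the linked new board member was the only item escalated.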

Moving From Check-the-Box to Mission-First

You can check all the boxes and still miss the risk. To really protect your organization from FOCI risk, you need to move beyond simple compliance to mission assurance. Every day, your team needs to ask itself, “could foreign ownership, control, or influence degrade our ability to execute the mission?” Only then can you avoid disruptions, last-minute fire drills, and other unexpected surprises.

Craft powers FOCI risk prevention by providing the alerts, data, and analytics you need. We provide deep insight into entity resolution, ownership structures, and affiliations. You can take in an entity’s entire footprint through a single pane of glass, quickly identify exposed and sanctioned individuals, and conduct your whole FOCI risk workflow, right in the platform. 

That gives your analysts all the information they need to make the right decisions, mitigate risk, and ensure your organization continues to succeed in its mission. Contact us to learn more.