How far is organized crime from your company?

R$52 billion. This is the volume handled by the Primeiro Comando da Capital (PCC) in the fuel sector between 2020 and 2024, according to investigations by the São Paulo Public Ministry.

It is not money kept in clandestine vaults. It is capital circulating in companies with CNPJ, contracts, invoices and, in many cases, commercial relationships with other companies that have no idea what (or who) is on the other side of the business.

This number existed before May 2026. But it was in May 2026 that it took on a new perspective for the corporate world.

What changed, without legalese

On May 28, 2026, the United States government designated the PCC and Comando Vermelho as Foreign Terrorist Organizations (FTOs).

This classification was originally created for groups such as Al-Qaeda and Hezbollah and, for the first time, was applied to Brazilian criminal factions.

What does this mean in practice? It means that any company, Brazilian or foreign, that has a connection with the American financial system and provides resources, services or support, even if indirectly, to these terrorist organizations, becomes subject to investigations and sanctions under American law.

PCC and Comando Vermelho are not just groups associated with drug trafficking, weapons or urban violence.

It is precisely when their activities reach the formal economy that the topic ceases to be exclusive to public security and becomes a matter of Corporate Governance, Risk Management and Compliance within all companies.

The supplier has a CNPJ, but the risk may have another identity

We are not talking about the caricatured hypothesis of a company signing a contract directly with a criminal faction.

The most difficult risk to see is another: an organization hiring a third party, who hires another third party, who operates in a sensitive region, who uses a non-transparent financial structure, who has indirect links with agents involved in the illicit activities of the PCC or Comando Vermelho.

Think about some sectors in which this reality is already more evident:

  • Logistics and transport: these are environments where organized crime has long charged informal tolls, controlled routes and imposed suppliers in certain regions. A carrier hired by your company can operate perfectly well and still have subcontractors who navigate this environment every day paying tolls.
  • Fuels: the sector concentrates one of the largest volumes of PCC assets in the formal economy. Stations, distributors and fleets that supply industrial and agricultural operations in various regions of the country are part of this ecosystem without the contractors knowing.
  • Fintechs and payment methods: these are at a crossroads. In addition to the risk of serving as a channel to process, move or integrate resources of illicit origin in the midst of legal activities, these structures can be incorporated into money laundering schemes designed to hide real beneficiaries or give the appearance of legitimacy to the origin of the resources.
  • Local outsourcing services in general: services such as cleaning, security, maintenance and facilities often operate in regions where the presence of organized crime is part of the context. Hiring services in these regions without understanding who, in fact, is behind the operation is a risk that few managers stop to evaluate.

For the company, the risk of connection or support to terrorist organizations has become a diffuse, widespread risk and, often, invisible to the naked eye. It can be outside the main contract, outside the tier one supplier, outside the standard due diligence report, and yet within the value chain.

Corporate Governance: who decides when risk appears?

When a company identifies possible exposure to third parties, operations or financial flows that may have a connection to criminal factions, the issue quickly goes beyond the operational field and becomes a business decision.

Continue or terminate a business relationship. Suspend payments. Stop a critical operation. Review a supply chain. Redesign a logistics route. Reevaluate an investment.

All of these decisions involve financial, contractual, operational and reputational impacts. And that is precisely why corporate governance plays an important role.

Governance, in this context, does not just mean discussing the topic at Board of Directors meetings. It means defining who should be informed, which criteria will guide the analysis, which areas will participate in the evaluation, what the decision-making powers are and how this entire process will be documented.

In complex scenarios, mature organizations are able to demonstrate what information they had, what alternatives they evaluated and why they followed a certain path.

When the topic involves potential connections with terrorist organizations, this traceability ceases to be a good practice and becomes an essential element of institutional protection.

Risk Management: the challenge of diffuse risks

Traditional risk management tends to work well when the risk has clear boundaries. A machine can break. A system may become unavailable. A rule may be violated.

But exposure to organized crime follows a different logic.

This is a diffuse risk, which crosses contracts, outsourcing, subcontracting, geographies, financial flows and entire production chains. A risk that rarely appears concentrated in a single event or process.

Therefore, the question “are we related to PCC or Comando Vermelho?” is too simplistic for corporate reality.

The most useful questions are: Where is our exposure most likely? What operations depend on transportation in sensitive regions? Which suppliers use extensive subcontracting networks? Which contracts involve local intermediaries? Which areas operate with large circulation of money, complex logistics or critical infrastructure?

From this mapping, risk management begins to build scenarios, define indicators, monitor warning signs and establish prioritization criteria.

Not every supplier requires the same level of diligence. Not every operation demands the same degree of monitoring.

We have already learned that the objective is not to eliminate risks. It is to understand where they are, what impacts they can generate and which controls are proportional to the identified exposure. After all, when everything is treated as a top priority, nothing really is a priority.

Compliance: when screening is no longer sufficient

If there is one area directly impacted by this change in scenario, it is compliance.

For many years, most organizations have structured their due diligence based on a relatively simple logic: check restrictive lists, consult public databases and assess the existence of formal sanctions. This work continues to be important. But it does not, on its own, respond to the current challenge.

The risk of connection to or support of terrorist organizations may arise long before any names appear on a restrictive list.

Therefore, mature compliance programs tend to expand their analysis beyond traditional screening: final beneficiaries, complex corporate structures, abrupt changes in control, indirect links, unusual payment patterns, excessive use of intermediaries and even the geographic location of operations.

This information becomes as important an element as formal consultation of sanctions lists.

Technology and due diligence tools become increasingly necessary, as manual monitoring of all these bases would be humanly unfeasible. But just as important is the ability to create a culture capable of recognizing warning signs and acting on them.

This includes not only risks related to third parties, but also situations in which employees themselves may be targets of extortion, coercion or attempts at influence by criminal organizations.

Controls will help identify an alert situation, but it is people who will have to raise their hands and activate compliance so that the company can decide what to do with the identified risk. After all, ignoring warning signs regarding foreign terrorist organizations is not treated as innocence.

Turning a blind eye to what is evident can, in itself, be interpreted as a choice, and that is exactly how American officials have framed this type of situation.

Do we know who the final beneficiaries of our critical suppliers are? Does our risk matrix include the risk of criminal factions? Do we have protocols for escalation and decision-making for cases involving organized crime?

The classification of the PCC and Comando Vermelho as terrorist organizations by the United States placed the issue on the agenda of corporate risks with probability, impact and responsibility, like any other relevant business risk.

It will be up to companies, with the support of their GRC areas, to understand their level of exposure, strengthen their due diligence, update their risk matrices and adequately record the decisions made.

For those who work in GRC, the challenge is to know the business well enough to map out where this risk is hidden. For those who lead the business, it means having an area capable of doing this at their side. In both cases, the starting point is the same: recognizing that this risk is probably closer than it seems.
