Authors' Note: Visit our panel at the National 8(a) Association Summer Meeting in Anchorage on Tuesday, June 18: Government Contractor Ethics and Compliance Programs – How to Meet the Government's Evolving Expectations and Improve Your Business.
It's been ten years since the Federal Acquisition Regulation (FAR) was amended to require government contractors to have a business ethics and compliance program – that's right, it's a requirement in every government contract and in most subcontracts! Aside from being a requirement in every contract and a core component of a small business' "present responsibility" (i.e. eligibility to be a contractor at all), recent developments have made it essential for small business to address compliance now.
In particular, the Department of Justice has issued guidance as to what it expects from an organization's ethics and compliance programs, and has reiterated that it will not tolerate companies that lack an effective program. In other words: get caught without one, and that may be the end of your company. See our post about the DOJ Guidance. The good news is there has been a lull in new FAR and other regulatory requirements under this Administration, so this is a good time to play some catch up.
But let's face it, many small businesses are not where they should be, and some others are not even close. So why aren't small businesses better prepared and how do small businesses move ethics and compliance programs from a perennial back burner issue to the forefront?
Small businesses confront a multitude of challenges in establishing and maintaining a government contracts ethics and compliance program. Resources and bandwidth are precious commodities and company management is often stretched too thin. Particularly for contractors experiencing rapid growth, keeping basic performance functions up and running takes all their time and energy. Further, small businesses can have difficulty deciding even where to begin because the requirements imposed by the FAR are immense and can seem daunting.
Common misconceptions about ethics and compliance programs and what they entail also tend to hold small businesses back.
First, while some view compliance solely as a risk mitigation process that is designed to avoid downside risk with no potential upside, this is far from true. Most significant, protecting against downside risk in government contracts is essential because the consequences of mistakes can be catastrophic and include treble damages under the False Claims Act, suspension and debarment, and even the process penalty that comes with a significant government investigation. Each of these can kill a company. At its basic level, compliance is about preventing and detecting misconduct and mistakes that can lead to compliance issues. But an effective ethics and compliance program also helps companies avoid performance mistakes (and costly re-work), and has the benefit of allowing companies to present timely and acceptable invoices resulting in quicker payments and a better reputation (and better CPARS).
Second, a common mistake is to view compliance as an entirely separate function from other business processes and systems, or worse, one which is at odds with efficient and effective operations. Effective ethics and compliance programs should be set up alongside and as a part of other major business systems. In addition, while it's essential to assign responsibility (and resources) to a person with overall responsibility for the program, this is not a one person show. All your functional managers have a role in compliance; HR, Accounting, Program Management and Business Development all must be a part of assessing risk in their functional areas, ensuring controls are in place to address those risks, and funneling those requirements up to the compliance manager to weave into the tapestry of the program.
Third, small businesses often don't give themselves enough credit for what they are already doing. All too often we hear "we don't have an ethics and compliance program." This is almost always untrue because the internal controls small businesses have in place to govern basic business systems are themselves an important part of their compliance efforts. Simply taking stock of what's already in place and taking a holistic view allows a small business to start checking off a number of requirements, making the rest of the process more manageable.
Finally, we still hear remnants of a fading viewpoint: good people don't need to be trained in these things and our people are good people and inherently know what to do. This is wrong. The regulatory environment for contractors is too complex to count on basic human instincts. It also will be construed as indifference, or worse, by the Justice Department, by suspension and debarment officials, and by contracting officers. The government has made it clear there will be no forgiveness for such a view – one bad step and a company is sunk.
The first step is to take stock. Get major functional group leadership together to identify existing controls and where they think improvement is needed. Read contracts and identify the requirements and clauses that present catastrophic consequences. Pay special attention to FAR Part 3 and Part 9 clauses.
Second, consider available guidance documents on ethics and compliance programs. Law firms with experience in this area have a lot of materials "in the can" and can help small businesses figure things out quickly. Look at available government guidance, like DOJ's guidance and the DCAA Audit Manual. Many companies have their materials posted online – don't be shy about reviewing those materials, but don't just cut and paste them either. Finally look to organizations that focus on compliance, like the Society for Corporate Compliance and Ethics (SCCE).
Third, perform a basic risk assessment to better inform the company's views and to prioritize which issues to address first. The DOJ's recently updated guidance on ethics and compliance programs has elevated the importance of a risk assessment as a defining aspect of an ethics and compliance program. While one hopes to never have to deal with DOJ, their guidance is relied on by other government officials (DCAA, contracting officers, Inspectors General) in assessing a compliance program. They also played a big role in the development of the FAR requirements mandating the adoption of compliance programs, so their guidance is very important. (Stay tuned for another article from us on Risk Assessments and what they should entail).
Fourth, designate someone to be the company's Chief Compliance Officer. For small businesses, this can be a person who holds another title (or titles). Particularly for starters, pick someone who is trusted, respected, and organized. Make it clear that the rest of management is expected to execute on what's needed to support the CCO and the overall project.
Finally, think of this as a pass-fail test and address the things that could kill the company first. Over time, as the program evolves, work can be done on elevating the company's letter grade.
With those basic points in mind, here's a suggested timeline and punch list to get that grade up to a pass:
Tackling the above, and having a plan in place showing how you intend to do so, should get you over the pass-fail hump. The sooner you do, the better.
Please note that email communications to the firm through this website do not create an attorney-client relationship between you and the firm. Do not send any privileged or confidential information to the firm through this website. Click "accept" below to confirm that you have read and understand this notice.