ETHICS CORNER DEFENSE CONTRACTING
Ethics Programs Need Regular Improvements
Photo: iStockMany know what an effective compliance program looks like, but how does it operate?
An effective program is one that is planned, executed and enforced toward the goal of detecting wrongdoing and preventing noncompliance, according to the Federal Sentencing Guidelines of the Department of Justice. Although the guidelines provide information on what elements an effective compliance program should contain, they do not explain how the program must operate in a real company.
Beyond complying with the law, one important goal of having a compliance program is to respond to regulatory investigations. Compliance programs will need to be explained to a regulator at some point. To show an effective compliance program to regulators, a contractor must explain how the compliance program works by answering the following questions: How does the company decide how to achieve compliance? How does the company implement measures to achieve compliance? How does the company know whether compliance procedures work? How does the company react to problems?
The answers to these questions can change, but they need to be answered in detail. How the compliance program works needs to be well-known by those with a role in its operation.
One approach is to use the structure of continuous improvement, borrowed from the world of manufacturing, to operate an effective compliance program, also known as “Plan, Do, Check, Act” or PDCA. Those familiar with quality management from manufacturing already understand continuous improvement. A library of books has been published on the topic. As an example, below is a simple description of a manufacturing continuous improvement cycle.
First, a manufacturer creates a plan to produce a product. Second, the manufacturer executes the plan. Third, during product production, the company checks for defects in the resulting product. Fourth, the company manages the defects by creating corrective action plans for reducing or eliminating defects. The cycle repeats with execution of the corrective action plans, measuring the results, creating new corrective action plans, and so on. With each successive cycle, changes are made to improve results, reducing the risk of defects.
In addition to quality management in manufacturing, the process of “Plan, Do, Check, Act” is also helpful for a contractor building an effective compliance program. Using it is helpful because its implementation also gives the business the ability to answer fundamental questions.
Plan. How does the company decide how to achieve compliance? Before a contractor can have an effective compliance program, it must first address how decisions about compliance will be made. In other words, it needs to determine how the compliance program will be governed. This is a step that is easy to overlook. However, without a sustainable method of making decisions, none of the other steps of PDCA can be accomplished. For example, in the case of a manufacturer of children’s toys, how will the company decide what policies and procedures are necessary to manage its compliance risks? These decisions require input and expertise from many participants from many levels and functions.
Do. How does the contractor implement measures to achieve compliance? Of course, implementation of the plan is the next step. Although directing the company to “do” sounds simple, reality is much more complex. The company needs to identify a responsible leader to ensure proper implementation. Determining who will hold this responsibility can be a tricky problem if the obvious candidate does not want the job. Companies are not normally structured around compliance obligations. Often responsibilities need to be shared across functions.
Check. How does the business know whether compliance procedures work? Contractors must be able to demonstrate why regulators should have confidence in the compliance program. Monitoring must be designed to detect problems. Companies cannot “go through the motions” and expect to build credibility with regulators.
It helps the monitoring function when policies and procedures are designed to be checked or raise red flags when problems arise. Further, procedures need to be designed with an eye to being auditable. The actions that the operation takes to comply need to leave behind a record that can be checked, either in an audit or as part of the process itself. For example, if a toy manufacturer required its toys to meet certain technical criteria, a procedure documenting the testing of the toys could be checked by an audit. If a procedure existed to stop shipment in the absence of the testing documentation, the procedure itself would include an automatic “check” on whether testing was done.
Act. How does the business react to compliance problems? Contractors must act reasonably and respond appropriately to information about compliance failures. Depending on the circumstances, what is “reasonable” can mean anything from re-training staff to automating manual processes to disciplining employees. Disclosure requirements must also be considered.
Repeat the cycle on a rhythm — weekly, monthly, quarterly — that makes sense for the contractor’s business and the risk at issue. Using the PDCA structure in compliance is helpful to the compliance practitioner. It provides a common language for the cross-functional work of operating the compliance program. It helps that continuous improvement is a method with which many are likely familiar. It also breaks down the broad goal of “compliance” into actionable steps.
In short, using these four fundamental questions within a PDCA approach is a practical way to think of how an effective program operates. It is a good guide for contractors to use to design the operation of compliance programs. It leads to answering fundamental questions that the company will need to explain to demonstrate its compliance program’s effectiveness.
Leona Lewis, JD, is the founder of ComplyEthic Consulting LLC (www.complyethic.com), a compliance consulting company. She can be contacted at firstname.lastname@example.org.