Evaluating Ethics, Compliance Programs
Photo: iStockLast fall, the Department of Justice hired Hui Chen as its first full-time compliance counsel. Chen came to the DoJ with experience as both a prosecutor and a corporate compliance officer. This new role is designed to enhance the department’s approach to evaluating companies’ compliance programs.
The creation of this new position sends a powerful message about the current focus on compliance across industry. Indeed, Assistant Attorney General Leslie R. Caldwell has stated that the establishment of this new role “should be an indication to companies about just how seriously we take compliance.”
It should also serve as a healthy reminder to contractors to evaluate their own ethics and compliance programs. The policy for federal contractors on “Contractor Code of Business Ethics and Conduct” can be found at Federal Acquisition Regulation (FAR) Subpart 3.10. In addition, there are specific contractual requirements at FAR 52.203-13 for contracts valued at over $5.5 million and with a period of performance of 120 days or more — subject to certain exceptions for small businesses and commercial item contracts.
These prescribe program elements comprising a written code of conduct, communications and training, an internal reporting mechanism such as a hotline, and more, including a specific requirement to conduct periodic evaluations of the effectiveness of the program.
While a government contractor may never have its ethics and compliance program assessed by the Justice Department, it is likely to have it reviewed by the Defense Contract Audit Agency and other agencies or customers. It behooves contractors to be prepared for such reviews, rather than having to scramble in response to the proverbial knock on the door.
An evaluation of an ethics and compliance program’s effectiveness should be done vis-à-vis all applicable requirements or guidelines. The overall goals the program is designed to achieve — such as creating a culture of integrity or safeguarding the company’s good reputation — should also be borne in mind. It is not a check-the-box exercise. For example, it is not enough to ask whether compliance policies exist. It is important to ask whether employees know what the policies mean in relation to their own jobs and how to use policies or other resources to help them respond in a tricky or uncomfortable situation.
In a recent interview published by Ethics and Compliance Initiative, an Arlington, Virginia-based association devoted to corporate ethics, Chen shared some of the indicators she looks for when assessing the effectiveness of a compliance program. Among these are: How empowered is the compliance officer and does the role get the resources and support it needs? Is compliance just on paper or truly embedded in daily business operations? In the event of a violation, are corrective actions real and suitable? And are cross-functional collaboration, ownership, commitment and accountability for compliance manifest throughout the organization, especially among the leadership?
These effectiveness “tests” illustrate the in-depth approach that should be taken with a program assessment.
One example of required program elements from FAR 52.203-13 centers on “effective communications and training.” Periodic and practical communications and training about the ethics and compliance program, tailored to each audiences’ roles and responsibilities, must be provided to company leadership or principals, employees, and, as appropriate, to others who act on behalf of the company such as agents and subcontractors.
An effectiveness evaluation needs to ask questions such as: How are resources allocated to communications and training? Are they sufficient? How does the company determine whether the communications and training are effective; for example, does it survey employees to gauge understanding or issue post-training tests to measure comprehension? Is business area leadership supportive or is there push back about incurring training costs? If that sort of discord takes place, how does it get resolved?
Another required program element is “risk assessment.” Contractors need to periodically evaluate the risk of criminal conduct and then design, implement or modify their ethics and compliance program and internal controls program to mitigate any identified risks.
In evaluating this process, consider the resources allocated to it. Are they adequate to conduct a meaningful assessment? Does the company leadership support the process as one that adds value? If not, why not? Is the risk assessment broadened to take into account ethics and reputational risks? Does participation in the process extend far enough in the organization to be valid? In an area identified as high risk by the assessment process, how does the functional head respond in terms of involvement and commitment to modifying processes to mitigate the risk?
In addition, contractors should look at their “internal reporting mechanisms.” The contractor must make available a communications channel, such as a hotline, which allows for confidentiality or anonymity, that employees can use to report suspected misconduct.
The contractor must also give employees instructions and encouragement to use the internal reporting mechanism. Evaluate the effectiveness of the hotline by asking, for example: Is it available to all employees worldwide in their own languages? Does the company explain to employees exactly what happens, step by step, if they choose to raise a concern using the hotline?
Are suspected violations investigated fairly and thoroughly and dispositioned promptly? Does leadership across the board support use of the hotline as one of the company’s tools for preventing and detecting misconduct? Is management committed to prohibiting retaliation against employees who report concerns via the hotline?
The Ethics and Compliance Initiative interview with Chen can be found at: www.ethics.org.
Anne R. Harris is owner and principal of Ethics Works LLC, an ethics and compliance consulting practice with a particular focus on defense contractors. She formerly served as chief ethics officer for General Dynamics Corp. The opinions expressed are her own. Comments may be sent to firstname.lastname@example.org.