Compliance Guidance for Smaller Contractors

By Brian E. Sweeney

In April, the Department of Justice issued updated guidance regarding the evaluation of corporate compliance programs to assist prosecutors in deciding whether they were adequate and effective at the time of an offense, as well as at the time of a charging decision. It builds upon earlier guidance and provides further specificity as to the factors the department will consider in its evaluations.

The department disclaims using “any rigid formula to assess the effectiveness of corporate compliance programs,” but instead makes “an individualized determination in each case” based on three fundamental questions: Is the program well designed? Is it being applied earnestly and in good faith? And does it work in practice?

For each of these questions, the department posits a list of factors to consider. However, when it comes to small- and medium-sized businesses, some of the features described by the department may be out of reach in terms of staffing, operations and cost. While large corporations can take the guidance and turn it into a checklist to determine that their compliance programs have all the features endorsed by Justice, smaller companies must make a very different and difficult assessment: what program elements can they effectively implement, and how much compliance can they afford?

As to program design, Justice will look at five elements: risk assessment; policies and procedures; training and communications; confidential reporting and investigation processes; third party management, if any; and procedures for compliance issues in mergers and acquisitions. Setting aside the last element, small- and medium-sized defense contractors should already have these basic elements in place, given the requirements of the Federal Acquisition Regulation Part 3.1002 for a written code of business ethics and conduct as well as an internal control system that promotes compliance, and FAR §52.203-13, which requires the contractor to adopt a code for contracts expected to exceed $5.5 million.

But for many companies, both risk assessment and reporting and investigation structures may pose challenges to organizational and financial resources. Justice looks for a risk management process, with risk-tailored resource allocation, and ongoing revisions based on lessons learned. Smaller organizations that lack internal audit or legal resources should consider engaging outside compliance experts to help them meet these expectations. Given that a solid risk assessment will allow the company to focus its limited resources where the need is greatest, this is a worthwhile investment that can save money in the long run, because compliance problems often can be identified and remediated before they become offenses.

With respect to policies and procedures and training and communications, contractors can look to several nonprofit organizations for guidance and model policies, training materials, and other resources available at the cost of membership. The Ethics & Compliance Initiative, the Defense Industry Initiative on Business Ethics and Conduct, and the Society of Corporate Compliance and Ethics offer assistance. Membership fees are typically graduated based on company size.

In determining whether a compliance program is being implemented effectively, the department looks for a commitment by senior and middle management to foster a culture of ethics and compliance with the law, while also watching for management tolerance of compliance risks in pursuit of new business or increased revenues, or management encouragement of employees to act unethically to achieve goals. Management’s persistent focus on ethics and compliance is perhaps the most important and least expensive element of an effective program.

The department also looks for employee incentives and disciplinary measures. Companies can integrate them into their employee evaluation, compensation and development processes. Recognition of positive behavior, along with promotions or bonuses, can significantly reinforce an ethical culture.

The question of whether a compliance program works in practice often arises once an enforcement action is underway and a charging decision is before the prosecutor. Here the department looks for evidence of “continuous improvement, periodic testing and review,” which presumes auditing, updating risk assessments and measuring the culture. For many small- and medium-sized companies, these activities can only be provided by outside resources, which means potentially significant added cost.

Justice also looks for a “well-functioning and appropriately funded mechanism for the timely and thorough investigation” of allegations of misconduct. For most small- and medium-sized companies, that requires engagement of outside counsel, which can be expensive. If, however, these questions are being raised in a government investigation or prosecution, the company will likely already have outside counsel engaged to respond and investigate.

Finally, the department looks to a company’s follow-up to a compliance breach — root cause analysis and remedial actions, or gleaning lessons learned — as the ultimate indicator of an effective compliance program. These efforts will almost always be the outcome of an investigation or enforcement action, and the follow-up required is often necessary to avoid suspension or debarment under FAR by demonstrating “present responsibility” in remediating past misconduct.

For contractors, a careful assessment and prudent investments in compliance can mean the difference between a compliance disaster and a compliance success.

The Law Office of Brian E. Sweeney focuses on technology, aerospace and defense, government and commercial contracts, and ethics and compliance programs. He can be reached at