Fred Geldon discusses how establishing a credible compliance program can help contractors and compliance professionals to manage risks specific to government contracting.
Special compliance requirements apply when doing business with the government. Many practices or activities that are legal and acceptable in the commercial marketplace are not legal or acceptable in the federal government marketplace.
Violating compliance rules can subject a contractor not only to contractual and financial harm, but potentially to criminal sanctions as well. Contractors must help the government operate with the highest degree of public trust. This is good ethics and good business. And it is required; by regulation, covered government contractors must establish and maintain a compliance program.
What is the Requirement?
Under the Federal Acquisition Regulation (FAR), Subpart 3.10 (FAR 3.1002), federal government contractors are required to “conduct themselves with the highest degree of integrity and honesty” and should have a written code of business ethics and conduct, an employee business ethics and compliance training program and an internal control system. These programs and systems should:
- be suitable to the size of the company and extent of its involvement in government contracting,
- facilitate timely discovery and disclosure of improper conduct and
- ensure corrective measures are promptly instituted and carried out.
This compliance program requirement is implemented by FAR 52.203-13 (the “13 clause”), which must be included in solicitations and contracts if the value of the contract is expected to exceed $5.5 million (a threshold the FAR adjusts periodically for inflation, so check the current FAR 3.1004 figure) and the performance period is 120 days or more.
The scope of this requirement depends on the size of the contractor and whether its government contracts are limited to commercial items. For all contractors:
- The code of business ethics and conduct is to be established and made available to contractor employees within 30 days of award of a covered contract.
- The contractor must exercise due diligence to prevent criminal conduct and promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
- The contractor must promptly disclose in writing if it has credible evidence that a principal, employee, agent or subcontractor has committed a violation of criminal law involving fraud, conflict of interest, bribery or gratuity violations or a violation of the civil False Claims Act.
Additional requirements apply to large businesses that engage in noncommercial items contracting, including:
- A compliance training program and
- An internal control system, which includes:
  - Assigning responsibility at a “sufficiently high level” and providing adequate resources for an effective compliance program;
  - Reasonable efforts not to include bad actors as principals;
  - A hotline or other mechanism for anonymous or confidential reporting of improper conduct;
  - Periodic reviews, audits and monitoring to assess the effectiveness of the business ethics/compliance program and detect improper conduct;
  - Full cooperation in government audits, investigations or corrective actions; and
  - Disciplinary action for both improper conduct and failure to take steps to prevent or detect improper conduct.
In short, a covered contractor must have a code of business ethics, a training program, internal controls and a culture of compliance. The regulation provides structural parameters but no template; it recognizes that one size does not fit all.
It’s worth noting that the FAR compliance program requirements grew out of the Federal Sentencing Guidelines for Organizations (Chapter Eight of the U.S. Sentencing Commission’s Guidelines Manual, which defines an “effective compliance and ethics program”), with similar elements. The Department of Justice’s Evaluation of Corporate Compliance Programs guidance builds on the same elements: when deciding whether to investigate and prosecute criminal charges and recommend appropriate penalties, prosecutors are directed to ask:
- Is the corporation’s compliance program well-designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
So, there are lots of reasons to establish a credible compliance program. The program should help employees understand compliance rules, help employees avoid violating rules and protect the company if violations occur.
And, of course, a compliance program is required under the FAR. Let’s look at the elements that should make up a compliance program.
Contractor Code of Business Ethics and Conduct
The FAR requires the code only for government contract work, but the benefits of a code (promoting compliance, protecting the company, etc.) argue for making it company-wide, covering the contractor’s total mix of government and commercial business. Contractors with a global workforce may find it appropriate to have geography-based modules. While there is no prescribed template, a code will usually include the following components:
The introduction sets the tone. Most codes start with an endorsement from the highest level of the company, statements of the company’s ethical principles (e.g., “conducting business in accordance with both the letter and the spirit of the law”), and a guide as to the scope of the code and the responsibility of employees to follow it.
Companies must decide how much detail to provide. Greater detail will answer more questions but can be counterproductive if volume discourages employees from reading it. Companies must also decide how much discretion to allow – should employees be encouraged to exercise judgment, or will it be easier for them to understand and comply with black-and-white rules?
Many codes will set forth questions that employees should consider when facing ethical choices, such as:
- How will this action look to a government investigator or prosecutor?
- How would this action look in the newspaper?
- Am I treating others the way I would want to be treated?
- Does it “feel” appropriate in my gut?
Discuss issues that affect all government contractors. Some compliance risks apply to every government contractor, and the code should provide guidance on each of them. Indeed, government contracting officers, auditors and prosecutors will expect such coverage and be critical of codes that do not have it.
Bribes and Gratuities. Every code should address the prohibitions on gifts to government officials found in the criminal code (18 U.S.C. 201) and the Standards of Ethical Conduct for Employees of the Executive Branch (5 C.F.R. 2635). Contractors must make choices on matters such as whether to maintain a “zero tolerance” for gratuities.
Kickbacks and Contingent Fees. The code (and policies and procedures) must address the restrictions of the Anti-Kickback Act (41 U.S.C. chapter 87) and procedures to prevent and detect kickbacks, as well as the prohibition on contingent fees (FAR 3.4). Contractors must decide whether to have different rules for commercial contracting and government contracting.
Procurement Integrity. The code should alert all employees to the rules and risks under the Procurement Integrity Act (41 U.S.C. chapter 21; FAR 3.104) and provide guidance for what to do when encountering contractor bid or proposal information or source selection information that could give the company a competitive advantage.
Conflicts of Interest. The code of business ethics should advise employees to avoid and disclose potential personal conflicts of interest where their personal, family or business interests might differ from the company’s or its customers’ – especially if they are providing services to government procurement teams.
The code should also advise employees to be sensitive to potential organizational conflicts of interest, including:
- Disclosure of non-public information about open or future procurements (e.g., through emails, meetings).
- Requests for advice, outside the scope of the contract, that relate to future procurements.
- Opportunities to provide advice that would benefit the company.
Discuss other issues that apply to the contractor. Some compliance risks apply to all government contractors. Others do not, and whether they should be addressed depends on your current and future business and environment. A rigorous risk analysis is necessary; this should be a group function, including representatives from legal, human resources, finance and accounting, business development/sales/marketing, operations and management. The risk analysis should be dynamic, changing as needed when laws or regulations change or when the company’s contract portfolio moves in new directions (e.g., when you grow out of your small business status or win your first cost-reimbursement or time-and-materials (T&M) contract).
A risk analysis (and corresponding policies and procedures) should consider the company’s business and industry, its contracts and its corporate history and culture. For example:
- Small businesses may need to address size limitations and socioeconomic reporting issues.
- Schedule contractors should provide guidance about complying with the price reduction clause.
- Contractors that do business outside the United States or have foreign suppliers will need to address export control issues, country-of-origin restrictions, domestic preferences (e.g., the Buy American Act and Trade Agreements Act), the Foreign Corrupt Practices Act and anti-human-trafficking rules.
- Contractors that do cost reimbursement or time and materials contracting will need to discuss the importance of following compliant systems and procedures for time recording and expense charging.
- Contractors whose employees work on government sites will want to focus particular attention on how to comply with gift rules and procurement integrity restrictions in a blended workplace.
- Contractors who engage in lobbying will need to advise regarding applicable registration and gift rules.
- Contractors whose business requires individual or facility security clearances will need to address the rigorous rules that apply.
- Contractors who hire from the government need to address the post-employment laws (e.g., 18 U.S.C. 207 and the Procurement Integrity Act) that limit the ability of the contractor to recruit, hire and use former government personnel.
- Contractors may want to discuss limits on authority – which personnel can enter into non-disclosure agreements, teaming agreements or subcontracts/contracts.
- The code should emphasize that books and records must be accurate and that employees should cooperate with audits, whether internal or external.
Discuss generic issues. Especially if the code of business ethics is to apply company-wide, it should also include issues that apply to both government and commercial business, including:
- Insider-trading rules;
- Procedures for responding to media inquiries;
- Employee issues (e.g., equal opportunity, sexual harassment);
- Environmental, health and safety issues;
- Privacy issues (especially if subject to the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA));
- Charitable contribution policies;
- Use and protection of company assets and information, including its intellectual property rights;
- Cybersecurity issues; and
- Antitrust and competition requirements.
The Conclusion. The code should remind employees why compliance is important, recap the statement of purpose and the company’s ethical principles, discuss (briefly!) the dark side (the False Claims Act, the suspension and debarment process), and emphasize employee responsibility for compliance. The code should make it clear that violators include:
- Employees who authorize, condone, or conceal violations;
- Managers who approve or disregard violations, or fail to prevent or report violations;
- Employees who retaliate against those who report violations; and
- Employees who falsely accuse other employees of violations.
Finally, the code should discuss the company’s compliance program and explain where reports or questions should be addressed and how to use the company’s hotline.
Other Requirements for a Compliance Program
Training. The “13 clause” requires “effective training programs” provided “to the contractor’s principals and employees and as appropriate to the contractor’s agents and subcontractors.”
Small businesses and commercial-item contractors are excluded from the training and internal-control requirements of the “13 clause,” but must still have a code and make a copy “available” to employees. But is “shelfware” enough? Why have a code that can be ignored? It only makes sense that small/commercial contractors conduct some form of training about the (required) code. This can be expanded as the company and its contracts grow.
There is no prescribed training regimen. Contractors must decide the frequency and duration of the training, whether it should be part of new employee orientation with periodic booster shots and whether it should be conducted by in-house leaders (who may better understand the company) or outside experts (who may have greater credibility and objectivity). Special arrangements may be appropriate for employees in the field or working at government sites. Either way, the training must be tailored to the company’s actual business and risk profile and must be kept fresh as laws and regulations change and the company’s contract portfolio evolves.
Organizational Culture of Compliance. Legal and compliance officers are like goalies on a soccer or hockey team: Their job is to keep the other team from scoring. But they can’t do their job alone; there will be too many scoring chances unless a strong defense team prevents the other team from shooting.
Compliance is not just the job of the compliance officer. It must pervade the organization, starting at the top. Are the board and CEO involved? What do they say? What do they pay attention to? What role models do they provide? As my former manager would say, “the spider monkeys do what the baboon does.”
Who is promoted? What incentives are provided for good behavior? For example, is ethical conduct a criterion in the bonus plan?
And the defining question: Is legal/compliance viewed as a supporting resource or as an obstacle? If legal/compliance advises that a proposed (and profitable) action is unethical and the issue is elevated, (a) will leadership pound on compliance or pound on the potential violator, and (b) does the potential violator – or the whistleblower – believe that leadership will pound on compliance or pound on the potential violator? In other words, will management shoot the messenger?
Disclosure. The FAR compliance rule requires that all contractors make timely written disclosures to the agency Office of Inspector General, with a copy to the contracting officer, whenever the contractor has credible evidence that a principal, employee, agent or subcontractor has committed a violation of Federal criminal law involving fraud, conflict of interest, bribery or gratuity violations (found in Title 18 of the U.S. Code) or a violation of the civil False Claims Act, in connection with the award, performance or closeout of the contract or any subcontract under it.
To meet this burden, contractors must maintain a culture (and mechanisms) where employees can disclose relevant information without fear of retribution. The company should have an open door policy and a hotline allowing anonymity.
Internal Control System. The “13 clause” adds a number of requirements for large businesses doing non-commercial work.
Assignment of responsibility at high level, with adequate resources. The Chief Compliance Officer should report outside the operational chain (e.g., to the CEO, CFO, board of directors or general counsel). The CCO should not be at risk of being fired by the employees whose compliance he or she must review. The compliance officer should be “in the room where it happens.”
Reasonable efforts not to include bad actors as principals (i.e., rigorous due diligence for those to whom discretionary authority will be granted).
Hotline or other mechanism for anonymous or confidential reporting of improper conduct.
Periodic reviews, audits and monitoring to assess the effectiveness of the business ethics/compliance program and detect improper conduct. There are a number of possible mechanisms, as well as traps:
- Review reported violations or investigations. But will their absence demonstrate a culture of compliance, or an inadequate reporting system?
- Survey data can be useful, if done professionally.
- Anonymity encourages candor.
- Depersonalized questions (“Have you observed others committing violations?”) can reduce self-incrimination bias.
- Periodic surveys with consistent questions can allow for longitudinal reviews (“How have compliance issues changed over time or over company division?”)
- Metrics can benchmark status and (hopefully) progress. But beware of the “tyranny of the hard variable,” where only the trivial can be measured.
Full cooperation in government audits, investigations or corrective actions.
Disciplinary action for improper conduct and for failure to prevent or detect improper conduct. Were there opportunities to detect and prevent the misconduct in advance? What remediation activities have been taken to prevent future misconduct?
The Bottom Line
Ask yourself: What can you produce when an auditor knocks on your door? Because they will!
- Code of business ethics and conduct (duh!).
- Training materials, attendance sheets, student certifications.
- Placement of the compliance function in the organizational structure.
- Evidence that a person’s compliance record is considered in hiring, promotion and rewarding.
- Written records from periodic reviews and evaluations of effectiveness, as well as follow-on actions taken.
- Records of hotline calls and follow-up action taken, structural analysis of issues and other metrics.
- Employee survey results.
- Examples of disciplinary actions taken.
- Examples of disclosures and investigations.
Remember the First Rule of Government Contracts: It’s not enough to do what is required; you have to be able to prove you did it. DOCUMENT!
The author regularly conducts a Hands-On Workshop in how to develop an ethics and compliance program, under the sponsorship of the Public Contracting Institute. For further information, see www.publiccontractinginstitute.com.
Except where otherwise noted, the references to Parts, Subparts, Sections and Clauses come from the Federal Acquisition Regulation or the Defense FAR Supplement (DFARS), which can be found online at http://farsite.hill.af.mil/
“First Rule of Government Contracts” coined by the author. It’s in the public domain – feel free to use it!