Robert Tompkins is a Partner and Rodney Perry is an Associate in Holland & Knight's Washington D.C. office

It's been ten years since the Federal Acquisition Regulation (FAR) was amended to require government contractors to have a business ethics and compliance program – that's right, it's a requirement in every government contract and in most subcontracts! Aside from being a requirement in every contract and a core component of a small business' "present responsibility" (i.e. eligibility to be a contractor at all), recent developments have made it essential for small business to address compliance now.

In particular, the Department of Justice has issued guidance as to what it expects from an organization's ethics and compliance programs, and has reiterated that it will not tolerate companies that lack an effective program. In other words: get caught without one, and that may be the end of your company. See our post about the DOJ Guidance. The good news is there has been a lull in new FAR and other regulatory requirements under this Administration, so this is a good time to play some catch up.

But let's face it, many small businesses are not where they should be, and some others are not even close. So why aren't small businesses better prepared and how do small businesses move ethics and compliance programs from a perennial back burner issue to the forefront?

What's Holding Many Small Businesses Back?

Small businesses confront a multitude of challenges in establishing and maintaining a government contracts ethics and compliance program. Resources and bandwidth are precious commodities and company management is often stretched too thin. Particularly for contractors experiencing rapid growth, keeping basic performance functions up and running takes all their time and energy. Further, small businesses can have difficulty deciding even where to begin because the requirements imposed by the FAR are immense and can seem daunting.

Common misconceptions about ethics and compliance programs and what they entail also tend to hold small businesses back.

First, while some view compliance solely as a risk mitigation process that is designed to avoid downside risk with no potential upside, this is far from true. Most significant, protecting against downside risk in government contracts is essential because the consequences of mistakes can be catastrophic and include treble damages under the False Claims Act, suspension and debarment, and even the process penalty that comes with a significant government investigation. Each of these can kill a company. At its basic level, compliance is about preventing and detecting misconduct and mistakes that can lead to compliance issues. But an effective ethics and compliance program also helps companies avoid performance mistakes (and costly re-work), and has the benefit of allowing companies to present timely and acceptable invoices resulting in quicker payments and a better reputation (and better CPARS).

Second, a common mistake is to view compliance as an entirely separate function from other business processes and systems, or worse, one which is at odds with efficient and effective operations. Effective ethics and compliance programs should be set up alongside and as a part of other major business systems. In addition, while it's essential to assign responsibility (and resources) to a person with overall responsibility for the program, this is not a one person show. All your functional managers have a role in compliance; HR, Accounting, Program Management and Business Development all must be a part of assessing risk in their functional areas, ensuring controls are in place to address those risks, and funneling those requirements up to the compliance manager to weave into the tapestry of the program.

Third, small businesses often don't give themselves enough credit for what they are already doing. All too often we hear "we don't have an ethics and compliance program." This is almost always untrue because the internal controls small businesses have in place to govern basic business systems are themselves an important part of their compliance efforts. Simply taking stock of what's already in place and taking a holistic view allows a small business to start checking off a number of requirements, making the rest of the process more manageable.

Finally, we still hear remnants of a fading viewpoint: good people don't need to be trained in these things and our people are good people and inherently know what to do. This is wrong. The regulatory environment for contractors is too complex to count on basic human instincts. It also will be construed as indifference, or worse, by the Justice Department, by suspension and debarment officials, and by contracting officers. The government has made it clear there will be no forgiveness for such a view – one bad step and a company is sunk.

So What's a Small Business to do?

The first step is to take stock. Get major functional group leadership together to identify existing controls and where they think improvement is needed. Read contracts and identify the requirements and clauses that present catastrophic consequences. Pay special attention to FAR Part 3 and Part 9 clauses.

Second, consider available guidance documents on ethics and compliance programs. Law firms with experience in this area have a lot of materials "in the can" and can help small businesses figure things out quickly. Look at available government guidance, like DOJ's guidance and the DCAA Audit Manual. Many companies have their materials posted online – don't be shy about reviewing those materials, but don't just cut and paste them either. Finally look to organizations that focus on compliance, like the Society for Corporate Compliance and Ethics (SCCE).

Third, perform a basic risk assessment to better inform the company's views and to prioritize which issues to address first. The DOJ's recently updated guidance on ethics and compliance programs has elevated the importance of a risk assessment as a defining aspect of an ethics and compliance program. While one hopes to never have to deal with DOJ, their guidance is relied on by other government officials (DCAA, contracting officers, Inspectors General) in assessing a compliance program. They also played a big role in the development of the FAR requirements mandating the adoption of compliance programs, so their guidance is very important. (Stay tuned for another article from us on Risk Assessments and what they should entail).

Fourth, designate someone to be the company's Chief Compliance Officer. For small businesses, this can be a person who holds another title (or titles). Particularly for starters, pick someone who is trusted, respected, and organized. Make it clear that the rest of management is expected to execute on what's needed to support the CCO and the overall project.

Finally, think of this as a pass-fail test and address the things that could kill the company first. Over time, as the program evolves, work can be done on elevating the company's letter grade.

With those basic points in mind, here's a suggested timeline and punch list to get that grade up to a pass:

Immediate Requirements:

  • Take the steps noted above; in particular conduct a basic risk assessment and appoint a Chief Compliance Officer or equivalent and provide sufficient resources to carry out the program.
  • Adopt and distribute an overall policy outlining the program and make sure the issues that present the highest risk are covered. Also, list the basic components (the code, training, hotline, report handling, the role of the CCO) and have it come from senior management.
  • Create a code of business ethics and conduct – keep it simple and hit the basics: don't lie, cheat or steal – or bribe, or make false statements, or violate the Procurement Integrity Act – and be sure to cover any special high risk areas identified in the risk assessment.
  • Distribute the code to all existing employees and require acknowledgement and include a message from management emphasizing the importance of this effort for all employees.
  • Institute and publicize a hotline or other anonymous, internal reporting structure for reporting suspected or alleged violations of the code or other misconduct (the FAR requires this). This can be outsourced to a vendor, a law firm or an accounting firm with a dedicated voicemail line or email address, with access limited to a designated monitor works.
  • Establish a basic method and procedure for responding to reports of misconduct or violations. Again, everything should be kept as simple as possible and until the company gets its sea legs, it should consider getting a law firm to help with any reports of serious misconduct. At this point, the company should not have that many (and maybe not any).

Short-term Requirements:

  • Hold a training session for employees (and board members, if applicable) on special contracting rules and regulations for doing business with the Federal Government. Keep it simple by tracking the code (which should be tracking the risk assessment).
  • Establish a training program for new employees and a program for periodic training and updates for existing employees. Again, don't overcomplicate it and just teach what's in the company's code and keep track of attendance.
  • Establish a reporting process for the CCO to report to the CEO, and the Board if the company has one, periodically.

Longer-term Requirements:

  • Establish an internal control system and procedures to facilitate discovery and disclosure of improper conduct.
  • Carry out periodic reviews (annually or semi-annually) of policies and procedures concerning business conduct.
  • Establish a periodic (and perhaps more robust) risk assessment process.
  • Ensure that there are appropriate consequences for employees and management related to the ethics and compliance program (i.e. discipline for violations and positive reinforcement for compliant behavior).
  • Add policies as needed to address special government contracting requirements, and develop training modules to educate the work force.

Tackling the above, and having a plan in place showing how you intend to do so, should get you over the pass-fail hump. The sooner you do, the better.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.