BNA INSIGHTS: Key Considerations for Establishing an Effective Ethics and Compliance Program

Federal Contracts Report™ delivers concise, authoritative reports covering the complete spectrum of issues affecting the federal acquisition of goods and services, to keep you abreast of policies...

Compliance Programs

This article discusses the importance of establishing an effective, sustainable and scalable ethics and compliance program, and how such a program can benefit both growing and well-established companies. The author suggests a potential framework for developing and maintaining an effective program, highlighting certain specific compliance areas of focus, discusses the key characteristics of effective programs and offers design tips.

Jeniffer M. De Jesus Roberts

By Jeniffer M. De Jesus Roberts

Jeniffer M. De Jesus Roberts is a Partner in the Government Contracts practice in Dentons' Washington, D.C., office. She has a multidisciplinary practice, including extensive experience designing, implementing and enhancing ethics and compliance programs for new and established major government contractors.

Contracting with the U.S. federal government is not for the weak-hearted. Government contracting is a highly regulated business, and government contractors face a tremendous amount of scrutiny and increasing government oversight. The government has established certain ethical and compliance standards which dictate what, at a minimum, should be included in an ethics and compliance program.

These compliance requirements go beyond compliance with contract terms and conditions, and require that government contractors address how the company will comply with a plethora of statutes and regulations, including those aimed at ensuring competition and integrity in the procurement process; preventing corruption; and achieving certain socioeconomic goals, as well as evaluating whether a company has appropriate protocols in place to prevent and detect criminal conduct.

The extent to which these obligations apply to a particular company varies depending on, among other things, what type of agreement the company enters into with the government, and whether the company is a small business or commercial item contractor.

The diversity of contracting opportunities with the government, coupled with the uniqueness of the companies that enter into such contracts, makes a “one-size fits-all” approach to establishing an effective ethics and compliance program impossible. Defining what constitutes an “effective” ethics and compliance program for a particular company requires thoughtful consideration of a company's business, overall risk profile, and the contractual and regulatory obligations to which it is subject.

Indeed, what constitutes an effective ethics and compliance program for a small business, commercial item or service provider or a new entrant to government contracting is vastly different from what constitutes an effective ethics and compliance program for a major government contractor.

This article begins with a discussion about the importance of establishing an effective, sustainable and scalable ethics and compliance program, and how such a program can benefit both growing and well-established companies. This article then suggests a potential framework for the development and maintenance of an effective ethics and compliance program, highlighting certain specific compliance areas of focus. Next, it discusses the key characteristics of effective ethics and compliance programs and concludes by offering a few design tips to consider to enhance an ethics and compliance program.

The Importance of Establishing an Effective Program

The risks associated with failing to establish and maintain an effective ethics and compliance program are substantial. Lack of an effective ethics and compliance program may result in violations of applicable laws, regulations and contractual requirements. In turn, noncompliance may lead to claims for breach of contract and termination for default, negative past performance ratings, and the potential for suspension and disbarment proceedings, which could result in preclusion from working as a government contractor.

Noncompliance could also pose significant financial risks to a company, including cost disallowance or delays in payment and civil penalties, as well as having to pay the government the costs associated with the reprocurement of the goods or services at issue. For example, an ill-designed ethics and compliance program may result in inaccurate billings and potential overcharging to the government, which may lead to fraud allegations and civil and criminal penalties for knowing concealment of facts and false representations under various laws including the False Claims Act (FCA), the False Statements Act and Obstruction of a Federal Audit.

More importantly, however, establishing an effective, sustainable and scalable ethics and compliance program promotes business growth. Structured optimally, a company's ethics and compliance program can be a strategic value differentiator when bidding on opportunities and can be one of a company's best assets to grow its government business. To be effective as a business driver, an ethics and compliance program must: (1) address the actual compliance and regulatory requirements of the company; (2) have alignment with the company's culture and be aimed at achieving the highest standards of integrity and fair dealing; (3) be scalable to support business growth in line with the company's objectives; and (4) strive to achieve customer confidence and satisfaction while protecting the business and legal interests of the company. An effective ethics and compliance program will yield high customer confidence and satisfaction, resulting in positive past performance ratings, and the potential expansion of current work and referrals to other customers for additional business opportunities.

A Potential Framework

To be effective, a company's ethics and compliance program must go beyond reciting the rules and regulations that apply to it. Rather, the ethics and compliance program must be uniquely tailored to consider the company's industry, customer base, overall growth strategy and risk tolerance. In addition, a company's ethics and compliance program must not only be meaningful to the individuals charged with managing the ethics and compliance program, but, to achieve optimal success and effectiveness, it must be meaningful to everyone in the company, including leadership, managers on the ground and all employees, especially those who are being asked to take ownership over various aspects of compliance.

An ethics and compliance program that “looks good on paper” but is difficult to implement or is out of touch with the current business environment is meaningless. Successful ethics and compliance programs are achieved when companies establish and promote a “culture of compliance” that consistently demonstrates that the company is an ethical actor in the marketplace, rewards ethical behavior and has zero tolerance for improper or illegal behavior.

Following is a potential four-part framework for the development and maintenance of an effective compliance program. This framework is intended to assist a company in thinking through how to design its ethics and compliance program.

Step 1: Conduct a Compliance Risk Assessment. The first step is for a company to identify its specific compliance areas of focus. This will dictate which policies and training programs are created, how the internal control and internal audit programs will function, and what communications and leadership messaging will need to be developed. Identifying a company's specific compliance areas of focus is done, in large part, by taking an inventory of and reviewing the company's contractual and other regulatory obligations. If a company already has government contracts, it should review and analyze its existing contracts to assess its contractual compliance obligations. Companies that have no current government contracts but are contemplating becoming government contractors should review sample solicitations to become familiar with the types of requirements likely to be included in government contracts. All companies also will want to undertake a review of the current government contracting regulatory environment to understand areas of general industry risk and high enforcement.

Below is a list of specific substantive areas of focus that may be included in an ethics and compliance program. The list is by no means exhaustive, and should not substitute for a detailed review of a company's specific contractual and other regulatory requirements. It is included merely as a guide to assist in thinking through the various compliance areas of focus to which a company may be subject.

  • Business ethics and conduct. In addition to maintaining a written code of business ethics and conduct, government contracts contain clauses that require contractors to adhere strictly to certain ethics standards and to implement internal controls to ensure compliance, including the establishment of anonymous reporting hotlines, conducting thorough internal investigations, and establishing a practice that supports the company's full cooperation with government audits and investigations.
  • Procurement integrity. All government contractors must be aware of and comply with the laws and regulations governing the integrity of the government's procurement process, particularly those aimed at combating corruption and fraud, and promoting competition and procurement integrity. Closely related are the government's conflict-of-interest rules which may impede a company's ability to get work due to a perceived or actual organizational or personal conflict of interest.
  • Mandatory disclosure. Under the FAR's Mandatory Disclosure Rule, government contractors must disclose credible evidence of any of the following in connection with a government contract or subcontract: violations of federal criminal law involving fraud, conflicts of interest, bribery or gratuities; violations of the civil False Claims Act (FCA); and substantial overpayments by the government.
  • Interactions with third parties, including government employees. There are various requirements and restrictions associated with a company's use, diligence and treatment of third parties and its interactions with government employees. For example, former government officials are subject to restrictions on the type of work they can perform after leaving the government. There also are several regulations dealing with the competitive procedures to be used, and the vetting process required for the use of third parties on government contracts. In addition, there are laws in place that prohibit the offer or acceptance of gratuities (including gifts and hospitality to government employees), bribes and kickbacks.
  • Socioeconomic and human rights requirements. The government expects its contractors to support and advance its socioeconomic policies, including those aimed at supporting contracting with small businesses, advancing equal employment opportunities and combating human trafficking.
  • Employment and labor requirements. A variety of labor and employment laws and regulations may apply to a company doing business with the government. Examples include the Fair Labor Standards Act (FLSA), Service Contract Act and the Davis-Bacon Act. In addition, there have been several executive orders issued recently dealing with such issues as minimum wage, paid sick leave and fair play and safe workplaces.
  • Domestic preference requirements. In some cases, the government will mandate that a company use domestic supplies and materials in performance of its government contracts. These domestic sourcing requirements are addressed in a variety of statutes including the Buy American Act and the Trade Agreements Act.
  • Protection of the government's assets. A significant number of rules and regulations (both long established and recently developed) concern how to use, treat, protect and dispose of the government's assets, including real property, electronic information, personally identifiable information and customer data. Data protection and privacy, and cybersecurity in general, are central priorities for the government.


The desired outcome of Step 1 is to obtain a solid understanding of the various laws and regulations to which the company is subject as a government contractor.

Step 2: Develop an Ethics and Compliance Risk Profile. Armed with the knowledge of the applicable contractual requirements and the various rules and regulations to which a company is subject, a company can now begin to develop an ethics and compliance risk profile. It should address the following three distinct areas:

  • Contractual requirements. First, take an inventory of the mandatory terms and conditions that apply to the company. This includes an analysis of the company's current ability to comply with various contract clauses and associated compliance requirements.
  • Noncontractual requirements. Second, assess the noncontractual compliance requirements set forth in the various applicable regulatory authorities triggered by virtue of doing business with the government, including those identified in Step 1.
  • Key enforcement and high-risk areas. Third, assess the key enforcement and high-risk areas for the industry. As part of this process, a company should consider its own risk areas based on its past and current experiences, focused not just on the risks associated with being a government contractor, but also on its other business lines and strategic business expansion and growth priorities.


The desired outcome of Step 2 is a written, customized ethics and compliance risk profile tailored to the company's business interests. The risk profile will allow the company to (i) identify high-priority areas of focus (both for enhancing the ethics and compliance program and addressing business needs), (ii) establish priority-based timelines for completion of tasks, and (iii) identify staffing and budget needs.

Step 3: Design and Implement the Ethics and Compliance Program. The third step in the framework is to leverage the customized government compliance risk profile created in Step 2 to develop the company's ethics and compliance program, and then implement it. The major components of the ethics and compliance program should include policies, toolkits, processes, internal controls and audit procedures to ensure effective monitoring of the program, and a robust training and communication plan (including leadership messaging).

As the final design of the ethics and compliance program is developed, there are various questions that can be asked to assess the strength of the design of the ethics and compliance program. These include:

  •  Can the compliance infrastructure identify, prioritize and manage key opportunities and threats to the company's business objectives?
  •  Have customers raised compliance concerns (either contractual or noncontractual) in the past? If so, does the current program (or proposed enhancements thereto) address these concerns to the fullest extent possible?
  •  Is the ethics and compliance program designed in such a way that it is scalable to support business growth (i.e., work on new and different programs with additional compliance requirements and/or inorganic growth, via acquisition, requiring absorption of another entity with a different ethics and compliance infrastructure)?
  •  Do company employees know whom to call with ethics and compliance-related questions? Is there an anonymous ethics and compliance hotline? Are employees fearful of retaliation if they raise a concern?
  •  Is a “rapid response team” in place to be able to triage any immediate, high-profile compliance issues (i.e., data breach, anonymous e-mails to customers, notice of lawsuit, surprise government raid, etc.).


Fundamental to the effectiveness, sustainability and scalability of any ethics and compliance program is ensuring that the highest level of leadership within the company is engaged and has set the appropriate tone at the top by promoting a culture of success through ethical behavior and compliant business practices. Further, the program must include clear, consistent and easily understood standards and lay out requirements to which employees are held to comply.

In addition, the program should maintain up-to-date, relevant training and a clear communication on the policy and training requirements for each employee. Training curricula should be customized for each employee depending on his or her level of responsibility and functional role within the company. It also should have adequate monitoring, auditing and response mechanisms in place to verify compliance and procedures in place to address noncompliances.

Last, the ethics and compliance program must be treated as a living and fluid program with periodic assessment of the effectiveness of the current program and continuous enhancements to keep pace with the changing regulatory landscape.

Step 4: Establish a Risk Management Framework to Support the Periodic Assessment of the Ethics and Compliance Program. It is not enough to draft and release policies, and develop and then launch training. Companies that have truly effective, sustainable and scalable ethics and compliance programs will make the systematic review of the program's efficacy in managing the company's compliance obligations an integral part of the ethics and compliance program. Periodic assessment of the ethics and compliance program (either with an internal team or with external consultants) provides a fresh perspective on the strengths and weaknesses of the program. Systematic reviews conducted on a regular, periodic basis are important because federal compliance requirements constantly change depending upon new or updated statutes, changing enforcement trends and contractual obligations. These reviews can either be time-based (e.g., annually) or event-based (e.g., award of a new contract) and should review all aspects of the ethics and compliance program. In conducting a periodic review, a company should be self-reflective and ask various questions, including:

  •  What are the company's current compliance obligations?
  •  Are there policies, procedures and training curricula aimed at addressing the most at-risk programs and behaviors?
  •  What metrics are being collected to verify the program's effectiveness? Are the metrics accurate?
  •  What improvements can be made to increase the effectiveness of the program?


Establishing an ethics and compliance program that is continually reviewed provides a company with the ability to establish its baseline risk profile, prioritize its risk, track its leading indicators of risk mitigation (e.g., resources, training, audits, etc.) and evolve its ethics and compliance program to not only protect the company, but also allow it to achieve business growth by addressing ethics and compliance issues before these issues become impediments to doing business.

Key Characteristics of Effective Ethics and Compliance Programs

Notwithstanding the thoughtful customization that is required to design an effective ethics and compliance program, there are a handful of common characteristics that should be present in any well-designed and effective ethics and compliance program. These characteristics include a fundamental understanding and awareness of the compliance regime to which a company will be held, together with an understanding of the company's business and growth and sales strategy. To be most effective, ethics and compliance programs must be business-minded, agile and scalable.

The program must not only assist the company to avoid compliance issues and prevent, detect and deter improper conduct; it also must be designed to support the company in its efforts to increase its sales and expand its customer base. Similarly, effective compliance programs recognize that a company's compliance obligations will continue to change over time as the government's priorities shift and the company's core offerings to the government change and expand.

Below is a set of “design tips” to keep in mind in creating and/or enhancing an ethics and compliance program.

Collaboration is Key

To be successful, one must seek and receive input from the business and functional groups in designing the program and also in conducting periodic reviews of the program so that the company can assess the sustainability and practicality of its ethics and compliance initiatives. Collaboration must exist across all functions including finance, human resources, sales, procurement, quality, operations, marketing, communications, strategy and business development. Each function must “own” and be held accountable for ethical and compliant practices and behavior. The company needs to ensure the correct individuals are involved in developing solutions to address enterprise risk and that the ethics and compliance function is appropriately staffed. Company leaders and all employees must be proactive about advocating for ethical and compliant behavior and business practices. Create a culture of compliance by ensuring everyone from the CEO to the entry-level analysts, as well as suppliers and business partners, are aware of the ethics and compliance program, understand it and recognize their role in helping the company be an ethical and responsible government contractor.

Put It in Writing

If the integrity of the company were ever to be questioned, the company will have to demonstrate it has: (1) meaningful written policies and procedures that make clear that the company understands its compliance obligations and has a plan in place to comply; (2) an effective training and communication program that ensures that all ethics and compliance policies and procedures are socialized to all relevant employees and suppliers and that these individuals have been trained on what those policies and procedures mean and how to raise a compliance concern; and (3) procedures in place for the periodic monitoring, auditing and review of its compliance program to ensure it is working according to plan and addressing ethics and compliance risks and issues appropriately.

Monitoring, Auditing and Response

As noted above, an important aspect of an ethics and compliance program is monitoring the actions of the company, its employees, subcontractors and agents to ensure all actions on behalf of the company are compliant with the relevant statutes and regulations and consistent with a company's code of business ethics and conduct. A review of the ethics and compliance program should be conducted periodically, and feedback should be provided regarding any trends, actions or behaviors that expose the company to risk, as well as if there are any necessary enhancements required to be made to the program to account for changes in the company's business and the ever-evolving regulatory landscape. Company leaders should take action to address any compliance deficiencies in addition to assessing whether any identified deficiencies have a broader potential impact on the company as a whole.

Ask for Help

Given today's regulatory environment, a company seeking to ensure that its ethics and compliance program is effective should get involved in the government contracts community as a way to learn how other contractors are tackling compliance issues and to network with fellow government contractors. It should also know when to call in the experts. By seeking support from consultants, accountants or attorneys familiar with the government's procurement process, the company will be well-positioned to take advantage of the prime opportunities to sell its products and services to the government.


In sum, a well-designed and effective ethics and compliance program is one that is tailored to the company's specific compliance obligations, understands and supports the company's business and sales strategy, and is scalable, adaptable and consistently monitored so that the ethics and compliance program can adjust and evolve in response to changes in government regulations and the company's business focus. Through increased regulation, it is clear the government is focused on doing business with companies that are consistent ethical actors and that strive to do business fairly, ethically and in compliance with all laws and regulations. Given today's regulatory landscape, a well-structured ethics and compliance program can be a strategic value differentiator and can provide a company with the edge it needs to beat its toughest competition. With successful implementation and maintenance of an effective, sustainable and scalable ethics and compliance program, the sky's the limit.

Request Federal Contracts Report