BNA INSIGHTS: Monitoring, Maintenance Are Vital in Ethics, Compliance Programs

Ethics

This article highlights the critical role of continuous monitoring, periodic review, and ongoing maintenance activities in ensuring the efficacy of any ethics and compliance program and the viability of relevant internal controls.

By Jessica Abrahams and Thomas Rath

Jessica Abrahams is the chair of Dentons' U.S. Government Contracts practice. She represents clients in a wide variety of areas, including biodefense, health care information technology, defense services, infrastructure development, foreign assistance contracting and Javits-Wagner-O'Day Act (JWOD)/Ability One.

Thomas Rath is a member of the Government Contracts practice at Dentons in Washington, where he provides contractors advice and representation in connection with bid protests, disputes and contract compliance matters, including audits, investigations and performance disputes.

Previous installments of this series have explained the benefits to a government contractor of implementing an effective ethics and compliance program. We have also discussed the risks associated with overlooking key compliance requirements. Building a robust system to ensure compliance is in a contractor's self-interest for several reasons. First, the consequences associated with violations can be severe. Second, a documented and thorough ethics and compliance program can help a government contractor demonstrate value to the government and thereby improve relationships with the company's customers. And third, companies are obligated by regulation and contract to implement an ethics and compliance program.

Significantly, a contractor's failure to maintain that robust program can undermine and jeopardize all the effort expended in building an ethics and compliance program. This article highlights the critical role of continuous monitoring, periodic review and ongoing maintenance activities in ensuring the efficacy of any ethics and compliance program and the viability of relevant internal controls. A government contractor should treat its ethics and compliance program as an evolving system of controls, and continuous monitoring is critical to efficacy.

Continuous monitoring and maintenance are crucial to the success of a government contractor's ethics and compliance program. The reasons are plentiful. Changing regulations can make policies obsolete or inadequate. Evolving business roles can add new risks and requirements that must be accommodated.

New and additional contractual obligations may influence required policies, as well as internal control mechanisms. Finally, for some contractors, monitoring and maintenance are not just a good idea but are requirements of a code of conduct consistent with applicable regulations, as well as necessary to demonstrate to government investigators and regulators that the contractor has an effective ethics and compliance program.

An Evolving Legal Landscape

The laws, regulations and contract clauses affecting government contractors are subject to frequent revisions, and the sheer volume of regulations applicable — or potentially applicable — to government contractors makes the job of monitoring for changes vital. When changes occur, they may require significant revisions to a contractor's ethics and compliance program and the implementation of additional internal controls.

Changes to regulations can affect ethics and compliance programs in several ways. For example, recent changes have been made to the prohibition on human trafficking set forth at Federal Acquisition Regulation (FAR) 52.222-50. The amendment added a series of prohibited activities applicable to all government contractors. For instance, the rule bans “deny[ing] access by an employee to the employee's identity or immigration documents” and mandates that an employment agreement, if required, must be provided in a language understood by the employee. Other rules incorporate local labor laws and safety standards in foreign countries. Finally, for contractors providing services or supplies outside the U.S. with a contract value higher than $500,000, a compliance plan must be implemented with specific features enumerated in the rule.

As a consequence of the anti-human trafficking amendment, contractors must now consider additional training and awareness programs for U.S. managers and employees who need to know about the prohibited activities and be prepared to avoid them. If non-English-speaking employees are used, the contractor may need to consider drafting foreign-language employment agreements.

The new clauses also require contractors working overseas to perform risk assessments and other compliance activities to ensure that the company complies with local rules. Finally, contractors who meet the applicable thresholds must draft an entirely new compliance plan that addresses employee awareness of prohibited activities; procedures for employees to safely report potential violations; recruitment, wages and housing consistent with the rule's restrictions; and procedures to prevent violations by subcontractors.

While not all rule changes will have the same impact, the changes to the anti-human trafficking rule amply illustrate why contractors need to stay informed as the legislative and regulatory landscape shifts. An ethics and compliance program that was designed to satisfy the requirements as they existed in 2014 would not prepare a company to comply with the amended rule. By failing to stay abreast of such developments, the company could find itself in violation of the amended rule without engaging in any wrongdoing.

Business Changes

Contractors' risk profiles also change as they grow their businesses, and their ethics and compliance programs must be amended to keep up. Many otherwise welcome events may give rise to new risks that should cause the company to reassess its ethics and compliance program.

As an example, imagine a company that wins a new contract larger than any of its previous government awards. Because many government contracting regulations are triggered by dollar-value thresholds, that new contract might come with new compliance needs.

A key example in the area of ethics and compliance is FAR 52.203-13. That clause is required in contracts valued at more than $5.5 million with a performance period greater than 120 days. A contractor might be thrilled to win such a contract for the first time. But under FAR 52.203-13, the award comes with substantial requirements to implement a code of business ethics and conduct, exercise due diligence to prevent and detect criminal conduct, promote an ethical organizational culture, and disclose violations involving fraud and other offenses to the government if the contractor has “credible evidence” of such violations.

Similarly, a company might grow by acquiring or merging with another entity. This kind of event also imposes compliance risks. The combination could create organizational conflicts of interest. The combined entity could also be exposed to regulatory requirements that are new to employees on one or both sides. Indeed, the acquiring or acquired business may not have considered itself a government contractor before the deal took place.

All of these issues illustrate that a growing and changing business requires an evolving ethics and compliance program. Thus, an effective government contractor ethics and compliance program should take company changes into account and build opportunities for review, monitoring and assessment of these corporate changes into its overall ethics and compliance program.

Monitoring Required by Regulations and Sentencing Guidelines

Specific requirements for ongoing monitoring activities appear in both the FAR and other controlling guidance. The most explicit requirement is FAR 52.203-13, which requires certain contractors to include monitoring and assessment as part of their business ethics awareness and compliance programs and internal control systems. Specifically, the rule requires “[p]eriodic reviews of company business practices, procedures, policies, and internal controls for compliance with the Contractor's code of business ethics and conduct.” These reviews must include:

  • “Monitoring and auditing to detect criminal conduct”
  • “Periodic evaluation of the effectiveness of the business ethics awareness and compliance program” and
  • “Periodic assessment of the risk of criminal conduct, with appropriate steps to … reduce the risk of criminal conduct identified through this process.”

These requirements specify some of the precise review and assessment activities that contractors must undertake. Other rules are less exact but amount to a similar practical requirement. For instance, contractors subject to FAR 52.223-6 must create an “ongoing drug-awareness program” and “[m]ake a good faith effort to maintain a drug-free workplace.” Similarly, the equal employment opportunity provisions of FAR 52.222-26 require contractors to take affirmative action to prevent discrimination in hiring and throughout the course of employment. Clauses like this require a continuous effort to remain in compliance, even though the nature of that effort is up to the contractor.

Finally, under the U.S. Sentencing Commission's Sentencing Guidelines, an effective compliance and ethics program can reduce the amount of any fine imposed on a company as a result of a criminal violation. To be considered “effective,” a compliance and ethics program must include reasonable provisions for monitoring and assessment, including steps to ensure that the program is followed, “monitoring and auditing to detect criminal conduct,” periodic evaluation of the program's effectiveness, and a system through which employees can report potential criminal conduct.

Additionally, the Sentencing Guidelines require that companies take steps after a violation is discovered to improve their programs and prevent future problems. These provisions underscore the theme of this article that a compliance and ethics program is not complete without effective provisions for ongoing monitoring and assessment.

Reviewing and Monitoring After Implementation

Effective review and assessment requires a holistic and systematic approach and a commitment on the part of the contractor to: (1) keep its ethics and compliance program current; (2) verify that the program is working; and (3) fix any part of the program that is not. With these goals in mind, this section will offer some key observations and suggestions on when and what to review and who should be involved.

Scheduling Monitoring and Maintenance Events

The timing of monitoring and maintenance activities should have several layers, ranging from continuous monitoring for legal changes to periodic reviews of the entire program. Below are ideas for both of these steps, and a few points in between.

Ongoing monitoring: As the discussion of rule changes above illustrated, one of the most disruptive events a contractor's ethics and compliance program can face is an amendment to the rules applicable to the company. But these changes do not happen overnight. Most regulatory changes, including changes to FAR clauses, are first proposed in the Federal Register, after which agencies will accept comments before issuing a final rule.

Legislative changes are also the result of long processes. Contractors should plan to learn about these changes before they happen by assigning an employee or an external adviser to monitor for relevant changes. A good target is monitoring for new obligations on a monthly basis. On a day-to-day basis, reviewing trade press in which relevant changes may be discussed is also a helpful practice.

Event-based reviews: Certain events have a high probability of exposing a company to new risks, and companies should accordingly reassess their ethics and compliance programs at those times. Included in this category are new contract awards, mergers and acquisitions, offering a new line of services, and launching a new product. Each of these events can impose new obligations on the company, and a new risk assessment should be conducted accordingly. If new requirements are encountered, policy changes, new training curricula and other steps may be required to keep the ethics and compliance program running as intended.

Lessons learned: A related category of event-based review takes place after a compliance violation occurs. Companies should plan an investigation of the incident itself to find out what happened, and should review policies and procedures in the affected compliance area to identify how improvements could address similar issues in the future. Additionally, companies should analyze whether enhanced training is necessary for employees who could make similar mistakes.

Annual or periodic review: Annual or periodic reviews are a key part of monitoring and assessment of a working ethics and compliance program. The function of the annual or periodic review is to give the company a complete assessment of how its ethics and compliance program is working on a regular basis. Companies should schedule these reviews on a recurring basis to conduct a comprehensive review of the policies, training and other programs that make up the ethics and compliance program as a whole.

What to Review

The assessment events discussed above focus on complementary and overlapping subjects. First, monitoring for legal changes and event-based reviews are necessary to renew the company's risk assessment and risk profile. As discussed in the first article in this series, compliance risk assessments allow for the identification of compliance obligations and risks.

Once a contractor identifies these risks, it should create a risk profile to organize and tailor the company's response to these obligations. When monitoring activity identifies a new legal rule, or a new contract triggers an event-based assessment, the company should repeat these initial steps with respect to the new risks and obligations, and take additional steps as necessary.

For example, using the scenarios addressed above, a contractor that has received its first contract of more than $5.5 million would conduct a risk assessment that would uncover the applicability of FAR 52.203-13 to the new contract. At that point, the contractor would be ready to devise a plan outlining the necessary features of the code of conduct and other requirements of that clause, setting a timeline for actions necessary to bring the company into compliance, and assigning staff and resources to complete those tasks.

Reviews conducted after a violation has occurred naturally have a different subject: understanding the incident and preventing it from happening again. Investigating what has already occurred is important so that the company understands the scope and potential consequences of the violation. Additionally, internal investigation can enable the company to cooperate with any enforcement action and potentially earn more lenient treatment. Once the company addresses the immediate violation, it should turn to improving its policies.

This step depends on the circumstances of the violation, such as whether the violation was a mistake or intentional, whether it was committed by one bad employee or indicative of a systemic problem, and whether the risk was overlooked in existing policy or addressed by the policy in an ineffective manner. A contractor should capitalize upon the knowledge gained through such a violation and take concrete, focused steps to ensure that the program is adjusted to prevent the recurrence of such an incident.

Lastly, annual or periodic reviews are scheduled to provide an assessment of the efficacy of the ethics and compliance program as a whole. These reviews should assess ethics and compliance from the ground up. The review should include a risk assessment, the first step in the ethics and compliance program. It should ensure that those risks are addressed in the company's policies. And it should ask whether the policies and procedures in place are working, and if not, how they can be improved.

By layering review and monitoring events in this fashion, different parts of the ethics and compliance program come up for review as necessary. The annual or periodic review fills gaps between more focused reviews, and studies the whole program even when everything appears to be functioning.

Who Should Be Involved

Review and monitoring of an ethics and compliance program will be most effective if these activities are institutionalized as a central component of the program itself. This is best achieved by implementing policies that seek broad engagement across all levels of company personnel and that assign clear responsibilities to those involved.

In some cases, outside advisers may also be necessary. The precise details should be customized to the company, but we suggest a basic, adaptable framework using a compliance officer with specified leadership tasks, delegated responsibilities for other company managers, and feedback opportunities for all employees.

A compliance officer is an individual within the company who is responsible for taking the lead and overseeing the functions of the ethics and compliance program. The tasks assigned to the compliance officer may include approving policies and other program documentation, reviewing suggestions for new policies and procedures, receiving and acting on reports and risk assessments, and delegating responsibility for program tasks.

Having a dedicated leader dispels ambiguity as to who is responsible for compliance tasks, so assigning a compliance officer brings clarity and accountability to the ethics and compliance program. Moreover, the role of the compliance officer is scalable with company size, as it may be filled by a manager with other responsibilities in a small company or by dedicated personnel in a larger business.

Assigning leadership roles to a compliance officer is not intended to compartmentalize the ethics and compliance program away from the operations it affects. To avoid this, the compliance officer should delegate responsibility to other leaders within the company. For instance, a company's human resources managers should be involved in developing, implementing and reporting on policies and procedures for equal employment opportunity compliance, drug-free workplace policies and compliance with applicable wage and hour regulations.

Similarly, sales managers and contract managers should be involved in developing and implementing compliance policies and procedures surrounding the company's pursuit of new contracts, including procedures designed to prevent illegal kickbacks and false claims. In large organizations, department leaders assigned these roles may be formally organized into a compliance council that has a regular meeting schedule and is led by the compliance officer.

But even without a formal council structure, compliance officers and managers with delegated compliance monitoring tasks should collaborate in a manner that allows the compliance officer to steer the program with the benefit of the managers' ground-level knowledge of their area of the business.

Feedback and reporting opportunities for lower-level employees who are not directly involved in monitoring and assessment are also important. Some rules require contractors to provide employees with opportunities to report potential violations without fear of reprisal.

Even without these rules, contractors should develop anonymous reporting opportunities so that they can learn about problems as soon as possible. Employees should also have opportunities to give feedback on issues other than potential violations. Learning employee opinions on policies, procedures and training can help the company assess the sustainability and practicality of existing programs and help build a culture of compliance within the company.

Finally, some companies and situations may call for outside advisers, such as attorneys, consultants and accountants with expertise in government contracting requirements. Smaller companies may need to rely on outside advisers to monitor the legal landscape for new risks, review new contracts, and conduct periodic reviews of their ethics and compliance programs. Larger companies that have internalized these functions may still engage outside help for more complex problems and to provide an independent perspective.

Conclusions, Tips and Tricks

This three-article series has stressed the importance of developing and maintaining an effective, custom-designed and scalable ethics and compliance program. Contractors face an array of regulations that affect everything from cost accounting to affirmative action. Enforcement actions resulting from noncompliance can lead to severe penalties and business losses.

As this article has explained, however, the goal is not to generate a series of documents that sit in a binder gathering dust. Rather, a company must be committed to using the policies, procedures, and training and awareness programs it develops to generate and maintain an ongoing culture of compliance.

The monitoring and assessment activities described in this article further that goal by suggesting a framework that allows a company to assess and adjust its ethics and compliance program in response to noncompliant behavior, new business opportunities, and new or changing regulations. Failure to keep a company's ethics and compliance program up to date will jeopardize all of the benefits of creating the program in the first place, including mitigating the risk of noncompliance and providing demonstrable evidence of the company's commitment to ethical business to the government.

While the points above give a high-level outline of the activities necessary to successfully monitor and review an ethics and compliance program as a company evolves over time, this article concludes by offering the following finer points to consider.

Organize your compliance policies to anticipate changes. A contractor's monitoring and assessment programs are virtually guaranteed to reveal new circumstances and requirements that will require the company to update and adapt its policies. It is wise to anticipate these changes in the structure of your ethics and compliance policies.

Number your policies in a format that can be expanded. Keep a revision history that tracks the date of new issuances to help users identify the current policies. As new policies are created and existing policies are enhanced, establish a process to communicate the new and revised policies to employees. Also, consider maintaining all policies electronically so that employees can access the most up-to-date versions.

Develop a policy on policies. Controlling your company's policies and procedures is an important part of maintaining compliance after a program goes into effect. For this reason, companies should consider including a policy that addresses how new policies are adopted and how existing policies are enhanced. This policy on policies may also delegate responsibility for keeping policies up to date, and nominate a function to handle suggestions for improvements.

Make sure the writing matches reality. A contractor's review and assessment activities should focus not only on whether policies are well designed and addressing the right risks, but also on whether the company is actually following its own rules. A policy that is not being carried out may be unrealistic or impractical, indicating that revisions should be made to ensure compliance in a different manner. Alternatively, widespread noncompliance could indicate a deeper problem. In either case, though, a policy that is not followed is worth as much as the paper it is written on. As such, a contractor should build ongoing review and assessment into its compliance program to avoid such disconnects and catch problems early.

Tailor monitoring and maintenance activities to your company. As with other aspects of an ethics and compliance program, monitoring and assessment activities should be designed specifically for each company's needs. In some places, a full review may be warranted more often than annually. Companies with more complex regulatory obligations may need more elaborate training programs subject to frequent checks and updates. Effective monitoring and assessment should be designed around these requirements, resulting in a program that is unique and tailored to the company.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.