Demonstrating the effectiveness of US government contractors’ compliance programs

By David Robbins and Erin Schrantz

David Robbins (drobbins@jenner.com) and Erin Schrantz (eschrantz@jenner.com) are Co-Chairs of the Investigations, Compliance and Defense and Government Contracts Practices at Jenner & Block, headquartered in Chicago, Illinois, USA.

United States government contractors are contractually required to maintain business ethics and conduct programs. These contract clauses, prescribed by regulation, require companies to “exercise due diligence to prevent and detect criminal conduct” and to “otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”[1] Those are high marks to hit, and yet the contract clause itself does little to explain how government contractors should comply. Instead, it only sets the foundational bare minimum effort for the industry.

Contractors, like other organizations, also have the benefit of the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs guidance.[2] Developed in 2017 and most recently expanded in 2020, the guidance instructs prosecutors across the Criminal Division on how to probe the efficacy of an organization’s compliance program and provides an important window for corporate executives into DOJ’s expectations of compliance programs and the leaders who bear responsibility for their success. The guidance applies broadly to organizations and corporations across industries, confronting different regulatory landscapes and varied compliance risks. In that sense, the challenge for government contractors is to craft a compliance program that would satisfy DOJ’s expectations, taking into account the unique regulatory landscape and risk profile in their industry and their existing (if not necessarily detailed) contractual requirements.

In this article, we focus on four aspects of effective compliance programs that government contractors should put at the top of their priority list to both enhance their business ethics and conduct programs and better defend their compliance programs in future investigations.

Demonstrating risk assessment implementation and effectiveness

DOJ’s guidance emphasizes risk assessments as the foundation to effective compliance programs. Compliance programs should be tailored to the specific risks faced by the business entity and the industry in which it operates, and that is no less important for government contractors. The challenge is to make sure the company is considering a wide enough variety of risks. Corporate culture, norms, and expectations can play a role in how an organization perceives its risk and can create blind spots in how a company perceives itself. Getting outside the figurative “four walls of a company” can help overcome those limitations. For example, government contractors can conduct periodic, independent reviews with professionals who understand government contracting and compliance to help identify and prioritize compliance risk areas. After all, it is harder for prosecutors and regulators to fault a company that actively identified and monitored a risk area than one that ignored the risk all together. The distinction can be the difference between reasonable efforts and willful blindness that exposes the company to increased risk of punishment.

Performing an independent compliance assessment is the easy part. Government contractors need to also demonstrate to DOJ the scope of the compliance program they implemented and the risks it was designed to cover, so they should be ready to explain (or have in writing) their processes for identifying and categorizing top compliance risks. Government contracts require certain business systems and government-driven audits, which present more readily ascertainable risks that contractors can articulate to DOJ. Explaining how the company also builds out the balance of its risk matrix to include, for example, regulatory, international, and security risks can help present a thoughtfully designed risk assessment process. A government contractor should also be prepared to explain how it learns lessons from past compliance gaps and how it stays abreast of best practices around emerging risk areas such as information protection and cybersecurity.

Getting more granular, DOJ has also made clear that data matter. Compliance program leads for government contractors may want to consider tracking the number of policies, how often they are revised, and how many compliance resources (e.g., activities, dollars, headcount) are involved in the program. These easily quantifiable metrics are particularly helpful to show trends over time of investment in compliance.

Beyond data about the compliance program itself, government contractors should consider how they can mine business data, like key performance indicators, to detect noncompliance or new risk areas. The government contracts industry can create the most advanced weapons systems in the world, and can use data analytics to solve the nation’s most pressing problems. The government assumes that the industry can use that same skill set to the benefit of its compliance program as a whole. Government contractors are comparatively better positioned when they can explain their use of advanced analytics to benefit their compliance programs. Doing so also helps demonstrate that the program is well designed and appropriately resourced.

Government contractors also need to be able to explain to DOJ and to government customers that their program is well designed. That can take time to construct, and in a crisis or in the face of an investigation, time can be in short supply. As such, government contractors might also consider maintaining a narrative explanation of their compliance programs. The narrative should address why the program is set up the way it is, and what lessons the contractor learned from each iterative review and enhancement to the program. The narrative should help tell the story of the program’s successes, but it should also serve as evidence for continuous improvement and reassessment of risk and why the level of investment in the program is adequate.

This narrative form is also particularly effective to memorialize in one central place how senior leadership has demonstrated the “tone at the top,” such as the frequency of communications about compliance risks and the channels they used for those communications (emails and town halls, for example). A narrative description can also summarize how leaders at the top measure the impact of their communications on middle-level managers, and how the company as a whole evaluates corporate reactions to its compliance efforts. This sort of narrative can be substantially less expensive and intrusive than additional sets of crisis-driven workplace surveys, for example.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings