David Robbins (email@example.com) and Erin Schrantz (firstname.lastname@example.org) are Co-Chairs of the Investigations, Compliance and Defense and Government Contracts Practices at Jenner & Block, headquartered in Chicago, Illinois, USA.
United States government contractors are contractually required to maintain business ethics and conduct programs. These contract clauses, prescribed by regulation, require companies to “exercise due diligence to prevent and detect criminal conduct” and to “otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Those are high marks to hit, and yet the contract clause itself does little to explain how government contractors should comply. Instead, it only sets the foundational bare minimum effort for the industry.
Contractors, like other organizations, also have the benefit of the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs guidance. Developed in 2017 and most recently expanded in 2020, the guidance instructs prosecutors across the Criminal Division on how to probe the efficacy of an organization’s compliance program and provides an important window for corporate executives into DOJ’s expectations of compliance programs and the leaders who bear responsibility for their success. The guidance applies broadly to organizations and corporations across industries, confronting different regulatory landscapes and varied compliance risks. In that sense, the challenge for government contractors is to craft a compliance program that would satisfy DOJ’s expectations, taking into account the unique regulatory landscape and risk profile in their industry and their existing (if not necessarily detailed) contractual requirements.
In this article, we focus on four aspects of effective compliance programs that government contractors should put at the top of their priority list to both enhance their business ethics and conduct programs and better defend their compliance programs in future investigations.
Demonstrating risk assessment implementation and effectiveness
DOJ’s guidance emphasizes risk assessments as the foundation to effective compliance programs. Compliance programs should be tailored to the specific risks faced by the business entity and the industry in which it operates, and that is no less important for government contractors. The challenge is to make sure the company is considering a wide enough variety of risks. Corporate culture, norms, and expectations can play a role in how an organization perceives its risk and can create blind spots in how a company perceives itself. Getting outside the figurative “four walls of a company” can help overcome those limitations. For example, government contractors can conduct periodic, independent reviews with professionals who understand government contracting and compliance to help identify and prioritize compliance risk areas. After all, it is harder for prosecutors and regulators to fault a company that actively identified and monitored a risk area than one that ignored the risk all together. The distinction can be the difference between reasonable efforts and willful blindness that exposes the company to increased risk of punishment.
Performing an independent compliance assessment is the easy part. Government contractors need to also demonstrate to DOJ the scope of the compliance program they implemented and the risks it was designed to cover, so they should be ready to explain (or have in writing) their processes for identifying and categorizing top compliance risks. Government contracts require certain business systems and government-driven audits, which present more readily ascertainable risks that contractors can articulate to DOJ. Explaining how the company also builds out the balance of its risk matrix to include, for example, regulatory, international, and security risks can help present a thoughtfully designed risk assessment process. A government contractor should also be prepared to explain how it learns lessons from past compliance gaps and how it stays abreast of best practices around emerging risk areas such as information protection and cybersecurity.
Getting more granular, DOJ has also made clear that data matter. Compliance program leads for government contractors may want to consider tracking the number of policies, how often they are revised, and how many compliance resources (e.g., activities, dollars, headcount) are involved in the program. These easily quantifiable metrics are particularly helpful to show trends over time of investment in compliance.
Beyond data about the compliance program itself, government contractors should consider how they can mine business data, like key performance indicators, to detect noncompliance or new risk areas. The government contracts industry can create the most advanced weapons systems in the world, and can use data analytics to solve the nation’s most pressing problems. The government assumes that the industry can use that same skill set to the benefit of its compliance program as a whole. Government contractors are comparatively better positioned when they can explain their use of advanced analytics to benefit their compliance programs. Doing so also helps demonstrate that the program is well designed and appropriately resourced.
Government contractors also need to be able to explain to DOJ and to government customers that their program is well designed. That can take time to construct, and in a crisis or in the face of an investigation, time can be in short supply. As such, government contractors might also consider maintaining a narrative explanation of their compliance programs. The narrative should address why the program is set up the way it is, and what lessons the contractor learned from each iterative review and enhancement to the program. The narrative should help tell the story of the program’s successes, but it should also serve as evidence for continuous improvement and reassessment of risk and why the level of investment in the program is adequate.
This narrative form is also particularly effective to memorialize in one central place how senior leadership has demonstrated the “tone at the top,” such as the frequency of communications about compliance risks and the channels they used for those communications (emails and town halls, for example). A narrative description can also summarize how leaders at the top measure the impact of their communications on middle-level managers, and how the company as a whole evaluates corporate reactions to its compliance efforts. This sort of narrative can be substantially less expensive and intrusive than additional sets of crisis-driven workplace surveys, for example.