United States: Demonstrating The Effectiveness Of US Government Contractors' Compliance Programs

United States government contractors are contractually required to maintain business ethics and conduct programs. These contract clauses, prescribed by regulation, require companies to "exercise due diligence to prevent and detect criminal conduct" and to "otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law." ¹ Those are high marks to hit, and yet the contract clause itself does little to explain how government contractors should comply. Instead, it only sets the foundational bare minimum effort for the industry.

Contractors, like other organizations, also have the benefit of the Department of Justice (DOJ)Evaluation of Corporate Compliance Programs guidance. ² Developed in 2017 and most recently expanded in 2020, the guidance instructs prosecutors across the Criminal Division on how to probe the efficacy of an organization's compliance program and provides an important window for corporate executives into DOJ's expectations of compliance programs and the leaders who bear responsibility for their success. The guidance applies broadly to organizations and corporations across industries, confronting different regulatory landscapes and varied compliance risks. In that sense, the challenge for government contractors is to craft a compliance program that would satisfy DOJ's expectations, taking into account the unique regulatory landscape and risk profile in their industry and their existing (if not necessarily detailed) contractual requirements.

In this article, we focus on four aspects of effective compliance programs that government contractors should put at the top of their priority list to both enhance their business ethics and conduct programs and better defend their compliance programs in future investigations.

Demonstrating risk assessment implementation and effectiveness

DOJ's guidance emphasizes risk assessments as the foundation to effective compliance programs. Compliance programs should be tailored to the specific risks faced by the business entity and the industry in which it operates, and that is no less important for government contractors. The challenge is to make sure the company is considering a wide enough variety of risks. Corporate culture, norms, and expectations can play a role in how an organization perceives its risk and can create blind spots in how a company perceives itself. Getting outside the figurative "four walls of a company" can help overcome those limitations. For example, government contractors can conduct periodic, independent reviews with professionals who understand government contracting and compliance to help identify and prioritize compliance risk areas. After all, it is harder for prosecutors and regulators to fault a company that actively identified and monitored a risk area than one that ignored the risk all together. The distinction can be the difference between reasonable efforts and willful blindness that exposes the company to increased risk of punishment.

Performing an independent compliance assessment is the easy part. Government contractors need to also demonstrate to DOJ the scope of the compliance program they implemented and the risks it was designed to cover, so they should be ready to explain (or have in writing) their processes for identifying and categorizing top compliance risks. Government contracts require certain business systems and government-driven audits, which present more readily ascertainable risks that contractors can articulate to DOJ. Explaining how the company also builds out the balance of its risk matrix to include, for example, regulatory, international, and security risks can help present a thoughtfully designed risk assessment process. A government contractor should also be prepared to explain how it learns lessons from past compliance gaps and how it stays abreast of best practices around emerging risk areas such as information protection and cybersecurity.

Getting more granular, DOJ has also made clear that data matter. Compliance program leads for government contractors may want to consider tracking the number of policies, how often they are revised, and how many compliance resources (e.g., activities, dollars, headcount) are involved in the program. These easily quantifiable metrics are particularly helpful to show trends over time of investment in compliance.

Beyond data about the compliance program itself, government contractors should consider how they can mine business data, like key performance indicators, to detect noncompliance or new risk areas. The government contracts industry can create the most advanced weapons systems in the world, and can use data analytics to solve the nation's most pressing problems. The government assumes that the industry can use that same skill set to the benefit of its compliance program as a whole. Government contractors are comparatively better positioned when they can explain their use of advanced analytics to benefit their compliance programs. Doing so also helps demonstrate that the program is well designed and appropriately resourced.

Government contractors also need to be able to explain to DOJ and to government customers that their program is well designed. That can take time to construct, and in a crisis or in the face of an investigation, time can be in short supply. As such, government contractors might also consider maintaining a narrative explanation of their compliance programs. The narrative should address why the program is set up the way it is, and what lessons the contractor learned from each iterative review and enhancement to the program. The narrative should help tell the story of the program's successes, but it should also serve as evidence for continuous improvement and reassessment of risk and why the level of investment in the program is adequate.

This narrative form is also particularly effective to memorialize in one central place how senior leadership has demonstrated the "tone at the top," such as the frequency of communications about compliance risks and the channels they used for those communications (emails and town halls, for example). A narrative description can also summarize how leaders at the top measure the impact of their communications on middle-level managers, and how the company as a whole evaluates corporate reactions to its compliance efforts. This sort of narrative can be substantially less expensive and intrusive than additional sets of crisis-driven workplace surveys, for example.

Tuning the program to the risks of the industry

This is an area where the government contracts industry has an advantage over many others, as there are industry groups heavily focused on government contractor ethics and compliance, like the Defense Industry Initiative (DII). ³ These organizations host top executives as well as ethics and compliance professionals. These peer interactions are important, as they allow learning and sharing of best practices across industry members. This external benchmarking can be especially helpful as organizations consider risks facing their industry broadly, perhaps needing to benchmark their efforts against similarly situated companies.

But obtaining the most benefits out of involvement in organizations such as DII requires sustained interaction by senior level compliance and business executives. This can help bridge the compliance/business divide and gain buy-in for new initiatives. Additionally, the new ideas brought back from these industry groups and implemented by a government contractor can help to expand the compliance narrative.

Compliance considerations in mergers and acquisitions

The government contracts industry is rapidly consolidating as merger and acquisition (M&A) activity is high among companies of all sizes and across the entire industry. Meanwhile, the DOJ has repeatedly emphasized that companies need to do a better job of discovering misconduct before acquiring a company. Obviously, diligence is comparatively more limited in public company transactions, but DOJ has laid its marker that "unknowingly buying a problem" may not be as effective of a defense argument in the future.

Diligence in government contractor transactions can be particularly difficult, especially when dealing with companies of scale. Government contractors actively involved in M&A should consider the role of specialized government contracts lawyers to diligence teams to assist with evaluating specific government contracts compliance risks. Indeed, folding in government contracts–focused practitioners in support of large corporate deal teams is an emerging best practice. While corporate lawyers are remarkably effective at shepherding a transaction through many required, complex steps, they might not have experience with government contracting sufficient to identify a compliance risk. DOJ has asked some of our clients about their ethics and compliance diligence in government contracts transactions, and have expressed skepticism where deal teams did not include a qualified government contracts lawyer for diligence purposes.

But let us be clear, the idea is not to delay the transaction. Rather, specialized lawyers with government contracts experience on diligence teams can assist in identifying post-transaction integration steps to address, mitigate, and (if necessary) report compliance issues. This same team can be a resource (including for the compliance function) as the integration process begins and others in-house take over post-closing tasks.

Autonomy and resources

In a rapidly consolidating industry, it can be difficult for chief ethics and compliance officers to maintain their direct reporting relationships to CEOs or their resources during integration-related cost-cutting efforts, but compliance resources are a key factor identified by DOJ in measuring the effectiveness of a compliance program. Therefore, charting out resources dedicated to the program over time, credibly measuring program effectiveness by metrics other than headcount and resources, and explaining the rationale for any reductions are vitally important to help demonstrate to DOJ that the program is appropriately resourced.

Additionally, and especially where the chief ethics and compliance officer is no longer reporting to the CEO, internal audit can play an important role in reviewing compliance resources. Placing compliance resources on the audit list may help maintain consistency of support and identify emerging areas of potential weakness.

Risks are only increasing in the government contracts space. And the perennial challenges of the industry remain, such as the command structure mentality of employees who are former military, employees following a program through multiple employers, and employees working on site or distributed globally far away from corporate headquarters—much less regional offices. Reductions in resources, consolidations, or organizational changes for the compliance functions need to be justified and explained to the government in the context of why the function can continue to operate at a high level—with data to back up the representations.

Additionally, government contractors may want to consider a review of their ethics and compliance programs under DOJ's guidance as part of any significant investigation or defense effort. This industry is used to the mitigation and remediation steps required by 48 C.F.R. § 9.406-1(a) to avoid exclusion from government contracting by suspension or debarment. However, the 10 debarment-related factors are binary and relatively limited compared with DOJ guidelines. Preparing early to discuss the compliance program with DOJ can mean the difference between receiving credit and prosecutorial discretion and a full-blown investigation and a far more expensive resolution.

Making sense of it all

Regulations and contract clauses have general high-level requirements, while DOJ guidance is unspecific to the industry albeit more detailed, so government contractors face many challenges in understanding the varied regulations and guidance surrounding ethics and compliance programs. By focusing on these and other key areas of risk, government contractors can effectively apply the more general DOJ guidance to their organizations.

Takeaways

• Government contractors are required by contract and regulation to have a business ethics and compliance program.
• Applicable contract clauses and regulations are general and vague concerning the contents of the business ethics and compliance program.
• Department of Justice guidance provides more detail, but it is not specific to any industry, leaving government contractors to adapt the guidance to their unique risk profile.
• Independent risk assessments can help focus government contractors' resources where they are most needed.
• Risks associated with mergers, acquisitions, and integration remain substantial given rapid industry consolidation and Department of Justice attention to the area.

Footnotes

1 48 C.F.R. § 52.203-13(b)(2).

2 U.S. Dep't of Justice, Criminal Div.,Evaluation of Corporate Compliance Programs (Updated June 2020), http://bit.ly/2Z2Dp8R.

3 "Welcome to Defense Industry Initiative (DII)," Defense Industry Initiative, accessed May 10, 2021, http://dii.org.

Originally published by CEP MAGAZINE, A PUBLICATION OF THE SOCIETY OF CORPORATE COMPLIANCE AND ETHICS (SCCE)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.