I recently drafted a whitepaper on things that must be done before even presenting a bid to the government on an open opportunity (due to be released in early November). That exercise got me to thinking about getting back to basics across the board. You hear the mantra all the time and there are plenty of clichés to fill the conversation about “tightening the belt”, “getting down to brass tacks”, or “trimming the fat” from any program or business to get back to basics. Along this same line of thinking, I came across some notes I had taken during a seminar a few months ago (I believe it was the NCMA 100 Worst Mistakes…). The item that popped out at me was what I titled “9 Essentials for Effective Gov Compliance Program.” I thought about it for a while and decided it was worth dusting off and exploring for a moment. Especially in light of looming cuts.
1. Responsible Individual to Manage the Program
I experienced some struggles with this one that really stuck with me. Once upon a time I was a Government Compliance Manager. The position originally appeared to be at the right level – reporting directly to the company President. However, over time it became clear that in our particular situation it would have been more appropriate to have the compliance function completely independent and reporting to the Board of Directors. This level of independence is already given to internal auditors, and it would give a responsible individual managing the compliance program the same level of trust and impact. This is a BIG and IMPORTANT recommendation as far as I am concerned.
2. Ethics Code
This isn’t just a recommendation, it is a FAR clause requirement. Within 30 days after contract award, a contractor must have a written code of business ethics and conduct and make a copy of the code available to each employee performing on the contract. Contractors must promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law, and must exercise due diligence to prevent and detect criminal conduct. A written code of ethics is a good start, but without #3 below it is not very effective.
3. Regular Training/Communication
Training and communication are the backbone of continued compliance. Employees who are brought into a culture where they know they will be required to complete the next round of training, and who are reminded that the company doesn’t take kindly to non-compliant employees (more on this later), are more likely to stay compliance-focused in their everyday tasks. The responsible party factors in here again to ensure regular communication, appropriate signage, and specific training and re-training whenever necessary. Coordinating these items and documenting them should be a high priority for the Compliance Manager (or whatever that title is).
4. Hotline
I really had to dig for this one to understand what I meant. I have mainly been part of DOD contracts on one side or another for most of my career, so my first thought was the Fraud/Waste/Abuse Hotline posters hanging all over DOD contractor walls. Then I found what I jotted down briefly in my notes about hotlines. There should be a way in which ANY employee can reach out to an authority figure if they witness any compliance violation. This can be in the form of an anonymous web form that goes to a dummy e-mail, or through a third-party application for reporting such things. The point here is that all employees should be advocates of compliance – it could mean their job if they or someone else in the company does not treat compliance with the importance it deserves.
5. Internal Reviews
Outside of financial and regulatory reviews, little is usually done in the area of operations and compliance reviews. A simple checklist in this area can be sufficient, but the more robust and well-managed the plan, the better served the business is. The internal review of the compliance program should be performed by the responsible party and/or those who are “one-off” from the function. This is where my experience with ISO 9001 makes me a little obsessive. It all comes down to saying what you do and then doing what you say. Whatever it says in your policies and procedures related to compliance is what you should be able to demonstrate. Remember also that demonstration can be documentation – and some would argue SHOULD be documentation.
6. Timely Corrective Actions
Again, I am reminded of the ISO 9001 exercises to set up the quality management system. It is fine to have all of the items listed above as a “checklist,” but what happens when there is a failure of the test? Knowing how to correct, and actually correcting, the items that come up in a review and as a result of a robust compliance system is where the true test of the system comes to pass. Only with proper follow-through can a contractor ensure that the same mistake doesn’t happen again for the same reason. It may happen again, but it should NEVER happen again for the same reason, because corrective action was taken (and in a timely manner).
7. Disciplinary Mechanisms
Timely corrective action can sometimes lead to a blame game. The point of a compliance program that works is not to identify the offender and chastise them publicly. The point of a compliance program is to make sure that the offense doesn’t happen again for the same reason, and, if it does, to take appropriate disciplinary action. There is only so much a Compliance Manager can do to correct non-conformities and take the blame. In the end, there should be a mechanism in place that allows the responsible compliance person(s) to do something more than just write a report. My experience was that you could say as much as you wanted about non-compliance, but if a procedure is not in place to formally discipline continued offenders, there is little you can do to stave off major non-compliance.
8. Good Delegation of Authority
Compliance is one of those areas that called to me as a professional because of its logic – much like accounting did for me in college. Accounting logic tells me that if there is a single point of failure in an accounting system, an error or omission or illegal act is bound to happen at that point. So, to ensure there are no single points of failure, accounting dictates segregation of duties and mandatory swapping of duties. A good delegation of authority is much like accounting internal controls – make sure there is no single point of failure that can be exploited. This is difficult to say the least, but sometimes through the proper review and follow-up these holes can be addressed and remedied early in the process.
9. Self-Reporting, Cooperation, and Acceptance of Responsibility
This last one (actually 3 items) could be the summary to the entire post. Each of these themes should be applied throughout the compliance system. Allow self-reporting without fear of reprisal internally and make sure you let your CO or other agency contact know when a non-conformity or non-compliance happens. It is much easier to ask for forgiveness if you bring it to the attention of the government official than it would be if you are approached by a government auditor or officer that is armed with a report of non-compliance from outside your organization. Then, once you have reported, cooperate with the government to make sure there is timely corrective action. Follow-up, in writing, about what you are proposing to do about the problem, or how it has been mitigated elsewhere. This can be easier for non-technical glitches than it can be for technical glitches. Finally, accept responsibility for what has gone wrong. Again, provide a solution or mitigation plan. Do whatever you can to let the government agency know that you know it is a problem, it is your fault, and that you have done or are doing everything you can to make it right so it doesn’t happen again.
These are just the essentials in my humble opinion – what else have you seen that you couldn’t do without? Anything you take issue with on its face?