The topic is easily interchangeable with any newspaper title, but I know one of my former bosses used to always talk about bad publicity ending up in The Washington Post (assuming Congress and Contracting Officers read this publication on a regular basis). I won’t even go into declining publication sales and such, but we will just assume this is true. One of the tasks I was given on my first day as Compliance Manager was twofold: 1) Keep the president of the company out of jail, and 2) Keep the company out of the paper. This required two things: 1) Have a compliance program run by a compliance officer that was independent of management, and 2) Have a “tone at the top” that compliance was how we would run the business, not just a box that would be checked.
I wouldn’t be writing this blog today if that was an easy task. The first point I like to make is actually in regard to the “tone at the top.” You hear so much about this in relation to the success of the business, but I have found many managers in my years around government contracting circles who really just want to check the box on the proposal submission that says “Yes” and move on. I actually heard the phrase “We can worry about how to do that whenever the auditor comes back.” This should have been a big clue that I wasn’t in the right place, but I assumed naively that I could make it stick because they wouldn’t have hired me otherwise.
I have seen backlogs of compliance reports that stretched almost 2 years due to a contracting officers – quarterly and semi-annual reporting was required. So, after catching up, I tried to integrate the compliance aspect into an ISO 9001 initiative so it became “automatic.” It didn’t. We did manage to gain ISO certification in about 10 months, but shortly after the certification was given, all ISO processes were abandoned regardless of the push of the few of us that knew what we had to maintain.
No true “Tone at the Top” existed.
The other issue I have faced is that I believe there are two functions within any company that should be independent of corporate management – Internal Audit (been there, done that) and Compliance (been there, done that). If either of these functions must report directly to the people that they are supposed to be “policing,” then you run the risk of problems either not being reported or not being followed up. Issues get raised to management and get lost on a desk (or in the “Recycle Bin”) and never get to the level that is necessary. Instead, the compliance or internal auditor has to circumvent the chain of command and a hostile work environment begins to fester.
No independence for key oversight functions creates big problems in reporting problems across the corporation.
I hope these ideas and experiences help you, and I am always interested to hear what you have experienced or seen in your GC travels.