This week, in this five-part podcast series, sponsored by Affiliated Monitors, Inc. (AMI), I am exploring the need for federal contractors to maintain their status as “Responsible Contractors” and delineating the benefits of having an effective compliance and business ethics program to not only increase business efficiencies and profitability but prepare you in good stead if the regulators come knocking. I was joined in this podcast series by Rod Grandon, Managing Director at AMI.

Why Are We Still Talking About This?

Yet even in 2019, many federal contractors still do not have effective compliance programs in place. I posed the question to Grandon, “Why are we still talking about this?” Grandon began by noting that this is a fair question given that many of the policies and procedures required in the Federal Acquisition Register (FAR) 3.1000 and 52.203-13 relating to contractor integrity and honesty have been in place since December 2007. Also, Sarbanes-Oxley (SOX) was passed in 2002 so those requirements have been around for nearly 17 years as well.

Many contractors, particularly major prime contractors, have invested heavily over the years establishing and maintaining robust corporate ethics and compliance programs and internal controls. Additionally, major primes have taken steps to encourage and assist their subcontractors and suppliers to develop appropriate codes of conduct and related policies, procedures, and infrastructure. The limited research in this area to date has shown that such programs, when effectively implemented, produce positive results in reducing misconduct. Still, significant gaps remain within the federal marketplace, especially at the mid and lower tiers of the supply chain and services industries.

Grandon believes that while these responses to the FAR and legal requirements are “trickling down” to smaller organizations, unfortunately there are a large group of small and middle tier contractors that believe these programs are only for large government contractors, or they believe they lack expertise and resources to build and maintain appropriate programs. Many more do not focus on the requirements at all (until it is too late); instead focusing on building the business and thinking that their customer relationships will help them business survive any future challenges.

Grandon also related, “frankly, a lot of small businesses and medium sized businesses either ignored this all together in their pursuit of business and revenues or they put in place a written policy set of policies and procedures, including a written code of conduct.” Perhaps they provided some training, but in most cases, “it was all a paper exercise. It never transcended into a way of doing business”. This has led to continued compliance and ethics lapses.

Regardless of size, for-profit businesses are hesitant to expend time, effort, and money on efforts that do not directly advance company market objectives or revenue growth. Government contractors are no exception. As such, while many contractors grasp the need for integrity programs, company leaders elect to forego necessary investments of time and resources into such programs. Instead, they operate under the assumption that they operate ethical companies; they believe their employees understand and embrace what we all should know from childhood:  it is wrong to lie, cheat, and steal.

Grandon concluded by intoning, “even the best programs are threatened by complacency.  Contractors must continuously strive to creatively spark their ethics and compliance programs to keep the objectives and expectations  fresh and central to business operations.”

Keeping it Fresh

We next turned to a consideration of how an organization can keep your compliance program fresh through ongoing monitoring. To gain a better understanding of the effectiveness of corporate ethics and compliance efforts and to identify any gaps in the program’s scope, contractors are well advised to commit to an objective assessment of their ethical culture and ethics and compliance programs before a crisis occurs. Grandon stated, “part of the requirement for an ethics compliance program is that the contractor will conduct periodic reviews of the company’s business practices, procedures, policies, and internal controls for compliance with the Contractors Code of business ethics and conduct and the requirements associated with federal contracting.” Contractors should consider carefully whether the assessment can be performed using in-house resources, or whether the assessment should be performed by an independent and objective outside organization.

These reviews include monitoring and auditing and periodic evaluation of the effectiveness of the infrastructure and the efforts that are in place. But more than simply testing the ethics and compliance programs, companies and contractors need to be aware of the operational risks and business risks so that policies, procedures and internal controls can be aligned to address and ideally, mitigate or reduce the impact of misconduct in the workforce. Grandon concluded, “it comes down to being diligent and ensuring that whatever is put in place is effective.”

It is in this space that obtaining internally unbiased and useful information about the effectiveness of a company’s compliance program, and the strength of a corporate ethical culture, can be challenging. Grandon noted, “internal or external audits may not effectively conduct a comprehensive review of a company’s overall compliance infrastructure or ethical culture, as that is not how those functions are structured. Furthermore, asking the managers responsible for implementing the program to evaluate their own effectiveness or success carries certain inherent conflicts.” Finally, “even if such a self-evaluation mechanism is established, getting honest answers from employees who may fear retaliation from their superiors is likely to be difficult and can lead to skewed results.”

An effective assessment typically begins with an analysis of the existing ethics and compliance program and the internal control processes established to operationalize the program throughout the company. This high-level review evaluates the program for completeness in ensuring compliance with government regulations; in effectively training and messaging corporate policies; and in investigating and remediating reported instances of non-compliance or other misconduct within the organization. Such a review includes:

  • Assessing the effectiveness of the organizational structure and reporting lines for the compliance function, including whether the ethics and compliance function has been provided the authority, independence and adequate resources to succeed.
  • Reviewing the adequacy and completeness of the company Code of Ethics and Business Conduct in setting the parameters for employee behavior in the organization.
  • Assessing whether the company has in place formal and informal training efforts, or other lines of instructional communication, necessary to ensure the workforce understands company expectations relating to ethics and compliance.
  • Determining whether the company has established credible reporting mechanisms for employees to raise concerns and ask questions.
  • Evaluating how well the company responds to allegations of suspicious or questionable activities within its ranks, including the adequacy and professionalism of internal investigations.
  • Reviewing whether the company’s ethics and compliance objectives are sufficiently aligned with the performance management systems that incentivize promotions, bonuses and assignments; and benchmarking all aspects of the company’s program with those of similarly sized companies in like industries.

As the evaluation goes deeper, the company should seek input and insight from senior leadership, mid-level managers, and working level staff.  This part of the assessment will evaluate the effectiveness of the program by identifying and analyzing, from the staff’s perspective, what impact the program is having on the organization and its employees. Some of the questions Grandon suggested were, “Do the employees understand the company’s Code of Ethics and Business Conduct and related policies? Is the ethics and compliance training effective, or merely a “check the box” exercise? Are employees convinced of the important role they play in promoting integrity in all aspects of the company’s business, or do they receive mixed messages from their managers and leaders? Have employees invested themselves in the success of the program, and if so, how? Do employees feel the program is fairly implemented throughout the company, regardless of rank or level of contribution?”

This assessment approach positions a contractor to learn about the effectiveness of the company’s training programs; the awareness of any communication or whistle-blower hotline channels available to them; and to assess staff-level comfort in raising issues and questions and whether their input is taken seriously. Once an ethics and compliance assessment is complete and the analysis digested, the company should have a detailed a roadmap for improving the effectiveness of its program. The roadmap should highlight opportunities for making appropriate investments to better position the contractor to manage and minimize the risks of misconduct occurring and to proactively discover matters that should be self-reported to government regulators.  The roadmap will help companies determine where corporate budgets and resources should be targeted to achieve maximum value to the company.

An independent, outside reviewer would in their report create a roadmap that a company could use to remediate any deficiencies if new risks had arisen, either in markets, products or services that could be used as a documented roadmap if a regulator ever came knocking. The company could show such regulator that “yes, we not only reviewed our program, but we have a roadmap and here are the steps we are taking based upon this roadmap to move forward into the future.”

You can check out the full podcast series with Rod Grandon now. All five episodes are now available on SpotifyiTunesMegaphoneand YouTube. Episodes 1-5 will be released daily on the following sites: FCPA Compliance ReportJDSupra, and Corporate Compliance Insights.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2019