United States: Small Businesses: Why And How To Set-Up Or Enhance Your Ethics And Compliance Program

Robert Tompkins is a Partner and Rodney Perry is an Associate in Holland & Knight's Washington D.C. office

It's been ten years since the Federal Acquisition Regulation (FAR) was amended to require government contractors to have a business ethics and compliance program – that's right, it's a requirement in every government contract and in most subcontracts! Aside from being a requirement in every contract and a core component of a small business's "present responsibility" (i.e., eligibility to be a contractor at all), recent developments have made it essential for small businesses to address compliance now.

In particular, the Department of Justice has issued guidance as to what it expects from an organization's ethics and compliance programs, and has reiterated that it will not tolerate companies that lack an effective program. In other words: get caught without one, and that may be the end of your company. See our post about the DOJ Guidance. The good news is there has been a lull in new FAR and other regulatory requirements under this Administration, so this is a good time to play some catch-up.

But let's face it, many small businesses are not where they should be, and some others are not even close. So why aren't small businesses better prepared and how do small businesses move ethics and compliance programs from a perennial back burner issue to the forefront?

What's Holding Many Small Businesses Back?

Small businesses confront a multitude of challenges in establishing and maintaining a government contracts ethics and compliance program. Resources and bandwidth are precious commodities and company management is often stretched too thin. Particularly for contractors experiencing rapid growth, keeping basic performance functions up and running takes all their time and energy. Further, small businesses can have difficulty deciding even where to begin because the requirements imposed by the FAR are immense and can seem daunting.

Common misconceptions about ethics and compliance programs and what they entail also tend to hold small businesses back.

First, while some view compliance solely as a risk mitigation process that is designed to avoid downside risk with no potential upside, this is far from true. Most significantly, protecting against downside risk in government contracts is essential because the consequences of mistakes can be catastrophic and include treble damages under the False Claims Act, suspension and debarment, and even the process penalty that comes with a significant government investigation. Each of these can kill a company. At its basic level, compliance is about preventing and detecting misconduct and mistakes that can lead to compliance issues. But an effective ethics and compliance program also helps companies avoid performance mistakes (and costly re-work), and has the benefit of allowing companies to present timely and acceptable invoices resulting in quicker payments and a better reputation (and better CPARS).

Second, a common mistake is to view compliance as an entirely separate function from other business processes and systems, or worse, one which is at odds with efficient and effective operations. Effective ethics and compliance programs should be set up alongside and as a part of other major business systems. In addition, while it's essential to assign responsibility (and resources) to a person with overall responsibility for the program, this is not a one-person show. All your functional managers have a role in compliance: HR, Accounting, Program Management and Business Development all must be a part of assessing risk in their functional areas, ensuring controls are in place to address those risks, and funneling those requirements up to the compliance manager to weave into the tapestry of the program.

Third, small businesses often don't give themselves enough credit for what they are already doing. All too often we hear "we don't have an ethics and compliance program." This is almost always untrue because the internal controls small businesses have in place to govern basic business systems are themselves an important part of their compliance efforts. Simply taking stock of what's already in place and taking a holistic view allows a small business to start checking off a number of requirements, making the rest of the process more manageable.

Finally, we still hear remnants of a fading viewpoint: good people don't need to be trained in these things and our people are good people and inherently know what to do. This is wrong. The regulatory environment for contractors is too complex to count on basic human instincts. It also will be construed as indifference, or worse, by the Justice Department, by suspension and debarment officials, and by contracting officers. The government has made it clear there will be no forgiveness for such a view – one bad step and a company is sunk.

So What's a Small Business to Do?

The first step is to take stock. Get major functional group leadership together to identify existing controls and where they think improvement is needed. Read contracts and identify the requirements and clauses that present catastrophic consequences. Pay special attention to FAR Part 3 and Part 9 clauses.

Second, consider available guidance documents on ethics and compliance programs. Law firms with experience in this area have a lot of materials "in the can" and can help small businesses figure things out quickly. Look at available government guidance, like DOJ's guidance and the DCAA Audit Manual. Many companies have their materials posted online – don't be shy about reviewing those materials, but don't just cut and paste them either. Finally, look to organizations that focus on compliance, like the Society for Corporate Compliance and Ethics (SCCE).

Third, perform a basic risk assessment to better inform the company's views and to prioritize which issues to address first. The DOJ's recently updated guidance on ethics and compliance programs has elevated the importance of a risk assessment as a defining aspect of an ethics and compliance program. While one hopes to never have to deal with DOJ, their guidance is relied on by other government officials (DCAA, contracting officers, Inspectors General) in assessing a compliance program. They also played a big role in the development of the FAR requirements mandating the adoption of compliance programs, so their guidance is very important. (Stay tuned for another article from us on Risk Assessments and what they should entail).

Fourth, designate someone to be the company's Chief Compliance Officer. For small businesses, this can be a person who holds another title (or titles). Particularly for starters, pick someone who is trusted, respected, and organized. Make it clear that the rest of management is expected to execute on what's needed to support the CCO and the overall project.

Finally, think of this as a pass-fail test and address the things that could kill the company first. Over time, as the program evolves, work can be done on elevating the company's letter grade.

With those basic points in mind, here's a suggested timeline and punch list to get that grade up to a pass:

Immediate Requirements:

  • Take the steps noted above; in particular conduct a basic risk assessment and appoint a Chief Compliance Officer or equivalent and provide sufficient resources to carry out the program.
  • Adopt and distribute an overall policy outlining the program and make sure the issues that present the highest risk are covered. Also, list the basic components (the code, training, hotline, report handling, the role of the CCO) and have it come from senior management.
  • Create a code of business ethics and conduct – keep it simple and hit the basics: don't lie, cheat or steal – or bribe, or make false statements, or violate the Procurement Integrity Act – and be sure to cover any special high risk areas identified in the risk assessment.
  • Distribute the code to all existing employees, require acknowledgement, and include a message from management emphasizing the importance of this effort for all employees.
  • Institute and publicize a hotline or other anonymous, internal reporting structure for reporting suspected or alleged violations of the code or other misconduct (the FAR requires this). This can be outsourced to a vendor, a law firm or an accounting firm; a dedicated voicemail line or email address, with access limited to a designated monitor, works.
  • Establish a basic method and procedure for responding to reports of misconduct or violations. Again, everything should be kept as simple as possible and, until the company gets its sea legs, it should consider getting a law firm to help with any reports of serious misconduct. At this point, the company should not have that many (and maybe not any).

Short-term Requirements:

  • Hold a training session for employees (and board members, if applicable) on special contracting rules and regulations for doing business with the Federal Government. Keep it simple by tracking the code (which should be tracking the risk assessment).
  • Establish a training program for new employees and a program for periodic training and updates for existing employees. Again, don't overcomplicate it: just teach what's in the company's code and keep track of attendance.
  • Establish a reporting process for the CCO to report to the CEO, and the Board if the company has one, periodically.

Longer-term Requirements:

  • Establish an internal control system and procedures to facilitate discovery and disclosure of improper conduct.
  • Carry out periodic reviews (annually or semi-annually) of policies and procedures concerning business conduct.
  • Establish a periodic (and perhaps more robust) risk assessment process.
  • Ensure that there are appropriate consequences for employees and management related to the ethics and compliance program (i.e. discipline for violations and positive reinforcement for compliant behavior).
  • Add policies as needed to address special government contracting requirements, and develop training modules to educate the work force.

Tackling the above, and having a plan in place showing how you intend to do so, should get you over the pass-fail hump. The sooner you do, the better.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
