Small government contractors are in an unenviable position when it comes to developing effective ethics and compliance programs.
On the one hand, profit margins are low, competition is fierce, and financial and personnel resources are scarce — particularly for tasks that do not contribute immediately to the bottom line.
On the other hand, government agencies and mature prime contractors expect emerging contractors to reflect the same “culture of ethics and compliance” that large companies commit substantial resources to implementing, and that the government commits substantial resources to policing.
The fear of compliance missteps and attendant risks such as reputational harm, contract termination, suspension/debarment, civil lawsuits and criminal prosecution, keeps many conscientious executives up at night. They realize that potential disaster looms if they do not commit appropriate resources to building out an effective ethics and compliance program, but are undecided on where to start and how best to utilize scarce resources. More often than not, they adopt a reactive, “whack-a-mole” approach to compliance, post hoc addressing the crisis of the day and little else. Meanwhile, that sense of dread never really goes away.
There is a better way! Undertake a formal risk assessment in four steps: identify, quantify, prioritize and act.
Identify. Contractors cannot meaningfully predict and mitigate risks without first identifying them. Most emerging contractors, however, do not have a legal and compliance staff with subject matter expertise to comprehensively spot the many ways they could run afoul of government ethics and compliance requirements. In those instances, it makes sense to retain outside legal counsel at the outset to ensure that the company is proactively avoiding failures, instead of reactively bobbing and weaving among the “pop ups” that will inevitably plague those firms that don’t prepare in advance.
Experienced counsel who have lived through and/or helped to remedy ethical crises or shortfalls, can efficiently help put into place governing standards, interview the company’s key managers, and identify specific areas of law and compliance that intersect the contractor’s lines of business.
Quantify. Once there has been a keen sense of the risk landscape, the consultants can moderate the company’s first formal risk assessment. At this stage, a cross-disciplinary risk committee selected by the company’s senior leadership can quantify each risk area by probability and potential harm such as financial, operational or reputational.
Prioritize. Having identified and quantified all relevant areas of risk, a contractor now has the ability to rationally apportion its limited resources. It obviously makes sense to prioritize those risks for mitigation that have the highest combined probability and potential harm — the company killers — and thereby gain maximum value from the resources assigned to compliance and ethics.
Act. For most contractors completing their first formal risk assessment, the list of risks to address may be uncomfortably long. Nevertheless, the company is unquestionably better off knowing the scope of the job and having a clear priority of work than simply reacting to crises as they arise.
Bonus! Consider these additional benefits of conducting formal ethics and compliance risk assessments:
- Standing all by itself, carrying out a formal risk assessment is a telltale demonstration of the contractor’s commitment to building a culture of ethics and compliance. It underscores its commitment to comply with all applicable laws and regulations, and to maintain a reputation as an ethical business partner and responsible contractor.
- Next, companies that have undertaken efforts to systematically identify and confront compliance risks can legitimately point to that commitment as a conspicuous differentiator from other competitors.
- Also, formalizing the risk mitigation process gives the contractor demonstrably tangible proof, if and when needed, to remove any doubt as to the company’s commitment to ethics and compliance.
- Finally, companies that understand their risk profile will inevitably make wiser strategic choices about growth. These companies come prepared to assess, quantify, prioritize and mitigate compliance risks. With a scalable risk assessment process and compliance program, an emerging contractor positions itself for growth with a level of confidence about compliance that few small companies can boast.
The risk assessment process described above takes strong management commitment, but it doesn’t have to break the bank. In the long run, wholly apart from being the right thing to do, prioritizing and taking strong, unequivocal, proactive compliance measures up front, is what will prevent much greater harm down the road. Effective compliance costs real money, but not nearly as much as ineffective compliance.