AIG Compliance Panel on Compliance Programs
SCCE’s CEO, Roy Snell, participated in a panel discussion at the annual Association of Inspectors General conference in Newark, New Jersey this week. The panel focused on the intersection of compliance programs and the role of inspectors general. Joining Roy on the panel were Thomas Nicastro, Ph.D., Senior Vice President/Chief Compliance and Ethics Officer for Berger Group Holdings, Inc.; the Honorable Nicholas J. Schuler, Interim Inspector General for the Chicago Board of Education; and moderator Eric Feldman, President of Core Integrity Group. The session focused on panelists answering questions posed by the audience. Below are some of the highlights from that session.
From the perspective of an inspector general, what are the most important components of a contractor’s compliance and ethics program?
Tom: Tone at the top, no question. Senior management must embrace compliance and demonstrate it with their own actions.
Roy: A robust compliance program is the most effective tool any company or agency can have to prevent, find, and fix ethics and regulatory problems. Having a code of conduct, tone at the top, and a strong message from leadership are important, but they aren’t enough. The simple fact is, we can’t solve the problems if we don’t look for them. Compliance programs are built to prevent, find, and fix issues. They help any organization become more credible, follow the rule of law, and behave ethically. Is the compliance department working to implement the seven elements of a compliance program laid out in the Federal Sentencing Guidelines? Look for specific details on how their programs work.
Nick: No one likes hard questions or investigations. Many contractors are unaware of ethical policies that bind public employees. Some big contractors aren’t even aware of the FCPA and how it works at a local level. Do our people (employees and contractors) know they can’t give or receive gifts? Do they even know the policy is in place? If the contractors knew Inspectors general would be investigating later, it would have deterrent power on the front end.
How can inspectors general get involved in companies’ E&C programs to prevent problems before they occur?
Nick: That’s the ten million dollar question. No one wants the inspector general around until there’s a problem. Overall, I think Inspectors general should be making themselves more known on the front end. I think one goal is to move in the direction of Inspectors general being more proactive in sharing what will be evaluated in the compliance and ethics program if something goes awry. It’s an easier decision for companies to do training and instill positive ethical culture before issues arise, rather than only when an investigation starts.
Is it a red flag if a business doesn’t have compliance program or compliance officer? What inferences can be drawn from lack of program?
Tom: Government contracts have language encouraging organizations to follow the listed compliance framework and best practices. Contracts officers and Inspectors general need to determine what exactly they’re going to require. However, I will say that an organization’s compliance and ethics programs can be a competitive advantage in the bidding phase.
Roy: It’s very important, and a great way to establish the kind of message that an organization wants to send. A word of caution, however. Some smaller organizations don’t have the time or resources to have large, flashy compliance programs. A good measure is to ask contractors for details about their organization’s monitoring, auditing, investigations practices. Actually look at the company and the tone, not just that the company checks the boxes. Inspectors general can help contractors by sharing what “counts” in a compliance program, and what you’re looking for from the seven elements.
Many organizations have figured out that they need something on paper with all the elements spelled out to meet the Federal Sentencing Guidelines, but when you look behind the curtain, nothing is there. How can you tell if a program is actually being implemented?
Tom: Ask the compliance officer! Talk to the chief compliance officer and determine his/her independence in the company. You should always want CCO to report directly to the board.
Nick: Local Inspectors general can be creative, since they’re overseeing small, single agencies, where the rules may be more flexible. While you could ask for proof of the seven elements, it’s better to actually look at an organization’s track record—what has been reported? who have people reported to? Have there been investigations? If so, what was the result? Inspectors general need to put pressure on contractors to show and not just tell.
Roy: The CCO mentality should be all about cooperation, but Inspectors general should ask to see all the CCO has done to implement a compliance program, and look a numbers not just the paper, such as, hours of education, job titles of who was educated, what was taught, number of audits, responses to complaints. Don’t settle for “this is what we thought we should do or this is what we promise we do.” If you want to know if it’s paper or real, when they’re done with the paper show, ask for the numbers.
With ethics, often the problems aren’t at the top; they’re in the middle. How do you deal with that?
Tom: We find implementing a worldwide helpline has helped. We also publicize the results of investigations so everyone can see that action was taken from the hotline calls.
Roy: Corporations do a poor job of marketing tone at the top. The vast majority of organizations are filled with good people who are trying very hard, but senior leadership needs to get the compliance and ethics message down to the people. Tone at the middle is very important. One of the most effective ways to get tone at the middle is to incorporate compliance criteria in everyone’s annual review (suggest that mid-level managers are encouraging regular compliance and ethics education, responding to complaints, and developing policies). What gets measured gets done. Incorporate compliance expectations and criteria into reviews and tie them to bonuses and goals, then we’ll see change.
Eric: Let’s remember, tone at the top is a minimum requirement. The most influential factor for employees is the behavior of their first-line manager. What actually influences employees is what I like to call the mood in the middle and buzz at the bottom of organizations.
When orgs do enterprise-wide anti-fraud risk assessments that are all encompassing is it a viable way of identifying true weaknesses in the org when it comes to anti-fraud?
Tom: I believe they are. People’s effort and time in interviews and assessments has value and is empowering.
Nick: There are always going to be risks, especially when middle tier salespeople are compensated based on sales. Part of an ethics program is questioning whether there’s a de-coupling between sales and ethics.
Eric: There are often unintended consequences for companies implementing hard sales goals, because people will be incentivized to meet their performance metrics and ignore the compliance and ethics program.
Roy: There are two ways enterprise risk assessments get messed up. The first is that they think the more spreadsheets and more identified risks automatically equate with success. Oftentimes, the focus on the minutia keeps them from seeing the obvious. The second way is when risk officers only look for risks posed to their company such as vendors double billing their company and insurance or investments risks, etc. In compliance, assessing risk is about the risks the organization poses toward others. Another way to improve a risk assessment is to look at what the enforcement community is focusing on. This will provide key information on what you should be evaluating internally.
Procurement often requires choosing contractors based on cost, and compliance programs come at a premium. What can you do to recognize the premium that compliance programs provide?
Eric: This supposes that compliance and ethics programs cost a lot of money, and that may not be true—especially with smaller and mid-sized companies.
Roy: Cost isn’t the question, it’s that compliance programs are necessary. Compliance programs don’t need to be expensive. You can run compliance and ethics programs effectively or ineffectively just like any other department. Also, there are surveys suggesting that compliance programs are being considered by companies that want to bring down their legal costs. An effective compliance program can find the problems before they turn into distracting legal issues and keep the company from the incurring the costs to defend itself.
Nick: How much is it going to cost when the inspector general calls and there’s a problem that requires an attorney?
Eric: I think that the inspector general’s office shouldn’t be viewed as a cost center, but can be viewed as a profit center if done in the right way, and the same applies to compliance programs. However, the bottom line shouldn’t be money, it should be a requirement that anyone who bids on a government contract needs to have compliance program and be able prove to it’s effectiveness to the selecting agency.
How can contractors better prepare for inspector general oversight?
Nick: For my agency, we’re trying to move companies toward considering the kinds of risks they have, and their methods of doing business. This is coupled with trying to get these organizations to disclose potential issues upfront.
Roy: The concept of compliance is incredibly simple, it uses tools that have existed for years; they’re just being used in a coordinated way. We do a lot of training and help people understand the compliance role and what compliance officers do. We help people understand that it’s not as complicated as people make it out to be. It’s easy to determine if the seven elements exist in an organization. The real trick, however, is to evaluate if the organizations are implementing the elements effectively… that’s much harder.
Best practices for having CCO report to General Counsel?
Roy: The thing I want to clarify is that the question isn’t whether or not the CCO reports to general counsel. The question is: does the general counsel do the annual review and making hiring and firing decisions? What general counsel will tell you is that they’ll build a wall for the 1-2 times a year that the CCO has to be independent. General counsel’s role is to defend the company, and that’s important. We have defenders, prosecutors, and someone who settles the dispute. You can’t be an effective CCO and adopt a defense or prosecutorial role. Your role is to bring all the facts to leadership and ask, “Do you think we have a problem and should we report it?” It’s fundamentally difficult for a CCO to approach the audit committee and speak openly and occasionally disagree with the person who is doing their annual review (the general counsel). All problems are rooted in conflict of interest therefore the compliance officer needs to be independent to help sort it out.
If you want the red flag of all red flags—find out if the CCO is independent. You cannot find out the root of a problem if the person who’s job it is to find it doesn’t report to the board as is the case with auditors. If you can only ask one question of a company to determine if their program is effective, ask them who hires and fires compliance officers?
Tom: It’s a CCO fundamental observation. Tone at the top is not right if CCO reports to general counsel.