What you'll learn on this podcast episode
The Federal Acquisition Regulation, or FAR, is the primary guidance followed by federal agencies, including NASA, the Department of Defense, the General Services Administration, and all others, when acquiring goods and services. It’s also a regulation with its own set of compliance requirements for government contractors. How does FAR differ from other regulatory guidance, and what do government contractors need to know to ensure they have an effective program in place? On the Principled Podcast, host Jen Üner talks with LRN colleague Eric Morehead about why the FAR compliance program requirements matter to broader E&C program effectiveness, and how government contractors can implement those requirements in practical ways.
Where to stream
Be sure to subscribe to the Principled Podcast wherever you get your podcasts.
Guest: Eric Morehead
Eric Morehead is a member of LRN’s Advisory Services team and has over 20 years of experience working with organizations seeking to address compliance issues and build effective compliance and ethics programs. Eric conducts program assessments and examines specific compliance risks, drafts compliance policies and codes of conduct, works with organizations to build and improve their compliance processes and tools, and provides live training for Boards of Directors, executives, managers, and employees.
Eric ran his own consultancy for six years where he advised clients on compliance program enhancements and assisted in creating effective compliance solutions.
Eric was formerly the Head of Advisory Services for NYSE Governance Services, a leading compliance training organization, where he was responsible for all aspects of NYSE Governance Services’ compliance consulting arm.
Prior to joining NYSE, Eric was an Assistant General Counsel of the United States Sentencing Commission in Washington, DC. Eric served as the chair of the policy team that amended the Organizational Sentencing Guidelines in 2010.
Eric also spent nearly a decade as a litigation attorney in Houston, Texas where he focused on white-collar and regulatory cases and represented clients at trial and before various agencies including SEC, OSHA and CFTC.
Host: Jen Üner
Jen Üner is the Strategic Communications Director for LRN, where she captains programs for both internal and external audiences. She has an insatiable curiosity and an overdeveloped sense of right and wrong which she challenges each day through her study of ethics, compliance, and the value of values-based behavior in corporate governance. Prior to joining LRN, Jen led marketing communications for innovative technology companies operating in Europe and the US, and for media and marketplaces in California. She has won recognition for her work in brand development and experiential design, earned placements in leading news publications, and hosted a closing bell ceremony of the NASDAQ in honor of the California fashion industry as founder of the LA Fashion Awards. Jen holds a B.A. degree from Claremont McKenna College.
Principled Podcast transcription
Intro: Welcome to the Principled Podcast brought to you by LRN. The Principled Podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership, and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change makers.
Jen Uner: If you work for a government contractor in the United States, chances are you're already familiar with the acronym FAR. It's short for Federal Acquisition Regulation. FAR is the primary guidance followed by federal agencies including NASA, the Department of Defense, the General Services Administration, and all others when acquiring goods and services. It's also a regulation with its own set of compliance requirements. How do these requirements differ from other regulatory guidance and what do government contractors need to know to ensure they have an effective program in place? Hello and welcome to another episode of LRN's Principled Podcast. I'm your host, Jen Uner, Strategic Communications Director at LRN and co-producer of this podcast. Today I'm joined by my colleague Eric Morehead, Director of Advisory Services Solutions at LRN. We're going to be talking about why the FAR compliance program requirements matter to broader ethics and compliance program effectiveness and how government contractors can implement those requirements in practical ways. Eric, thank you for joining me on the Principled Podcast.
Eric Morehead: Thanks for having me, Jen.
Jen Uner: Government contracting, as we know, can present interesting growth opportunities for business, but it needs to happen in specific ways. Can you start by giving a general overview of the FAR and its compliance program requirements?
Eric Morehead: First, we can talk a little bit about what it is. The Federal Acquisition Regulations have been in place for many years, but the specific requirements we're talking about, the compliance requirements, have been around since mid to late early 2000s. I guess I should say, 2007, 2008 were the two amendments that we're most interested in. And that really brought into the FAR the requirements that most of us who are compliance professionals who are interested in compliance are already familiar with. Seven hallmarks of the federal sentencing guidelines, for example. Things like training, auditing and monitoring your program, code of conduct and other written standards. Those are all things that are mentioned in the guidance. The biggest difference and the kind of key difference between an organization that's subject to the FAR because they're contracting with the federal government is that these parts of an effective compliance program that we're all again fairly familiar with are required when you are a government contractor subject to the FAR versus being good to have or nice to have when you are an organization engaged in any business endeavor.
We talk a lot about the sentencing guidelines and we have to be careful when we're talking about them broadly about being requirements. They only really come into effect for most organizations when they're unfortunately facing potential criminal charges because that's what the sentencing guidelines are for. They've become kind of de facto standard and best practices, but there's no absolute legal requirement for an organization other than those that are government contractors, which we're going to talk more about here for the next few minutes, to have this in place. So that's the biggest difference here is the things that we constantly talk about as being effective components of a program are required when you're a government contractor.
Jen Uner: So required versus guidance, that's the main difference.
Eric Morehead: That's the main difference. For example, the FAR states that an organization must have a code of conduct in place within 30 days of engaging in the government contracting. Also, should note that and there are some exceptions, but for the most part, these compliance program requirements don't affect organizations unless they have a contract value with the government over $5 million. When we say government contractors, we're talking about organizations that are engaged in fairly significant work over $5 million. So within 30 days you have to have a code of conduct and within 90 days you're expected to have other components of an effective program including training and a reporting mechanism.
If you've ever read the sentencing guidelines standards and you read the FAR guidelines, it's going to be very familiar because it uses a lot of the same terminology. When it's talking about a reporting mechanism, it talks about an anonymous reporting mechanism, which is the language lifted directly out of the sentencing guidelines, for example. So a lot of the things that we would normally expect to see whenever we're looking at an effective program, that's going to be what's written into the federal acquisition guidelines as well.
Jen Uner: I'm kind of curious how you prove that you've got those things in place. Is it a bunch of forms or do you send them links or what do you typically do?
Eric Morehead: It's not uncommon for the contracts themselves to have these requirements listed in them. So that is oftentimes where you're going to find some of the more specific enumerated expectations that is common. Also, the contract language itself might refer to the Federal Acquisition Regulations and particularly the section that talks about compliance requirements, which is 52.303-13 for those that want to find it specifically, if you're not already familiar with. It'll either refer directly to the expectations in the Federal Acquisition Regulations or it may have some of those specific requirements listed in the contract. I've seen that before. For example, in contracts with Medicare/Medicaid, oftentimes those will have specific compliance requirements actually in the contracting language itself. I don't know that that's true across the board with all federal agencies, but in some instances it might actually just be they're in black and white.
The FAR themselves say that you have to have these things in place within 90 days of contracting, but we all know those of us who have been engaged in working on compliance programs for a while. If you're starting from zero, it would be pretty hard to have an effective training program, for example, in place within 90 days. You could probably do it. It's going to be difficult to start from the day that you sign on the dotted line and become a government contractor to have all of this in place within 90 days. So I think the other key thing that organizations that are contemplating moving into the space should keep in mind is that you probably need to be preparing well before 90 days to have a program that's going to meet these requirements before you engage in a government contract.
Jen Uner: You don't just win the contract and then start building a program. You want to make sure that you're already qualified.
Eric Morehead: It's possible, right?
Jen Uner: Theoretically.
Eric Morehead: Theoretically. And if you're smaller, the other thing too is like the sentencing guideline standards, the expectation for an effective program varies depending on the size and complexity of your organization. There are some very basic things that all compliance programs should have in place. You need to have written standards. You need to make sure that you have some sort of training and communication effort. You have to have an anonymous reporting mechanism that allows people to properly report. And if you don't have these things in place, then it's hard to imagine no matter what size your organization is that it's going to be deemed an effective program.
Jen Uner: So would you say that the FAR requirements differ in any way from DOJ guidance and federal sentencing guidelines? Or is it just that it's required or is there a different set of compliance requirements to be aware of?
Eric Morehead: We already mentioned that the biggest difference between the expectations in the FAR guidelines and the standards that we find in the sentencing guidelines for effective compliance and ethics programs is that it's a requirement for an organization that's engaged as a federal contractor. There are some other specific things that are called out in the FAR that I think are worth mentioning too that are either slightly different or more enhanced, shall we say, than what you see in the sentencing guidelines. One is the expectation that an organization will promptly disclose any kind of misconduct or potential violation of the law or regulation whenever they discover it. That is mentioned in both DOJ guidance for all organizations, whether they're contractors or not, and also there is a mention in the sentencing guidelines about reasonably prompt disclosure about misconduct that is criminal. So the FAR guidelines are a little bit more specific about that, and it may not be criminal conduct, but conduct that potentially violates the law or regulation should be disclosed right away.
So that is a key component that is slightly different. We already talked about the deadlines. There are no deadlines in sentencing guidelines for when you must have components of your program including your written standards in place, and obviously that's a specific difference that we see in the guidelines. A couple other small differences include the fact that if an organization doesn't have hotline or helpline, it must make sure that there are posters or other clear guidance for their employees and others to call a fraud hotline or regulatory hotline for the agency with which they're contracted with. So in other words, under the sentencing guidelines, an organization is encouraged to have an anonymous reporting mechanism or a hotline or helpline to have an effective program.
If you don't have, it's an either or under the FAR guidelines, you can have that. Or you must post prominently and communicate how individuals can get in touch with the fraud hotline or helpline for the agency with which you're contracting. So that's a slight difference too. But for the most part, when we're looking at the FAR expectations, it really dovetails pretty directly with what we've been promoting for the last 25, 30 years as effective components of any compliance program. So measuring the effectiveness of training or how effective your code of conduct or your reporting mechanism might be. Those same standards are going to apply when you're putting together an effective program under the FAR guidelines as well.
Jen Uner: Thank you for that rundown. That was really thorough. I understand that a large number of government contractors are small organizations. How does company size impact FAR requirements?
Eric Morehead: And that's one of the reasons why I wanted to present on this and talk about FAR. It is kind of the confluence of two danger areas. Obviously, there are some specific requirements that we've been talking about the last few minutes when you're a federal contractor that you must abide by. But also 25% of organizations that are federal contractors are considered small organizations, and by small, I mean really small, in some cases. Organizations that have 500 or fewer employees, sometimes 50 or fewer employees, they make up one quarter of the contracts that are out there. And because they're small and sometimes, not always, but sometimes maybe even newer organizations that have not been around as long. Their compliance programs tend to be less mature, particularly if they haven't been in this space before. If you are a small business and you're operating in a non-regulated environment and you're not a government contractor and say you have 200 employees. Maybe you're a small organization that's smaller manufacturing or something. If you're not in a highly regulated space, you might not have much or any compliance program.
You may not have a code of conduct. You may not be training other than informally training. If you decide through the normal course of business, you are headed towards becoming a government contractor or a government contract has fallen in your lap and you're about to sign on the dotted line. It presents a danger if you're not aware of these requirements. And now again, oftentimes they are contractual and so they might be spelled out very specifically in the contract or they're going to refer to the expectations in the FAR guidelines. So you'll be on notice once you sign the contract, but as we talked about a couple of minutes ago, that might be too late. Or it'll put you in a position where you've got to put together a program at warp speed within 90 days, which is hard to do. So it behooves smaller organizations that are contemplating this to really look at the expectations for an effective program and the specific requirements under the FAR regulations to make sure that they're being proactive before they start negotiating contracts because that's just not a lot of time to get these things in place.
Technically, you could put together a code of conduct pretty quickly, but is it going to be an effective code of conduct? Because that's the other thing that has changed over the last 15 or 20 years is that the expectations around all of these components of programs, and we know this have changed. The expectation of what a code of conduct will look like, whether it's going to be accessible and readable to your population is maybe something that wasn't an expectation 20 or 25 years ago, but certainly is now. Same goes for training. There's expectations now that have been detailed in the DOJ memo over the past few years, as well as other regulatory expectations that the training is going to be effective and it's going to meet those learners, those employees where they are. That the training is going to cover the risks that are appropriate to your organization and not be too generalized, if you will.
That makes it much harder to put something together on a short fuse. If you just need something generic maybe you could throw together a code of conduct in 30 days or put together a training program in 90 days. But we have these enhanced expectations from regulators about how effective our programs are going to be and how accessible different components of those programs are going to be, and that's much harder to do if you're small and you don't have a lot of resources and if you don't have a lot of time.
Jen Uner: So effectiveness really matters.
Eric Morehead: It really matters. It particularly matters if there's any kind of failure. If you have a program that you've really put effort into that is tailored to your organization, you've done your risk assessment upfront and you identified where you need to have training, where you need to have communication and written standards to guide the population on what they need to do and what they need to avoid. Then you might still have a failure but if you have an effective program, that's your shield. That's your shield not only for the worst case scenario and some sort of criminal repercussions for the organization, but it's also potentially your shield for suffering the consequences of violating the terms of your contract as a government contractor. Not having a program or not having a program that's tailored to your organization, whether you technically meet these very basic requirements of having a written code within 30 days or not.
The inquiry, particularly if the regulatory agency is following the guidelines that have been set out for programs by the Department of Justice and the sentencing commission over the years. If they're following those same expectations, they're going to look at your code and determine not only whether you have it or not, whether there's a document that exists, but how effective it is.
Jen Uner: Let's say you have an opportunity to get on the GSA. You're going to be a government contractor. What are sort of the first, second, third things that you would recommend doing when putting together an E&C program that's going to be FAR compliant?
Eric Morehead: Well, first is and always the case, is doing a complete risk assessment of not only what compliance risks you face, so you know where to marshal your resources, but also look at what's in place. We talked about the fact that a lot of smaller organizations don't have much, if anything, in place before they're forced to have a program put in place, and maybe sometimes that's because they become a government contractor and they need to have a program. Let's say you're an organization that does have a code of conduct and does have some training. Step one would be evaluating that and taking a look and see, is this really going to be deemed an effective program under the expectations that we know that are out there now? And what risks are we facing? Does this program address those risks? So the first step always, whether you're a government contractor or not, is the risk assessment process. And that's been reiterated again by our friends at the Department of Justice over the past few years with the program memorandum that they've updated.
That risk assessment piece is the very first thing that's listed as a program requirement in the document. It's under the first heading, is the program well-designed? The first section is risk assessment. That's how you know what the environment is that you're facing and what risks you need to address, and also it allows you to assess what's in place, what controls you already have and whether those are effective. Second thing is those specific components that are mentioned both in the sentencing guideline standards and in the FAR regulation, so written standards, code of conduct. Specifically code of conduct when you're talking about the FAR regulations, it talks specifically about having that code within 30 days. So written standards are really important. Training and communication is specifically mentioned in the FAR guidelines and also obviously in the sentencing guidelines standards, so making sure you have training, a reporting mechanism.
We've mentioned that a couple of times too, so those, along with the other components of an effective program, you want to make sure that you're reviewing those carefully or if you don't have them, that you have a plan for implementing those. And the third thing, which is an important component for any compliance program, again, not just organizations that are government contractors, is how does the program work? How are you measuring effectiveness? What kind of continuous improvement and testing are you doing on your program? That to me is also really important. So you got to do your risk assessment upfront, so you know sort of where the landmines might be, put together those kind of basic pieces of the program and bolt them together. And then on the back end, do your evaluation to make sure you know what's going on. The other thing too, when you're talking about a government contractor, your mileage will vary.
You have to really look carefully at the contract so we know what the FAR regulations say, but they're again, pretty similar to the expectations we see in the sentencing guideline standards and pretty straightforward. But I have heard from government contractors before that there can be some specific compliance requirements in your contract, so you need to make sure that you're obviously meeting any of those specific requirements that are going to be in the contract that may or may not be in the FAR guidance or the sentencing guidelines.
Jen Uner: Rolling back to code of conduct, I mean, we've talked about it several times in this conversation. What does a FAR compliant code of conduct look like?
Eric Morehead: Again, an effective code of conduct for any organization is going to meet those requirements for FAR. FAR is pretty broad in the requirement. Again, the big difference being that it is a requirement that you have to have a code and that code must be in place 30 days from the time the contract is initiated. That's pretty much the extent, and those are significant differences because again, there's no timeframe for an organization that's not a government contractor to get their code up and running and there's also no requirement that you have a code at all. Although we all know that's a best practice, and if something were to go wrong and you didn't have a code, the expectation would be that you would. I think that's the biggie is that it has to be in place, and so you have this fuse lit when you're a government contractor that you just don't have necessarily when you're not. At least when you're setting up your program.
Some organizations are setting up their program because they're forced to do so. It might be some sort of settlement, and so they may not be a government contractor, but they have compliance requirements that are mandated by court orders, for example. But setting those aside, the big difference here, again, going back to the very top of the conversation is it's a requirement. You can't dither, you can't decide that you want to spend your limited resources somewhere else. You have to have a code. You have to train. You have to have a reporting mechanism that meets with the requirements under the FAR guidelines or provide communication and access to a government monitored fraud hotline. These are things that are just you have to have and you have to have within a time certain if you're going to be in compliance.
Jen Uner: One of the nice things about codes is they're really about values, not just rules. Rules are good, values are better. One of the things that we like to say here. As you're trying to build a culture of compliance, a good ethical workplace culture, what are some of the things, practical ways that contractors can ensure they're promoting in a way that's consistent with FAR expectations?
Eric Morehead: Ultimately, having an effective compliance program, as you know Jen, you can't have that if your culture is poisonous or ruinous. And so having a program that not only addresses the very specific requirements in FAR but actually is a program that is value centered, helps and encourages employees to speak up and ask questions when they are not sure about what to do and report concerns that they have. And again, regardless of whether you're a government contractor or an organization that has no intention of ever being a government contractor, that's how you get into an effective program. The rules of making an effective program that we talk about all the time don't really vary just because you are a government contractor. What changes are some technical requirements that you need to make sure you are in compliance with. That you meet those deadlines that we talked about, that you have certain components of a program in place, but if you have an effective program, this is again what I said at the top.
If you have an effective program in place or you're building an effective program, it will meet these requirements. Again, regardless of whether you're a government contractor or not. Those don't change. The other thing that is true is the big thing that's kind of shot through the FAR guidelines, also the DOJ guidance, is they're really, really interested in organizations detecting misconduct, and once they detect misconduct, speaking up to the agency about it. In other words, coming forward, and then they say this in a prompt manner with any kind of potential violations of the law or regulation. So if there's misconduct in your organization and you have a culture where people are afraid to speak up or concerned about retaliation, it doesn't matter if you have a FAR compliant code of conduct and a FAR compliant reporting mechanism if nobody's going to read the code or call the hotline or helpline.
So the effectiveness of your program depends a lot on culture. Although culture is not specifically discussed within the FAR guidelines, and for that matter, it's only kind of broadly discussed in the updated sentencing guidelines. It's still probably one of the more fundamental things that you need to have to have an effective program, whether you're a government contractor or not, because you're just not going to get there. If you just kind of hit your marks, so to speak, have a code, have training, but that training's not effective and it doesn't reach the population it's supposed to reach and doesn't communicate to them what's important. And you have a reporting mechanism, but nobody ever calls it or would think to call it because they're concerned about retaliation. Then while you've met the letter of the rules for having a FAR program, it's not really an effective program. It doesn't meet those expectations ultimately.
Jen Uner: Very, very well put. Eric, this was a really interesting conversation today. I want to thank you for joining me on this episode. I learned a lot.
Eric Morehead: Well, it was my pleasure.
Jen Uner: My name is Jen Uner and I want to thank you all for listening to the Principled Podcast by LRN.
Outro: We hope you enjoyed this episode. The Principled Podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance in global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at LRN.com to learn more, and if you enjoyed this episode, subscribe to our podcast on Apple Podcasts, Stitcher, Google Podcasts, or wherever you listen, and don't forget to leave us a review.