Blog

A Siemens AG (NYSE:SI) subsidiary's widely reported problems with a whistle blower and federal government contracts should serve as a cautionary tale for all businesses now subject to the FAR/DFAR mandatory disclosure requirements.

This week at the National Contract Managers Association's (NCMA) Annual Congress in Long Beach, California, I heard a number of concerns from those nervous about the FAR/DFAR's new ethics and mandatory disclosure requirements for government contractors. But, I also heard many strong indications from government contracting officers that they view this new basis for suspension and debarment as being both welcome and long overdue.

This is the first in a series of posts about the many new compliance obligations contained within the recently signed, recovery Act, formally called the American Recovery and Reinvestment Act. The initial posts will not focus on the expected reforms related to new rules for executive compensation at companies taking government bailout money but instead will highlight lesser known new policy reforms on data protection and privacy, healthcare, taxes, and corporate whistleblowers. Part One looks at how the law expand's HIPAA scope and the the compliance risks associated with breaches of Protected Health Information or PHI. To enhance enforcement, the Act also makes HHS audits of HIPAA-covered companies mandatory and requires investigation of privacy and security rule related complaints. Although we can describe the rough contours of the changes based upon statutory language the HIPAA provisions also will be subject to rulemaking that will determine more exactly how challenging managing the new reforms may be.

This is the first in a series of "Thinking About Risk" posts directed at improving business processes among the growing number of government contractors facing the new federal compliance requirements which include mandatory disclosure regulations.

Non-Disclosure Agreements (NDAs) have become a ubiquitous part of doing business with the government and with other government contractors. Yet the proliferation of NDAs may have actually increased the risk of failure to protect and safeguard truly sensitive information such as trade secrets. While the use of NDAs provides evidence of an intent to comply with non-disclosure requirements, we must ask whether their overuse--often driven by an abundance of caution and the desire to assure the availability of a legal defense should it become necessary-- actually increases risk by undercuttting the true value of such instruments.

Why the FAR Amendments?

Any federal prosecutor worth his or her salt understands exactly why the Federal Government is trying to regulate ethical behavior with amendments to the Federal Acquisition Regulation (FAR). Unfortunately, the answer has very little to do with reducing fraud or transforming U.S. Government contractors into bastions of ethical behavior and culture.

The unwillingness of employees to report misconduct, even anonymously to corporate ethics offices or external hotlines, poses a continuing risk to companies, as I observed in my posting in January, "Dangerous Silence"

Some time afterwards, I had lunch with Norm Augustine, the retired chairman and CEO of Lockheed Martin, and we discussed that topic. He brought up a salient point, and I asked him to post it on our blog.

Speaking at a recent National Association of Corporate Directors (NACD) chapter meeting, I was stunned to hear CEOs and directors alike question why they should care about data quality—after all, isn’t that just the CIO's problem?
To my even greater surprise, among the least concerned in attendance were those who, like myself, were lawyers by training. Executives, Directors and ethics or compliance officers all need to recall the computer science teaching mantra “Garbage In, Garbage Out” or GIGO coined in the early days of computing to remind students that computers, unlike humans will unquestioningly process the most nonsensical input data and produce equally nonsensical output.

Prevent Misconduct? First, understand the causes: Why do companies spend so much time and money teaching their employees about laws, regulations and company policies? Is it because executives believe that serious misconduct is the result of ignorance of the rules? Or, is it because they want evidence with which to absolve themselves when employee misconduct occurs—it’s not their fault, they told employees the rules. Why do employees break the rules, anyway?