Compliance for Small & Micro Businesses

Introduction

In the mega-large company world of government contracting, many Huntsville-based businesses are relatively small, ranging in size from a company of one employee to several hundred employees. Decades of promoting small, disadvantaged, and service-disabled businesses and an historic increase in the influence of the Small Business Administration have created an exciting entrepreneurial environment in Huntsville. Today we are blessed with numerous micro and small, Huntsville-based, engineering services companies.

Both of the authors of this article work for companies which are relatively small, and we both advise in the areas of compliance, ethics, and risk. Small businesses are particularly vulnerable because we don’t have all the resources of a large company that can devote thousands of hours and dollars to compliance programs. Small businesses like ours tend to run lean operations, and we make our profits by being focused on doing a few things well and being nimble and responsive to the customer.

Small business owners who are successful tend to prioritize well. That ability to prioritize is helpful to remain focused and keep the main thing the main thing. However, it’s also extremely important to put ethics, compliance and risk into the crosscheck and not allow them to be pushed aside in the business world where competing priorities are the norm. This article seeks to help small and micro businesses, particularly young companies, with their compliance programs.

Why Compliance Programs are Important

A bona fide compliance program is the first line of defense in a government investigation. The adoption and implementation of a compliance program helps a business identify and mitigate its risks before the dark suits show up at your office. An effective compliance program helps identify and safeguard against improper payments, false claims, fraud and abuse, and many other risks which could result in an adverse action by a governmental entity. 

Corporate compliance can seem daunting, but a bona fide program is manageable for any company of any size. The important thing is that business leaders treat it seriously and give it a reasonable amount of time and attention. Business leaders who seek to have a compliance program that is not merely a collection of paper or a binder on a shelf can dramatically reduce risk for their company. Remember that compliance is not a quick fix to the latest hot problem and a string of hollow words. An effective compliance program is a living, ongoing process that is part of the fabric of the organization. You can think of a compliance program as a demonstrated commitment to an ethical way of conducting business and a system for helping individuals do the right thing.

Importance of the Federal Sentencing Guidelines

To begin your compliance program, we recommend looking to the Federal Sentencing Guidelines. It may seem an odd place to start, but the Guidelines lay out the basic requirements of an effective compliance program. The Guidelines have been amended many times since their inception. The current Guidelines were promulgated by the United States Sentencing Commission in 2015.[1] What has remained consistent is the defense of “mitigating factors.” The prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the potential penalties and probation terms for the organization and its leaders if convicted and sentenced for a criminal offense. What the governmental entity will be looking for is a good faith effort to prevent the violations they are investigating. If a company can show it has a program in place to identify these risks and a process for handling them when they arise, the penalties which may be imposed will be much lower than if the company does not have such a program.

For small and micro businesses that may just be starting up, you too should take heed. Don’t put compliance, ethics and risk on the shelf as something you will address later. Weave it into your culture now, from the start. Here are some tips that any company can do, even a tiny company with only a few employees.

Roadmap

We propose an 18-month process to fully develop a proper compliance program.

Month 1 -- Make some notes about the risks you can think of, or find out about, that apply to your company currently and that your company may face as you grow your business. Consider laws, regulations, safety, reputation, and cyber security, and be very specific, even if it appears some risks overlap others. Do some research and find out how similarly situated companies have found themselves in trouble. Don’t rush this. Keep a scratch pad on your desktop and your phone. Make notes as you research and talk with colleagues.

Month 2 -- From your notes, do your best to create an organized list of your risks grouped by theme. There’s no special or magic way to do this. You will probably find yourself grouping your risks into such areas as Accounting and Payments, Code of Conduct, Contracting and Subcontracting, Data Privacy and Security, Employment Rules, Intellectual Property, ITAR, OCI, etc. You can even break the listed areas down further. For instance, under your risk area for Code of Conduct, you might want to include such risks as: Procurement Integrity, Illegal Gratuities, Lobbying Restrictions, Collusive Bidding, etc. Understand and note the rules that govern in these risk areas as best you can. If you are not a lawyer, then simply do this part to the best of your ability.

Month 3 -- Take your list to a business attorney and get some help organizing and fleshing it out into what we call a “Risk Framework” (we don’t use the term “Risk Assessment” here because you need not have in-depth quantitative or qualitative estimates at this phase). Some business owners will want to jump right to this step, but we advise against it. It’s very important that business owners understand and internalize their risks. The process in steps one and two is part of a bona fide beginning that lays groundwork for good compliance, ethics culture, and proper attention to risk throughout the life of the company.

Month 4 – Hold the first meeting of your Compliance Committee. We’re often asked, “Who should be on our committee?” If you are a company of one person, you should simply set aside time on some regular basis for compliance work and “thinking time”. If you are a company of two people, it’s going to be you two meeting on some regular schedule. If you are bigger, we recommend you choose a couple of people to form a standing committee of three or four. 

Standing compliance committees in small companies might consist of: the Director of Human Resources, the Director of the Business Office, and a “Compliance Committee Coordinator.” The coordinator generates and maintains committee minutes. The committee chair and members should be designated by the company owner because of their track record for good judgment and discipline. The chair and members absolutely must have the ear and the respect of the owners and managers. The chair should be able to add ad hoc members as needed from time to time depending on the areas of review the committee is tackling. 

The compliance committee should make a meeting schedule and stick to it as closely as possible. Every other month or every quarter is a reasonable schedule unless there is a need for more frequent meetings. Keep minutes and any attachments to the minutes. This is very important because undocumented efforts aren’t effective if you need to provide a defense that meets the expectations of the Federal Sentencing Guidelines. 

Next, draft a simple handbook that outlines your approach to compliance in simple terms. This need not be long or complicated, but it should lay out how you intend to methodically approach compliance in your company. The handbook should contain a list of the questions that should be asked and answered every time the compliance committee meets. This is important to show that each area of risk was thoroughly examined and considered.

Use your risk framework to organize your efforts. As you review an area of the company, work closely and collaboratively with the employees in your business whose responsibility it is to carry out the work. For example, let’s assume your risk area of review is Cyber Security and the compliance committee works with IT to complete the review. IT may decide they want to use a checklist for the portion of the review that deals with Safeguarding Sensitive Information. Attach any checklist, PowerPoint presentation, etc. that is used when IT sits down with the committee to go over the review area.

Month 5 through 17 -- Communicate the key expectations to all employees through training sessions or company memos, but most importantly, make sure you document that these expectations were communicated. Continue meeting with your committee and adjust the handbook content as you discuss these risks with your team. You may discover other areas of risk or determine that what you thought was a risk at day one is not really that big of a deal and does not warrant continuous monitoring. Carry out your compliance efforts through month eighteen and document what you do.

Month 18 – Take the documentation of your efforts back to the attorney who helped you with your risk framework. Ask them to conduct a desk audit and advise you on ways you can improve your efforts. As mentioned before, the compliance program is a living program and should always be evaluated and adjusted to match your company’s needs and the ever-evolving risks it faces.

Closing

Many large companies with expensive, complicated compliance programs have lapsed and forgotten or strayed from their simple, ethical beginnings.[3] Start right and stay on the right path when it comes to compliance and ethics. The most important thing about any compliance program is that it is bona fide. Owners should approach it with genuineness and authenticity. Document all efforts. Be methodical and intentional. No business owner or manager can reduce their risk to zero, but if your approach to compliance is bona fide, your risks are automatically much reduced. 

Mary Scott Hunter, Esq. -- Intuitive Research and Technology Corporation, Huntsville, AL

Vickie A. Gesellschap, Esq. -- ADS LLC, Huntsville, AL 

*DISCLAIMER - The content on this article is offered only as a public service to the small business community and does not constitute solicitation or provision of legal advice. This article should not be used as a substitute for obtaining legal advice from an attorney licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified attorney regarding any specific legal problem or matter. The comments and opinions expressed in this article are of the individual author and may not reflect the opinions of the firm, company or any individual attorney. Nothing on this article is intended to create an attorney-client relationship and nothing written constitutes legal advice.



[1] https://www.ussc.gov/guidelines/2015-guidelines-manual

[2] Federal Sentencing Guidelines (2015), §8B2.1

[3] Volkswagen Emissions Scandal Speaks to Troubled Culture by Carrie Penman, Sept 15, 2015. https://www.navexglobal.com/blog/volkswagen-emissions-scandal-speaks-troubled-culture



