Demystifying the Compliance & Ethics Requirements of FAR 52.203-13
Breakout Session C3
Amy E. Hutchens, JD, CCEP; amy.hutchens@wrmi-llc.com
WATERMARK RISK MANAGEMENT INTERNATIONAL, LLC
© 2012 Watermark Risk Management International, LLC. All Rights Reserved.
Date: November 5, 2012
Time: 3:30-4:45pm
Overview
- Background of the Requirements
- Checklist of Requirements
- Risk Assessments
- Codes of Conduct
- Workforce Education & Training
- Monitoring and Auditing
- Mandatory Disclosure
Background of FAR 52.203-13/14
- “Government contractors must conduct themselves with the highest degree of integrity and honesty.” FAR 3.1002
- Current rules became final in 12/2008
- The requirements echo Chapter 8 of the U.S. Federal Sentencing Guidelines, applicable to ALL companies
- Are still being updated, as recently as 9/2011 (hotline poster requirement)
Checklist – Are You Ready?
- Periodic risk assessment
- Code of Conduct
- Training of personnel
- Monitoring and auditing to detect issues
- Hotline – anonymous & DoD, if applicable
- Periodic review of business practices, procedures, policies and internal controls
- Disciplinary procedures
- Due diligence on principals: background investigations
- Mandatory disclosure for 3 years after closeout
- Full cooperation with government inquiries
Risk Assessment - GETTING IT DONE RIGHT
- Assemble the Stakeholder Team
- List the legal & compliance areas that touch the company
- Use a simple scale at first: 1-3, Low-High, Red, Yellow, Green
- Rank as to PROBABILITY & IMPACT
- Consider company history, industry history, enforcement trends, operations
- Once accomplished, you know where to spend your limited resources – on the highest risks
Risk Assessment - GETTING IT DONE RIGHT
- Rank risks from highest to lowest
Answer Options: Low (unlikely), Medium (possible or likely), High (probably), N/A
Risk Assessment - Intellectual Property
- Failure to register copyrights in a timely manner: 2 1 2.33
- Former employees' use of protected IP: 2.00
- Theft or unauthorized use by third parties (contractors) of K12 protected IP
- Use of third party trademarks: 1.67
- Theft or unauthorized use by current employees of K12 protected IP
- Failure to mark copyrighted materials properly
- Failure to protect key unregistered marks of acquired companies
- Infringement of third party patents
- Failure to identify when copyright should be registered
- Infringement of third party copyrights (include risks associated with teacher/student use of material)
- Failure to obtain licenses to use IP from third parties: 1.33
Risk Assessment
- In years 2-5, grow to a more sophisticated scale to capture more subtlety in risk variance
Code of Conduct - GETTING IT DONE RIGHT
- Code is the paramount communication of “tone from the top”
- Code sets forth the values of the company
- Code should address the highest risk areas from the Risk Assessment, including expected conduct
Code of Conduct - BEST PRACTICES
- Clear, authentic message from CEO/President
- Content Based on Risk Assessment
- Corporate Values
- Clear and Prominent Non-retaliation Statement
- Reporting Information: hotline, website, point of contact
- Who the code applies to: vendors? subs? Independent contractors?
- Plan for roll-out of the code; timing and presentation matter
- EDUCATE & TRAIN your workforce on the code – maintain proof it was distributed/published
- Code is NOT a legal document, should be written at the 6th-8th grade reading level
Code of Conduct - Not-so-BEST PRACTICES – “Don’t”
Compliance with Laws
The Company is subject to many laws and regulations in each of the countries or regions in which it operates, covering subjects as diverse as antitrust, commercial relationships, consumer protection, employee rights, environmental protection, insider trading and taxation. Such laws and regulations differ substantially in form and substance due to different cultures, traditions and political systems; but failure to comply with any of them can result in serious damage to the Company’s assets and reputation.
Policy on Compliance with Laws
It is the policy of the Company to comply with all laws and regulations applicable to its operations, as such laws and regulations are authoritatively interpreted and administered.
HUH?!
Code of Conduct – BEST PRACTICES – “DO!” Now I get it...
Workforce Education & Training - BEST PRACTICES
- Focus training resources on the highest risk areas – use your risk assessment!
- To effectively train your workforce, you must use adult learning principles: Visual, Aural, Tactile
- Adult Learners must know WHY they need to learn something
- Use blended learning solutions: online, in-person, quick email blasts, posters, quizzes, contests, core values contacts
- When misconduct or mistakes are discovered, train on what went wrong
- Training should not be annual – it should be more often, and “operationalized”
Monitoring and Auditing - BEST PRACTICES
- Establish methods to monitor the highest risks (require 2 signatures for checks, randomly inspect travel vouchers, use other internal controls)
- Ask employees about knowledge of misconduct and perception of ethics and compliance during annual performance evaluations
- Ask departing employees about witnessed misconduct during exit interview
- Have a third party audit accounting practices and your compliance and ethics program
- Rotate internal audits of federal contracting risk areas: small business utilization, timekeeping practices, affirmative action plan requirements, cost allocation, etc.
Monitoring – HOTLINES - BEST PRACTICES
- Monitoring includes having a HOTLINE for reporting, and posting the hotline information
- FAR requires a mechanism which allows for anonymity or confidentiality
- Encourage the use of your hotline; train on how to use it and when to use it
- Be sure to post DoD or DHS hotline information in addition to your own hotline, as required by the FAR and your contracts; one is no longer enough
Mandatory Disclosure - BEST PRACTICES
- Form a team – designated to discuss what may be subject to disclosure.
- Form a process the team will use to decide what may need to be disclosed.
- Get legal counsel involved.
- Educate your workforce on the company’s obligations to disclose, tie it to their obligation to report.
Mandatory Disclosure - BEST PRACTICES
- Timely disclosure – yet undefined;
- In writing;
- To the agency Inspector General;
- Credible evidence (yet undefined) that a:
- Principal, employee, agent, subcontractor;
- Committed federal crime involving fraud, conflict of interest or bribery/gratuity violations or False Claims Act;
- In connection with the award, performance, closeout of any federal contract;
- Obligation continues for 3 years after final payment.
- Failure to disclose is a basis for suspension/debarment
Questions to Ask – Making the Grade
- Do we have a code of conduct? What is in it? Who drafted it? Do we train on it? How do we prove our employees received it? Is it working?
- How do we train our workforce? Is it working? What are we training on? Are they topics that are high risk for us?
- Have we done a risk assessment? Have we revisited it recently? Does it accurately reflect our risk picture?
- Do we have a hotline? Do we encourage its use? Do we have the required posters up where they need to be?
- Are we effectively monitoring and auditing our risk areas?
- Do we have a method to mandatorily disclose?
Watermark Risk Management International, LLC
Service-Disabled, Veteran Owned Small Business
Three areas of expertise:
- Ethics and Compliance & Legal Risk Management
- Critical Infrastructure Protection & Physical Security Planning
- Continuity of Operations Planning / Business Continuity Planning
Follow us on Twitter @EthiFocus
Follow us on Pinterest Ethifocus
Visit us on the web @ www.wrmi-llc.com