Company-Wide Compliance Programs: Assign Responsibility & Create Accountability
By David Allison & Susan L. McGreevy
As a construction company grows and expands, so do the intricacies, nuances, and responsibilities related to its projects.
From contract requirements, HR compliance, and data/IT protection to permits and risk management, these responsibilities and more are often delegated to employees with already heavy workloads and therefore not given the necessary time and attention. As a result, the neglect of these impactful details is unfortunately only discovered after it has turned into a problem.
Do any of the following scenarios seem familiar?
• “The State Department of Labor called because one of our subcontractors – that was terminated for default – never submitted certified payrolls. According to our PM, all of our subcontractors send their certified payrolls in directly, not through us. Now that the subcontractor is gone, we have no idea how many workers he had, what their hours were, or how much they were paid. The State says it can suspend our right to perform public work.”
• “By sheer coincidence, I discovered that only about half of our subcontractors had supplied proper insurance certificates before starting work onsite. Our field staff said that they were under so much pressure to get the job started that they figured that they would clean up the paperwork later – when they got the subcontracts issued.”
• “The government is rejecting our equipment, claiming a Buy America violation. It turns out that the version that applies to this job is different from prior jobs. How was I to know?”
• “Why are the state highway inspectors refusing to sit in our box at the playoff game? In other states where we operate, they are still happy to let us entertain them.”
• “We missed our mechanic’s lien filing time again. Accounting says that this is my job to monitor, but I say that they are in the best position to track late payments.”
Some contractors have decided to decrease these and other risks by establishing a program to assure compliance beyond government regulations and account for the many details that impact a company’s success.
How to Create Company-Wide Compliance
David Allison is responsible for ensuring his company’s policies are followed, and Susan McGreevy has guided construction companies in establishing systems to assure compliance. Together they’ve provided seven steps to help you implement company-wide compliance.
Before you set out to create a compliance program, consider the following factors:
• The size of your company: How many employees are there? How many projects are performed simultaneously and/or throughout the year?
• Where work is performed: Is all work performed in one locale or throughout multiple states? Is there any foreign work?
• The type of work performed: Is there only one type of work, or are there multiple types?
• Customer base: Are there just a few customers/contracts that you know well? Or, are there many new and/or unfamiliar customers?
• Public vs. private work: Does your company perform local, state, and/or federal projects, or just private work?
• Third-party concerns: Are your company’s bank/surety/insurer/indemnitors particularly concerned about any issues?
• Use of equipment: Does motorized equipment go out on public roads?
• Types of agreements: Is it signatory to collective bargaining agreements? Are union-affiliated subcontractors used?
These factors (and more) will contribute to the amount of tracking and oversight your company might want to implement.
Step One: Assign the Leader(s)
After considering your responses to the previous questions, the first step is to determine who will lead your company’s compliance efforts. For larger contractors, it may make sense to create the position of Chief Compliance Officer (CCO); in smaller companies, the responsibility could be added to one or more existing job positions.
This compliance officer role would not be required to actually complete the tasks (although it may be appropriate for him or her to perform some of the compliance work); rather, he or she would be responsible for ensuring every task is assigned and holding those people accountable.
Compliance Officer Qualifications
A qualified compliance officer is persistent, has a keen eye for details, is willing to confront employees who aren’t following company policies, and has earned the respect of company owners so that his/her recommendations (including discipline for offenders) will be heard.
Since adding new duties to already over-committed staff is seldom the answer, it might be better to segment the responsibilities. Regardless of how they are assigned, it is essential that the person(s) assigned to a responsibility clearly understands the importance of the job (formalized in the job description) and that it is tied to performance evaluations.
Training is available through industry associations, publications, and seminars to help bring the compliance officer up to speed.1 Some of these programs are focused on specific aspects of compliance (e.g., business ethics, HR, fraud, or environmental), while others are more generic. It may be necessary to put your own training program together to cover all the subjects that your company needs.
Step Two: Determine What to Monitor
Once a compliance officer is appointed, he or she must figure out what needs to be monitored. Start by analyzing:
Current Customer Requirements & Contract Details
What has your company promised to do? Are there any special safety programs, insurance requirements, confidentiality agreements, record retention policies, etc.? For example, customers may have different rules for organizing and retaining the same data. Who decides which rules are followed?
Is your company required to sign confidentiality agreements with customers and institute specific practices for more extensive background checks than what is normally performed? Or, is it required to assure the customer that none of your employees or subcontractors will film or photograph the customer’s facility, or retain or share access to plans or plant layout? Who is training all of these folks to ensure your company meets this obligation?
Company Subcontract & Purchase Order Requirements
What is required of your subcontractors and suppliers? While much time and effort may have been spent drafting written agreements, do you know who is following up to ensure compliance with the terms? Who signs off on changes in terms that are not consistent with your forms?
For example, a contractor was getting signed subcontracts for all of its large and regularly used subcontractors performing scopes of work. However, its staff did not consider the cleaning crew, fencing subcontractor, replacement subcontractors, etc., in the same category and had them on the job without a signed subcontract.
Such “small” subcontractors (e.g., anyone performing labor services on your jobsite) pose a substantial risk of loss disproportionate to the subcontract amount, and the loss exposure can only be covered with a subcontract that has proper workers’ comp insurance.
Public Contract Requirements
If your company performs public work, then it will be required to comply with additional laws and regulations. These requirements may differ among owners and can change over time.
The compliance officer should delegate the responsibility of reviewing every contract and noting all such requirements. Then, compliance responsibility should be assigned to departments or employees based on the subject:
• Accounting may be responsible for regulations on certified payrolls, payment applications, and change orders;
• HR may be responsible for workforce diversity;
• PMs may be responsible for MBE/WBE goals; and
• Field forces may be in charge of inspection, testing, and safety.
Also, consider whether your contracts require an Affirmative Action hiring program. If so, is your company in compliance? Depending on the size of the project, a formal Ethics Compliance program may be required.
Motorized Vehicle Compliance
The Federal Motor Carrier Safety Administration Regulations2 are extensive for both drivers (hiring, training, recordkeeping, restrictions on driving, and discipline) and vehicles (inspection, maintenance, loading, and documentation) that could go on public roads, including backhoes, bulldozers, lifts, and trucks.
All employers are required to preserve the privacy of some types of employee information, and there are stiff penalties for violating the Health Insurance Portability and Accountability Act (HIPAA)3 or disclosing employees’ social security numbers. Do you know who has access to this information? Have all those people been trained about where the data is stored and how it must be protected?
Most companies have a dedicated staff or department to handle HR. Do these employees have the training to assure that employment practices (from questions asked during the hiring process to policies on time off to how employees are terminated) will not lead to lawsuits? Is the person responsible for non-discrimination able to monitor and discipline violators? Are anti-harassment and anti-retaliation policies in place and enforced?
Aside from any customer requirements, it is crucial to have control over your data and communications. Do you have back-up and redundant systems in place to ensure business continuity in the event of a problem? Do you have adequate malware protection? Remember, Target’s massive breach of customer credit card data began with an HVAC contractor that had its network credentials issued from Target stolen in a malware attack.4
Also, how do you verify that the proper process is followed for wire-transferring funds? For example, a project owner’s Operations Director recently received a “phishing” e-mail, which was forwarded to the owner and ended up being forwarded to a Title Company, which then sent a contractor’s next payment by wire to a bank account in Arizona instead of by check per the contract. The owner did not know it had been defrauded until the contractor called to ask when it was going to get its nearly $1 million check! The owner and the contractor both learned to require a mobile number that is used to authenticate such requests before making any change in how payments are made.
Overcharging a customer can lead to as many problems as underbilling. Are invoices going out on time? Who checks them for accuracy and any contractual limitations? Are proper internal controls in place?
Most construction contracts require permits and many trades must be licensed. If work is performed in multiple states, then you may have to register as a foreign corporation and pay annual fees. Are these being properly maintained and only terminated when it is safe to do so?
Most contractors rely on brokers and agents to guide them on what specific insurance they should purchase. But that does not relieve a contractor of the responsibility for deciding what risks it is willing to take and how much it is willing to pay for them to be covered.
Many contracts require unique coverages, which may or may not be picked up by the people obtaining the insurance. This is, unfortunately, one area in which you may not realize that you did not buy the right coverage until it is way too late.
It is beyond the scope of this article to list all of the potential environmental laws that may require compliance (e.g., air, water, storm water, material handling). However, the consequences of violations can shut a job down and the fines can be staggering. Do you have a staff member who is on top of all these laws?
Many owners (and GCs) layer their own safety requirements on top of your company’s own programs and training, and requirements may differ from one job to the next.
Quality Control/Field Work
Claims, delays, and lawsuits could be significantly reduced if problems with materials or labor were caught earlier. Few contractors intentionally perform poor work, but if a supervisor wasn’t around the day the work was being done, and the workers did not have clear instructions, then unintended consequences can occur. A vigorous quality control program can make a contractor’s reputation (and profitability) as easily as a poor one can ruin both.
Many subcontractors are taking on more work than they can adequately staff or supervise, increasing their risk of non-performance. Do your PMs know to monitor subcontractors for signs of impending default (e.g., inadequate crews or materials, COD deliveries, or lack of responsiveness)? Do your PMs know what they have to do to issue a “cure letter” (giving 3-5 days’ advance notice) and where a termination notice has to be delivered? Do they know that they may have to also give advance notice to a subcontractor’s surety (or a GC’s SDI carrier)? Failure to do any of these things can prevent recovery of costs, and failure to train your PMs in how to do this will only increase the chances of a problem.
Step Three: Assess Who Is Doing What
Once you fine-tune your comprehensive list of compliance needs, the compliance officer must then learn who is currently covering each area, and what specifically that person(s) is doing.
Step Four: Find & Fill the Gaps
This is potentially the most time-consuming step for the compliance officer, and it may be beneficial to consult with third parties (e.g., accountants, lawyers, consultants) to see where procedural gaps exist and get suggestions on how to solidify programs. The compliance officer will then figure out, in conjunction with other managers, what makes sense depending on the nature of the risks. The compliance officer will then have to go back to individual departments and people to work out how to implement new systems.
For example, there might be three separate divisions of a company working within the same city. One of those contracts for a government agency, however, may require all man-hours worked in the entire city to be reported, forcing an audit to be conducted of unrelated payroll data of the separate divisions for inclusion in the reports.
The right people must be assigned compliance responsibility and notified that they will be held accountable. Modify job descriptions to include specific duties.
Step Five: Monitor Compliance
Determine how to monitor the subject areas to assure that the systems are working as intended. Those who are responsible may need to copy the compliance officer on filings, provide access to a database to record entries confirming that all permits were obtained or MBE/WBE goals were met, or create dashboards to highlight noncompliance. However, for other tasks, the compliance officer may need alternative means of verifying compliance, such as being given access to a database of signed subcontracts.
Step Six: Audit (Internal or External)
Audits are essential to ensure compliance. While it may not be necessary (or even appropriate) for the compliance officer to perform the audits, he or she must assign the responsibility to an internal or external party. Selective contracts can be pulled or company policies identified and their requirements checked against what the assigned staff is doing. Similarly, payment applications or change orders could be reviewed to assure that the backup is in order. These audits are often the only way that companies ever find out what they have missed – unless a government agency finds out first.
Step Seven: Address Problems
While mistakes are inevitable, what sets great companies apart is how they handle mistakes and whether they learn from them. The company culture must be accepting, and should even expect, that employees come forward when they see mistakes occurring or things falling through cracks.
If there is no intentional malfeasance, then there should be no adverse consequence for offenses (although, at some point, sloppy work and oversights cannot be rewarded) since the goal is to figure out what failed and how to improve the process. This may require re-filing documents with owners or regulatory agencies, instituting corrective action plans, or getting outside lawyers or accountants involved. But, if the compliance officer does not see that the problem is solved, the system will lose integrity and much effort will have been wasted.
Your Company’s Future
Compliance with company and government policies requires a checks-and-balances system. It is essential to put forth the effort to create a control system with dashboard notifications when noncompliance occurs. Most contractors would rather ensure proper compliance measures are in place than gamble on haphazard processes, leaving their competitors with the upper hand.
2. See 49 CFR Parts 300-399.
3. See Public Law 104-191 (1996).
David Allison, CCIFP, CPA, is Chief Administrative Officer for Crossland Construction Company, Inc. and related Crossland family entities in Columbus, KS. With more than 30 years of experience in public accounting, David’s duties include strategic and financial leadership for the family enterprises, including HR, IT, corporate finance/accounting/tax, enterprise risk, and internal support.
David is a longtime member of CFMA and its Kansas City Chapter, and is a prior author for CFMA Building Profits. He is also a member of AGC and is Chair of its Financial Issues Committee. He earned a BBS in Accounting from Kansas State University.
SUSAN L. McGREEVY is Partner at Stinson Leonard Street, LLP in Kansas City, MO, where she advises contractors, sureties, design professionals, and owners in their day-to-day business ventures. She specializes in drafting and negotiating of all types of agreements, dispute resolution, strategic and succession planning, and representing sureties in bond claims and litigation. Previously, Susan was a trial attorney for the U.S. Department of Justice.
A member of CFMA’s Kansas City Chapter for more than 10 years, Susan is a longtime author for CFMA Building Profits and has presented at numerous industry events.
Copyright © 2016 by the Construction Financial Management Association (CFMA). All rights reserved. This article first appeared in CFMA Building Profits and is reprinted with permission. CFMA Building Profits is a member-only benefit; join CFMA to receive the magazine.