Beware of the big stick carried by the government. It’s called the False Claims Act, and contract and environmental managers have long known that they can’t just sign the myriad of required certifications to the government without risk of organizational and personal prosecution. You can’t just cross your fingers and hold your breath, hoping no one notices if your certified statement isn’t true. In many instances, the penalty for admitting a compliance failure or weakness up front may be small, but the cost of filing a false statement or false claim (a false statement tied to a government payment) can be huge. Now, Chief Compliance Officers and other GRC executives are learning it the hard way.
The complaint filed this week against Christi Sulzbach, who was the Associate General Counsel and Corporate Integrity Program Director at Tenet Healthcare Corporation (Tenet), makes that point loud and clear. Sulzbach is alleged to have signed and provided to the Government declarations that falsely stated that, to the best of her knowledge and belief, Tenet was in material compliance with all federal program legal requirements, despite her allegedly having received legal opinions to the contrary. The government also alleges that these false declarations allowed Tenet to bill Medicare for millions of dollars in claims that it was not legally entitled to receive.
It’s just a signature on a standard required clause, right? WRONG. It’s a signature that is now exposing Ms. Sulzbach to hundreds of millions of dollars of potential liability PERSONALLY, even after Tenet has settled with the government for more than $920 million.
I used to jokingly call the Chief Compliance Officer job the “designated scapegoat,” but cases like this one highlight the importance of taking the job seriously. Understand what government contract laws and regulations apply to you and your organization. Use a consistent approach to manage compliance. Don’t sign things that put your personal reputation, assets and possibly even freedom on the line – unless you have undertaken the necessary investigations to know that what you are saying is true. Don’t assume that no one checks. Don’t step into the line of the swing of that big stick.
Thursday, September 20, 2007
Beware of the Big Stick Carried by the Government
Posted by Carole Stern Switzer, President, OCEG at 11:46 AM
Labels: chief compliance officer, compliance, corporate crime, ethics, false claims, government contracts, GRC, legal
Friday, August 24, 2007
GRC - More than Three Letters
To be clear, there are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on. To understand the complete portfolio of processes related to GRC – processes that help an organization drive toward objectives while staying within boundaries – consider the following areas:
Governance. Processes typically executed by the board, corporate secretary and governance professionals including board management; staying qualified to do business; shareholder / stakeholder relations; setting and evaluating performance against enterprise objectives; vetting strategy; evaluating executive performance; risk oversight; etc.
Strategy. Processes typically executed by the chief executive officer, “c-suite” as a whole and strategy professionals including: setting strategy; designing balanced scorecards; managing corporate performance; merger and acquisition activity; etc.
Risk Management. Processes typically executed by the chief risk officer, business line and other executives including: identifying, assessing and managing all types of risk (strategic risk; financial risk; operational risk; compliance risk, etc.); buying insurance; etc.
Audit. Processes typically executed by the chief audit executive, internal audit, audit committee and external auditors including: managing internal audits; facilitating external audits; executing financial reporting; evaluating internal controls (e.g., internal controls over financial reporting (ICFR), internal controls over other risks); conducting investigations; etc.
Legal. Processes typically executed by the general counsel and legal staff including: defining legal strategy; investigations; litigation; assisting with due diligence for mergers and acquisitions; ensuring legal compliance (see next point); etc.
Compliance. Processes typically executed by the general counsel, chief compliance and ethics officer, compliance professionals and other legal staff including compliance in areas such as: employment; environmental; government contracts; global trade; anti-fraud; anti-corruption; information privacy and security; sales practices (antitrust issues); advertising and marketing; product quality and manufacturing; etc.
Information Technology. Processes typically executed by the chief information officer, privacy officer and/or security officer including: automating controls; managing electronic records; facilitating internal and external reporting; delivering electronic filings; securing information; ensuring privacy; etc.
Ethics & Corporate Social Responsibility. Processes typically executed by the chief ethics officer and chief responsibility officer including: managing the code of conduct; developing ethical leaders; promoting adopted principles and values; crafting public communications and reports; understanding socio-political-economic context; aligning incentives and human behavior; etc.
Quality Management. Processes typically executed by quality professionals throughout the organization such as: integrating “lean” thinking, Six Sigma or other techniques into all enterprise processes; conducting root cause analysis and process improvement projects; etc.
Human Capital & Culture. Processes typically executed by human resource professionals and organizational design and development professionals including: enhancing workforce capabilities; appraising individual and team performance; developing culture of performance, integrity, openness and accountability; etc.
Each of those areas plays a key role in helping an organization drive principled performance. And all of them can benefit from a shared strategy and operational approach and from cross-communication and shared technology.
When I talk about "integrated GRC," I do not mean that all of these processes and functions should be consolidated. Rather, management should take a step back and consider what they all have in common. Where practical, management should adopt a common language and approach to the meta-process that they all share.
Posted by Scott L. Mitchell, CEO (www.oceg.org) at 2:21 PM
Labels: audit, compliance, CSR, ethics, governance, GRC, internal audit, legal, risk management, strategy

