I recently had the chance to visit with Travis Miller, General Counsel (GC), and I discuss how the regulatory requirements of the Federal Acquisitions Regulations (FARs) impact access to markets and supply chain compliance. Flow downs are one the things that bedevils compliance practitioners in many disciplines, including supply chain compliance. The most basic question is how far down must you go? FARs compliance is certainly becoming more challenging but Miller sees government contracting and FARs requirements becoming even more challenging. These changes are beyond simply contractual requirements and have moved towards more programmatic requirements on prime contractors. The flow downs make it “equally important on the subs who are servicing them to make sure that they have all the materials and fully secure supply chains in a way that we’ve never really seen come out of any procurement entity, let alone the US government.”
These programmatic changes are in a wide variety of areas including the various modern slavery acts, counterfeiting issues, anti-money laundering (AML), cybersecurity, data privacy demands and, of course, anti-corruption compliance. Some of these are moral and human rights issues, such as the modern slavery initiatives, but others are more national security focused such as a desire to protect US intellectual property (IP) rights. These are most sensitive around military security such as jets, weapons and similar types of products but it can extend out to oil and gas producing technology. The flow downs are critical because this is where many foreign actors will try and penetrate companies that have lesser cybersecurity protections in place.
One need only consider the Target Corporation data security breach to see how this can play out in the real world. Target was hacked through a HVAC vendor. The resulting fallout caused massive losses of data and massive costs to Target. It also massively disrupted the lives of Target customers.
Yet Miller believes that supply chain compliance can respond to these changing government requirements and, when properly executed, can provide a business differentiator to a company. The key is how you enter the relationship with your flow downs. It all begins with a risk assessment to understand where your organization may be vulnerable. From there move to robust due diligence on your third parties. Here, you may want to take more time evaluating your counterparties, third parties, subcontractors, or even those that you are doing business with as customers so that when the time comes and the ink is on the contract, you can move quickly. In the supply chain, the ability to move quickly, to respond quickly is a critical element of not only those down your supply chain, but of the lead company itself.
Miller emphasized, “I always talk to all of my clients, both internal and external that in relations to government contracting, it is a different business. Even if you are producing exactly the same product, it is a different business and should be treated as such. The type of programs you put into place, the way that you manage it, the way that you cost something, the type of employees that you handle top to bottom. It’s just an entirely different business. If you treat all your flow downs the same, I guarantee you’re going to find yourself in a bad place, on the wrong side of an enforcement action because the rules of the game are just so different.”
All of these challenges also create a barrier to market entry and market access. Miller noted that on the one hand, “it means there is a whole lot of work to do if you want to try to sell into or work in that particular market.” However, “the flip side to that is if your organization has established a supply chain compliance program, it’s an awfully sweet spot to be in because your competitors have a whole lot of work to be able to do the same thing that your company is already doing. This means the more you can institutionalize your compliance programs, the more nimble and agile your company will be to respond to a variety of situations.
As a lead organization, you do not want to be purchasing programs, a bunch of counterfeit goods or devices which fail. Miller said that this “causes consumer distress.” You do not want to allow people to peer into your data and to steal your technology or your IP as that is “foundationally a bad thing.” This is why robust compliance is going to make you a better company. Miller concluded by noting, “being able to institutionalize the compliance programs that make sense across the company is great. Then being able to go a little further, either in a subsidiary, a standalone entity, or in a specific business unit or function that can handle those additional pressures and requirements is what I really see as a best practice and what I would advocate for most.”
[View source.]
