Article
Government contractors: How to understand your contract risk profile
Sept. 25, 2024 · Authored by Joseph P. Bentz, Drew Lewis
Although many factors can influence the nature and extent of government contract oversight, five—including contractor size, product/service commerciality, contract type, contract size, and competition and negotiation—have the greatest impact. They are interdependent of each other and, therefore, must be considered both individually and in the aggregate. As you seek to better understand your contract risk profile and chart a successful path forward, consider using these factors as a tool to understand, anticipate, manage and mitigate government contract compliance risk.
Five factors to understanding your contract risk profile
Contract requirements and regulatory exemptions vary for smaller and larger firms, as well as whether a firm is a contractor or a subcontractor. Small businesses (meeting the Small Business Administration’s size standards) are exempt from some of the government’s most onerous regulations. As contractors grow, they can expect to trigger more regulatory burdens and more direct government oversight.
The government’s rules establish a preference for commercial products and services and require it to acquire them at reasonable prices established in the commercial marketplace -without regard to a contractor’s costs of production. Accordingly, commercial item contracts are exempt from many onerous regulations and are generally insulated from most (but not all) government audit and oversight activities. Contractors selling commercial and non-commercial items on a single contract must persuasively demonstrate commercial pricing to rebuff the government’s ever-present desire to audit production costs (and deny reasonable commercial margins).
Contract type is the nucleus of government contract risk. It is the instrument by which performance and cost risks are allocated between the parties. Contractors willing to accept greater performance and cost risk are rewarded with less burdensome administrative requirements. As the government accepts greater performance and cost risk, contractors must accept heavier regulatory compliance and oversight burdens. Those new to cost reimbursable contracts must enter with eyes wide open and with considerable organizational preparedness for the oversight that will ultimately follow.
Contracts below the simplified acquisition threshold ($250,000) generally carry the fewest compliance requirements. Additional regulatory burdens may accumulate (depending on contract type) as contract values grow beyond $2 million. Generally, a large volume of low-dollar contracts will attract less direct government oversight than a small volume of large dollar contracts.
Competition and negotiation:
The competition spectrum ranges from sealed bidding (highly competitive price shoot-out) to sole-source negotiation (noncompetitive cost-based pricing). Combined with the four factors above, competitively awarded fixed-price contracts for commercial items offered by small businesses below $250,000 carry the least compliance and oversight risk. The opposite carries the most risk. In the absence of commercial market information and competitive forces, the government deploys its arsenal of regulations to prescribe nearly every contractor business activity.
Steps to better identify and address your high-risk areas
You can’t necessarily control the external operating environment and the factors that impact your potential contract compliance risk; however, now that you have become aware of these five key factors and how they affect your risk profile, you can examine your internal operating environment (factors that you can control) to mitigate risk in these areas. While there is no simple, one-size-fits-all approach, a basic, four-step solution generally includes:
- Knowing your operating environment and having and testing key related business processes and controls. Ensure you have clearly articulated and well-documented policies and procedures for your critical business processes and that key internal controls are in place and operating effectively to ensure your business processes achieve the intended outcomes. Routinely assess and monitor controls to ensure the effectiveness of their implementation and operation.
- Reviewing and understanding results from other related internal and external audits/reviews. Perform your own robust internal audits and reviews, and also have independent external organizations review your policies, procedure and controls. Be sure you understand the relevant significance of the findings of these internal and external audits and reviews, and the areas where corrective actions are required.
- Knowing, identifying, acknowledging and correcting deficiencies. Take timely action on results from internal and external/independent audits and reviews, and ensure corrective actions address the root causes of any findings identified during those audits and reviews. Also, be sure to follow up to ensure corrective actions fix the problems and that the fixes are systematically instituted in your business processes.
- Understanding your own systems and documentation. Have thorough knowledge of your own systems, how they are configured and process data, and the design and operation of the system controls implemented to ensure proper processing. Understand and articulate the importance of documentation to support transactions and the ability to produce and provide that documentation to internal and external auditors and reviewers.
Deficiencies and non-compliances in these areas are “low hanging fruit” for government auditors and oversight organizations and are routinely included as findings in government audit reports.
