What Your SMB Needs to Know About Compliance Maturity

GRC – a Small Business’ Growth Driver

While an effective governance, risk and compliance program is increasingly critical for smaller organizations as a tool to mitigate risk, strong GRC also provides those organizations a major reputational asset that increases their competitiveness against better resourced, large-enterprise rivals.

In an era when consumers and employees alike often choose their business relationships based on moral considerations, organizations with strong GRC components such as a robust internal whistleblowing program broadcast a set of values that advance their standing in the marketplace. The social justice movements of the past few years have intensified the pressure for organizations to communicate ethical business practices, and a well-oiled GRC program is a tangible example of putting those values into action.

What Happens When Things Go Wrong

It will be interesting to hear the cautionary tales that my colleague Scott Nelson, Partner at Hunton Andrews Kurth LLP, will share during our upcoming webinar on June 7, 2022. Scott and I have spent three decades counseling and, in Scott’s case, litigating on behalf of organizations across the size and maturity spectrum, and we’ve seen myriad examples of the pitfalls that are possible when small-to-medium-size businesses fail to put a strong GRC program in place.

Definitions of what exactly constitutes an SMB vary, and specific regulatory requirements can change depending on those definitions. At NAVEX, we define a “small” business as fewer than 1,000 employees, and a “medium” business as between 1,001 and 2,000 employees. Broadly speaking, these are organizations that typically don’t have the economy-of-scale and resources of large-enterprise organizations.

This doesn’t mean SMBs can’t get into trouble when they fail to have a strong GRC program. Let’s look at a few categories of risks:

  • Litigation risk: Smaller organizations face disproportionate impact from legal action compared to larger enterprises. For example, a 2020 study by the U.S. Chamber of Commerce’s Institute for Legal Reform found that U.S. small businesses making less than $10 million in annual revenue paid 53 percent of the commercial liability costs in the tort system in 2018. Further, companies making less than $1 million per year paid 39 percent of the costs.
  • Regulatory action: Even well-meaning employees who are unaware of what compliant conduct requires can create regulatory risk through their improper actions – but that’s just one example of a sprawling area of risks stemming from the lack of a robust GRC program.
  • Reputational damage: Employees who lack a trusted and anonymous vehicle to report misconduct internally, or through a trusted, anonymous, third-party reporting mechanism, may turn their powerlessness into tomorrow’s front-page story. All things being equal, would a consumer or partner then be more inclined to choose a competitor?

What Happens When Things Go Right

Meanwhile, small organizations that have taken the right steps to build an effective ethics and compliance program from the outset realize several benefits:

  • Decreased legal costs: As mentioned in the “litigation risk” example above, small-to-medium businesses face an outsize burden in legal financial risk. A strong GRC program creates multiple touchpoints to enforce proper conduct, provide avenues for internal resolution of allegations and bolster legal defense through a defensible paper trail.
  • Reputational gains: This is the area where SMBs can realize an immediate boost from a strong GRC program. The ability to tell a new employee that the organization takes misconduct seriously and has tools in place to enforce those values is a powerful position that improves employee recruitment and retention. Similarly, the ability to broadcast those efforts to consumers can be part of a story of organizational values that meaningfully influences consumer purchasing decisions – especially today.
  • Analytics: Data from NAVEX’s 2022 Hotline & Incident Management Benchmark Report shows employees are more willing than ever to put their name behind claims of misconduct, compared to the still-crucial option of anonymous reporting. Employees are eager to weigh in on the dynamics of their workplaces, and companies that are positioned to capture this information in a meaningful way can parlay that feedback into better business performance. Without a GRC program that centralizes that data, responsible parties at SMBs, perhaps wearing multiple hats, may miss a major opportunity to impact the bottom line.
  • Ability to scale: Finally, our experience at NAVEX shows that smaller organizations that implemented effective GRC early in their growth trajectory enjoy a major payoff through the ability to scale those practices and concepts as they expand. If a company waits until it’s a large enterprise to institute an effective GRC program, it’s too late. The DNA of the company is already formed, attracting both employees and partners who don’t share strong GRC values. Attempting to change at that point is incredibly challenging, time-consuming and expensive.

Foundations for GRC

Fortunately, the foundations of effective governance, risk and compliance for small-to-medium-size organizations are relatively simple. What matters is that all of the elements work together as a cohesive whole, which provides valuable bandwidth back to respective program managers within SMBs:

  • Hotline and incident management: A secure, anonymous vehicle for whistleblowers to report misconduct
  • Training: A consistent, verifiable medium through which employees (and potentially third parties) can receive training relevant to expected conduct and regulatory compliance
  • Policy management: A mechanism to ensure relevant policies are up-to-date, consistent and maintained. This includes an organization’s code of conduct, a foundational document.

I look forward to discussing the finer points of GRC for SMBs with Scott during our June 7, 2022 webinar.


