
Small-to-Medium-Sized Business Risk & Compliance Statistics

SMB Spotlight from State of Risk & Compliance Survey Findings

Introduction

“Small-to-medium-sized” businesses (SMBs) – defined in this report as those with up to 2,499 employees – often experience a uniquely challenging dynamic in the world of risk and compliance. While facing many of the same expectations as their larger peers, SMBs may not possess the same resources to satisfy regulatory requirements, manage risk and encourage a culture of ethics.

This report represents a special analysis of select SMB respondent data from the survey behind our 2025 State of Risk & Compliance Report, shedding light on some of the challenges and opportunities SMBs face in today’s risk and compliance (R&C) landscape. 

We hope this information will help R&C professionals from SMBs to better grasp where they stand compared to large-enterprise and global peers, informing ways to improve.

State of Risk & Compliance Report survey methodology

The 2025 research was conducted online by The Harris Poll on behalf of NAVEX among 999 adults age 18+ who are nonacademic professionals (management/non-management or higher) and knowledgeable about risk and compliance in the United States (n=458), United Kingdom (n=123), France (n=119), Germany (n=107), Japan (n=104) and other countries (n=88). The survey was conducted between April 23 – May 29, 2025.

Raw data are not weighted and are therefore only representative of the individuals who completed the survey. 

Respondents for this survey were from NAVEX’s list of customers or prospects (n=382) or selected from among those who have agreed to participate in our surveys (n=617). The sampling precision of Harris online polls is measured by using a Bayesian credible interval. For this study, the sample data is accurate to within +/- 3.1 percentage points using a 95% confidence level. This credible interval will be wider among subsets of the surveyed population of interest. 

All sample surveys and polls, whether or not they use probability sampling, are subject to multiple other sources of error that are most often not possible to quantify or estimate, including, but not limited to, coverage error, error associated with nonresponse, error associated with question wording and response options, and post-survey weighting and adjustments.

Key findings

Respondents more likely to say SMBs have lower or midrange maturity

To help determine the state of programs in 2025, NAVEX asked respondents to self-report their risk and compliance (R&C) program maturity based on the Framework for Ethics & Compliance Program Excellence criteria from the Ethics and Compliance Initiative (ECI). This five-point scale begins at the least mature, “Underdeveloped,” and advances in maturity through the stages of “Defining,” “Adapting,” “Managing” and, finally, “Optimizing.” It is worthy of note that there is no “end” to the spectrum – even the most mature programs have room to refine their approach. 

Forty-eight percent of respondents representing SMB organizations said their R&C program was either Managing or Optimizing – the two most mature designations on the ECI scale. Twenty-four percent said it was Defining or Underdeveloped – the two least-mature designations. For enterprise organizations, 70% were said to be in the more mature designations, with 11% in the less mature designations. It appears a greater share of SMB respondents than those from large enterprise feel their organization has significant room to improve.

SMBs join others in citing data privacy, cybersecurity incidents in past three years

Consistent with previous polling, data privacy/cybersecurity breaches remain the top compliance issue respondents said their organizations experienced in the past three years. Still, nuances remain that may help readers better understand how SMB and enterprise organizations compare. 

For example, for SMB, 13% of respondents said they had experienced a third-party ethics or compliance failure. This compares to 23% for enterprise. The larger share of enterprise respondents citing reputational damage due to executive misconduct (19% vs. 9% of SMBs), adverse media coverage (26% vs. 8%) and third-party ethics or compliance failure (23% vs. 13%) in the last three years may suggest the increased complexity and risk SMBs will face as they grow and mature. SMB respondents were also much more likely than enterprise (46% vs. 16%) to say their organization had not experienced any compliance issues in the past three years.

Like others, most SMB compliance investigation programs are centralized

Globally, most respondents (67%) said their organizations use a centralized approach in their day-to-day compliance investigations program. This was also the case for respondents representing SMB (65%), as well as enterprise (61%). Few enterprise respondents (1%) said their organization does not have a consistent approach, versus 10% for SMB.

Board engagement in compliance generally lower for SMBs

It stands to reason that organizations whose boards of directors are engaged in Compliance are more effective and resilient in R&C.

For SMB, 56% of respondents who are knowledgeable about ethics & compliance said their board of directors has oversight of the compliance program. This is roughly equivalent with responses representing large enterprise. However, in other measures, a greater share of enterprise respondents indicated various avenues of board engagement. The share that indicated their board examines compliance data when exercising oversight, for example, was 34% for SMB, and 47% for large enterprise.

Compliance involvement in AI use mixed for SMBs

As artificial intelligence plays an evolving role across different organizations, the role of Compliance in its implementation is also evolving.  

For SMB, 31% of respondents said Compliance was “very involved” in the use of AI. For enterprise, it was 27%. Respondents said Compliance was “not involved” at a rate of 15% for SMBs, compared to 8% for enterprise.

A mixed picture emerges where, directionally, more SMB-representing respondents cite involvement by Compliance in AI decision making, but also directionally more say it is not involved compared to large enterprise.

Only 45% of SMBs said to have a whistleblower hotline

NAVEX survey data continue to show a concerningly low rate of respondents globally indicating that their organization has an internal whistleblower hotline. This is despite the fact that a mechanism for individuals to report misconduct anonymously and/or without fear of retaliation is a core part of any compliance program.

For SMB, only 45% of respondents who are knowledgeable about ethics and compliance said the organization had a hotline or whistleblower internal reporting channel. This compares to 64% for enterprise, and 53% globally. 

The reported lack of a process to detect retaliation is also notable. For SMB, 26% of respondents said their organization had a process to detect retaliation. For enterprise, this was 38% – still lower than expected.

Conclusion

R&C practitioners in SMB organizations face unique challenges. The information in this white paper provides additional context not only on how these organizations compare to their like-sized peers, but also on how they compare to larger enterprises.

While respondents from larger enterprises tend to report more positive elements in their R&C programs, many of the challenges are, in general, the same as for SMBs. Cybersecurity is a common issue, as is the challenge of engaging boards of directors and possessing the essential elements of an internal reporting program. In some cases, such as Compliance engagement with AI use, SMBs may be leading the profession. A picture emerges where all parties have an opportunity to learn from best practices across organizations of different sizes.
