Small Businesses Strategies to Enhance Governance, Risk, and Compliance Programs

Leaders in Governance, Risk, and Compliance (GRC) suggest that smaller organizations, despite resource constraints, have opportunities to efficiently enhance their maturity and effectiveness in GRC programs, according to an article by Navex. The insights were shared during the 2023 NAVEX Next Virtual Conference by experts including Pat Harned, CEO of the Ethics and Compliance Initiative (ECI), and Rebecca Walker, a partner at GRC-specialist law firm Kaplan & Walker LLP.

Small-to-medium-sized businesses (SMBs) are encouraged to recognize the importance of GRC to their organizations. Despite facing challenges, medium-sized organizations, in particular, operate lean ethics and compliance programs. Survey data from the 2020 ECI indicated that around 50% of respondents from medium-sized organizations believed employees faced pressure to compromise standards, with 71% reporting observed misconduct.

The dynamics at medium-sized firms involve a lack of direct monitoring capabilities and fewer resources for formal controls, putting them in a challenging position. To address this, the experts recommend enhancing compliance systems in a cost-effective manner that doesn’t solely rely on direct oversight.

The Department of Justice evaluates both the design and the effectiveness of GRC programs in practice. Walker emphasized the importance of assessing whether the program reaches the hearts and minds of employees. Smaller organizations may have GRC programs where roles straddle multiple responsibilities, but effectiveness is key.

For assessing program effectiveness, employee surveys, focus groups, and third-party survey options are suggested. Additionally, working backward from DOJ regulatory guidance and leveraging available benchmark reports allow SMBs to compare their program metrics against peer averages.

Key tips for SMBs to mature their programs include establishing mechanisms for confidential and anonymous issue reporting, implementing a written anti-retaliation policy, and building employee trust. The goal is to create a high-quality program beyond mere compliance checkboxes.