While smaller organizations may lack the resources of their larger peers for the critical task of operating a strong governance, risk and compliance program, leaders in GRC said those same organizations still have ample opportunity to efficiently increase maturity and effectiveness.
By leaning on some quick wins and low-to-no-cost tools, resource-constrained organizations can still assess their maturity and aim for the kind of GRC program performance that is increasingly expected from organizations large and small, experts said.
Alongside Rebecca Walker, partner at GRC-specialist law firm Kaplan & Walker LLP, Harned spoke as part of the 2023 NAVEX Next Virtual Conference. The industry leaders said small-to-medium-sized-businesses (SMBs) should start by acknowledging the importance of GRC to their organizations.
“It seems clear that no matter what size organization you have, there’s a real reason to pay attention to ethics and compliance,” said Pat Harned, CEO of the nonprofit Ethics and Compliance Initiative (ECI).
SMBs face notable challenges
While definitions of what constitutes a “small,” “medium” or “large enterprise” organization differ, experts said dynamics for those in the “middle” band are distinctly challenging. These organizations may be growing in scope and complexity as a whole, Walker said, yet their ethics and compliance programs often still operate relatively lean.
Around half of respondents from medium-sized organizations said employees face pressure to compromise standards, according to 2020 ECI survey data presented at the session that defines between 500 and 999 employees as “medium.” About 30% of respondents at organizations both smaller and larger said the same. A similar dynamic emerged when respondents were asked whether they had observed actual misconduct: 71% at medium organizations said yes, compared to about 55% at both smaller and larger firms.
“It does make sense, I think, because, with smaller organizations, you’re going to have the ability to monitor employees on a real-time basis with managers right there next to employees. You have a lot of real-time oversight and monitoring. With larger organizations, you’ll have the resources to have more formal controls in place, perhaps a bit more than medium organizations would have. Medium organizations are caught in the middle – not able to do that direct monitoring, and also not having the resources for those formal systems,” Walker said. “It’s important for those folks right in the middle to think about ways to enhance their compliance system in a way that is cost-effective and doesn’t rely on that direct oversight as a control.”
It may not just be a matter of controls at medium-sized firms, either – employees at those organizations may be facing unique stressors that further emphasize the importance and challenge of effective GRC.
“There’s something about that medium size that clearly puts a lot of pressure on employees,” Harned said. “If employees tell you they are experiencing pressure, they are more likely to be observing misconduct around them.”
Determining effectiveness for SMB programs
Walker noted that the U.S. Department of Justice looks not only at program design, but also whether the program is effective in practice, as part of its assessments. This includes employee awareness of, and trust in, the program – something Walker’s firm takes into account when conducting program evaluations for organizations large and small.
Generally possessing fewer resources, smaller organizations may have GRC programs where roles and functional areas straddle more responsibilities than those within large enterprises. Walker noted that this variance in approach is widely accepted, and what matters most is whether the organization is accomplishing its GRC goals in practice.
“How the program looks on paper – yes, it needs to look good on paper. But is it reaching hearts and minds?” she said.
To assess effectiveness, Harned noted that employee surveys about the GRC program, compared to focus groups, can be effective for the smallest of organizations. They can be cost-effective, she said, and give employees an opportunity to speak about the program without being in earshot of their peers. Third-party survey options, which include maturity assessments provided through ECI, are also available to provide a neutral intermediary in the process.
Also effective for resource-conscious program assessment is working backward from the regulatory guidance of the DOJ, experts said. Freely available resources such as NAVEX’s Hotline & Incident Management Benchmark Report also allow SMBs to compare their program’s major metrics against peer averages.
While SMBs may not have the same sophistication of program elements as their larger peers, these assessments can help determine whether the program is still effective in practice and where it may land in terms of real-world maturity and performance, Harned and Walker said.
Tips for how SMBs can mature their programs
“Having the ability for employees to report issues confidently and anonymously, it really is considered – I wouldn’t even call it a best practice or a good practice, but an expected practice,” Walker said.
Still, some program elements represent significant ways for SMBs to improve the maturity and effectiveness of their GRC. These include an internal mechanism to facilitate reporting, including anonymous reporting.
“Having the ability for employees to report issues confidently and anonymously, it really is considered – I wouldn’t even call it a best practice or a good practice, but an expected practice,” Walker said.
A written anti-retaliation policy is another area where SMBs can quickly mature their GRC program, helping to build trust that reporters can bring issues to light without fear of reprisal. Enforcing that policy may be more difficult, Walker noted, but its sheer existence is a good first step.
Ultimately, Harned said, building trust among employees is critical. “A truly high-quality program is not a check-the-box program,” she said.
To view this session and all of the other NAVEX Next sessions on-demand, register with the link below:
