


Darrell Smith CFE, ARM, CIM, FCSI

Most small businesses are run by one or two entrepreneurial owners, with most day-to-day business decisions being made by the owners and senior managers. The external stakeholders do not have an active role in the decision-making process.

The stakeholders are shareholders, lenders (including banks and family), employees, suppliers, contractors, regulatory agencies, government, customers and the general public. Many decisions made by organizations have consequences beyond the organization itself. Therefore, in decision making a small business must take into account how it affects all its stakeholders. This approach is called social responsibility.


When we look at the definition of Governance, I like Ray Dalio’s definition from the Bridgewater Group. “Governance is the process that checks and balances power to assure that the principles and interests of the community as a whole are always placed above the interests and power of any individual or faction.”


Compliance is the process of making sure your company and employees follow the laws, regulations, standards and ethical procedures that apply to your organization.


Compliance does not constitute risk management; however, the risks of non-compliance are countless. An organization’s social license to operate requires more than just following the laws and rules of its environment. Risk Management is an essential part of the program, because not knowing the risks faced by the organization and the cost of those risks makes a Compliance program less effective.

Implementing Compliance and Governance with Risk Management provides for a better understanding of threats and opportunities.


So in a small business or start-up, many decisions are made daily, including decisions that affect all stakeholders. It is therefore important to have a decision-making process that incorporates having adequate information to make the decision and implement it.


Good Governance provides a structure to protect the interests of shareholders and stakeholders, because they are not actively involved in running the company.


The advantages of having a Governance, Risk Management and Compliance (GRC) Program are not just following the regulatory and legal conditions related to your business and industry, but also developing a strategic plan to achieve your business objectives, ensuring that your business goals do not exceed your risk appetite, developing a culture of accountability and transparency, and having a reporting structure that designates responsibilities for compliance issues to the most qualified persons.


To build a Compliance Program, the first thing you need to do is set up an independent board of directors. I know what you’re probably thinking: I’m a small business or start-up barely able to pay my bills. How can I afford a Board of Directors? The great thing is that there are many experienced business people, accountants, lawyers or retired professionals who would be happy to serve on your board. Not only do they bring valuable experience to your company, but they also have business contacts. The key is to have an independent board of directors.


Once you have selected your Board and have called your first board meeting, the first order of business is to develop a strategic plan of what your goals and objectives are for the company and then communicate it to all employees.


My experience working with and sitting on a number of boards is that management has great vision and strategy for their organization. However, they have not put into writing what their goals are and how they will achieve them. Don’t confuse a strategic plan with a business plan. A business plan lays out the financial, marketing and operational goals of your business; a strategic plan states what your goals are for the business and how you’re going to get there. A business plan is usually developed by the owner, their accountant and perhaps several key employees. The strategic plan is developed by the board of directors. A strategic plan is an essential part of your overall business plan. Not having a strategic plan is like hiking in the woods without a compass or a map. After a very short time hiking, you get disorientated and you cannot tell what direction you are going, where you are or how to get back on the trail. A strategic plan maps out your objectives and the activities needed to get you there, and provides you with the checks and balances to keep you on track.


Develop a Code of Conduct and Ethics: Whether you have been in business for 20 years or you are the only person in your start-up, having a code of conduct and ethics is essential. A code of conduct governs decision making and how employees and management should behave. A code of ethics governs actions and has five key areas: Integrity, Objectivity, Professional Competence, Confidentiality and Professional Behaviour. Typically they would be two separate documents, but many organizations do combine them.

I am a big believer in all firms having a code of conduct and ethics, regardless of their size and how long they have been in business. I have worked for companies where problems were identified and, after implementing a Code of Conduct, communicating it to all employees and having them sign off on it annually, behaviours such as theft, harassment, discrimination and unproductive employees were reduced significantly. As a start-up, it gives you a guide to good decision making by following the company’s values.


Document all Job Descriptions, Processes, Policies and Procedures: Everything should be included, such as HR policies, financial, marketing and operations. The employees doing these jobs should be part of this documentation process. They can add valuable input, because they are the ones doing the job. The advantages of having everything documented are: it sets a standard for quality control, because everyone is following the same procedures; it makes it easy for new employees or new locations to understand and follow company procedures; it provides an audit trail as part of a risk assessment review (are company policies being followed?); and, as the business grows, it maintains a level of consistency, reducing liability and financial issues and making change management a lot smoother.


Have an Employee Handbook: Include the company history, mission, vision and goals, your core values and culture, employee benefits and all policies and procedures. You should also have an orientation session with each new employee to go over the items in the handbook and give examples of actual occurrences of how the policies apply to them. This step is extremely important as it helps to shape your corporate culture.



Perform Regular Risk Assessments: Conducting regular risk assessments will help you identify risks to your organization that can have negative consequences. By identifying them early, you can develop a risk mitigation plan to manage the risk. Traditional risk management looks at property, liability, net income and people risks. Conducting regular risk assessments will also allow you to identify potential opportunities. Ask yourself: what are the three greatest risks facing my company? Ask your managers: what are the three greatest risks facing their department?


Review Internal Controls: Internal controls are the guardians of your business. They are the methods, rules, and procedures used to maintain the integrity of the financial and accounting information. For any size business, the financial information is critical to managing the business. Protecting that information from fraud and theft is essential not just to managing the business but to the survival of the business. In my experience as a Certified Fraud Examiner, the number one reason that the perpetrator was able to commit the fraud was the complete lack of, or a breakdown in, internal controls. Keep in mind that individuals who steal and commit fraud are spending a lot of time on how to do it and not get caught. They are looking for weaknesses or a lapse in the controls.

So it is essential that you spend enough time reviewing and testing your internal controls.


Have a Reporting Mechanism: As I have written about before, I am a big believer in having an anonymous reporting hotline where your employees, customers and suppliers can report potential wrongdoing to your company. See our Blog: “Not Having A Whistle Blower Hotline Is Like Leaving The Doors Unlocked At Night.” Having a reporting mechanism will result in wrongdoing being reported sooner, saving you time and money. It also sends a message that the company is serious about promoting moral and ethical behaviour in the company.


As a small business or start-up, here are some of the common issues that I have seen: paying income, sales or other taxes, making payroll remittances, use of government funds and grants, Occupational Health & Safety, product and service liability, legal liabilities including discrimination and harassment, regulatory issues unique to your own industry, Anti-Money Laundering regulations, conflicts of interest, and protecting confidential customer and employee information.


So let’s look at the reasons why small businesses and start-ups need a compliance and governance program.


1. Having a GRC program provides the information necessary for management to make good business decisions and to be better leaders.

2. Better mechanisms in place to monitor and manage risk and identify potential opportunities.

3. Stakeholders will have more confidence in the owner and the business, by knowing that the business is being run in a responsible and ethical manner. If you’re looking for bank financing or to secure your first round in seed capital, and you have a GRC plan in place, this is probably going to work in your favor, compared to a company that does not.

4. It allows management to stay on track, because they have a plan to follow. If they lose their way, they just go back to their strategic plan, values and mission statement.

5. It provides the framework for an organization to expand rapidly, by having a strategic plan and all processes documented. If you open another branch or hire a lot of new employees, you have everything documented for them to follow, allowing you to focus more on growth with less concern for compliance.

6. Reduced legal liability, by knowing what your greatest risks are and managing them.

7. Enhanced reputation in the business community; this is an advantage in getting customers, employees and financing.


I hate to use the old cliché, “they didn’t plan to fail, they just failed to plan.” But when it comes to managing your small business or start-up effectively, growing sales and making a profit, you need to have a plan, especially now with COVID-19 changing the way we work and do business.


While getting started may seem a little overwhelming, it’s not. Start with little steps: make a list of people you would like to have on your Board of Directors, review other companies’ Codes of Conduct, and think about what challenges and opportunities are ahead for your organization. The great thing with all of this is it doesn’t cost any money, unless you contract some of the work out. It just takes time, which will be well spent.

