As the corporate world gears itself to achieve its governance, risk and compliance (GRC) objectives far more actively than ever before, many smaller organisations have been left feeling overwhelmed at the prospect of having to comply with the same regulations as larger enterprises.
This raises the question: is it really necessary for SMBs to comply and, if so, surely this will create complexity in an already resource-stretched environment? Not so. GRC can be successfully woven into the fabric of the organisation provided a few guidelines are adhered to, says Jayen Vyravene, managing partner of Quency.
Ultimately the goals for SMBs and larger enterprises are the same. However, watching from the sidelines, many feel compliance is to some extent unnecessary at the SMB level, where directors and CEOs have a much greater ability to control what goes on within the organisation, and much higher levels of transparency exist.
They need more flexibility to survive, and as such, are hesitant to implement controls that may impede their ability to react to short-term issues quickly. Aside from this attitude, SMBs are also unable to dedicate a resource to the issue of GRC, unlike their larger counterparts, and thus the issue poses challenges when it comes to budgetary and time constraints.
However, the risk of non-compliance for SMBs is often even greater than that posed to large organisations, as they will be significantly harder hit by the fines imposed if found guilty of non-compliance. It is often assumed that compliance is much easier for large organisations to implement because they have the money and the infrastructure to accommodate its requirements.
This is not often the case, and the good news is that achieving good corporate governance in SMBs can be more of a molehill than the mountain it seems to be, and is on the whole a much smoother process than that experienced by larger organisations, if the right steps are taken.
The most important issue – and challenge – to be considered is the same one that applies to larger organisations: developing an understanding throughout the organisation of what compliance is, and creating a culture of compliance that is manifest in the day-to-day running and operations of the entire staff base. Training is therefore especially important, yet needn't be as complicated as one might imagine.
Simplicity is another key consideration for SMBs embarking on GRC. Keeping things simple, concise and to the point is the order of the day, and smaller organisations are naturally geared towards simplicity due to their smaller size.
For example, when designing and implementing a policy management strategy, SMBs don't necessarily need a professional GRC specialist to assist them, and a simple approach is often the best approach.
An 800-page policy document is simply a waste of paper, and it would be unrealistic to expect staff to be able to understand and implement such a policy. SMBs should try to condense the information they need to put across as much as possible, to avoid confusion and facilitate a clear understanding amongst their staff.
If SMBs work towards simplifying their GRC strategy, they will ensure that they do not need as much time as previously anticipated – and because this simplicity means they do not always require external assistance, costs can be kept down too.
Time spent complying and implementing a GRC framework in SMBs should not be seen as wasted, or as merely a necessary evil. Instead, SMBs should realise that they are equipping themselves with a very valuable competitive advantage.
Issues such as obtaining investor buy-in, growing into a larger organisation, or even just doing business with large enterprises are made considerably easier once an SMB has a GRC strategy and has successfully implemented it.
Not only will SMBs be able to leverage the same benefits that GRC offers to larger organisations – such as minimising risk, improving business processes, and driving innovation – but, rather than losing the agility they feared GRC would impede, they'll find that they are able to become even more agile and flexible than ever before.
Changing the culture of the organisation and aligning it with the GRC framework is the hardest part of the job – and for SMBs, this is considerably easier as training is typically more effective due to the smaller size of the organisation. It is imperative for organisations to ensure that their staff understand GRC and why it is necessary to comply and, most importantly, acknowledge the role that each individual plays.
SMBs contribute a large portion of South Africa's GDP, and are a critical part of job creation and the overall social and economic landscape. As such, it is important that they realise the benefits of GRC so that they can ensure sustainability and growth.
The challenge of GRC is not an insurmountable one, and having the right tools and approaches can not only simplify compliance for SMBs, but also improve their business considerably.