The United States Law Week

INSIGHT: Small Businesses and Their Compliance Burdens

Nov. 8, 2019, 9:00 AM

Meet the Baker Family: Mr. and Mrs. Baker started the pastry business 20 years ago, and now it employs all three of their adult children and their spouses.

Most of their revenue comes not from the storefront bakery, but from sales to local restaurants and cafeterias, including the cafeterias of a local military base and a government office. Recently, the government has begun to require compliance certification from all its suppliers. The Bakers must get certified if they want to continue bidding on government contracts.

Meet also WebMarket Inc: Two college friends started this web marketing company, and their growing reputation for creativity and analytical insight has brought them clients from all over the world. Sometimes they hire a couple of local students as contractors for temporary help.

Increasingly, WebMarket’s large corporate clients are asking WebMarket to certify that it has a “compliance program.”

In attempting to meet these requirements, the Bakers and WebMarket are experiencing some absurdities.

Policies and Procedures. They are expected to have written policies and procedures. They are advised to hire lawyers to write them. Who will read these policies? The Bakers don’t even write down their recipes: They know each one by heart!

Training. They are required to have proof of training on subjects like anti-corruption and data privacy. The Bakers can’t understand why they have to pay for legal training on these subjects just to make and sell pastry. WebMarket owners regularly keep up with data privacy issues as an integral part of their business, but now they have to “prove” what they know and do every day.

Internal Reporting System. They are told they must offer ways for employees to make anonymous complaints. Should Mr. Baker now expect his son-in-law to complain about his daughter-in-law “anonymously”? To whom? Should WebMarket owners expect their student contractors to complain to one of them about the other?

The Baker Family and WebMarket are fictional, but the experiences described here are very real. Nearly one out of five U.S. employees work for a company that employs fewer than 20 people.

In Europe, companies with fewer than 250 employees constitute more than 99% of businesses and contribute about 57% of net contributions to the economy in the region. In Latin America and the Caribbean, businesses with fewer than 250 employees constitute 99.5% of all businesses and contribute approximately 25% of total GDP in the region.

Although small businesses do not always stay that way—in 2012, Uber had merely 75 employees—small businesses are almost always found among large corporations’ supply chains as marketing vendors, sales intermediaries, training providers, and other relied-upon third parties.

As large corporations cascade out their compliance expectations, these small businesses are being forced to meet compliance standards that have been developed by and for large corporations hundreds of times their size. These unrealistic and impractical standards do not help small businesses achieve compliance; they only place disproportionate burdens on them and adversely impact productivity.

Today’s prevailing compliance standards have largely developed in reaction to U.S. federal criminal prosecutions. Federal prosecutors have discretion in choosing the cases they prosecute, and the considerations of impact and resources dictate that they choose large and well-known corporate targets to maximize the effects of the prosecution.

Large corporations also have the resources to fund the development of products and services, and hence dominate the interests of vendors who sell them. Consequently, compliance standards developed in response to these realities have catered nearly exclusively to large corporations.

The certification regimes in compliance reflect the bias toward large corporations. The emphasis on formalities such as written policies and procedures, designated compliance functions, formal training records, and whistleblower systems makes sense in large corporations of thousands of people, but seems absurd in organizations with dozens of people or that run on family dynamics.

In my conversations with regulators and business leaders, the absurdity of the compliance burden on small, medium, and family-owned businesses has emerged as a constant concern. Imposing outsized standards on these businesses is as effective in achieving compliance as expecting runners to perform well while wearing shoes three sizes too big for their feet.

If large corporations hope to have third-party partners that are compliant (rather than simply look compliant), the compliance community must recognize the chasm between the existing standards and the realities of small businesses. To properly scope that chasm, we need to remove the large corporate lens through which we are accustomed to viewing compliance.

Empirical studies and data-based analysis of the business realities of small, medium, and family-owned businesses in different industries and geographies will bear out realistic and outcome-driven compliance solutions that can actually help—rather than burden—these economic engines.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Hui Chen is an independent ethics and compliance consultant and was the Justice Department’s first-ever compliance counsel expert. She has served in global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.