When businesses start to scale up, their management teams naturally expect to contend with a commensurate increase in costs: To sell more product, you have to sink more money into the likes of real estate, research and development, human resources, technology or machinery and equipment. Often overlooked, though, is the way in which a sharp growth trajectory can translate into a bigger burden with respect to regulatory compliance.
Whether the business is small or medium-sized, public or private, when it goes through a period of rapid expansion, it is likely to cross various thresholds that trigger new legal requirements. Suddenly, a startup that had operated with freewheeling autonomy finds itself subject to new regulatory demands related to employment/HR, employee health care, data privacy and security, or intellectual property. Depending on the company, laws such as Sarbanes-Oxley, Dodd-Frank or the Foreign Corrupt Practices Act could apply as well.
A natural human tendency is to be reactive, and so relatively few startups create detailed compliance plans for regulations that might not apply to them for years to come. The problem, though, is that this can lead to the company getting caught flat-footed: The pro forma for a fast-growing company might call for, say, 100 employees in two years based on the current growth trajectory. But if that plan omits the role of regulatory requirements that kick in at that scale, the directors and officers could be shocked to discover that proper compliance with state and local regulations actually will require many more people on the payroll.
That bigger payroll would itself carry a certain amount of potential risk. For example, employment risk, such as discrimination or wrongful termination claims, happens to be one of the top risk-management concerns for any business. The more people you hire, the more likely you are to run into a problematic individual or workplace situation — things like sexist, biased or harassing supervisors, or unethical employees whose actions create problems for the company. It is perhaps too strong to describe such an increase in claims as inevitable, but risks do tend to rise with scale simply as a matter of statistics.
Something similar could be said of cyber risk: As the company scales up, it will have more technology, more digital interactions with vendors and customers, and more opportunity for personnel to fall prey to devastating phishing or “social engineering” schemes perpetrated by hackers (clicking on a link to malware or inserting a flash drive loaded with ransomware). A data breach could involve the loss of sensitive company information, up to and including the privacy-sensitive, personally identifiable information of customers. An even worse nightmare, of course, would be a government investigation into possible criminal wrongdoing within the company itself.
So how should fast-growing companies manage the compliance-related costs and risks that come with scale? Start at the top. Executive officers should work closely with directors to make detailed, predictive compliance planning a top priority for the company. Here, it pays to be optimistic with projections. If you grow twice as fast as you think you will, will the company still be ready to handle what the government throws at it?
In particular, officers should be proactive in helping directors get the information they will need to plan for and then properly carry out their oversight responsibilities. The executive officers should also set the tone for the whole organization by walking the talk. An organization with a positive, open culture, where the ethos is in doing what is right, will face less risk than an organization that focuses only on rules and fear of noncompliance. Moreover, compliance should be incorporated into everyday operations, and executives should do all they can to remain accessible so that issues can be elevated swiftly and without fear of retaliation. Silos and groupthink are surefire recipes for trouble.
The CEO, in particular, should see all processes in the organization as opportunities to further the company’s culture of compliance. Actions matter much more than words (which certainly matter, too). When the CEO makes a visible, daily commitment to compliance, it is easy for everyone else in the organization to follow suit.
Employees also must be carefully trained in compliance. The basics include developing a code of conduct, issuing copies to all employees, and posting the code on the company’s intranet. Consider also posting it on your outward-facing website to demonstrate your culture of compliance to external stakeholders.
As the company trains and retrains its employees, the CEO should make sure everyone understands that compliance-related policies have the force of “law”—with serious consequences for violations. Take the training yourself, ensure your executive leadership team does, too, and take it seriously. Doing so sets the example for all employees to follow.
With a forward-thinking culture of compliance firmly in place, the company can grow into its regulatory responsibilities with less stress and, ideally, reduced risk. Rather than playing an unfortunate game of catch-up after, say, being hit with an enforcement action or employee complaint, why not give compliance the consideration it deserves from the very beginning?
Brian C. Lansing is senior counsel in the Richmond office of LeClairRyan and leader of the national law firm’s General Counsel and Secondments team.