Corporate Governance in small and mid-sized companies: How

Corporate Governance in small and mid-sized companies: 

How lean can you be and still be safe?

Small companies often eat the lunch of big multi-national groups because they are faster and adapt more quickly and easily to changes due to their leaner structures, less rigid process landscape and faster decision-making processes. 

However, when things go awry and you have an incident (e.g., an occupational injury or a compliance infringement in one of your subsidiaries), regardless of how small your group of companies is you want to be able to show that your house generally has been in order. The way you do that is to have a system in place that generally prevents bad things from happening. 

When advising small and mid-sized companies on corporate governance matters it is important to maintain the above-mentioned advantages of lean structures and avoid that the group gets bogged down in a big group-style enchilada of internal rules, regulations, and processes. However, the question is: “How lean can you be and still be safe?” I.e., how much minimum documentation of proper corporate governance and other processes do you need in a small or mid-sized group of companies to have a sufficient system in place? 

It goes without saying that what you need is a function of the business you are in. E.g., running an internet platform entails different risks than selling pharma products. Thus, the following can only be a generic first approximation to the issue, and the list always needs to be further tailored to the specifics of the business and company structure.

Now disclaimers aside, here is my suggested generic list of things you may want to think about (for a German GmbH with subsidiaries):

1.       Proper by-laws (Satzung, Gesch?ftsordnung für die Gesch?ftsführung) go without saying

2.      Governance policy: As soon as you have affiliated companies you need a one-page policy that ensures any policies, guidelines, etc. you set at the group level are also applied and implemented in your affiliates. Otherwise, any incidents that happen in an affiliate may lead to discussions whether the rules you set at the group level (e.g., on health and safety or compliance) were also applicable in the affiliate at hand.

3.      Accounting policy: You need to ensure uniform accounting standards throughout the group as soon as you operate across borders, i.e., as soon as one country’s generally accepted accounting principles (GAAP) do not apply to all of your affiliates.

4.      Signature guideline: Not sure when a company is big enough to need this but as soon as you have larger numbers of people who sign documents on behalf of your company: If someone signed something bad on behalf of your group you want to be able to show you have unequivocal rules in place that say who is authorized to sign what.

5.      Risk management guideline: Formally required in Germany only for Stock Corporations, not for LLCs. Still, whenever the mud hits the fan the question arises whether a risk materialized that was not properly seen or managed. In such a case it is not bad if are able to show that you have minimum rules in place on how the company manages risk. I am on the fence on this one. What is your view?

6.      Guideline on health, safety, and the environment (HSE): A tricky one because HSE legislation is very national. However, it is possible to define an internationally accepted set of standard rules.

7.      Guideline on cybersecurity and data protection: This one is becoming more and more important even for small companies.

8.      Transfer pricing guideline: For tax purposes you need to have a consistent method to calculate prices for intra-group supplies or services.

9.      Compliance manual and code of conduct: You want to implement a compliance management system (CMS) that documents how you prevent law infringements, what you do to detect them and how you respond if infringements happen.  In this context, it is important to set a very clear tone that employees who break the law cannot count on any kind of support or leniency by the company.

What do you think, is the list too long or too short? Any other essentials you see? Things you would dare to do without in an SME set-up?