Taking Small Steps Forward in 2023 – Building and Maintaining Business Policies

Taking Small Steps Forward in 2023 – Building and Maintaining Business Policies

Most small business leaders do a very poor job of documenting and maintaining business policies. In fact, many small business leaders spend little to no time thinking about policies.

This hands-off approach to small business policies works OK as long as:

• the business leader has no plans to grow a material size business with a high valuation,
• the business experiences no major problems, like cyber security breaches, and
• the business leader does not want to attract and retain quality, talented staff.

Across all market/industry sectors, documentation and policy requirements are expanding:

• insurance companies are making broad and significant changes, protecting themselves,
• major suppliers are increasing demands for environmental, social, and governance compliance, and
• major clients are imposing intense third-party risk management requirements on smaller businesses.

Four major policy areas are receiving increased attention and facing expanding compliance requirements:

1. privacy,
2. security,
3. human resources (DEI – diversity, equity, and inclusion), and
4. environment.

Small businesses face increased risks. They also possess less resources, limiting their ability to dedicate to documenting, implementing, and maintaining policies and the processes/procedures tied to those policies.

While leaders of small businesses cannot afford to match the policy practices of larger businesses, they can take “small steps forward in 2023” to begin to document and maintain policies.

Here are 3 examples of “small steps forward in 2023” to improve small business policies:

1. January 2023 – review and improve your Protection of Private Personal Information policy,
2. February 2023 – create/review and improve your Cyber Security policy, and
3. March 2023 – create/review and improve your Third-Party Risk Management policy.

Advantages to be gained

1. Canadian businesses and their leaders are required to adhere to privacy law (PIPEDA).
2. To properly apply for insurance and qualify to have claims covered, small businesses must plan cyber security, apply cyber security procedures, and prove these things have been done.
3. Tied to insurance coverage, supplier and clients needs, and competitors’ advancements, small businesses must begin to implement third-party risk management policies and procedures.