
GRC for a 20-Person Startup: What Governance, Risk & Compliance Actually Means

Maciej 7 min read
TL;DR

GRC = governance, risk, and compliance — coined by OCEG as the capabilities that let an organization reliably achieve objectives, address uncertainty, and act with integrity. For a 20-person startup that's three plain questions: how you make/record decisions (governance), what could go wrong and what you're doing about it (risk), and which rules apply (compliance). You don't need an enterprise program — a one-page risk register, a few real policies, clear owners, and a quarterly rhythm. Start lean, tie it to the framework buyers ask for (usually SOC 2®), and formalize as you grow.

Key Concept: What GRC (governance, risk & compliance) actually means for a small startup — and the lean version of each pillar
Reading Time: 8 minutes
Difficulty: Beginner
Relevant for: Founders, ops leads, and first security hires at 10–50-person startups

"GRC" is one of those acronyms that sounds like it belongs on a Fortune 500 org chart, not in a 20-person startup. Governance, risk, and compliance — three words that conjure committees, binders, and a department you definitely don't have. But strip away the enterprise packaging and GRC is just three practical questions every growing company already faces:

  • Governance — how do we make and record decisions?
  • Risk — what could go wrong, and what are we doing about it?
  • Compliance — which rules and standards actually apply to us?

You're already doing all three, informally. GRC just means doing them deliberately enough that they scale — and that you can prove it when a customer, investor, or auditor asks. This guide is about the lean version: what each pillar looks like when it's you and a couple dozen people, with no compliance team in sight.

What GRC actually is (the one-paragraph version)

The term GRC was coined by OCEG (originally the Open Compliance and Ethics Group). Their formal definition is useful precisely because it isn't about paperwork: GRC is the integrated set of capabilities that lets an organization reliably achieve its objectives, address uncertainty, and act with integrity. Read that with startup eyes — achieve objectives (governance), address uncertainty (risk), act with integrity (compliance). It describes a well-run company, not a bureaucracy.

If you want the full definitional breakdown, we cover it in what is GRC. Here, we're focused on what to actually do at 20 people.

Why a 20-person startup should care now (not "later")

The instinct is to file GRC under "problems for later." The trouble is that "later" tends to arrive as a deadline you didn't set: the first enterprise prospect who sends a security questionnaire, the investor doing due diligence, the EU customer asking about GDPR, or the incident that exposes how little was written down. Building the habits at 20 people is cheap and fast. Retrofitting them at 120 — under deadline pressure, across a bigger team — is neither.

The good news: at your size, "good GRC" is genuinely small. You're not building an enterprise program. You're writing a few things down and keeping them current.

What each pillar looks like at 20 people

Governance: decide clearly, write it down

At 20 people you don't need a board risk committee. You need clarity on who decides what and a habit of recording the decisions that matter. In practice:

  • Name an owner for each area that carries risk — security, data, finance, people. In a small team one person may own several; the point is that someone owns each, not "the team."
  • Keep a lightweight decision log for calls that would be expensive to reverse or reconstruct — vendor choices, data-handling decisions, access grants.
  • Write down the handful of principles you actually operate by (a short code of conduct, an acceptable-use rule) rather than leaving "good judgment" undefined.

Governance at this stage is less about hierarchy and more about avoiding the "I thought you owned that" gaps that turn into incidents.

Risk: one page, top risks, quarterly

Risk management sounds heavy; the lean version is a single risk register you can practically hold in your head. List your top 5–10 risks — data breach, key-person dependency, a critical vendor going down, a compliance gap that blocks a deal. For each, note how likely it is, how bad it would be, and what you're doing about it (fix it, reduce it, transfer it, or consciously accept it). Then revisit it quarterly.

That's it. A maintained one-pager beats an elaborate framework nobody updates. Our guide to the startup risk assessment framework walks through the cycle, and risk assessment methodologies covers how to score risks without overcomplicating it.
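The one-page register described above is small enough to keep as a script. The following is an added example, not code from the page or from AuditBadger: it models each risk with a likelihood and impact on a 1–5 scale, one of the four treatments named above (fix, reduce, transfer, accept), a single owner, and a last-review date, and it produces the agenda for the quarterly review: the top risks, the rows that have gone stale, and the rows an auditor would flag (no owner, no recorded action, a high-scored risk simply marked "accept"). The scale, the 91-day cadence, the acceptance threshold and the sample risks are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    """The four responses the text names: fix it, reduce it, transfer it, accept it."""
    FIX = "fix"
    REDUCE = "reduce"
    TRANSFER = "transfer"
    ACCEPT = "accept"


@dataclass
class Risk:
    title: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int              # 1 (minor) .. 5 (severe); assumed scale
    treatment: Treatment
    action: str              # what you are doing about it
    owner: Optional[str]     # one named person, not "the team"
    last_reviewed: date

    @property
    def score(self) -> int:
        # Likelihood x impact, 1..25. Coarse, but enough for a one-pager.
        return self.likelihood * self.impact


REVIEW_CADENCE = timedelta(days=91)   # roughly one quarter (assumption)
ACCEPT_THRESHOLD = 12                 # accepting a risk scored this high needs explicit sign-off (assumption)


def validate(risk: Risk) -> List[str]:
    """Return the gaps the quarterly review (or an auditor) would flag for one row."""
    problems = []
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        problems.append("scores outside 1-5 scale")
    if not risk.owner:
        problems.append("no owner")
    if not risk.action.strip():
        problems.append("no action recorded")
    if risk.treatment is Treatment.ACCEPT and risk.score >= ACCEPT_THRESHOLD:
        problems.append("high-scored risk marked 'accept' without mitigation")
    return problems


def prioritized(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so severe outcomes stay near the top."""
    return sorted(register, key=lambda r: (-r.score, -r.impact))


def overdue(register: List[Risk], today: date) -> List[Risk]:
    """Rows not revisited within one review cadence."""
    return [r for r in register if today - r.last_reviewed > REVIEW_CADENCE]


def quarterly_report(register: List[Risk], today: date) -> Dict[str, object]:
    """Agenda for the quarterly review: what's top, what's stale, what's incomplete."""
    return {
        "top": [r.title for r in prioritized(register)[:3]],
        "overdue": [r.title for r in overdue(register, today)],
        "problems": {r.title: validate(r) for r in register if validate(r)},
    }


# Constructed sample register for a fictional 20-person SaaS startup.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Risk("Customer data breach via a compromised staff account", 3, 5, Treatment.REDUCE,
         "MFA everywhere, least-privilege access, prompt offboarding", "Dana (security)", date(2024, 1, 15)),
    Risk("Key-person dependency on the only backend engineer", 3, 4, Treatment.REDUCE,
         "Deploy runbook written; second engineer pairs on critical systems", "Sam (CEO)", date(2024, 4, 10)),
    Risk("SOC 2 gap blocks an enterprise deal", 4, 3, Treatment.FIX,
         "Documented roadmap to SOC 2; core policies drafted", None, date(2024, 4, 10)),
    Risk("Critical hosting vendor outage", 2, 4, Treatment.TRANSFER,
         "Vendor SLA plus tested restores from off-site backups", "Dana (security)", date(2024, 4, 10)),
    Risk("Lost laptop (disk encryption and remote wipe enforced)", 2, 2, Treatment.ACCEPT,
         "Residual risk accepted given enforced encryption", "Ops lead", date(2024, 4, 10)),
]

if __name__ == "__main__":
    for key, value in quarterly_report(SAMPLE_REGISTER, SAMPLE_TODAY).items():
        print(f"{key}: {value}")
```

On the sample data the report surfaces exactly the things the quarterly hour should spend time on: the breach risk has not been revisited since January and is overdue, and the SOC 2 row has no owner, which is the "I thought you owned that" gap the governance section warns about.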

Compliance: only the rules that actually apply

Compliance is where founders tend to over- or under-react. The trick is to scope it to what genuinely applies to your business:

  • SOC 2® — the one most B2B SaaS startups meet first, because enterprise buyers ask for it. It's an independent attestation of your security controls, not a government certification. See the complete SOC 2 guide for founders.
  • GDPR — if you handle the personal data of people in the EU.
  • HIPAA — if you touch U.S. protected health information, often as a business associate.
  • ISO 27001 — an international information-security standard you'll meet when you sell globally.

You almost certainly don't need all of them. Ask your target customers which one they require, and start there. Whatever you pick, compliance comes down to written policies that match what you actually do — aspirational documents that don't reflect reality are the fastest route to audit findings.

Minimum viable GRC: your first 90 days

Starting from zero, this is enough to be in genuinely good shape for your size:

  1. Assign owners. One accountable person each for security, data/privacy, and people/HR.
  2. Write the core policies. A short information-security policy, acceptable-use, access control, and incident response — reflecting how you really work. Our 9 essential company policies is a good starting set.
  3. Stand up a one-page risk register. Top 5–10 risks, scored, with an owner each.
  4. Fix the security basics. MFA everywhere, least-privilege access, prompt offboarding, and backups you've actually tested.
  5. Pick your framework. Usually SOC 2® for SaaS — even a documented roadmap toward it can unblock deals.
  6. Set a rhythm. A quarterly 60-minute review of policies, risks, and access. Consistency beats intensity.


Common traps for small teams

  • Over-engineering. A 50-page framework you never revisit is worse than a one-pager you keep current. Match the effort to your size.
  • Treating it as a one-time project. GRC is a rhythm, not a milestone. Controls drift and policies go stale; the quarterly review is what keeps them honest.
  • Siloing it in one person's head. If your entire compliance posture lives with one founder, it leaks the moment they're busy or leave. Write it down and share ownership.
  • Buying enterprise tooling too early. You don't need a six-figure platform to manage a 20-person program — you need one place to keep policies, risks, and evidence current, without a heavy services contract.

How this scales

The point of starting lean is that nothing gets thrown away later. The owners you named become real roles. The one-page risk register grows columns. The policies that matched a 20-person reality get versioned as you grow. When a SOC 2® or ISO 27001 audit arrives, you're formalizing habits you already have — not inventing a program in a panic. That's the whole promise of doing GRC early: compliance becomes a byproduct of running the company well, instead of a fire drill.

Doing it without a compliance team

You don't need to hire a GRC function to run this. A platform like AuditBadger keeps your policies, risks, controls, and evidence in one place, tracks acknowledgments, and guides you through frameworks like SOC 2® and ISO 27001 step by step — so a small team can stay audit-ready without drowning in spreadsheets. Onboarding is run by our founding team, so you're not left to figure it out alone.

Start small, keep it consistent, and let GRC be what it's meant to be: a clearer, calmer way to run a company people trust.

Frequently asked questions

What does GRC stand for?

GRC stands for governance, risk, and compliance. The term was coined by OCEG to describe the integrated capabilities that let an organization reliably achieve its objectives (governance), address uncertainty (risk), and act with integrity (compliance). For a startup it boils down to three questions: how you make and record decisions, what could go wrong and what you're doing about it, and which rules and standards actually apply to you.

Does a 20-person startup really need GRC?

Not as a formal program, but yes as a habit. At 20 people "good GRC" is small: clear owners for security, data, and people; a one-page risk register; a few real policies; and a quarterly review. Building these habits early is cheap and fast — retrofitting them under deadline pressure when an enterprise deal or investor due diligence suddenly requires them is neither.

How is GRC different from just getting SOC 2?

SOC 2® is one compliance framework — the "C" in GRC, and usually the first one B2B SaaS startups meet. GRC is broader: it also covers how you govern decisions and how you manage risk. In practice, a solid GRC foundation — clear owners, real policies, and a maintained risk register — is exactly what makes a SOC 2® audit straightforward rather than a last-minute scramble.

What's the minimum GRC setup for a small startup?

Assign an owner for security, data/privacy, and people; write a handful of core policies that match how you actually work (information security, acceptable use, access control, incident response); keep a one-page risk register of your top 5–10 risks; fix the security basics (MFA, least-privilege access, tested backups); pick the one framework your customers ask for (usually SOC 2®); and review it all quarterly. That's a genuinely solid GRC posture for your size.

Do we need to hire someone to run GRC?

Not at 20 people. GRC at this stage is a shared responsibility with clear owners, not a dedicated hire. A compliance platform can carry most of the load — keeping policies, risks, and evidence in one place and guiding you through frameworks like SOC 2® and ISO 27001 — so existing team members can manage it alongside their day jobs until the company is large enough to justify a dedicated role.
