When “running lean” becomes legally risky: Why governance is non-negotiable for SMEs

By Rose Byass

Many small and mid-sized businesses pride themselves on speed, flexibility, and “lean” operations. But there’s a fine line between lean and legally exposed. In Australia—especially post-reform—companies that under-invest in governance face escalating penalties, reputational damage, civil claims, and in severe safety failures, even criminal liability. “We’re only a small business” is not a defence. Courts and regulators expect appropriate policies, competent people, compliant systems, and evidence of due diligence. This article lays out the major consequences of neglecting governance, explains why “non-specialists doing specialist work” (e.g., a finance manager running HR) is risky, and offers a practical roadmap for SMEs to lift their governance without becoming bureaucratic.


Governance = risk control for people, money and reputation

At its core, governance is how a business directs and controls risk: clear policies and procedures; compliant HR practices; trained leaders; auditable records; and feedback loops (assurance, audits, and corrective actions). In Australia, two regimes drive most employer risk:

  • Work Health and Safety (WHS) – Duties under state/territory WHS laws (in WA: the Work Health and Safety Act 2020 (WA)) require PCBUs and officers to ensure, so far as reasonably practicable, worker health and safety—including adequate information, training, instruction and supervision. Breaches are prosecuted and penalties are substantial, with industrial manslaughter now legislated in WA. 
  • Fair Work – The Fair Work Act 2009 (Cth) has been strengthened: from 6 March 2023, sexual harassment is expressly prohibited and workers can pursue remedies through the Fair Work Commission/courts. From 1 January 2025, intentional wage underpayment becomes a criminal offence with prison terms and very large fines in serious cases. 

SMEs are not exempt; penalties, compliance notices, enforceable undertakings, and public media releases routinely involve small employers. 


The cost of getting governance wrong: real cases

Sexual harassment & the price of not having (or enforcing) a policy

The landmark Richardson v Oracle decision radically reset damages for sexual harassment in Australia. The Full Federal Court criticised historically low awards and signalled six-figure general damages are appropriate, reshaping employer exposure where policies, training and complaint handling are weak. Translation: if you don’t have a live, enforced policy and trained leaders, your risk profile is high. 

Wage compliance & record-keeping failures

Fair Work continues to prosecute underpayments and payslip/record-keeping breaches—including at small venues. Penalties can exceed the underpayment amount, and (from 2025) intentional underpayment may lead to criminal liability. Courts have also highlighted that poor records make it hard to defend underpayment claims and can turn a matter into a serious contravention with higher penalties. Recent cases include small hospitality businesses and well-publicised multi-million-dollar penalties for deliberate schemes. 

Safety failures: training and supervision are not optional

Work health and safety cases frequently cite inadequate training, poor supervision, and lack of safe systems of work as causes of serious harm. Regulators publish prosecutions where workers were injured or killed doing tasks without training or procedures; courts impose heavy fines—even when the paper procedure existed but was not actually implemented.

Industrial manslaughter (WA)

In WA, industrial manslaughter is now an offence under the WHS Act 2020 (WA) with very severe penalties for duty holders whose failures cause a death. For directors and officers, this changes the calculus: due diligence can’t be delegated and forgotten—it must be demonstrable. The lesson across these cases is consistent: having policies is not enough—implementing, monitoring and training against them is what counts in court.


“Non-specialists doing specialist work” is a governance hazard

It’s common in lean SMEs for a finance manager to “look after HR” or for an ops lead to “handle safety”. The intent is good; the risk is real. HR/IR and WHS are technical disciplines with live legislative change, tribunal decisions, and regulatory guidance that shift obligations year-to-year. Consider just three examples where non-specialist administration can create liability:

  1. Recruitment & contracts – Using templates that don’t reflect award coverage, NES, or modern Fair Work changes (flexible work, family & domestic violence leave, fixed-term contract limits) can lead to systemic underpayments or unlawful terms. Penalties escalate quickly and poor records cripple a defence. 
  2. Complaint handling – Mishandled bullying or sexual harassment complaints (e.g., no impartial investigator, no written findings, poor confidentiality, lack of training) carry high legal, cultural and reputational costs—especially post-March 2023 reforms. 
  3. Safety – A written SWMS/SOP on a shelf is not a defence. Courts look for competent risk assessments, training records, supervision logs, toolbox talks, contractor vetting, and evidence that controls are used. The difference between a near miss and a catastrophic incident is often a trained supervisor and a properly implemented procedure. 

Bottom line: It’s cheaper to engage a part-time HR/WHS specialist than to litigate a preventable failure. The direct legal costs are only part of the loss; add downtime, executive distraction, staff turnover, and brand damage.


The specific risks of “lean” policy suites

If you’re missing any of the following, your risk is elevated:

  • Code of Conduct (including conflicts of interest, reporting channels, expected behaviours)
  • Bullying, Harassment & Sexual Harassment Policy (linked to complaint pathways, natural justice, and the current Fair Work prohibition)
  • WHS Policy & Risk Management Procedure (hazard ID, risk assessment, controls, consultation, incident response) 
  • Grievance & Investigation Procedure (including when to appoint external, trauma-informed investigators)
  • Leave & Entitlements / Payroll Compliance (accurate classification, overtime, penalty rates, payslips, record-keeping) with active audits ahead of the 2025 underpayment criminalisation. 
  • Performance & Discipline (procedural fairness, support persons, evidence)
  • Contractor Management (PCBU/PCBU shared duties; evidence of competency and insurance)

Courts and regulators repeatedly observe that out-of-date or unenforced policies are as risky as having none. In one recent safety case, a company had a documented procedure but failed to share and enforce it; after a severe injury, the court still imposed a $500,000 fine. 


What “good” looks like for SMEs (without bloat)

You don’t need a policy library the size of a bank. You need fit-for-purpose governance that you can evidence:

  1. Board/Owner Duties & Assurance
    • Annual governance calendar (policy reviews, WHS due diligence checks, payroll audits).
    • Quarterly WHS and HR dashboards with lead/lag indicators (training completion, incidents, grievances, turnover, audit findings).
  2. Minimum Policy Set (kept current)
    • Code of Conduct; Bullying/Harassment/Sexual Harassment; WHS; Incident & Investigation; Leave/Payroll; Performance & Discipline; Contractor Management.
    • Version control, last review dates, and staff acknowledgement logs.
  3. Competence & Training
    • Induction + role-specific training; supervisor training in safety leadership and complaint handling; toolbox talks.
    • Evidence (sign-offs, attendance, assessment, refresher schedules). Model WHS laws explicitly require information, training, instruction and supervision.
  4. Fair Work Compliance
    • Confirm award coverage and classifications; test pays; keep records; fix errors quickly.
    • Implement a wage compliance plan ahead of the 1 Jan 2025 criminalisation of intentional underpayment. 
  5. Investigations & Issue Resolution
    • Clear triage (what’s HR-managed vs. external independent).
    • Procedural fairness; secure documentation; timely actions aligned to your policy and the Fair Work Act sexual harassment prohibition. 
  6. Safety in Practice
    • Risk registers, SWMS/SOPs that match real practice, pre-start checks, supervision rosters.
    • Post-incident reviews with documented corrective actions (engineering/administrative controls) and verification that controls are working. Recent cases show that training and supervision gaps are routinely cited in prosecutions. 

Consequence pathways when governance is weak

  • Regulatory – Improvement and prohibition notices; enforceable undertakings; civil penalties; public naming; in severe cases, criminal charges (e.g., intentional wage underpayment from 2025; industrial manslaughter in WA).
  • Civil litigation – Employee claims for sexual harassment, bullying, unfair dismissal, or underpayment; class-style wage claims; general protections claims. Post-Richardson, sexual harassment damages are materially higher.
  • Personal liability for officers – WHS due diligence duties require active oversight; courts will test whether officers received and interrogated safety information, allocated resources, and verified controls.
  • Commercial – Contract loss, insurer scrutiny (higher premiums/exclusions), brand and talent damage, executive distraction, and reduced valuation in due diligence.


Case snapshots you can relate to (SME-scale impact)

  • Hospitality owner fined: A Melbourne bar owner was personally penalised alongside the company for underpayments and payslip breaches—after ignoring a compliance notice. Small business, big consequences, public naming. 
  • “Serious and deliberate” underpayments: A Queensland equipment firm and its director were fined after ignoring compliance notices on entitlements; insolvency followed. 
  • Systemic exploitation: The Federal Court issued $4 million in penalties against a restaurant group and senior staff for deliberate underpayments and false records—illustrating both the size of penalties and personal exposure of managers. 
  • Training failure → fatality: A metalworks employer with no safe operating procedure or adequate training was fined $300,000 after a worker was killed by ejected steel. Courts repeatedly emphasise the basic, achievable controls that would have prevented tragedy. 
  • Procedure existed but not implemented: A WA manufacturer was fined $500,000 after severe injuries; the official finding stressed that safety procedures must be shared and enforced, not just written. 

“But we’re small…”: why that argument won’t hold

Regulators and courts accept that SMEs can scale processes, but they will not excuse absence of core duties. Model WHS laws and guidance explicitly require PCBUs to provide training, instruction, and supervision. Likewise, Fair Work’s 2023–2025 reforms raise the bar, including sexual harassment protections and criminal penalties for intentional underpayments. Ignorance, informality, or resourcing constraints are not defences.


A practical roadmap: fix the biggest risks first (90-day plan)

Days 1–30 – Diagnose & stabilise

  • Conduct a Governance Health Check: WHS, HR/IR, payroll, complaint handling, records.
  • Lock in a minimum policy set (above) with staff briefings and acknowledgements.
  • Identify high-risk work; verify training, supervision, and SOPs are real and current.
  • Address obvious Fair Work gaps: award coverage, payslips, record-keeping. 

Days 31–60 – Build competence

  • Train leaders on bullying/harassment complaint handling, performance process, and WHS due diligence.
  • Start monthly WHS and HR dashboards (KPIs + corrective actions).
  • Engage a part-time HR/WHS advisor (internal or external) for specialist oversight.

Days 61–90 – Assure & improve

  • Run a payroll mini-audit and rectify anomalies before 1 Jan 2025 underpayment criminalisation.
  • Test emergency response and investigation process (table-top).
  • Schedule quarterly policy reviews and annual independent assurance. 

The ROI of governance

The cost of a policy refresh, targeted training, and a half-day a week from a specialist is trivial compared to a single contested claim, underpayment prosecution, or safety incident. Courts consistently punish:

  • No policies or out-of-date policies
  • No training or supervision
  • Poor records
  • “Paper” procedures not implemented 

Conversely, organisations that can evidence their due diligence—competent systems, trained people, active oversight—are far better placed to prevent incidents, resolve complaints early, and defend claims if they arise.


A word on culture

Policies don’t drive behaviour—people do. The most effective SMEs make governance part of leadership identity: leaders talk about safety and respect, close the loop on reports, act on near misses, and model the Code of Conduct. When leaders are trained and measured on these behaviours, the policy becomes practice.


Conclusion: Governance is how small businesses grow safely

Australian regulators have made it clear: protections exist only if employers provide them. If your company lacks a Code of Conduct, bullying/harassment policy, current WHS framework, up-to-date payroll practices, and trained leaders, you are operating on borrowed time. Recent cases show that SMEs are squarely within enforcement focus—from sexual harassment damages (post-Richardson) to Fair Work prosecutions, to WHS fines where training and supervision failed. And in WA, the industrial manslaughter offence underscores the gravity of leadership duties. The risk is not theoretical; it’s operational and immediate. The fix is practical and achievable: a right-sized policy suite, competent people in HR and safety, live training and supervision, accurate records, and leadership that treats governance as a growth enabler—not red tape. For many SMEs, the smartest “lean” move is to bring in a part-time specialist rather than improvising with non-experts. It costs less than a single serious claim and protects the business you’ve built.

If you’d like a no-obligation Governance Health Check for your business, Robust Leaders can help you prioritise the highest-risk gaps and build a 90-day plan that sticks.