9 compliance plan decisions for SMEs in 2026

A practical guide to implement a useful, proportionate and defensible compliance plan for SMEs without turning compliance into paperwork that no one applies.

Last reviewed: June 2026

Corporate, criminal and business compliance

An effective compliance plan relies on real risks, identified responsibilities, simple controls and verifiable evidence.

Focus: SMEs, directors, family businesses and growing companies.

Main risk: copying a generic model with no controls, training or evidence of application.

Useful decision: start with real risks, clear owners and proportionate evidence.

These are the 9 compliance plan decisions for SMEs that should be reviewed:

  1. Define the real scope of the plan
  2. Build a proportionate risk map
  3. Appoint a compliance owner
  4. Create an understandable code of ethics
  5. Implement specific internal controls
  6. Regulate the internal reporting channel
  7. Train the team realistically
  8. Document evidence of compliance
  9. Review the plan when the business changes

A compliance plan for SMEs helps prevent legal risk, organise internal controls and show that the company acts diligently. It is not a decorative document: it should help detect breaches, correct them in time and protect directors, employees and the business.

Spain does not impose a single general compliance plan on every small or medium-sized company, but compliance has become a practical tool. It may be decisive if a corporate offence appears, if a strategic client requires controls, if the company participates in a tender or if the business operates in a regulated sector.

The key is proportionality. An SME does not need to copy a multinational’s system, but it should identify real risks, assign responsibilities, train the team, activate reporting channels and periodically review its controls.

This guide explains which decisions should be taken before implementing the plan, which documents should be prepared, which errors should be avoided and how criminal compliance, internal reporting, tax, employment, data and directors’ duties may interact.

9 decisions to create a compliance plan

1. Define the real scope of the plan

The first step is deciding what the plan covers. In an SME, it may include criminal compliance, data protection, anti-money laundering, employment risk, tax, supplier contracting and financial controls.

The criminal framework matters because Article 31 bis of the Spanish Criminal Code allows effective organisation and management models to be considered when assessing corporate criminal liability. The State Prosecutor’s Circular 1/2016 is also useful to understand which elements may be reviewed when assessing effectiveness.

2. Build a proportionate risk map

The risk map identifies where the company may fail: payments, contracting, suppliers, gifts, data, tax, subsidies, employment relationships or safety. It should rank risks by likelihood and impact instead of treating every risk as equally urgent.

An industrial company, a technology consultancy and a real estate business do not share the same risk map. The important point is to know where a serious breach may arise and which control can prevent it.

3. Appoint a compliance owner

Every company needs someone to oversee the model. In SMEs, the management body may assume the function, but the company should be clear about who coordinates, who reports and who preserves evidence.

If the owner has no time, minimum independence or adequate training, the plan loses effectiveness. Part of the function can be externalised for technical support, but the directors’ ultimate duty of supervision does not disappear.

4. Create an understandable code of ethics

The code of ethics should explain how the company acts in conflicts of interest, gifts, payments, suppliers, data, competition, harassment, equality and use of resources. It should be written in clear language: if no one understands it, no one applies it.

A brief, signed and communicated code is often more effective than a long manual no one reads. Its value is turning general principles into rules the team can use in daily decisions.

5. Implement specific internal controls

Controls are the operational part of the plan. They may include double approval of payments, supplier validation, expense limits, tax reviews, contract archiving and documentary traceability.

The goal is not to slow the business down, but to avoid sensitive decisions depending on one person with no evidence. For SMEs, controls should be simple, repeatable and proportionate.

6. Regulate the internal reporting channel

Law 2/2023 requires internal reporting systems for certain entities and sets guarantees on confidentiality, whistleblower protection and secure handling. Even where an SME is not obliged, a channel may be recommended if it has sensitive risks.

A poorly managed channel can create more risk than it solves. It should regulate receipt, investigation, deadlines, confidentiality, data protection and absence of retaliation. It should not be a forgotten mailbox.

7. Train the team realistically

The plan only works if people know the rules. Training should be adapted to each profile: administration, sales, purchasing, management, finance, human resources or technology.

Sending a PDF is not enough. It is useful to explain concrete scenarios: supplier gifts, suspicious invoices, personal data, conflicts of interest or use of confidential information. The company should preserve evidence of date, attendance, content and minimum understanding.

8. Document evidence of compliance

In compliance, what is not documented is difficult to prove. Minutes, policies, training, reviews, communications, investigations and controls should be preserved in an organised way.

Evidence is important if there is an inspection, a complaint, a criminal proceeding or a client claim. The purpose is not to accumulate papers, but to reconstruct decisions.

9. Review the plan when the business changes

Compliance is not static. It changes if the SME opens a new market, incorporates shareholders, hires more employees, starts tendering or enters a regulated sector.

The plan should also be reviewed after an incident, a regulatory change or when the risk map becomes outdated. Periodic review shows that the model is alive.

Risks and controls an SME should prioritise

A person looking for a compliance plan for SMEs usually does not want abstract criminal law theory. They want to know whether they need it, where the risk lies and how to implement it without paralysing the business. The search intent is often linked to a tender, a demanding client, internal growth or a management decision.

| Risk | Signal in an SME | Proportionate control |
|---|---|---|
| Sensitive payments and expenses | One person approves suppliers, payments, gifts or representation expenses. | Dual approval by amount, gifts policy and approval record. |
| Third-party contracting | Agents, sales representatives, key suppliers or collaborators act for the company. | Supplier onboarding, contract, compliance clauses and conflict review. |
| Data and reporting channel | Internal communications are received with no procedure or whistleblower protection. | Regulated channel, deadlines, confidentiality, owner and secure register. |
| Tax or accounting risk | Invoicing, collections, subsidies or expenses lack sufficient traceability. | Support file, periodic review and approval owners. |
| Directors’ duties | The management body does not approve or review the model. | Approval minutes, annual report and corrective action tracking. |

Practical criterion: an SME should not start with the longest document, but with the most real risk. First decide what can happen, who controls it and what evidence will exist if someone asks six months later.

Minimum documents and evidence

Compliance is not proven with a polished document. It is proven with evidence: training delivered, controls applied, periodic reviews, an operating reporting channel, documented investigations, corrective measures and traceable decisions.

| Document | Purpose | Evidence to preserve |
|---|---|---|
| Approval minutes | Shows management commitment and the scope of the plan. | Date, attendees, resolution, owner and implementation calendar. |
| Risk map | Prioritises criminal, corporate, tax, employment or data risks. | Methodology, assessment, existing controls and pending actions. |
| Code of ethics and policies | Turns principles into rules the team can apply. | Approved version, communication to the team and acknowledgement. |
| Training register | Shows the rules were explained and not merely archived. | Date, attendees, content, evaluation and materials. |
| Periodic review | Checks whether the model remains alive and adapted to the business. | Report, incidents, controls reviewed and corrective measures. |

Minimum checklist to begin

  • Organisation chart: who decides, who applies controls and who reports incidents.
  • Sensitive processes: payments, purchasing, sales, suppliers, gifts, hiring and data.
  • Key contracts: clients, suppliers, collaborators, agents and strategic partners.
  • Past incidents: claims, inspections, internal conflicts or audit alerts.
  • Current channels: how questions, complaints, alerts or sensitive communications are received.

Common mistakes when implementing compliance

Copying a large-company model

An overly complex plan is not applied. The SME needs clear controls, identifiable owners and proportionate documentation. If the system demands more than the structure can sustain, it will become disconnected from the business.

Creating policies with no follow-up

A document without training, controls and periodic review does not show a real compliance culture. The plan should leave evidence of application: decisions, registers, communications and corrective measures.

Forgetting the management body

Directors should promote, approve and supervise the model. Delegating tasks does not remove their duty of diligence. Without minutes, monitoring and review, it will be difficult to show that the system had real support.

Opening a reporting channel without a procedure

A whistleblowing or reporting channel cannot be only an email address. It must regulate receipt, confidentiality, deadlines, whistleblower protection, investigation, corrective measures and data processing.

How GraciaCalbet can help

At GraciaCalbet we help SMEs, directors and family businesses implement proportionate compliance models, connecting criminal law, corporate law, employment, tax and internal management. The key is for the system to be useful for the company and defensible if a problem appears.

We can design the criminal and corporate risk map, prepare the code of ethics, policies and internal controls, implement the internal reporting channel, train directors and teams, and periodically review the model and its evidence.

This work can connect with our criminal compliance, corporate law and tax advisory practices when the model has broader business implications.


Proportionate compliance for SMEs

If your company needs controls because of growth, a tender, a strategic client or criminal risk, the model should be applicable and documented.


Frequently Asked Questions (FAQs)

Is a compliance plan mandatory for an SME?

There is no general obligation for every SME to have a model, but one may be required by sector rules or contractual demands. An effective model may also be important to exempt or mitigate corporate criminal liability if an offence occurs within the company.

What should a compliance plan for SMEs include?

It should include a risk map, code of ethics, internal policies, controls, reporting channel where appropriate, training, compliance owner, disciplinary system and periodic review. The key is adaptation to the size, activity and risks of the company.

Can a director be liable if there is no compliance?

Director liability may arise if diligent control measures are not adopted, especially where there are serious breaches, offences, debts or lack of supervision. Compliance does not eliminate all risks, but it helps show that the management body acted diligently.

How often should the compliance plan be reviewed?

It should be reviewed periodically and whenever the activity, structure, rules, risks or business model changes. It is also advisable to review it after an incident, internal report or inspection. An outdated plan may lose effectiveness.

Is a whistleblowing channel part of compliance?

Yes. The internal reporting channel is usually integrated into the compliance system because it helps detect irregularities, protect informants and manage internal investigations. In some cases it is mandatory under Law 2/2023; in others it can still be recommended.