{"id":5474,"date":"2026-06-19T11:18:21","date_gmt":"2026-06-19T09:18:21","guid":{"rendered":"https:\/\/graciacalbet.com\/blog\/compliance-plan-smes-2026\/"},"modified":"2026-06-19T11:18:21","modified_gmt":"2026-06-19T09:18:21","slug":"compliance-plan-smes-2026","status":"publish","type":"post","link":"https:\/\/graciacalbet.com\/en\/mercantil\/compliance-plan-smes-2026\/","title":{"rendered":"9 compliance plan decisions for SMEs in 2026"},"content":{"rendered":"<article style=\"width:100%;max-width:1180px;box-sizing:border-box;margin:0 auto;padding:0 clamp(18px,4vw,30px) clamp(40px,8vw,72px);color:#2b2b2b;font-family:Raleway,Arial,sans-serif;font-size:clamp(16px,3.8vw,18px);line-height:1.72;overflow-x:hidden;overflow-wrap:anywhere;word-break:break-word;\">\n<header style=\"position:relative;margin:0 0 clamp(34px,7vw,58px);padding:clamp(32px,8vw,78px) 0 clamp(28px,7vw,54px);text-align:center;border-bottom:1px solid #e6e6e6;overflow:hidden;\">\n    <img decoding=\"async\" style=\"position:absolute;right:-8%;top:4%;width:min(460px,72vw);max-width:none;opacity:.045;z-index:0;\" src=\"https:\/\/graciacalbet.com\/images\/graciacalbet-logo-transparent.svg\" alt=\"\"><\/p>\n<div style=\"position:relative;z-index:1;max-width:1040px;margin:0 auto;\">\n<p style=\"margin:0 0 18px;color:#797979;font-size:clamp(11px,3vw,13px);line-height:1.35;font-weight:700;letter-spacing:.14em;text-transform:uppercase;\">Compliance for companies<\/p>\n<h1 style=\"max-width:1020px;margin:0 auto 20px;color:#000;font-family:PlayfairDisplay,Georgia,serif;font-size:clamp(30px,6.8vw,68px);line-height:1.02;font-weight:600;overflow-wrap:anywhere;word-break:break-word;hyphens:auto;\">9 compliance plan decisions for SMEs in 2026<\/h1>\n<p style=\"max-width:860px;margin:0 auto 22px;color:#2b2b2b;font-size:clamp(18px,4.2vw,22px);line-height:1.55;overflow-wrap:anywhere;word-break:break-word;\">A practical guide to implement a useful, proportionate and defensible compliance plan for SMEs without turning compliance into paperwork that no one applies.<\/p>\n<div style=\"display:flex;flex-wrap:wrap;gap:10px 18px;align-items:center;justify-content:center;margin:0;color:#797979;font-size:14px;line-height:1.4;\">\n        <span style=\"display:inline-block;\">Last reviewed: June 2026<\/span><br \/>\n        <span style=\"display:inline-block;width:28px;height:1px;background:#d7d7d7;\"><\/span><br \/>\n        <span style=\"display:inline-block;\">Corporate, criminal and business compliance<\/span>\n      <\/div>\n<\/p><\/div>\n<\/header>\n<figure style=\"max-width:960px;margin:0 auto clamp(34px,7vw,52px);padding:0;\">\n    <img decoding=\"async\" style=\"display:block;width:100%;max-height:clamp(300px,58vw,520px);object-fit:cover;background:#f3f3f3;\" src=\"https:\/\/graciacalbet.com\/images\/graciacalbet-derecho-laboral.webp\" alt=\"Professional meeting to define internal controls and an SME compliance plan\"><figcaption style=\"margin:0;padding:12px 0 0;color:#797979;font-size:14px;line-height:1.45;border-top:1px solid #e6e6e6;\">An effective compliance plan relies on real risks, identified responsibilities, simple controls and verifiable evidence.<\/figcaption><\/figure>\n<div style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(min(100%,260px),1fr));gap:0;margin:0 0 clamp(30px,6vw,46px);border-top:1px solid #000;border-bottom:1px solid #e6e6e6;\">\n<p style=\"margin:0;padding:18px 18px 18px 0;color:#2b2b2b;font-size:15px;line-height:1.5;border-bottom:1px solid #e6e6e6;\"><strong style=\"display:block;margin:0 0 4px;color:#000;font-weight:800;\">Focus<\/strong> SMEs, directors, family businesses and growing companies.<\/p>\n<p style=\"margin:0;padding:18px;color:#2b2b2b;font-size:15px;line-height:1.5;border-bottom:1px solid #e6e6e6;\"><strong style=\"display:block;margin:0 0 4px;color:#000;font-weight:800;\">Main risk<\/strong> Copying a generic model with no controls, training or evidence of application.<\/p>\n<p style=\"margin:0;padding:18px 0 18px 18px;color:#2b2b2b;font-size:15px;line-height:1.5;border-bottom:1px solid #e6e6e6;\"><strong style=\"display:block;margin:0 0 4px;color:#000;font-weight:800;\">Useful decision<\/strong> Start with real risks, clear owners and proportionate evidence.<\/p>\n<\/p><\/div>\n<nav aria-label=\"Table of contents\" style=\"max-width:860px;margin:0 auto clamp(30px,6vw,48px);padding:0;border-top:1px solid #000;border-bottom:1px solid #e6e6e6;\">\n<p style=\"margin:0;padding:16px 0 12px;color:#000;font-size:13px;font-weight:800;letter-spacing:.16em;text-transform:uppercase;\">Article contents<\/p>\n<ol style=\"display:block;margin:0;padding:0;color:#2b2b2b;font-size:clamp(15px,3.8vw,16px);line-height:1.45;list-style:none;\">\n<li style=\"margin:0;padding:14px 0;border-top:1px solid #e6e6e6;\"><a style=\"display:flex;gap:14px;color:#2b2b2b;font-weight:700;text-decoration:none;overflow-wrap:anywhere;word-break:break-word;\" href=\"#compliance-plan-decisions\"><span style=\"flex:0 0 auto;color:#797979;font-weight:800;white-space:nowrap;\">01<\/span><span>9 decisions to create a compliance plan<\/span><\/a><\/li>\n<li style=\"margin:0;padding:14px 0;border-top:1px solid #e6e6e6;\"><a style=\"display:flex;gap:14px;color:#2b2b2b;font-weight:700;text-decoration:none;overflow-wrap:anywhere;word-break:break-word;\" href=\"#sme-risks-controls\"><span style=\"flex:0 0 auto;color:#797979;font-weight:800;white-space:nowrap;\">02<\/span><span>Risks and controls an SME should prioritise<\/span><\/a><\/li>\n<li style=\"margin:0;padding:14px 0;border-top:1px solid #e6e6e6;\"><a style=\"display:flex;gap:14px;color:#2b2b2b;font-weight:700;text-decoration:none;overflow-wrap:anywhere;word-break:break-word;\" href=\"#documents-evidence-compliance\"><span style=\"flex:0 0 auto;color:#797979;font-weight:800;white-space:nowrap;\">03<\/span><span>Minimum documents and evidence<\/span><\/a><\/li>\n<li style=\"margin:0;padding:14px 0;border-top:1px solid #e6e6e6;\"><a style=\"display:flex;gap:14px;color:#2b2b2b;font-weight:700;text-decoration:none;overflow-wrap:anywhere;word-break:break-word;\" href=\"#compliance-plan-mistakes\"><span style=\"flex:0 0 auto;color:#797979;font-weight:800;white-space:nowrap;\">04<\/span><span>Common mistakes when implementing compliance<\/span><\/a><\/li>\n<li style=\"margin:0;padding:14px 0;border-top:1px solid #e6e6e6;\"><a style=\"display:flex;gap:14px;color:#2b2b2b;font-weight:700;text-decoration:none;overflow-wrap:anywhere;word-break:break-word;\" href=\"#graciacalbet-compliance-plan\"><span style=\"flex:0 0 auto;color:#797979;font-weight:800;white-space:nowrap;\">05<\/span><span>How GraciaCalbet can help<\/span><\/a><\/li>\n<li style=\"margin:0;padding:14px 0;border-top:1px solid #e6e6e6;\"><a style=\"display:flex;gap:14px;color:#2b2b2b;font-weight:700;text-decoration:none;overflow-wrap:anywhere;word-break:break-word;\" href=\"#frequently-asked-questions\"><span style=\"flex:0 0 auto;color:#797979;font-weight:800;white-space:nowrap;\">06<\/span><span>Frequently Asked Questions (FAQs)<\/span><\/a><\/li>\n<\/ol>\n<\/nav>\n<div style=\"margin:0 0 clamp(30px,6vw,44px);padding:clamp(20px,5vw,28px);background:#f3f3f3;border-left:2px solid #000;\">\n<p style=\"margin:0 0 14px;\"><strong style=\"color:#000;font-weight:800;\">These are the 9 compliance plan decisions for SMEs that should be reviewed:<\/strong><\/p>\n<ol style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(min(100%,300px),1fr));gap:10px 22px;margin:0;padding:0;list-style:none;color:#2b2b2b;\">\n<li style=\"margin:0;padding:0 0 10px;border-bottom:1px solid #d7d7d7;\"><strong style=\"color:#000;font-weight:800;\">01<\/strong> Define the real scope of the plan<\/li>\n<li style=\"margin:0;padding:0 0 10px;border-bottom:1px solid #d7d7d7;\"><strong style=\"color:#000;font-weight:800;\">02<\/strong> Build a proportionate risk map<\/li>\n<li style=\"margin:0;padding:0 0 10px;border-bottom:1px solid #d7d7d7;\"><strong style=\"color:#000;font-weight:800;\">03<\/strong> Appoint a compliance owner<\/li>\n<li style=\"margin:0;padding:0 0 10px;border-bottom:1px solid #d7d7d7;\"><strong style=\"color:#000;font-weight:800;\">04<\/strong> Create an understandable code of ethics<\/li>\n<li style=\"margin:0;padding:0 0 10px;border-bottom:1px solid #d7d7d7;\"><strong style=\"color:#000;font-weight:800;\">05<\/strong> Implement specific internal controls<\/li>\n<li style=\"margin:0;padding:0 0 10px;border-bottom:1px solid #d7d7d7;\"><strong style=\"color:#000;font-weight:800;\">06<\/strong> Regulate the internal reporting channel<\/li>\n<li style=\"margin:0;padding:0 0 10px;border-bottom:1px solid #d7d7d7;\"><strong style=\"color:#000;font-weight:800;\">07<\/strong> Train the team realistically<\/li>\n<li style=\"margin:0;padding:0 0 10px;border-bottom:1px solid #d7d7d7;\"><strong style=\"color:#000;font-weight:800;\">08<\/strong> Document evidence of compliance<\/li>\n<li style=\"margin:0;padding:0 0 10px;border-bottom:1px solid #d7d7d7;\"><strong style=\"color:#000;font-weight:800;\">09<\/strong> Review the plan when the business changes<\/li>\n<\/ol><\/div>\n<p style=\"margin:0 0 18px;\">A <strong style=\"color:#000;font-weight:800;\">compliance plan for SMEs<\/strong> helps prevent legal risk, organise internal controls and show that the company acts diligently. It is not a decorative document: it should help detect breaches, correct them in time and protect directors, employees and the business.<\/p>\n<p style=\"margin:0 0 18px;\">Spain does not impose a single general compliance plan on every small or medium-sized company, but compliance has become a practical tool. It may be decisive if a corporate offence appears, if a strategic client requires controls, if the company participates in a tender or if the business operates in a regulated sector.<\/p>\n<p style=\"margin:0 0 18px;\">The key is proportionality. An SME does not need to copy a multinational&#8217;s system, but it should identify real risks, assign responsibilities, train the team, activate reporting channels and periodically review its controls.<\/p>\n<p style=\"margin:0 0 22px;\">This guide explains which decisions should be taken before implementing the plan, which documents should be prepared, which errors should be avoided and how criminal compliance, internal reporting, tax, employment, data and directors&#8217; duties may interact.<\/p>\n<h2 id=\"compliance-plan-decisions\" style=\"margin:clamp(48px,9vw,68px) 0 20px;padding-top:20px;border-top:1px solid #000;color:#000;font-family:PlayfairDisplay,Georgia,serif;font-size:clamp(27px,5.8vw,42px);line-height:1.04;font-weight:600;\">9 decisions to create a compliance plan<\/h2>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">1. Define the real scope of the plan<\/h3>\n<p style=\"margin:0 0 16px;\">The first step is deciding what the plan covers. In an SME, it may include criminal compliance, data protection, anti-money laundering, employment risk, tax, supplier contracting and financial controls.<\/p>\n<p style=\"margin:0 0 16px;\">The criminal framework matters because <a style=\"color:#000;font-weight:700;text-decoration:underline;text-decoration-color:#797979;text-underline-offset:4px;\" href=\"https:\/\/www.boe.es\/buscar\/act.php?id=BOE-A-1995-25444#a31bis\" target=\"_blank\" rel=\"noopener\">Article 31 bis of the Spanish Criminal Code<\/a> allows effective organisation and management models to be considered when assessing corporate criminal liability. The <a style=\"color:#000;font-weight:700;text-decoration:underline;text-decoration-color:#797979;text-underline-offset:4px;\" href=\"https:\/\/www.boe.es\/buscar\/doc.php?id=FIS-C-2016-00001\" target=\"_blank\" rel=\"noopener\">State Prosecutor&#8217;s Circular 1\/2016<\/a> is also useful to understand which elements may be reviewed when assessing effectiveness.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">2. Build a proportionate risk map<\/h3>\n<p style=\"margin:0 0 16px;\">The risk map identifies where the company may fail: payments, contracting, suppliers, gifts, data, tax, subsidies, employment relationships or safety. It should rank risks by likelihood and impact instead of treating every risk as equally urgent.<\/p>\n<p style=\"margin:0 0 16px;\">An industrial company, a technology consultancy and a real estate business do not share the same risk map. The important point is to know where a serious breach may arise and which control can prevent it.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">3. Appoint a compliance owner<\/h3>\n<p style=\"margin:0 0 16px;\">Every company needs someone to oversee the model. In SMEs, the management body may assume the function, but the company should be clear about who coordinates, who reports and who preserves evidence.<\/p>\n<p style=\"margin:0 0 16px;\">If the owner has no time, minimum independence or adequate training, the plan loses effectiveness. Part of the function can be externalised for technical support, but the directors&#8217; ultimate duty of supervision does not disappear.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">4. Create an understandable code of ethics<\/h3>\n<p style=\"margin:0 0 16px;\">The code of ethics should explain how the company acts in conflicts of interest, gifts, payments, suppliers, data, competition, harassment, equality and use of resources. It should be written in clear language: if no one understands it, no one applies it.<\/p>\n<p style=\"margin:0 0 16px;\">A brief, signed and communicated code is often more effective than a long manual no one reads. Its value is turning general principles into rules the team can use in daily decisions.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">5. Implement specific internal controls<\/h3>\n<p style=\"margin:0 0 16px;\">Controls are the operational part of the plan. They may include double approval of payments, supplier validation, expense limits, tax reviews, contract archiving and documentary traceability.<\/p>\n<p style=\"margin:0 0 16px;\">The goal is not to slow the business down, but to avoid sensitive decisions depending on one person with no evidence. For SMEs, controls should be simple, repeatable and proportionate.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">6. Regulate the internal reporting channel<\/h3>\n<p style=\"margin:0 0 16px;\"><a style=\"color:#000;font-weight:700;text-decoration:underline;text-decoration-color:#797979;text-underline-offset:4px;\" href=\"https:\/\/www.boe.es\/eli\/es\/l\/2023\/02\/20\/2\/con\" target=\"_blank\" rel=\"noopener\">Law 2\/2023<\/a> requires internal reporting systems for certain entities and sets guarantees on confidentiality, whistleblower protection and secure handling. Even where an SME is not obliged, a channel may be recommended if it has sensitive risks.<\/p>\n<p style=\"margin:0 0 16px;\">A poorly managed channel can create more risk than it solves. It should regulate receipt, investigation, deadlines, confidentiality, data protection and absence of retaliation. It should not be a forgotten mailbox.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">7. Train the team realistically<\/h3>\n<p style=\"margin:0 0 16px;\">The plan only works if people know the rules. Training should be adapted to each profile: administration, sales, purchasing, management, finance, human resources or technology.<\/p>\n<p style=\"margin:0 0 16px;\">Sending a PDF is not enough. It is useful to explain concrete scenarios: supplier gifts, suspicious invoices, personal data, conflicts of interest or use of confidential information. The company should preserve evidence of date, attendance, content and minimum understanding.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">8. Document evidence of compliance<\/h3>\n<p style=\"margin:0 0 16px;\">In compliance, what is not documented is difficult to prove. Minutes, policies, training, reviews, communications, investigations and controls should be preserved in an organised way.<\/p>\n<p style=\"margin:0 0 16px;\">Evidence is important if there is an inspection, a complaint, a criminal proceeding or a client claim. The purpose is not to accumulate papers, but to reconstruct decisions.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">9. Review the plan when the business changes<\/h3>\n<p style=\"margin:0 0 16px;\">Compliance is not static. It changes if the SME opens a new market, incorporates shareholders, hires more employees, starts tendering or enters a regulated sector.<\/p>\n<p style=\"margin:0 0 16px;\">The plan should also be reviewed after an incident, a regulatory change or when the risk map becomes outdated. Periodic review shows that the model is alive.<\/p>\n<h2 id=\"sme-risks-controls\" style=\"margin:clamp(48px,9vw,68px) 0 20px;padding-top:20px;border-top:1px solid #000;color:#000;font-family:PlayfairDisplay,Georgia,serif;font-size:clamp(27px,5.8vw,42px);line-height:1.04;font-weight:600;\">Risks and controls an SME should prioritise<\/h2>\n<p style=\"margin:0 0 16px;\">A person looking for a compliance plan for SMEs usually does not want abstract criminal law theory. They want to know whether they need it, where the risk lies and how to implement it without paralysing the business. The search intent is often linked to a tender, a demanding client, internal growth or a management decision.<\/p>\n<div style=\"overflow-x:auto;margin:24px 0;border:1px solid #e6e6e6;\">\n<table style=\"width:100%;min-width:760px;border-collapse:collapse;background:#fff;\">\n<thead>\n<tr>\n<th style=\"padding:14px;background:#000;color:#fff;text-align:left;font-weight:800;border-bottom:1px solid #e6e6e6;\">Risk<\/th>\n<th style=\"padding:14px;background:#000;color:#fff;text-align:left;font-weight:800;border-bottom:1px solid #e6e6e6;\">Signal in an SME<\/th>\n<th style=\"padding:14px;background:#000;color:#fff;text-align:left;font-weight:800;border-bottom:1px solid #e6e6e6;\">Proportionate control<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Sensitive payments and expenses<\/strong><\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">One person approves suppliers, payments, gifts or representation expenses.<\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Dual approval by amount, gifts policy and approval record.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Third-party contracting<\/strong><\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Agents, sales representatives, key suppliers or collaborators act for the company.<\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Supplier onboarding, contract, compliance clauses and conflict review.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Data and reporting channel<\/strong><\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Internal communications are received with no procedure or whistleblower protection.<\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Regulated channel, deadlines, confidentiality, owner and secure register.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Tax or accounting risk<\/strong><\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Invoicing, collections, subsidies or expenses lack sufficient traceability.<\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Support file, periodic review and approval owners.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:14px;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Directors&#8217; duties<\/strong><\/td>\n<td style=\"padding:14px;vertical-align:top;\">The management body does not approve or review the model.<\/td>\n<td style=\"padding:14px;vertical-align:top;\">Approval minutes, annual report and corrective action tracking.<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<div style=\"margin:24px 0;padding:20px 22px;background:#f3f3f3;border:1px solid #e6e6e6;border-left:2px solid #000;\">\n<p style=\"margin:0;\"><strong style=\"color:#000;font-weight:800;\">Practical criterion:<\/strong> an SME should not start with the longest document, but with the most real risk. First decide what can happen, who controls it and what evidence will exist if someone asks six months later.<\/p>\n<\/p><\/div>\n<h2 id=\"documents-evidence-compliance\" style=\"margin:clamp(48px,9vw,68px) 0 20px;padding-top:20px;border-top:1px solid #000;color:#000;font-family:PlayfairDisplay,Georgia,serif;font-size:clamp(27px,5.8vw,42px);line-height:1.04;font-weight:600;\">Minimum documents and evidence<\/h2>\n<p style=\"margin:0 0 16px;\">Compliance is not proven with a polished document. It is proven with evidence: training delivered, controls applied, periodic reviews, operating reporting channel, documented investigations, corrective measures and traceable decisions.<\/p>\n<div style=\"overflow-x:auto;margin:24px 0;border:1px solid #e6e6e6;\">\n<table style=\"width:100%;min-width:760px;border-collapse:collapse;background:#fff;\">\n<thead>\n<tr>\n<th style=\"padding:14px;background:#000;color:#fff;text-align:left;font-weight:800;border-bottom:1px solid #e6e6e6;\">Document<\/th>\n<th style=\"padding:14px;background:#000;color:#fff;text-align:left;font-weight:800;border-bottom:1px solid #e6e6e6;\">Purpose<\/th>\n<th style=\"padding:14px;background:#000;color:#fff;text-align:left;font-weight:800;border-bottom:1px solid #e6e6e6;\">Evidence to preserve<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Approval minutes<\/strong><\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Shows management commitment and the scope of the plan.<\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Date, attendees, resolution, owner and implementation calendar.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Risk map<\/strong><\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Prioritises criminal, corporate, tax, employment or data risks.<\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Methodology, assessment, existing controls and pending actions.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Code of ethics and policies<\/strong><\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Turns principles into rules the team can apply.<\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Approved version, communication to the team and acknowledgement.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Training register<\/strong><\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Shows the rules were explained and not merely archived.<\/td>\n<td style=\"padding:14px;border-bottom:1px solid #e6e6e6;vertical-align:top;\">Date, attendees, content, evaluation and materials.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:14px;vertical-align:top;\"><strong style=\"color:#000;font-weight:800;\">Periodic review<\/strong><\/td>\n<td style=\"padding:14px;vertical-align:top;\">Checks whether the model remains alive and adapted to the business.<\/td>\n<td style=\"padding:14px;vertical-align:top;\">Report, incidents, controls reviewed and corrective measures.<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<div style=\"margin:24px 0;padding:22px;background:#ffffff;border:1px solid #e6e6e6;\">\n<h3 style=\"margin:0 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(20px,5.2vw,23px);line-height:1.25;font-weight:800;\">Minimum checklist to begin<\/h3>\n<ul style=\"margin:0 0 0 22px;padding:0;\">\n<li style=\"margin:0 0 7px;\"><strong style=\"color:#000;font-weight:800;\">Organisation chart:<\/strong> who decides, who applies controls and who reports incidents.<\/li>\n<li style=\"margin:0 0 7px;\"><strong style=\"color:#000;font-weight:800;\">Sensitive processes:<\/strong> payments, purchasing, sales, suppliers, gifts, hiring and data.<\/li>\n<li style=\"margin:0 0 7px;\"><strong style=\"color:#000;font-weight:800;\">Key contracts:<\/strong> clients, suppliers, collaborators, agents and strategic partners.<\/li>\n<li style=\"margin:0 0 7px;\"><strong style=\"color:#000;font-weight:800;\">Past incidents:<\/strong> claims, inspections, internal conflicts or audit alerts.<\/li>\n<li style=\"margin:0;\"><strong style=\"color:#000;font-weight:800;\">Current channels:<\/strong> how questions, complaints, alerts or sensitive communications are received.<\/li>\n<\/ul><\/div>\n<h2 id=\"compliance-plan-mistakes\" style=\"margin:clamp(48px,9vw,68px) 0 20px;padding-top:20px;border-top:1px solid #000;color:#000;font-family:PlayfairDisplay,Georgia,serif;font-size:clamp(27px,5.8vw,42px);line-height:1.04;font-weight:600;\">Common mistakes when implementing compliance<\/h2>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">Copying a large-company model<\/h3>\n<p style=\"margin:0 0 16px;\">An overly complex plan is not applied. The SME needs clear controls, identifiable owners and proportionate documentation. If the system demands more than the structure can sustain, it will become disconnected from the business.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">Creating policies with no follow-up<\/h3>\n<p style=\"margin:0 0 16px;\">A document without training, controls and periodic review does not show a real compliance culture. The plan should leave evidence of application: decisions, registers, communications and corrective measures.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">Forgetting the management body<\/h3>\n<p style=\"margin:0 0 16px;\">Directors should promote, approve and supervise the model. Delegating tasks does not remove their duty of diligence. Without minutes, monitoring and review, it will be difficult to show that the system had real support.<\/p>\n<h3 style=\"margin:30px 0 12px;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(18px,4.6vw,22px);line-height:1.25;font-weight:800;\">Opening a reporting channel without a procedure<\/h3>\n<p style=\"margin:0 0 16px;\">A whistleblowing or reporting channel cannot be only an email address. It must regulate receipt, confidentiality, deadlines, whistleblower protection, investigation, corrective measures and data processing.<\/p>\n<h2 id=\"graciacalbet-compliance-plan\" style=\"margin:clamp(48px,9vw,68px) 0 20px;padding-top:20px;border-top:1px solid #000;color:#000;font-family:PlayfairDisplay,Georgia,serif;font-size:clamp(27px,5.8vw,42px);line-height:1.04;font-weight:600;\">How GraciaCalbet can help<\/h2>\n<p style=\"margin:0 0 16px;\">At GraciaCalbet we help SMEs, directors and family businesses implement proportionate compliance models, connecting criminal law, corporate law, employment, tax and internal management. The key is for the system to be useful for the company and defensible if a problem appears.<\/p>\n<p style=\"margin:0 0 16px;\">We can design the criminal and corporate risk map, prepare the code of ethics, policies and internal controls, implement the internal reporting channel, train directors and teams, and periodically review the model and its evidence.<\/p>\n<p style=\"margin:0 0 16px;\">This work can connect with our <a style=\"color:#000;font-weight:700;text-decoration:underline;text-decoration-color:#797979;text-underline-offset:4px;\" href=\"https:\/\/graciacalbet.com\/servicios\/penal\/compliance-penal\/\">criminal compliance<\/a>, <a style=\"color:#000;font-weight:700;text-decoration:underline;text-decoration-color:#797979;text-underline-offset:4px;\" href=\"https:\/\/graciacalbet.com\/servicios\/mercantil-y-societario\/\">corporate law<\/a> and <a style=\"color:#000;font-weight:700;text-decoration:underline;text-decoration-color:#797979;text-underline-offset:4px;\" href=\"https:\/\/graciacalbet.com\/servicios\/fiscal\/\">tax advisory<\/a> practices when the model has broader business implications.<\/p>\n<div style=\"position:relative;margin:clamp(28px,6vw,44px) 0;padding:clamp(26px,6vw,42px);background:#000;color:#fff;overflow:hidden;\">\n    <img decoding=\"async\" style=\"position:absolute;right:-6%;bottom:-18%;width:min(520px,82vw);max-width:none;opacity:.12;\" src=\"https:\/\/graciacalbet.com\/images\/graciacalbet-logo-transparent-alt.svg\" alt=\"\"><\/p>\n<div style=\"position:relative;z-index:1;display:grid;grid-template-columns:repeat(auto-fit,minmax(min(100%,280px),1fr));gap:clamp(18px,5vw,34px);align-items:end;\">\n<div>\n<p style=\"margin:0 0 10px;color:#fff;font-size:13px;font-weight:800;letter-spacing:.16em;text-transform:uppercase;\">GRACIACALBET<\/p>\n<p style=\"margin:0;color:#fff;font-family:PlayfairDisplay,Georgia,serif;font-size:clamp(28px,6vw,44px);line-height:1.02;font-weight:600;\">Proportionate compliance for SMEs<\/p>\n<\/p><\/div>\n<div>\n<p style=\"margin:0 0 18px;color:#f3f3f3;line-height:1.62;\">If your company needs controls because of growth, a tender, a strategic client or criminal risk, the model should be applicable and documented.<\/p>\n<p style=\"display:flex;flex-wrap:wrap;gap:10px;margin:0;\">\n          <a style=\"display:inline-block;padding:13px 20px;background:#ffffff;color:#000;border:1px solid #ffffff;font-weight:800;line-height:1;text-decoration:none;\" href=\"https:\/\/graciacalbet.com\/contacto\/\">Request a consultation<\/a><br \/>\n          <a style=\"display:inline-block;padding:13px 20px;background:transparent;color:#fff;border:1px solid #ffffff;font-weight:800;line-height:1;text-decoration:none;\" href=\"https:\/\/graciacalbet.com\/servicios\/penal\/compliance-penal\/\">View criminal compliance<\/a>\n        <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<h2 id=\"frequently-asked-questions\" style=\"margin:clamp(48px,9vw,68px) 0 20px;padding-top:20px;border-top:1px solid #000;color:#000;font-family:PlayfairDisplay,Georgia,serif;font-size:clamp(27px,5.8vw,42px);line-height:1.04;font-weight:600;\">Frequently Asked Questions (FAQs)<\/h2>\n<div style=\"margin:0 0 clamp(32px,7vw,48px);border-top:1px solid #000;\">\n<details style=\"border-bottom:1px solid #e6e6e6;\">\n<summary style=\"cursor:pointer;list-style:none;padding:18px 0;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(17px,4.4vw,21px);line-height:1.25;font-weight:800;\"><span style=\"display:flex;align-items:center;justify-content:space-between;gap:18px;\"><span>Is a compliance plan mandatory for an SME?<\/span><span aria-hidden=\"true\" style=\"flex:0 0 auto;display:inline-flex;align-items:center;justify-content:center;width:28px;height:28px;border:1px solid #000;color:#000;font-size:20px;line-height:1;font-weight:400;\">+<\/span><\/span><\/summary>\n<p style=\"margin:0 0 18px;color:#2b2b2b;line-height:1.68;\">There is no general obligation for every SME to have one model, but it may be required by sector rules or contract demands. An effective model may also be important to exempt or mitigate corporate criminal liability if an offence occurs within the company.<\/p>\n<\/details>\n<details style=\"border-bottom:1px solid #e6e6e6;\">\n<summary style=\"cursor:pointer;list-style:none;padding:18px 0;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(17px,4.4vw,21px);line-height:1.25;font-weight:800;\"><span style=\"display:flex;align-items:center;justify-content:space-between;gap:18px;\"><span>What should a compliance plan for SMEs include?<\/span><span aria-hidden=\"true\" style=\"flex:0 0 auto;display:inline-flex;align-items:center;justify-content:center;width:28px;height:28px;border:1px solid #000;color:#000;font-size:20px;line-height:1;font-weight:400;\">+<\/span><\/span><\/summary>\n<p style=\"margin:0 0 18px;color:#2b2b2b;line-height:1.68;\">It should include a risk map, code of ethics, internal policies, controls, reporting channel where appropriate, training, compliance owner, disciplinary system and periodic review. The key is adaptation to the size, activity and risks of the company.<\/p>\n<\/details>\n<details style=\"border-bottom:1px solid #e6e6e6;\">\n<summary style=\"cursor:pointer;list-style:none;padding:18px 0;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(17px,4.4vw,21px);line-height:1.25;font-weight:800;\"><span style=\"display:flex;align-items:center;justify-content:space-between;gap:18px;\"><span>Can a director be liable if there is no compliance?<\/span><span aria-hidden=\"true\" style=\"flex:0 0 auto;display:inline-flex;align-items:center;justify-content:center;width:28px;height:28px;border:1px solid #000;color:#000;font-size:20px;line-height:1;font-weight:400;\">+<\/span><\/span><\/summary>\n<p style=\"margin:0 0 18px;color:#2b2b2b;line-height:1.68;\">Director liability may arise if diligent control measures are not adopted, especially where there are serious breaches, offences, debts or lack of supervision. Compliance does not eliminate all risks, but it helps show that the management body acted diligently.<\/p>\n<\/details>\n<details style=\"border-bottom:1px solid #e6e6e6;\">\n<summary style=\"cursor:pointer;list-style:none;padding:18px 0;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(17px,4.4vw,21px);line-height:1.25;font-weight:800;\"><span style=\"display:flex;align-items:center;justify-content:space-between;gap:18px;\"><span>How often should the compliance plan be reviewed?<\/span><span aria-hidden=\"true\" style=\"flex:0 0 auto;display:inline-flex;align-items:center;justify-content:center;width:28px;height:28px;border:1px solid #000;color:#000;font-size:20px;line-height:1;font-weight:400;\">+<\/span><\/span><\/summary>\n<p style=\"margin:0 0 18px;color:#2b2b2b;line-height:1.68;\">It should be reviewed periodically and whenever the activity, structure, rules, risks or business model changes. It is also advisable to review it after an incident, internal report or inspection. An outdated plan may lose effectiveness.<\/p>\n<\/details>\n<details style=\"border-bottom:1px solid #e6e6e6;\">\n<summary style=\"cursor:pointer;list-style:none;padding:18px 0;color:#000;font-family:Raleway,Arial,sans-serif;font-size:clamp(17px,4.4vw,21px);line-height:1.25;font-weight:800;\"><span style=\"display:flex;align-items:center;justify-content:space-between;gap:18px;\"><span>Is a whistleblowing channel part of compliance?<\/span><span aria-hidden=\"true\" style=\"flex:0 0 auto;display:inline-flex;align-items:center;justify-content:center;width:28px;height:28px;border:1px solid #000;color:#000;font-size:20px;line-height:1;font-weight:400;\">+<\/span><\/span><\/summary>\n<p style=\"margin:0 0 18px;color:#2b2b2b;line-height:1.68;\">Yes. The internal reporting channel is usually integrated into the compliance system because it helps detect irregularities, protect informants and manage internal investigations. In some cases it is mandatory under Law 2\/2023; in others it can still be recommended.<\/p>\n<\/details><\/div>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>A practical guide to implement a useful, proportionate and defensible compliance plan for SMEs without turning compliance into paperwork that no one applies.<\/p>\n","protected":false},"author":1,"featured_media":389,"comment_status":"","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[388],"tags":[],"class_list":["post-5474","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mercantil"],"acf":[],"_links":{"self":[{"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/posts\/5474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/comments?post=5474"}],"version-history":[{"count":0,"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/posts\/5474\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/media\/389"}],"wp:attachment":[{"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/media?parent=5474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/categories?post=5474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/graciacalbet.com\/en\/wp-json\/wp\/v2\/tags?post=5474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}