RGPC for SMEs: A Practical 90-Day Implementation Guide

A step-by-step plan to make a small or mid-sized company compliant with the Portuguese Anti-Corruption Compliance Programme (RGPC) in 90 days, including responsibilities, practical examples, and a ready-to-use checklist.

Why act now?

• Avoid fines and reputational harm: non-compliance risks sanctions and loss of trust.
• Professionalise management: clear controls, policies and training reduce legal and operational exposure.
• Competitive edge: large clients and public sector tenders increasingly expect demonstrable integrity practices.

Core RGPC elements for SMEs

1. Governance & leadership – appoint a Compliance Officer and secure leadership buy-in.
2. Risk assessment – map exposure across processes (procurement, contracting, gifts/hospitality, sponsorships, third parties, hiring).
3. Policies & procedures – code of conduct; conflicts of interest; gifts & hospitality; third-party due diligence; sponsorships/donations.
4. Whistleblowing channel – secure, confidential/anonymous, with routing and deadlines.
5. Training & communication – tailor by role and risk.
6. Monitoring & improvement – KPIs, audits, periodic reporting to management.

The 90-day plan (week by week)

Days 1–15: Kick-off and programme governance

• Executive sponsorship: formal decision to implement RGPC.
• Appoint Compliance Officer (CO): mandate, autonomy, reporting line.
• Project plan & timeline: weekly milestones, responsibilities (RACI), project risks.
• Document inventory: existing policies, org chart, template contracts, core process maps.

Deliverables:

• Board/management resolution and CO appointment note.
• Project plan & Gantt/timeline.
• Stakeholder map (Finance, Procurement, HR, Sales, Legal/IT).

Days 16–30: Integrity risk assessment

• Risk workshops by process: procurement, public/private contracting, sales, logistics, sponsorships, marketing, HR.
• Identify risk events: fraud, favouritism, conflicts of interest, bribery, facilitation payments, misuse of assets.
• Score & prioritise: likelihood × impact; evaluate current controls and gaps.
• Risk map & treatment plan: prioritise 5–10 critical risks; define controls (policy, approvals, segregation of duties, logs).

Deliverables:

• Risk matrix (owners, controls, priorities).
• Treatment plan (actions, deadlines, owners).

Days 31–45: Essential policies and procedures

• Code of Conduct: principles, practical scenarios, Q&A contact.
• Conflicts of Interest: annual and ad hoc declarations; approval/mitigation flow.
• Gifts & Hospitality: thresholds, mandatory register, approvals.
• Third parties & suppliers: risk-based due diligence; integrity clauses.
• Sponsorships/Donations: criteria, transparency, record-keeping.
• Records & evidence: simple templates (Excel/SharePoint) for gifts, conflicts, due diligence.

Deliverables:

• Policy pack v1.0 submitted to management.
• Registers (gifts/hospitality; conflicts; third-party DD).
• Standard contract clauses.

Days 46–60: Whistleblowing channel and response

• Select the channel solution: internal/external; confidentiality, anonymity, audit trail, SLA.
• Whistleblowing & anti-retaliation policy: scope, how to report, protections, feedback timelines.
• Triage & investigation procedure: severity criteria, investigation team, chain of custody, reporting template.
• End-to-end test: submission, acknowledgement, investigation, closure with feedback.

Deliverables:

• Live, tested whistleblowing channel.
• Investigation procedure + templates (NDA, investigation plan, report).

Days 61–75: Training and awareness

• Role-based plan: executives (tone from the top); risk-exposed areas (Procurement/Sales/HR); all-hands; onboarding.
• Materials: slide deck, short video, FAQs, intranet posters/banners.
• Internal campaign: CEO email, QR code to channel, “do & don’t” examples.
• Tracking & evaluation: sign-in or LMS; short quiz; target ≥90% coverage.

Deliverables:

• Awareness kit and training pathway.
• Coverage report & quiz results.

Days 76–90: Monitoring, KPIs and final approval

• Baseline KPIs: number of reports/resolved; average response time; % trained; conflicts declared/resolved; % third parties with DD; number of approved exceptions.
• Monitoring plan: quarterly reviews, light annual audit, effectiveness testing.
• Final management report: compliance status, remaining gaps, 6–12-month improvement plan.
• Approval & publication: policies approved; external notice on website; embed in onboarding.

Deliverables:

• Compliance dashboard (monthly/quarterly).
• Final implementation report and improvement roadmap.

SME-friendly good practices

• Proportionality: keep policies lean, unambiguous; scale DD to risk.
• Reuse what exists: integrate with quality/H&S controls where sensible.
• Evidence culture: “if it isn’t recorded, it didn’t happen.”
• Lightweight tech: online forms, central repository, automated reminders (e.g., annual conflict declarations).

RGPC Checklist for SMEs (grab & use)

Governance

• Formal management decision and CO appointment.
• 90-day plan with milestones.

Risk

• Risk workshops and matrix by core process.
• Treatment plan with owners and deadlines.

Policies

• Code of Conduct approved and published.
• Policies: Conflicts of Interest; Gifts & Hospitality; Third Parties; Sponsorships/Donations.
• Integrity clauses inserted in contracts.
• Registers active (gifts; conflicts; DD).

Whistleblowing

• Channel live (confidential/anonymous), policy and investigation procedure.
• Documented end-to-end test.

Training & Comms

• Role-based plan, materials, and attendance evidence.
• Internal campaign and FAQs.

Monitoring

• KPIs defined and dashboard set.
• Final report and 6–12-month plan.

Download the SME RGPC checklist to fast-track your 12-week rollout.