{"id":1776,"date":"2025-11-06T07:00:31","date_gmt":"2025-11-06T07:00:31","guid":{"rendered":"https:\/\/icompliance.eu\/?p=1776"},"modified":"2025-11-06T10:25:06","modified_gmt":"2025-11-06T10:25:06","slug":"rgpc-for-smes-a-practical-90-day-implementation-guide","status":"publish","type":"post","link":"https:\/\/icompliance.eu\/en\/rgpc-for-smes-a-practical-90-day-implementation-guide\/","title":{"rendered":"RGPC for SMEs: A Practical 90-Day Implementation Guide"},"content":{"rendered":"<p>A step-by-step plan to make a small or mid-sized company compliant with the Portuguese Anti-Corruption Compliance Programme (RGPC) in 90 days, including responsibilities, practical examples, and a ready-to-use checklist.<\/p>\n<h2><strong>Why act now?<\/strong><\/h2>\n<ul>\n<li><strong>Avoid fines and reputational harm:<\/strong> non-compliance risks sanctions and loss of trust.<\/li>\n<li><strong>Professionalise management:<\/strong> clear controls, policies and training reduce legal and operational exposure.<\/li>\n<li><strong>Competitive edge:<\/strong> large clients and public sector tenders increasingly expect demonstrable integrity practices.<\/li>\n<\/ul>\n<h2><strong>Core RGPC elements for SMEs<\/strong><\/h2>\n<ol>\n<li><strong>Governance &amp; leadership<\/strong> \u2013 appoint a Compliance Officer and secure leadership buy-in.<\/li>\n<li><strong>Risk assessment<\/strong> \u2013 map exposure across processes (procurement, contracting, gifts\/hospitality, sponsorships, third parties, hiring).<\/li>\n<li><strong>Policies &amp; procedures<\/strong> \u2013 code of conduct; conflicts of interest; gifts &amp; hospitality; third-party due diligence; sponsorships\/donations.<\/li>\n<li><strong>Whistleblowing channel<\/strong> \u2013 secure, confidential\/anonymous, with routing and deadlines.<\/li>\n<li><strong>Training &amp; communication<\/strong> \u2013 tailor by role and risk.<\/li>\n<li><strong>Monitoring &amp; improvement<\/strong> \u2013 KPIs, audits, periodic reporting to management.<\/li>\n<\/ol>\n<h2><strong>The 90-day plan (week by week)<\/strong><\/h2>\n<h3><strong>Days 1\u201315: Kick-off and programme governance<\/strong><\/h3>\n<ul>\n<li><strong>Executive sponsorship:<\/strong> formal decision to implement RGPC.<\/li>\n<li><strong>Appoint Compliance Officer (CO):<\/strong> mandate, autonomy, reporting line.<\/li>\n<li><strong>Project plan &amp; timeline:<\/strong> weekly milestones, responsibilities (RACI), project risks.<\/li>\n<li><strong>Document inventory:<\/strong> existing policies, org chart, template contracts, core process maps.<\/li>\n<\/ul>\n<h4><strong>Deliverables:<\/strong><\/h4>\n<ul>\n<li>Board\/management resolution and CO appointment note.<\/li>\n<li>Project plan &amp; Gantt\/timeline.<\/li>\n<li>Stakeholder map (Finance, Procurement, HR, Sales, Legal\/IT).<\/li>\n<\/ul>\n<h3><strong>Days 16\u201330: Integrity risk assessment<\/strong><\/h3>\n<ul>\n<li><strong>Risk workshops by process:<\/strong> procurement, public\/private contracting, sales, logistics, sponsorships, marketing, HR.<\/li>\n<li><strong>Identify risk events:<\/strong> fraud, favouritism, conflicts of interest, bribery, facilitation payments, misuse of assets.<\/li>\n<li><strong>Score &amp; prioritise:<\/strong> likelihood \u00d7 impact; evaluate current controls and gaps.<\/li>\n<li><strong>Risk map &amp; treatment plan:<\/strong> prioritise 5\u201310 critical risks; define controls (policy, approvals, segregation of duties, logs).<\/li>\n<\/ul>\n<h4><strong>Deliverables:<\/strong><\/h4>\n<ul>\n<li>Risk matrix (owners, controls, priorities).<\/li>\n<li>Treatment plan (actions, deadlines, owners).<\/li>\n<\/ul>\n<h3><strong>Days 31\u201345: Essential policies and procedures<\/strong><\/h3>\n<ul>\n<li><strong>Code of Conduct:<\/strong> principles, practical scenarios, Q&amp;A contact.<\/li>\n<li><strong>Conflicts of Interest:<\/strong> annual and ad hoc declarations; approval\/mitigation flow.<\/li>\n<li><strong>Gifts &amp; Hospitality:<\/strong> thresholds, mandatory register, approvals.<\/li>\n<li><strong>Third parties &amp; suppliers:<\/strong> risk-based due diligence; integrity clauses.<\/li>\n<li><strong>Sponsorships\/Donations:<\/strong> criteria, transparency, record-keeping.<\/li>\n<li><strong>Records &amp; evidence:<\/strong> simple templates (Excel\/SharePoint) for gifts, conflicts, due diligence.<\/li>\n<\/ul>\n<h4><strong>Deliverables:<\/strong><\/h4>\n<ul>\n<li>Policy pack v1.0 submitted to management.<\/li>\n<li>Registers (gifts\/hospitality; conflicts; third-party DD).<\/li>\n<li>Standard contract clauses.<\/li>\n<\/ul>\n<h3><strong>Days 46\u201360: Whistleblowing channel and response<\/strong><\/h3>\n<ul>\n<li><strong>Select the channel solution:<\/strong> internal\/external; confidentiality, anonymity, audit trail, SLA.<\/li>\n<li><strong>Whistleblowing &amp; anti-retaliation policy:<\/strong> scope, how to report, protections, feedback timelines.<\/li>\n<li><strong>Triage &amp; investigation procedure:<\/strong> severity criteria, investigation team, chain of custody, reporting template.<\/li>\n<li><strong>End-to-end test:<\/strong> submission, acknowledgement, investigation, closure with feedback.<\/li>\n<\/ul>\n<h4><strong>Deliverables:<\/strong><\/h4>\n<ul>\n<li>Live, tested whistleblowing channel.<\/li>\n<li>Investigation procedure + templates (NDA, investigation plan, report).<\/li>\n<\/ul>\n<h3><strong>Days 61\u201375: Training and awareness<\/strong><\/h3>\n<ul>\n<li><strong>Role-based plan:<\/strong> executives (tone from the top); risk-exposed areas (Procurement\/Sales\/HR); all-hands; onboarding.<\/li>\n<li><strong>Materials:<\/strong> slide deck, short video, FAQs, intranet posters\/banners.<\/li>\n<li><strong>Internal campaign:<\/strong> CEO email, QR code to channel, \u201cdo &amp; don\u2019t\u201d examples.<\/li>\n<li><strong>Tracking &amp; evaluation:<\/strong> sign-in or LMS; short quiz; target \u226590% coverage.<\/li>\n<\/ul>\n<h4><strong>Deliverables:<\/strong><\/h4>\n<ul>\n<li>Awareness kit and training pathway.<\/li>\n<li>Coverage report &amp; quiz results.<\/li>\n<\/ul>\n<h3><strong>Days 76\u201390: Monitoring, KPIs and final approval<\/strong><\/h3>\n<ul>\n<li><strong>Baseline KPIs:<\/strong> number of reports\/resolved; average response time; % trained; conflicts declared\/resolved; % third parties with DD; number of approved exceptions.<\/li>\n<li><strong>Monitoring plan:<\/strong> quarterly reviews, light annual audit, effectiveness testing.<\/li>\n<li><strong>Final management report:<\/strong> compliance status, remaining gaps, 6\u201312-month improvement plan.<\/li>\n<li><strong>Approval &amp; publication:<\/strong> policies approved; external notice on website; embed in onboarding.<\/li>\n<\/ul>\n<h4><strong>Deliverables:<\/strong><\/h4>\n<ul>\n<li>Compliance dashboard (monthly\/quarterly).<\/li>\n<li>Final implementation report and improvement roadmap.<\/li>\n<\/ul>\n<h2><strong>SME-friendly good practices<\/strong><\/h2>\n<ul>\n<li><strong>Proportionality:<\/strong> keep policies lean, unambiguous; scale DD to risk.<\/li>\n<li><strong>Reuse what exists:<\/strong> integrate with quality\/H&amp;S controls where sensible.<\/li>\n<li><strong>Evidence culture:<\/strong> \u201cif it isn\u2019t recorded, it didn\u2019t happen.\u201d<\/li>\n<li><strong>Lightweight tech:<\/strong> online forms, central repository, automated reminders (e.g., annual conflict declarations).<\/li>\n<\/ul>\n<h2><strong>RGPC Checklist for SMEs (grab &amp; use)<\/strong><\/h2>\n<h3><strong>Governance<\/strong><\/h3>\n<ul>\n<li>Formal management decision and CO appointment.<\/li>\n<li>90-day plan with milestones.<\/li>\n<\/ul>\n<h3><strong>Risk<\/strong><\/h3>\n<ul>\n<li>Risk workshops and matrix by core process.<\/li>\n<li>Treatment plan with owners and deadlines.<\/li>\n<\/ul>\n<h3><strong>Policies<\/strong><\/h3>\n<ul>\n<li>Code of Conduct approved and published.<\/li>\n<li>Policies: Conflicts of Interest; Gifts &amp; Hospitality; Third Parties; Sponsorships\/Donations.<\/li>\n<li>Integrity clauses inserted in contracts.<\/li>\n<li>Registers active (gifts; conflicts; DD).<\/li>\n<\/ul>\n<h3><strong>Whistleblowing<\/strong><\/h3>\n<ul>\n<li>Channel live (confidential\/anonymous), policy and investigation procedure.<\/li>\n<li>Documented end-to-end test.<\/li>\n<\/ul>\n<h3><strong>Training &amp; Comms<\/strong><\/h3>\n<ul>\n<li>Role-based plan, materials, and attendance evidence.<\/li>\n<li>Internal campaign and FAQs.<\/li>\n<\/ul>\n<h3><strong>Monitoring<\/strong><\/h3>\n<ul>\n<li>KPIs defined and dashboard set.<\/li>\n<li>Final report and 6\u201312-month plan.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/icompliance.eu\/wp-content\/uploads\/2025\/11\/iCompliance_RGPC_EN.pdf\" target=\"_blank\" rel=\"noopener\"><strong>Download the SME RGPC checklist<\/strong> to fast-track your 12-week rollout.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A step-by-step plan to make a small or mid-sized company compliant with the Portuguese Anti-Corruption Compliance Programme (RGPC) in 90 days, including responsibilities, practical examples, and a ready-to-use checklist. Why act now? Avoid fines and reputational harm: non-compliance risks sanctions and loss of trust. Professionalise management: clear controls, policies and training reduce legal and operational [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1777,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1776","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sem-categoria"],"_links":{"self":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts\/1776","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/comments?post=1776"}],"version-history":[{"count":4,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts\/1776\/revisions"}],"predecessor-version":[{"id":1802,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/posts\/1776\/revisions\/1802"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/media\/1777"}],"wp:attachment":[{"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/media?parent=1776"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/categories?post=1776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icompliance.eu\/en\/wp-json\/wp\/v2\/tags?post=1776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}