Sunday, December 7, 2025
Compliance risk management: a practical guide for SMEs


For many SMEs, compliance can feel like a moving target. This practical guide outlines a proportionate, risk‑based approach that aligns with widely used frameworks, reduces exposure to fines and operational disruption, and scales with your growth.
What compliance risk management means for SMEs
Compliance risk management is the disciplined process of identifying, assessing, and treating legal and regulatory risks that could impact your organization. For SMEs, proportionate is the keyword. Regulators and standards bodies, including the French Anti‑corruption Agency (AFA), ISO 37301, and Spain’s UNE standards, consistently promote a risk‑based, fit‑for‑purpose program rather than a copy of large‑enterprise playbooks.
In Europe and beyond, five areas tend to drive the core of an SME program:
- Anti‑bribery and corruption, including alignment with Loi Sapin II and ISO 37001
- Antitrust and competition, with guidance from the Spanish standard UNE 19603 and national competition authorities
- Criminal compliance in Spain, guided by UNE 19601
- Anti‑money laundering (AML), including customer due diligence and suspicious activity reporting obligations
- AI governance, notably the EU AI Act’s risk‑based requirements
Authoritative resources you can reference as you build your approach include the AFA’s practical guidance on risk mapping, ISO’s management system standards for compliance and anti‑bribery, the Spanish CNMC’s guide on competition compliance programs, the EU’s AML package adopted in 2024, and the European Commission’s AI Act Single Information Platform.

A simple, scalable process you can adopt now
The process below is deliberately lightweight. Each step can be executed with basic tooling and then progressively automated.
- Context and obligations inventory. Clarify where you operate, what products or services you sell, the partners you use, and which laws and standards actually apply.
- Risk identification and register. Translate obligations into potential events, causes, and consequences. Capture them in a structured register.
- Scoring and prioritization. Use a consistent scale for likelihood, impact, and velocity. Distinguish inherent risk from residual risk after controls.
- Controls and remediation planning. Map existing controls, define gaps, and assign remediation actions with deadlines and owners.
- Monitoring and reporting. Track control performance and incidents, review KPIs, and report to management and the board. Update the register as your business changes.
Map your obligations to your profile
Start with a practical crosswalk to confirm what matters for your size, sector, and footprint. The examples below are common triggers, not legal advice.
| Topic | Typical triggers for SMEs | Core obligations or reference frameworks |
|---|---|---|
| Anti‑bribery and corruption | Sales agents, distributors, public and private tenders, operations in higher‑risk jurisdictions | Loi Sapin II (for French entities), AFA guidance on risk mapping; ISO 37001 anti‑bribery management systems |
| Antitrust and competition | Pricing, distribution networks, trade associations, market‑sharing risks | UNE 19603, national competition authority guidance such as the CNMC’s compliance guide |
| Criminal compliance (Spain) | Labour conditions, consumer protection, processing of personal data or IT security | UNE 19601 criminal compliance management systems |
| AML | Financial services, crypto, payments, lending, high‑value goods, professional services in scope | EU AML package and national AML laws, FATF risk‑based approach |
| AI governance | Building or deploying AI that could be high‑risk under the EU AI Act | EU AI Act, with prohibitions applying first and most high‑risk obligations phased in over several years |
Helpful references:
- French Anti‑corruption Agency practical guide to anti‑corruption risk mapping: https://www.agence-francaise-anticorruption.gouv.fr
- ISO compliance and anti‑bribery overview: https://www.iso.org
- CNMC guide on competition compliance programs: https://www.cnmc.es
- EU AML package adoption press release: https://www.consilium.europa.eu
- European Commission AI Act Single Information Platform: https://ai-act-service-desk.ec.europa.eu/en
Build a risk register that auditors and regulators will recognize
A clear, auditable risk register is the backbone of your program. Keep it concise, but include the fields below. If you already maintain an enterprise risk register, align the structures and scales.
| Field | What to capture |
|---|---|
| Risk title and description | A short, specific statement of the event, cause, and consequence |
| Inherent risk | Likelihood, impact, and velocity before controls |
| Existing controls | Policies, procedures, approvals, training, monitoring, or technical safeguards already in place |
| Control effectiveness | Simple rating and evidence references |
| Residual risk | Re‑scored risk after controls |
| Owner and second‑line reviewer | Named individual and reviewer in compliance or legal |
| Remediation actions | Action, owner, due date, and status |
| Monitoring and KPIs | How the risk will be tracked going forward |
| Evidence links | Where artifacts live, such as policy versions, training rosters, due diligence files |
Scoring that works and scales
You do not need a complex formula; what matters is a consistent methodology and clear thresholds for action.
- Likelihood. 1 to 5 scale, from rare to frequent over a 12 to 24 month horizon.
- Impact. 1 to 5 scale across four dimensions: financial, regulatory, operational, and reputational. Take the highest, or use a weighted approach if agreed by leadership.
- Risk rating. Multiply or use a matrix (for example, likelihood x impact).
- Risk appetite. Define which ratings require escalation, remediation within 30, 60, or 90 days, or acceptance with documented rationale.
Document the method in your compliance manual and apply it the same way across risks.
Core risks and red flags to consider
Your list will vary. Use the examples below to jump‑start workshops or interviews with business owners.
Anti‑bribery and corruption (Sapin II, ISO 37001)
- Third‑party intermediaries paid success fees without documented due diligence or legitimate services
- Gifts, hospitality, or sponsorships involving public officials without pre‑approval or thresholds
- Charitable donations near tender deadlines, or requests for political contributions
- Cash reimbursements or off‑book accounts
AFA guidance puts risk mapping at the heart of Sapin II programs, and ISO 37001 requires documented risk assessment, proportionate controls, and third‑party due diligence.
Antitrust and competition (UNE 19603)
- Discussions with competitors about prices, discounts, market allocation, or future strategy at trade events
- Resale price maintenance in distributor agreements
- Exclusivities that foreclose markets without legal review
- Sensitive information sharing through industry benchmarking without safeguards
Spain’s CNMC encourages effective compliance programs with risk assessment, senior commitment, training, and incident response readiness.
Criminal compliance in Spain (UNE 19601)
- Decision‑making without documented delegation of authority or oversight
- Inadequate segregation of duties in payments and procurement
- Lack of case intake and investigation procedures for misconduct
- No evidence of periodic program review by governing bodies
UNE 19601 emphasizes governance, risk assessment, controls, training, and continuous improvement to prevent and detect criminal offenses.
Anti‑money laundering (AML)
- Onboarding customers from higher‑risk jurisdictions without enhanced due diligence
- Unusual payment methods, complex ownership structures, or rapid fund movements without economic rationale
- Lack of sanctions screening for customers and counterparties
- No documented suspicious activity reporting process
The risk‑based approach is central to AML, supported by FATF recommendations and the EU AML package adopted in 2024.
AI governance (EU AI Act)
- Deploying AI that could be high‑risk, such as systems for credit scoring, hiring, or critical infrastructure
- No data governance, testing, or human oversight defined for AI systems
- Missing technical documentation, logs, or post‑market monitoring plans
The AI Act entered into force in 2024, with bans on certain practices applying first and obligations for high‑risk systems phasing in over the next several years. The European Commission provides official timelines and guidance.
Controls that matter and how to right‑size them
You can meet expectations with targeted, well‑documented controls. Focus first on design quality, then on evidence.
- Policies and approvals. Keep policies short, role‑based, and version‑controlled. Require pre‑approval for high‑risk items like gifts, donations, and third‑party retention.
- Due diligence. Use proportionate tiers for third parties and customers. Document sources and decisions. Refresh due diligence based on risk triggers, not just dates.
- Contractual safeguards. Add anti‑bribery, competition, AML, and AI compliance clauses, audit rights, and termination for cause.
- Training and attestation. Prioritize high‑risk roles and refresh annually. Track completion and test comprehension for critical topics.
- Monitoring and testing. Sample payments, review discounts and credit notes, and test segregation of duties. For AI, log performance, errors, and overrides.
- Speak‑up and investigations. Provide multiple reporting channels, protect whistleblowers, and maintain a consistent investigation playbook.
Align these with recognized frameworks. For example, ISO 37001 expects third‑party due diligence and financial controls, UNE 19603 stresses training and incident management, and the AI Act requires risk management, data governance, human oversight, logging, and post‑market monitoring for high‑risk systems.
Monitoring, KPIs, and reporting
Pick a small set of indicators that reveal both activity and outcomes. Report quarterly to management and at least annually to the board.
| Area | Suggested KPI | Why it matters |
|---|---|---|
| Risk assessment | Percentage of risks with named owners and current residual scores | Confirms accountability and currency |
| Third‑party risk | Percentage of high‑risk third parties with completed due diligence and contract clauses | Tracks exposure at the perimeter |
| Training | Completion rate and test scores for in‑scope roles | Evidence of awareness and capability |
| Controls | Number of key controls tested, pass rate, and remediation cycle time | Validates control effectiveness |
| Incidents | Number of allegations, substantiation rate, time to closure | Signals program health and resourcing |
| AI governance | High‑risk AI systems with risk management files, logs, and human oversight documented | Aligns to AI Act expectations |
Narrative matters as much as numbers. Explain major changes, root causes, and actions taken.
What auditors and regulators expect to see
Keep compliance documents and evidence organized, versioned, and easy to retrieve. The items below routinely come up in reviews and investigations.
- Documented risk assessment and risk register with version history
- Code of conduct, anti‑bribery, antitrust, AML, and AI governance policies
- Third‑party and customer due diligence files and screening evidence
- Training content, rosters, and attestations
- Control testing plans, samples, and issue logs with remediation evidence
- Speak‑up records, investigation reports, and disciplinary outcomes where appropriate
- Board and management reports and minutes referencing compliance topics
For Sapin II, the AFA has highlighted risk mapping, third‑party controls, accounting controls, training, discipline, and internal controls as core pillars. ISO and UNE standards call for similar documentation calibrated to your risk profile.
A practical 90‑day plan
Day 1 to 15, set scope and governance.
- Confirm applicable laws and standards. Approve the scoring method and risk appetite.
- Appoint owners for anti‑bribery, antitrust, AML, AI governance, and investigations, even if part‑time.
Day 16 to 45, build the register and quick‑win controls.
- Run short workshops with finance, sales, procurement, HR, IT, and operations to list risks and controls.
- Create the risk register and prioritize the top ten risks. Issue interim policies and approval thresholds.
- Launch tiered due diligence for high‑risk third parties. Close the highest‑priority gaps.
Day 46 to 75, train and test.
- Deliver targeted training for high‑risk roles. Roll out a simple speak‑up channel and investigation SOP.
- Test a sample of key controls. Validate AI system inventories and determine if any are high‑risk under the AI Act.
Day 76 to 90, report and automate.
- Produce a concise report for leadership with residual risk trends and remediation status.
- Decide what to automate next, such as data collection for KPIs, third‑party screening, or policy attestations.
Where technology and AI help right away
SMEs do not need a heavy stack to get value. The biggest time savers come from eliminating manual collection and follow‑ups, centralizing evidence, and orchestrating workflows.
- Automated data collection. Pull training completions, control test results, and due diligence evidence into one place.
- Regulatory risk assessment. Maintain an obligations library, link risks to specific articles or clauses, and reduce duplication across topics.
- Tailor‑made policies. Generate role‑specific policy summaries and approval checklists mapped to your risks.
- Remediation actions. Assign, track, and evidence remediation with clear owners and deadlines.
- Compliance workflow automation. Standardize third‑party onboarding, investigations, and periodic reviews with auditable trails.
If you want to move faster with AI‑assisted risk mapping and automated monitoring, explore how Naltilia supports compliance teams with regulatory risk assessment, remediation actions, tailor‑made policies, automated data collection, and compliance workflow automation.

Final thought
SMEs can build credible, proportionate compliance programs in weeks, not years. Start with a clear obligations inventory, a simple risk register, and a handful of high‑quality controls. Measure what you do, report it, and keep improving as your business evolves. Consistency, evidence, and ownership are what regulators look for, and they are achievable with a lean, risk‑based approach.