
It always lands on a Friday.
A procurement manager from a multinational emails your sales team: "Please complete our anti-corruption due diligence questionnaire by next Wednesday. Attach supporting evidence."
Your commercial lead forwards it to legal with one line: "Can we do this fast?"
If you're an SME with 200 employees and €30M revenue, this is the moment you realize that "we have a code of conduct" is no longer an answer.
Why This Happens — and Why It's Getting More Common
Large companies face direct regulatory pressure: the UK Bribery Act, the US FCPA, France's Loi Sapin II, and the EU's growing anti-corruption framework all impose supply chain obligations. When a multinational is audited, its compliance team must demonstrate that the risk was managed — including through third parties.
That pressure gets passed downstream. To you.
They don't need you to be perfect. They need you to be credible, structured, and evidenced.
What Big Clients Actually Look For
Most due diligence questionnaires are written as if you already have a full ISO 37001 anti-bribery management system, a dedicated compliance team, and three years of audit trails.
You don't. That's fine.
What a multinational compliance team actually wants to see is:
- Exposure awareness: You can explain your bribery risks in your own words — not generic policy language.
- Risk assessment: You've identified, prioritized, and assigned ownership to your key risks.
- Honest gap acknowledgment: You can show what's in place and what's missing, without pretending everything is perfect.
- Dates and owners: You have a plan.
That's not a 60-page code of conduct. It's not a PDF folder named compliancefinalv7. It's a system you can explain and stand behind.
The Three-Week Sprint: A Real Example
Here's how we ran this with a 200-person client — a services company selling to multinationals whose due diligence requirements had suddenly become much more rigorous.
The questions they were now receiving were operational, not theoretical:
- Do you have a bribery risk assessment? When was it last updated?
- What controls exist for gifts and hospitality?
- How do you vet intermediaries and subcontractors?
- Who approves high-risk deals?
- What happens when someone raises a concern?
They came to Naltilia with one constraint: "We need to build trust fast, without pretending to be something we're not."
We didn't promise a perfect compliance program in three weeks. We promised something more useful: a defensible risk map and a tracked action plan they could put in front of customers and stand behind.
Here's how the three weeks broke down.
Week 1: Scope, Data Intake, and the Reality Check
Goal: Know exactly what exists, what's missing, and what evidence is retrievable — in five business days.
The first week is not about writing policies. It's about eliminating guesswork.
We used Naltilia to run targeted, automated data collection across the company — structured around the program building blocks customers expect: governance, risk assessment, third-party management, gifts and hospitality, training, and internal reporting.
Why targeted? Because "send me everything you have" produces a data dump, not a gap analysis. By mapping requests to specific anti-corruption building blocks, we got answers that were comparable, auditable, and directly useful in the questionnaire response.
What we found (almost always): Controls exist in practice but leave no proof. Documents exist but have no owner. Processes happen but aren't written down. This is where most SME compliance efforts fail — not because nothing works, but because nothing is visible.
The Week 1 deliverable was a simple inventory: what exists, what's documented, what's missing, and who owns what. That alone changes the conversation from anxiety to triage.
Week 2: Risk Mapping That's Actually Usable
Goal: Produce a risk map that any senior manager can explain in a client meeting — in days, not weeks.
Traditional risk mapping eats time. Workshops scheduled across three departments, notes consolidated manually, scenarios debated in a spreadsheet, a heat map produced two weeks later that nobody fully owns.
We did it differently.
The company fed Naltilia its existing documents — internal policies, process notes, contracts, onboarding files — alongside transcripts from short interviews and workshops conducted directly with the people who know the business: sales leads, procurement, finance, operations. No lengthy facilitation process. No abstract brainstorming. Just structured conversations, captured and fed into the platform.
Naltilia's algorithms then read those documents and matched their content against a library of corruption risk scenarios:
- Does this company interact with public officials?
- Do intermediaries or agents appear in the business model?
- Do discounts, sponsorships, donations, hospitality, or expedited services create exposure?
The matching is automatic. The output — a structured risk map with scenarios, exposure levels, and control gaps — was ready in under ten minutes.
Why this matters: A risk map built from your actual documents and your people's words is inherently specific to your business. It doesn't describe generic corruption risk. It describes your sales team's exposure when entertaining municipal procurement officers in a regulated market, your agent network in emerging geographies, your approval gaps on high-value hospitality. That specificity is what makes the assessment defensible — to a client, to a regulator, to an auditor.
This risk-based approach is exactly what enforcement guidance converges on. The UK Bribery Act's six principles, the US DOJ's evaluation criteria for corporate compliance programs, and the AFA's control framework all start from the same premise: design your program around your actual risks, not a generic template. The difference Naltilia brings is speed — getting there in a day rather than a month, without sacrificing the rigor.
Week 3: An Action Plan You Can Show Customers (and Execute)
Goal: Turn the gap list into a credible external narrative — with owners, deadlines, and trackable status.
A customer doesn't want a promise. They want a plan with owners.
In week three, we built a remediation action plan in Naltilia connecting each gap to:
- A specific risk or control failure
- A named internal owner
- A realistic deadline
- A status flag (not started / in progress / complete)
- Supporting elements (draft policies, process notes, approval workflows)
This becomes the backbone of the external narrative: "Here is where we are. Here is what we're doing. Here is when each control will be in place."
One practical note on certification: if ISO 37001 is on your horizon, this sprint is not a detour — it's your starting point. The standard requires risk determination, controls, evidence, and management review. A well-built risk map and tracked remediation plan are the groundwork you'll need regardless.
What the Client Could Show Customers
| Timeline | Built internally | Visible to customers |
|---|---|---|
| Week 1 | Structured evidence inventory, gap list, ownership mapping | Consistent, coherent questionnaire responses |
| Week 2 | Scenario-based risk map, initial control mapping | A credible risk narrative — not generic statements |
| Week 3 | Remediation plan with owners and dates, draft priority policies | A "trust pack" with milestones and proof of progress |
The trust pack is not a marketing brochure. It's a controlled set of documents shared selectively: risk map summary, governance note, action plan milestones, and the policies directly relevant to the questionnaire.
That's how SME compliance becomes bankable to a large client — not by pretending you have everything, but by proving you run compliance like a system.
What Naltilia Did (and What It Didn't)
Let's be direct about the role of AI here.
Naltilia didn't "solve compliance." It accelerated the operational work that normally takes months.
Specifically, it:
- Structured risk assessment into a repeatable, auditable workflow
- Centralized remediation actions, owners, and deadlines in one place
- Generated policy drafts tailored to identified risks, ready for legal review
- Automated the evidence collection process, eliminating manual chasing across inboxes and shared drives
What it didn't do: make the judgment calls. Risk proportionality decisions, what to disclose, what to prioritize — those stayed with the compliance team. AI increases capacity. Accountability stays with the humans.
The Real Takeaway
If your revenue depends on multinationals, you are already inside their compliance perimeter. The question is whether you're prepared for it or scrambling when the questionnaire arrives.
Here's the shift worth making: stop treating due diligence questionnaires as forms to fill out. Start building a compliance system that generates answers and evidence on demand.
Three weeks is enough to move from "we're working on it" to "here is our risk map, here is our plan, here is what you can rely on."
If you can't say that yet, you're not failing a questionnaire. You're failing a trust test.
Frequently Asked Questions
Can an SME really produce something credible in three weeks? Yes — if you scope tightly (anti-corruption only, not every compliance topic), commit cross-functional time for risk workshops, and focus on evidence you can actually retrieve. Credibility doesn't require completeness. It requires structure and honesty about gaps.
What should be in an anti-corruption risk map for customer due diligence? A clear scope, key risk scenarios, a transparent scoring logic, current controls, identified gaps, and priority treatments. The map must be explainable, not just visual. A heat map with no narrative is not a risk assessment.
How much should we share externally without oversharing? Share summaries, not raw registers. Show structure, ownership, and milestones. Keep investigation data, incident details, and internal scoring thresholds confidential unless contractually required.
Does this replace ISO 37001 certification? No, but it's the shortest path to it. A solid risk map and tracked remediation plan are the groundwork you'll need for certification anyway. Starting here doesn't delay the certificate. It builds the system underneath it.
Facing tougher anti-corruption due diligence from large clients? Naltilia is built for this exact gap: turning regulatory obligations into a risk map, tracked remediation actions, and evidence you can stand behind. Start with a short call.

