
ComplianceKeys#31. Compliance for SMEs
As explained in the previous ComplianceKeys#25, the reform of the Criminal Code by Organic Law 5/2010 of June 22 introduced criminal liability for legal entities for the first time. However, it was not until Organic Law 1/2015, with Article 31 bis of the Criminal Code, that it was established that legal persons could be exonerated or have their criminal liability mitigated if they demonstrated that they had implemented an adequate organizational and management model to prevent or reduce the risk of criminal activity arising from their business. At this point, Crime Prevention Models, now commonly referred to as Compliance Systems, became a key element in the prevention of legal risks.
Since their inception, compliance systems have often been associated with large corporations, characterized by complex structures and extensive financial resources. This association has led to the mistaken belief that risk detection and prevention is a requirement reserved exclusively for large companies. However, reality shows that small and medium-sized enterprises (hereinafter SMEs) are, in many cases, more vulnerable to sanctions and liabilities due to the lack of specialized departments or consolidated internal control systems. Added to this is their greater dependence on third parties and large corporations, which increases their vulnerability to potential contingencies.
It should be noted that the size of a company is not always proportional to the level of risk it faces. In fact, an SME, due to its specific activity, may have a much higher risk than a large corporation. Risk does not depend on size, but on the nature of the activity and the processes that are managed, as well as exposure to certain regulations and possible non-compliance with them. While the size of the company will influence the complexity and degree of development of the policies and regulations to be implemented, it is not directly related to the risks it faces.
According to Article 2, Annex I of Commission Regulation (EU) No. 651/2014, SMEs are companies that employ fewer than 250 people and whose annual turnover does not exceed €50 million or whose annual balance sheet total does not exceed €43 million. This definition covers the vast majority of companies within the Spanish business sector. However, a company's size does not exempt it from criminal or reputational risks arising from its activities, since, regardless of their size, all companies are subject to regulations and legal obligations and may face negative consequences both legally and in terms of their image, especially in contexts of regulatory non-compliance or inadequate risk management.
The importance of SMEs in the Spanish market is unquestionable, as they represent approximately 99.8% of all companies, thus forming the basis of the national productive fabric. Their presence is particularly significant in strategic sectors such as commerce, hospitality and construction, areas in which criminal risks are real, frequent and increasingly noticeable. However, despite their economic and social importance, many SMEs continue to perceive compliance as something alien, complex and unnecessary, which is a strategic error.
Regulatory developments, together with increasingly demanding requirements from customers, suppliers, financial institutions, and public authorities, make it essential for SMEs to integrate a culture of compliance into their business model. This means adopting standards of behaviour that project the organization’s identity to the outside world and consolidate the trust of its stakeholders.
Given these legal and reputational risks, it is essential for SMEs to have mechanisms in place that not only ensure regulatory compliance but also serve as a deterrent against potential illegal activities and practices that could jeopardize their stability. Despite the many legal requirements they already face, the incorporation of a Compliance System should not be seen as an additional burden, but rather as a strategic tool that allows them to manage these risks efficiently and reduce the consequences of possible violations.
The design and implementation of a crime prevention system tailored to the characteristics and needs of each SME is essential to mitigate these risks. In fact, an adequate Compliance System not only ensures regulatory compliance, but also acts as a safeguard against legal liabilities, offering companies a level of protection against criminal risks that may arise from their daily activities.
What should a Compliance System in SMEs look like?
For a Compliance System in SMEs to adequately fulfil its preventive and defensive function, it must not be limited to the mere implementation of a generic protocol. It is essential that the system be designed and adapted to the particular characteristics of each company, taking into account its size, organizational structure, sector of activity, and the specific risks arising from its operations. An effective Compliance System must be able to accurately identify these risks and establish clear, detailed, and effective internal procedures to prevent, detect, and manage any type of regulatory non-compliance or unlawful conduct.
In addition, the Compliance System must rest on a solid organisational culture that involves all levels of the company, from senior management to employees. This includes ongoing training, an accessible reporting channel, and the implementation of disciplinary measures for non-compliance. There must also be constant monitoring and a periodic evaluation process to ensure that the System is kept up to date with any changes in regulation or in the business environment.
For all these reasons, Compliance in SMEs is no longer an option but has become an unavoidable strategic necessity. Not only is it a key tool for managing legal and operational risks, but it is also crucial for safeguarding the company’s reputation and ensuring the long-term sustainability of the organisation in an increasingly regulated, competitive and image-sensitive environment. Implementing a robust compliance system not only minimises risks, but also boosts stakeholder confidence, strengthening the SME’s position vis-à-vis its competitors and business partners.