Plan for the Prevention of Risks of Corruption and Related Offenses (2024-2027)

Document version: XP.EN.35.01

Introduction

On December 9, 2021, Decree-Law No. 109-E/2021 was published in the Diário da República. This legislation establishes the National Anti-Corruption Mechanism (MENAC) and approves the General Scheme for the Prevention of Corruption (RGPC).

Through the creation of MENAC and the RGPC, the Decree-Law aims to prevent, detect, repress, and sanction acts of corruption and related offenses. In this context, entities covered by the RGPC are required to adopt and implement a compliance program, which must include a Plan for the Prevention of Risks of Corruption and Related Offenses (hereinafter referred to as PPR or Plan), a code of ethics and conduct, a whistleblowing channel, and a training plan, among other specific measures applicable to both the public and private sectors.

The RGPC, which came into force in June 2022, applies to legal persons headquartered in Portugal employing 50 or more workers, as well as to branches located in Portuguese territory of legal persons headquartered outside Portugal employing 50 or more workers.

Considering this scope, the present PPR relates to Xpand Solutions – Informática e Novas Tecnologias Lda, headquartered in Portugal, covering all its offices within Portuguese territory, hereinafter referred to as Xpand IT.

Accordingly, this Plan seeks to comply with the obligations set forth in the RGPC, particularly Article 6, as well as to promote a culture of integrity and transparency that Xpand IT values highly.

The Plan results from an extensive analysis of the entire organization of Xpand IT, in which the risks associated with each area of activity were identified, along with the preventive and corrective measures to mitigate those risks.

With the implementation of this Plan, Xpand IT intends to reaffirm its commitment to the prevention and mitigation of corruption risks and related offenses, setting the following elements and prevention measures, among which the following stand out:

  1. This document, the PPR (Plan for the Prevention of Risks of Corruption and Related Offenses);
  2. A Code of Ethics and Conduct, which sets out a series of principles, values, and rules of conduct for all managers and employees of Xpand IT in matters of professional ethics, taking into account criminal standards related to corruption and associated offenses and the company’s exposure to such risks;
  3. An internal training program for all managers and employees to ensure that they understand the corruption prevention policies and procedures in place;
  4. A Whistleblowing Channel, governed by regulations, through which acts of corruption and related offenses can be reported. This channel can be accessed via the Intranet by employees and on the Xpand IT website.

Additionally, Xpand IT has appointed the Governance, Risk & Compliance Team as Responsible for Regulatory Compliance (RCN), charged with ensuring and overseeing the implementation of the Compliance Program. These individuals carry out their duties independently, permanently, and with decision-making autonomy, having access to internal information and the necessary human and technical resources to properly perform their role.

Together with the dissemination of internal rules, procedures, and the Code of Ethics and Conduct, the Plan forms the normative and value-based framework that guides the daily conduct of all employees, company bodies, service providers, suppliers, and third parties with a relevant connection to Xpand IT, informing them of the procedures in place and their responsibilities.

Xpand IT

Xpand IT was founded in late 2003 by two tech-savvy entrepreneurs. Their vision was to create a great company with a highly specialized team in cutting-edge software areas and technologies, capable of inspiring others to achieve amazing results.

With a highly specialized team and a disruptive approach compared to traditional IT consultants and system integrators, Xpand IT has supported companies and teams worldwide in bringing remarkable IT projects to life.

The company always operates based on its culture, values, and principles:

Excellence

We pursue innovation and invest in IT mastery to add value in everything we do.

People

We invest in everyone’s well-being inside and out of the company.

Integrity

We are genuine and transparent building trustworthy relationships.

Collaboration

We empower everyone to contribute to common successes through feedback and cooperation.

In the performance of its duties and exercise of its competencies, the conduct of Xpand IT, its Management, and employees is bound by strict compliance with the Law and high ethical standards.

Organizational Chart

The company is committed to offering innovative and high-quality solutions to meet the needs of its clients in a constantly evolving digital world. Its management model reflects its commitment to excellence, collaboration, and agility.

It is worth noting that Xpand IT reinforces its commitment to the implementation of preventive measures against corruption and related offenses. This commitment can be verified through the company’s official website, accessible at: https://xpand-it.com/en/legal/ 

Through this website, interested parties can obtain detailed information about Xpand IT’s compliance and risk prevention policies and practices, as well as the procedures established to ensure integrity and ethics in business. Xpand IT is committed to maintaining the highest standards of business conduct, ensuring transparency and compliance in all its activities.

The current organizational structure of Xpand IT is represented in the following chart:

Organizational diagram of Xpand IT's structure, split into two main spheres: “Hub Management” on the left and “Business Units” on the right. The management hub includes areas such as Finance, IT, HR, Marketing, and Compliance, connected to roles like CFO, CEO, and Co-Founders. The business units area includes segments such as Customer Experience, Write-back, and Turno, with roles labeled as Partner and Managing Partner.
Chart 1 – Organizational Chart

Xpand IT’s management model is based on an organic and circular structure, as shown in Chart 1. Below are the main responsibilities of each area:

Area | Responsibility
--- | ---
Management | Composed of two managing partners responsible for business strategy and key decisions.
Executive Committee | Made up of seven members who lead the company’s overall strategy and oversee all operations.
Business Units | Maintain positive client relationships, drive sales, acquire and retain clients, expand market share, and contribute to the company’s success.
Marketing | Promote the brand, products, and services. Maintain positive relationships with clients and other stakeholders.
Talent Management & Company Culture | Attract and recruit top talent for the company’s hiring needs. Ensure talent alignment with company values and goals.
Governance, Risk & Compliance (GRC) and Logistics | Ensure ethical operations in compliance with applicable laws and regulations; support the Management Board and the Executive Committee in secure and sustainable decision-making. Also responsible for managing office and resource logistics to ensure a comfortable and functional workplace.
Finance and Payroll & Benefits | Handle financial operations and employee compensation and benefits.
Accounting | Manage the company’s accounting processes.
IT Operations and IT Development | Ensure reliable system and network performance and protect systems and data from threats.

Identification of Risk Areas

There are several factors that contribute to a higher or lower risk in each activity. As a structural measure to prevent corruption and related offenses, Xpand IT conducted a survey of the organizational areas that, due to the nature of their functions and the processes they manage, are more exposed to corruption and related risk scenarios:

Risk Area | Department / Team
--- | ---
Management | Management Board, Executive Committee
Sales | Business Units
Public Procurement | Business Units, GRC (Governance, Risk & Compliance)
Suppliers | Logistics
Billing | Accounting, Business Units
Financial Management | Finance
People | Payroll & Benefits, Talent Management & Company Culture
Marketing | Marketing
Information Systems | IT Operations and IT Development
Internal Control | Finance, GRC
Legal | Decentralized in subcontracted third parties / GRC

Responsible for the Implementation of the Plan

The Responsible for Regulatory Compliance (RCN) holds the key functional responsibility of ensuring the consistent and proper implementation of the Compliance Program instruments. Under Article 5 of the RGPC, this includes the independent and autonomous coordination of all work involved in developing the instruments (where they do not yet exist), following up on the implementation and effectiveness of the measures defined, and updating them whenever necessary or legally required.

These conditions are essential to ensure that this important role is carried out properly and, above all, with a view toward continuous improvement, the promotion and reinforcement of the organization’s integrity culture, the support and trust of all who serve it, the enhancement of quality standards in fulfilling the organization’s mission, and the maintenance of reputational credibility in its operating context and in society as a whole.

In compliance with Article 6(5) of Decree-Law No. 109-E/2021, of December 9, the Xpand IT Plan for the Prevention of Risks of Corruption and Related Offenses (PPR) will be reviewed every three years or whenever there is a change in duties or organizational structure.

Regarding monitoring, an annual report is prepared in April of the following year. If high or maximum risks are identified, an interim report is also prepared in October of the year in question, focusing only on the preventive measures adopted in response to those risks.

The Governance, Risk & Compliance Department is responsible for such monitoring and for proposing revisions.

The execution of mitigation measures related to each identified risk is the responsibility of the department or area to which the measure pertains.

Regarding those responsible for implementing and monitoring the plan, it should be noted that risk management should be part of daily activities and shared by all employees. Employees should be aware of the risks in their area and manage them according to Xpand IT’s established policies, regulations, and procedures.

Code of Ethics and Conduct

Xpand IT is attentive to and acts in accordance with the principles and values established in both national and international legislation concerning Human and Social Rights. Accordingly, Xpand IT is committed to operating in line with the principles of the United Nations Global Compact, reflecting our commitment to universal values.

In the area of human rights, we ensure that all our operations respect and promote fundamental rights, eliminating all forms of discrimination and promoting equal opportunities.

In terms of labor rights, we guarantee safe and healthy working conditions for our employees, respecting labor rights including freedom of association and collective bargaining.

Regarding corruption, we uphold strict ethical standards, promoting transparency and integrity in all of our business interactions.

We fully comply with all legal obligations, regardless of the geography in which we operate, relying on expert entities. We reject ambiguous behavior, act with integrity, avoid conflicts of interest, and neither offer nor accept any form of bribery.

To this end, our actions are guided by an approved Code of Ethics and Conduct.

The Xpand IT Code of Ethics and Conduct can be consulted on the intranet.

Corruption and Related Offenses

Corruption and related crimes can arise from various motivations, such as:

  • Economic interests
  • Debts and assets
  • Personal gain
  • Competitive activities
  • Political affiliation
  • Family interests
  • Connections with decision-makers
  • Negotiations for future employment

Recently, the traditional view of corruption as a phenomenon limited to the public sector has been abandoned. It is now widely recognized that corruption also occurs in the private sector, where it undermines private investment, disrupts fair market competition, and damages corporate credibility.


Why Prevention Matters in the Private Sector

Preventing corruption in the private sector is essential to ensuring the proper functioning of the market. It is a form of corruption control that seeks to protect the integrity of commercial relations.

Table of Crimes under the General Corruption Prevention Regime

As provided in Article 3 of Decree-Law No. 109-E/2021, of December 9, with reference to the Penal Code (Decree-Law No. 48/95, of March 15) and to Decree-Law No. 28/84, of January 20 (as amended).

Type | Definition | Practical Examples | Penalty
--- | --- | --- | ---
Passive and Active Corruption (Arts. 373 and 374) | Public or private employees who solicit, accept, offer, or promise undue advantages (monetary or not) in violation of their duties. | A company employee solicits or accepts a bribe to make a favorable decision. | Passive: up to 5 years in prison or fine (600 days). Active: up to 3 years (or 5 in serious cases) or fine (600 days).
Influence Peddling (Art. 335) | Requesting or accepting an advantage in order to abuse influence (real or assumed) over a public or foreign entity. | Receiving money to influence a public official’s decision. | 1 to 5 years in prison.
Money Laundering (Art. 368-A) | Concealing the origin or ownership of illicit proceeds to make them appear legal. | Intentionally hiding the illicit origin of assets or funds. | Up to 12 years in prison.
Embezzlement (Art. 375) | Misappropriating money or assets entrusted to a public or private employee. | An employee misappropriates company funds or property. | 1 to 8 years in prison.
Misuse of Property (Art. 376) | Using property for purposes other than those legally intended. | An employee uses company equipment for personal benefit. | Up to 1 year in prison or fine (120 days).
Unlawful Receipt or Offer of Advantage (Art. 372) | Offering or receiving undue benefits by reason of one’s position. | A manager accepts gifts that compromise their impartiality. | Receiving: up to 5 years or fine (600 days). Offering: up to 3 years or fine (360 days).
Unlawful Economic Participation (Art. 377) | Using one’s position to make decisions that benefit oneself or a third party. | A manager awards contracts to a friend’s company, harming the organization. | Up to 5 years in prison. In some cases: up to 6 months or fine (60 days).
Extortion (Concussion) (Art. 379) | Receiving undue funds by misleading a victim or exploiting the victim’s error. | A public official collects excessive fees by misleading citizens. | Up to 2 years in prison or fine (240 days).
Abuse of Power (Art. 382) | Abusing one’s position to obtain benefits or cause harm. | A manager exploits their authority to favor a third party. | Up to 3 years in prison or fine.
Misconduct in Office (Art. 369) | Knowingly making unlawful decisions during legal or disciplinary proceedings. | A manager is aware of internal corruption but does nothing to prevent it. | Up to 2 years in prison or fine (120 days).
Subsidy/Credit Fraud (Arts. 36 and 38 of Decree-Law No. 28/84) | Obtaining subsidies or credit through false information or documents. | Submitting fraudulent data to receive public funds. | 2 to 8 years in prison and fine.
Conflict of Interest (as defined by the Portuguese Council for Corruption Prevention) | Any conflict (actual, apparent, or potential) that compromises impartiality. | Employees must handle all matters impartially and avoid undue influence. | 

Plan for the Prevention of Risks of Corruption and Related Offenses

The preparation of this PLAN considered the provisions of Decree-Law No. 109-E/2021, of December 9, the recommendations of the Portuguese Council for Corruption Prevention, and best industry practices both nationally and internationally, including the requirements and recommendations of ISO 31000 (Risk Management).

Scope

This Plan covers all activity areas of Xpand IT and their respective employees.

Objectives

The following objectives were established in drafting this Plan:

  • To identify, analyze, and classify risks and situations that may expose the organization to acts of corruption and related offenses, including those associated with the roles of management and executive bodies, considering the company’s sector and geographical areas of operation;
  • To implement preventive and corrective measures that reduce the likelihood and impact of the identified risks and situations;
  • To designate those responsible for monitoring and following up on this Plan.

Definitions

  • Risk: The effect of uncertainty on the organization’s objectives, often expressed as a combination of the consequences of an event (including changes in circumstances) and the likelihood of its occurrence.
  • Residual Risk: The level of risk remaining after risk mitigation actions, such as control activities, have been applied.
  • Risk Management: The process by which organizations systematically analyze the risks inherent to their activities, aiming for sustained advantages in both individual and collective business processes.
  • Probability (P): The frequency with which a risk event may occur in a process or business.
  • Impact (I): The consequences that a risk event may have on the organization’s operations.
  • Corruption and Related Offense Risk Event: A fact that gives rise to an act of corruption or related offense.
  • Risk Level (RL): The product of Probability and Impact.
  • Mitigation: Action taken to prevent the occurrence and/or impact of a risk event.

Methodology

Xpand IT adopted a methodology based on ISO 31000:2018 – Risk Management – Guidelines, which provides guidelines for establishing, implementing, maintaining, and continuously improving risk management.

Flowchart of the risk management methodology, structured into seven main stages. At the center, the process follows this sequence: Establishing the context, Risk assessment (including Identification, Analysis, and Evaluation), followed by Risk treatment. These steps are flanked by two ongoing pillars: Communication and consultation (section 5.2), and Monitoring and review (section 5.6). Each block is labeled according to its corresponding section number in the standard.

The risk mapping and assessment process consists of the following steps:

  1. Identify risk areas within the organization and the responsible persons. Risks were identified through meetings with area leads.
  2. Understand the risks involved, including their causes, sources, consequences (both positive and negative), and the likelihood of those consequences occurring.
  3. Analyze risks based on the defined impact (I) and probability (P) criteria.
  4. Assess and prioritize risks, allowing for the definition of potential scenarios.
  5. Identify internal control and prevention measures and define methods for annual monitoring and evaluation.
  6. Reassess risks, as risk areas may evolve or new/emerging risks may arise. This is a continuous process.

Identification of risks associated with Xpand IT’s activity

In accordance with the defined methodology, the company identified potential corruption and related offense risks that could arise due to the specific nature of activities carried out in each area of Xpand IT.

Risk Classification

Once identified and characterized by area, risks were classified based on:

  • Probability Assessment Criteria, and
  • Impact Assessment Criteria.

Probability

According to Xpand IT’s methodology, there are three probability levels, based on the adequacy of mitigation controls and the occurrence of risk events in the past three years:

Level | Definition | Cases
--- | --- | ---
Low (1) | Risk arises only in exceptional circumstances | 0 or 1 case in the last 3 years
Medium (2) | Risk arises from a sporadic process expected to occur occasionally. Controls exist but are insufficient | 2 to 3 cases in the last 3 years
High (3) | Risk arises from a frequent and ongoing process. Controls are absent or insufficient | More than 3 cases in the last 3 years

Impact

Also assessed on three levels, based on financial loss, reputational damage, and legal issues:

Level | Definition | Indicators
--- | --- | ---
Low (1) | Minimal or no financial loss. No significant damage to reputation or operations | Loss < €10k; local / internal reputational impact
Medium (2) | Financial loss and operational disruption | Loss of €10k to €100k; reputational damage; potential legal issues
High (3) | Significant financial loss and serious breach of public interest principles, damaging Xpand IT’s credibility | Loss > €100k; regulatory sanctions, legal action, or exclusion

Risk Level = Probability × Impact

Using the scores above, a risk level is calculated for each case using the following matrix. In terms of the product P × I, scores of 1 to 2 are rated Low, 3 to 4 Medium, and 6 to 9 High:

Probability / Impact | Low Impact (1) | Medium Impact (2) | High Impact (3)
--- | --- | --- | ---
Low Probability (1) | Low | Low | Medium
Medium Probability (2) | Low | Medium | High
High Probability (3) | Medium | High | High

Decision Framework Based on Risk Level

Risk Level | Situation | Decision
--- | --- | ---
Low | Low probability and low impact on finances or reputation | Acceptable risk
Medium | Could cause financial loss or reputational damage | Risk under evaluation – must decide whether to accept or reinforce prevention
High | High probability and high impact, including serious legal or reputational consequences | Unacceptable risk – implement new and stronger mitigation measures

Identification of Mitigation Measures

After the assessment and prioritization of risks, mitigation measures must be identified for each risk, together with an assessment of their adequacy.

Classification | Description
--- | ---
Adequate | The mitigation measures implemented are effective in reducing the identified risks.
Weak | The existing mitigation measures must be reinforced.
Inadequate | The existing measures must be replaced or complemented by new mitigation strategies.

Monitoring and Review of Risk Events

Xpand IT carefully monitors exposure to each corruption and related offense risk by implementing a risk control process. The frequency of monitoring is adjusted based on the risk level.

Risk Level | Monitoring Frequency
--- | ---
Low | Every 3 years (triennial)
Medium | Annually – Plan review
High | Quarterly – Plan review and assessment reports

The objectives of monitoring are to:

  1. Ensure the effectiveness and efficiency of the controls in place, especially through analysis of how often risk events may have occurred.
  2. Detect changes in risk events that may increase their likelihood or impact.
  3. Verify that mitigation actions are implemented on schedule and assess whether any measures or timelines need to be reviewed.
  4. Identify emerging risks that may not have been previously considered.

Risk management performance results

The risk management performance results are communicated to the Board and the Executive Committee and other relevant stakeholders in accordance with the internally established communication plan, specifically at two distinct moments: in October, through the issuance of the Interim Evaluation Report (RAI), and in April, through the issuance of the Annual Evaluation Report (RAA).

In line with the outlined methodology, the operationalization of the PPR aims to ensure the effective application of these procedures, thereby supporting the robust execution of internally defined treatment measures to manage the risks inherent to the organization.

Accordingly, recognizing that the risk management process at Xpand IT is continuous and dynamic, and following a comprehensive review of the information produced with the contribution of all Organizational Units, we hereby present the results of the company’s risk management efforts.

In 2024, a total of 14 risks were identified. Following their assessment, risks were classified and corresponding treatment strategies established, comprising 7 low risks, 5 medium risks, and 2 high risks.

High risks constitute 14% of the identified risks.

Pie chart titled "Risk Analysis", showing the distribution of identified risk levels. Most risks are classified as low and medium, each representing 43% (6 occurrences). Only 14% (2 occurrences) are categorized as high risk. The risk levels are color-coded: yellow for low, light green for medium, and light pink for high.

The risks are distributed across the Organizational Units as follows:

Vertical bar chart titled “Risks Distribution by Organizational Unit”, showing the number and severity of risks across seven areas: Board, Logistics, Talent Management, Business Units (BU), Finance, IT Operations, and GRC. Each bar is color-coded by risk level — low (light green), medium (yellow), and high (light pink). IT Operations and GRC report the highest number of risks (4 each), with GRC including 1 medium and 2 high risks. The Board also has one high risk, while Logistics shows only one low-risk item.

A total of 27 risk mitigation measures have been defined and will be subject to monitoring in accordance with the procedures described above.