Introduction

Scope of application

Compliance program

Protection of whistleblowers

Audit and sanctions

Rules arising from the Sapin II Law

EU law

French law

Rules derived from competition law

Sapin II Law/Competition

Scope ratione personae

Scope ratione materiae

Scope

Development of plan

Measures included in plan

Inclusion in management report

Vigilance plan

Injunctions

Civil liability

Sanctions

Duty of vigilance (devoir de vigilance)

CSR programs

Reporting

Communication

Reporting and communication

Judicial sanctions

Risk to reputation, strategy and stability

Corporate Social Responsability (CSR)

Middlenext Code

IFA Corpus

AFEP - MEDEF Code

Types

Principles of governance

Principles incorporating CSR values

Principles

Comply or explain

Binding force

Private codes of conduct

Compliance

Precise knowledge of the undertaking, its activities and the processes they require, as well as the roles and responsibilities of the undertaking's stakeholders, whatever their level, is a prerequisite for risk mapping. This knowledge ensures that the map accurately reflects the risks to which the undertaking is actually exposed when interacting with third parties. Once this condition has been met …

Stages in the risk mapping process

Precise knowledge of the undertaking, its activities and the processes they require, as well as the roles and responsibilities of the undertaking's stakeholders, whatever their level, is a prerequisite for risk mapping. This knowledge ensures that the map accurately reflects the risks to which the undertaking is actually exposed when interacting with third parties. Once this condition has been met, the French Anti-corruption Agency (Agence française anticorruption -AFA) recommends that a risk identification methodology be put in place, to ensure that the company is in a position to carry out a detailed analysis of existing vulnerabilities across all its processes in France, as in other countries where it operates. The AFA recommends a six-step process  for the mapping process.

The first step is to organize and allocate the roles and responsibilities of the parties involved in risk mapping. The governing body will be responsible for promoting the risk mapping exercise and providing the compliance officer with the means to implement it, validating the risk management strategy implemented on its basis, and ensuring that the action plan adopted is implemented. The compliance officer is responsible for coordinating the risk mapping process, assisting the undertaking in mapping processes, identifying corruption risks, assessing and prioritizing these risks, and defining and implementing measures to control them. He or she will also be responsible for communicating the risk map to the governing body each time it is updated, and keeping it informed of the progress of the action plan. Those in charge of decision-making, operational, accounting and other support activities are responsible for contributing, each and every one of them in their own right, to the development and updating of the risk map, by identifying the risks specific to their activities in accordance with the anti-corruption procedures in force within the undertaking. The person in charge of risk management, if the undertaking has appointed one, is also responsible for helping to define the methodology used to identify, analyze, prioritize and manage corruption risks, in close collaboration with the compliance officer. Finally, the undertaking's staff, with their practical experience of the undertaking's processes, must contribute to the mapping exercise by reporting on the factors specific to the functions they perform and the risks they incur, so that the consequences can be drawn for the identification, assessment and prioritization of risks.

The second step is to identify processes and risk scenarios. The identification of undertaking risks must be based on a detailed analysis of its processes. The undertaking must first identify these processes on the basis of the activities it carries out, without prejudging the results of risk mapping, by drawing up an a priori list of those it considers to be the most representative or the most exposed to risk. Secondly, it must organize discussions, in particular through workshops, interviews or questionnaires with staff from all hierarchical levels and from throughout the undertaking, selected for their operational mastery of these processes. The aim is to identify the risk scenarios to which the undertaking is exposed in the course of its business activities, and which may relate to certain business lines, subsidiaries or geographical areas in particular. According to the Sanctions Committee, the AFA's recommendation does not require undertakings to demonstrate exhaustive representation of all functions and businesses, or of all the sites where they operate. They should remain free to select the functions, businesses or sites they feel are representative of their activities, or the managers they feel are best placed to express useful opinions on risk scenarios, provided this results in a relevant identification of the company's specific risks . Similarly, the AFA recommendation does not impose any predefined level of granularity: the undertaking may decide not to treat a country or a level below the country, such as a site, in a particular way, if it demonstrates that this situation results from a choice based on a precise analysis of its value chain and its own activities . Risk scenarios are identified taking into account the environment in which the undertaking operates, which may be affected in particular by : the countries in which the undertaking operates; the business sectors; the nature of the operations ; the nature of the third party, its business sector, the nature of the relationships (direct or indirect), the presence of politically exposed persons, the degree of economic dependence; the length of the sales cycle and competitive pressure, the methods of remunerating sales staff; the terms and means of payment; the history of incidents observed within the undertaking  or facts that have given rise to court decisions concerning undertakings with comparable risks. 

The third step is to assess the “gross” risks to which the undertaking is exposed, i.e. risks considered upstream of the control measures implemented. This involves assessing the undertaking's level of vulnerability for each risk scenario identified during the second stage, using three indicators: impact , frequency  and aggravating factors . The assessment of gross risks must be carried out on the basis of a consistent methodology: the undertaking must ensure that gross risk assessments from different business lines, subsidiaries or geographical areas can be aggregated in a coherent manner. In addition, the Sanctions Committee has indicated that it would be a methodological mistake to apply the aggravating risk-weighting factors, relating to sales and geographical sensitivity, at group level, whereas the assessment phase focused on specific geographical areas .

The fourth stage consists of assessing “net” or “residual” risks, i.e. those which remain after the implementation of measures designed to contain them. Existing and implemented risk control measures are identified during discussions with employees, as part of the process of identifying the risks inherent in the undertaking's activities. The assessment of their effectiveness, which may be based on audits already realized, is carried out by the compliance officer, in liaison if necessary with the heads of the undertaking functions concerned, and with the possible support of the internal audit department and the risk control manager, when the undertaking has such a function.

In the fifth stage, the net or residual risks are ranked and an action plan drawn up. Once the “net” or “residual” risks have been assessed, the risk scenarios are ranked by level. When the defined risk scenarios present a net assessment of the same level, and if the undertaking deems it useful to distinguish between them in order to prioritize the actions to be implemented, it can prioritize them using an objective method adapted to its specific activities, based on the combination of several criteria such as country risk, sales, and the nature and type of relations with third parties. This risk hierarchy makes it possible to distinguish between risks for which the level of control is considered sufficient, and those for which the management wishes to improve control, notably by strengthening internal control. The undertaking is free to choose the method of prioritizing risks: it can classify them according to admissibility thresholds, or by order of priority . Once the limit of risk acceptability has been set and documented, the AFA recommends that undertakings determine, as part of their risk management strategy, the measures to be implemented to control them. In this respect, it recommends that an action plan be drawn up on the basis of these elements, with the timetable, implementation, monitoring and reporting procedures entrusted to the responsibility of precisely designated players. In its second sanction decision, however, the AFA Sanctions Committee considered that this last requirement added to the law. No criticism based on the absence or inadequacy of the action plan provided for in the recommendation can therefore be levelled against an undertaking to characterize a breach of the Sapin II Law that would justify the imposition of a sanction .

The sixth step consists in formalizing, updating and archiving the risk map. Presenting the risk map helps to ensure that it is taken on board as a tool for managing corruption risks. The AFA recommends that the need to update the risk map be assessed each year . Such an update enables the undertaking to adapt its methodology or adopt a new one, if necessary, so that the resulting map provides reasonable assurance that the risks identified accurately reflect the risks to which the undertaking is actually exposed, are assessed at the right level and correctly prioritized. A change in methodology between the date of the inspection and the date of the AFA Sanctions Committee's decision also enables the undertaking to avoid any sanction, if it can demonstrate that the changes made to a mapping system initially deemed too generic have strengthened the relevance of the risk identification methodology used, and improved its quality and effectiveness at group level . Lastly, the AFA recommends that certain elements be retained, in order to assess the effective implementation of the mapping. These include: exchanges with the staff concerned (timetables, notes, written summaries); the method used to calculate “gross” risks, and the definitions adopted; the method used to calculate net or residual risks, and the definitions adopted; risk identification and classification procedures; the various versions of the risk maps presented to management bodies, their validation and the related validated action plans; the minutes of the various dedicated committees. The various versions of the risk maps, as well as their audit trail, must be dated, referenced and archived.

AFA recommendations designed to help public and private legal entities prevent and detect corruption, influence peddling, misappropriation of public funds and favoritism of 4 December 2020, JORF of 12 January 2021, pts 128 f.

AFA, 7 February 2020, LawLex202200001353JBJ.

See however AFA, 7 February 2020, LawLex202200001353JBJ, which considers that the AFA is incompetent to impose an obligation to update risk mapping annually.

AFA, 4 July 2019, LawLex202200001320JBJ. See also AFA, 7 February 2020, LawLex202200001353JBJ, admitting methodological evolutions during the mapping process, as long as they are justified.

These include strategic operations such as mergers & acquisitions, asset disposals, association with a new strategic partner, etc.

In particular, those revealed by internal audits or the internal whistleblowing system, which may have led to the application of disciplinary measures.

The impact of a risk scenario can be reputational, financial, economic or legal. A single risk scenario may combine several types of impact.

A probability of occurrence is determined using the most complete information available, based on the specific nature of the risk identified, and drawn in particular from the incident history.

Aggravating factors are assessed by applying severity coefficients. For undertakings with international operations, this coefficient enables the impact of geographical location to be taken into account at the gross risk assessment stage.

Compliance

32. Stages in the risk mapping process

Demandez un accès gratuit
au contenu exclusif Livv – juristes d’entreprise

Les décisions de justice citées dans ce paragraphe :

Les notions juridiques connexes

32. Stages in the risk mapping process

Demandez un accès gratuit au contenu exclusif Livv – juristes d’entreprise

Les décisions de justice citées dans ce paragraphe :

Les notions juridiques connexes

Demandez un accès gratuit
au contenu exclusif Livv – juristes d’entreprise