The risk map is not merely one of eight measures. It is the measure that makes the others possible.
Among the eight obligations imposed by Article 17 of Sapin II, the anti-corruption risk map occupies a position that is structurally different from the others. A code of conduct can be drafted without reference to anything else. A whistleblowing system can be implemented before the risk landscape is understood. Training can be delivered in the absence of a clear picture of who faces what risks.
But a compliance programme that is genuinely proportionate to the company's exposure — as Sapin II requires — cannot be built without knowing what that exposure actually is. The risk map is the analytical foundation on which the remaining seven measures must rest. A company that has implemented the other measures without a credible risk map has built its compliance architecture on assumption rather than analysis.
The AFA understands this. Its published methodology treats the risk map as a prerequisite, and its assessments evaluate not only whether a risk map exists but whether the other measures are consistent with what the map reveals. A training programme that does not address the highest-risk activities identified in the map is a structural weakness — regardless of its quality in other respects.
Analysis, not assumption.
The anti-corruption risk map required by Sapin II is a structured identification and evaluation of the scenarios in which the company, its employees, or its third parties could be involved in corruption — in either direction: giving or receiving a benefit to obtain or retain business, or being the party from whom such a benefit is solicited.
Constructing a credible map requires three inputs that cannot be substituted by desk research alone. The first is a thorough understanding of the business: its activities, its markets, its commercial model, the nature of its relationships with public officials and private parties, and the transactions that generate its revenue. The second is an honest assessment of the risk environment in each geography and sector where it operates — informed by objective sources, including Transparency International's Corruption Perceptions Index and sector-specific risk intelligence. The third is internal knowledge: the experience of the people who manage the highest-risk relationships, who know where the pressure points actually are and what the culture around them looks like in practice.
The output is a risk register that maps corruption scenarios by activity, geography, counterparty type, and likelihood — and assigns to each scenario two ratings: the inherent risk, which reflects the level of exposure before any controls are considered, and the residual risk, which reflects what remains once the effectiveness of existing controls is taken into account. The gap between inherent and residual risk is the space where the compliance programme must operate, and a scenario whose residual rating remains high is one the programme has not yet addressed.
A useful test of a risk map's credibility is whether it contains any surprises. A map that confirms only what leadership already believed is probably a reflection of existing assumptions rather than a genuine analysis of actual exposure. The most valuable risk maps are the ones that surface scenarios the organisation had not previously prioritised — because those are precisely the ones that an insufficient programme will miss.
The risk map is not an event. It is an ongoing process.
The most common weakness that AFA controls identify in risk mapping is not the quality of the initial analysis. It is the failure to maintain and update the map after it is first produced.
The business changes. New markets are entered. New products are launched. Acquisitions bring unfamiliar third-party portfolios. Senior relationships that carried risk retire and are replaced. The regulatory environment in key jurisdictions shifts. Each of these developments has the potential to alter the company's risk profile — and a risk map that was produced two years ago and not reviewed since may no longer reflect the exposure the company actually carries.
Sapin II does not prescribe a specific review cycle. But the AFA expects the map to be reviewed when material changes in the business occur, and at regular intervals regardless. In practice, annual review is the minimum that the agency considers adequate for a dynamic business. For companies operating in fast-changing environments, a more frequent cycle is appropriate.
The maintenance of the risk map also requires governance. Ownership should be clearly assigned. The review process should be documented. Changes to the map should be formally approved and communicated to the functions responsible for implementing the measures that depend on it. A risk map without governance is an analysis without consequence — and an analysis without consequence does not satisfy what Sapin II requires.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. Organisations seeking guidance on specific regulatory obligations should consult qualified legal counsel in the relevant jurisdiction.