Pursuant to Article 17 II 3° of the Sapin 2 Law, risk mapping must take the form of:
“a regularly updated documentation for the purpose of identifying, analyzing and ranking the company’s exposure to risks of external solicitations for the purpose of bribery, in accordance with the business sectors and locations where the company conducts its operations.”
Risk mapping is based on an objective, structured and documented analysis of the company’s exposure to corruption risks in the course of its business activities.
It must be:
- complete, i.e., it must cover all of the company’s managerial, operational and support processes for its dealings with third parties and the entire scope of the company’s business, taking into account in particular any de jure or de facto control of other entities,
- formalized, i.e., it must take the form of written and structured documentation with a detailed description of the methods used to produce the map, the measures taken to manage the risks and the roles and responsibilities of the various stakeholders, and
- dynamic, i.e., it must be updated whenever a significant change occurs within the company.
In this context and in order to assist its clients in the preparation of a risk map that meets all applicable legal requirements, Soulier Avocats has developed a methodological approach, inspired by the latest recommendations of the French Anti-Corruption Agency, divided into several steps. Each step requires a close collaboration between the various stakeholders within the company and our dedicated team.
Step 1: Defining the roles and responsibilities of all risk mapping stakeholders
This step is an essential prerequisite as it allows for a clear assignment of the missions and responsibilities of the various stakeholders within the company (senior management, compliance officer, managers of decision-making and operational processes, risk manager, if any, and staff members).
Step 2: Identifying risks inherent to the company’s activities
Risk identification is based on a detailed analysis of the relevant company’s processes.
The company must first identify its processes on the basis of the operations it conducts. Then, exchanges and consultations are organized with staff members of all hierarchical levels, notably through workshops, individual and/or collective interviews, questionnaires, etc.
The objective is to draw up an accurate inventory that identifies, in a detailed and documented manner, the risk scenarios that are specific to the company. These scenarios must take into account the general business environment in which the company operates (the countries where the company conducts operations, its business sectors, the nature of its operations, the nature and environment of third parties, the length of the sales cycle, the competitive pressure, the payment terms and means, past incidents, etc.).
Step 3: Assessing gross risks
The objective is to assess the company’s vulnerability to each identified risk scenario. In other words, the purpose of this step is to identify the “gross” risks to which the company is exposed, i.e., the risks considered before any measures are taken.
This step also identifies which people and operational functions are most exposed to these risks.
Vulnerability is assessed using three indicators: impact, frequency and aggravating factors.
An analysis of the reputational, financial, economic and legal impact of each risk scenario must be conducted.
At this stage, an initial risk register can be established, listing all the risks identified.
Step 4: Assessing net or residual risks
This step consists of re-assessing the “gross” risk scenarios, taking into account the existing risk management measures implemented by the company, in order to determine the “net” or “residual” risks to which it is exposed.
Existing risk management measures should be identified and assessed in order to be adapted and complemented.
Aggravating factors should be taken into account, such as the regular receipt or granting of gifts and invitations, habitual relationships with representatives of public authority or interest representatives, large purchase volumes from the same supplier, donations to charities, etc.
Step 5: Ranking the net or residual risks and preparing the action plan
Once the “net” or “residual” risks have been assessed, they must be ranked using an objective methodology based on a combination of several criteria such as country risk, turnover, the nature and type of relationships with third parties, etc.
This ranking is used to distinguish risks deemed to be adequately managed from risks for which the company would like to improve management, in particular by enhancing internal control processes.
This will result in the establishment of risk matrices.
Then, based on these elements, an action plan must be prepared. The responsibility for the timetable, the implementation of the action plan and the related monitoring and reporting procedures must be assigned to specifically designated stakeholders within the company.
Step 6: Formalizing and updating the risk map
All of the elements identified, documented, ranked and prepared in the previous steps combine to form the company’s risk map.
It can be organized and formalized by business line, by process, by entity or by geographical area, as the company elects.
It must include an annex describing how it was prepared and the methodology used for identifying, assessing, ranking and managing risks.
It is necessary to assess every year whether the risk map should be updated, in light of any potential changes in the company and its operations.