Published on 28 March 2024 by Thomas Caveng

Last session of our Compliance Task Force – Risk Mapping: Definition, Issues at Stake, Methodology

The last session of the Compliance Task Force created by Soulier Avocats in partnership with the European American Chamber of Commerce Auvergne Rhone-Alps (EACC) took place on March 14, 2024.

The theme of this session was “Risk Mapping: Definition, Issues at Stake, Methodology”.

It was divided into two phases.

Compliance update

Our Counsel Claire Filliatre opened the session with an update on:

  • The negotiations on the draft Corporate Sustainability Due Diligence Directive (CSDDD), aimed at strengthening the protection of the environment and human rights, a compromise text of which was finally adopted in extremis on March 15, 2024 by the European Council;
  • The latest developments at the domestic level with the creation of a “chamber dedicated to emerging litigation” attached to the Paris Court of Appeals, in charge of litigation related to corporate due diligence duty and environmental liability, and the first decision on the merits in corporate due diligence duty litigation handed down on December 5, 2023 in a dispute between SUD PTT and La Poste;
  • The political agreement reached on March 5, 2024 between the European Commission, the European Parliament and the European Council on the Regulation prohibiting products made with forced labor on the EU market, the scope of which will cover products manufactured in the EU for domestic consumption and exports, as well as imported products, without targeting specific companies or industries;
  • The entry into force on January 1, 2024 of the Corporate Sustainability Reporting Directive (CSRD) aimed at harmonizing corporate sustainability reporting and improving the availability and quality of published ESG (environmental, social and governance) data.

Risk mapping

Benjamin Bayard, Senior Manager Deloitte Risk Advisory, and Claire Filliatre then shared their experience in risk mapping.

The introduction was devoted to the societal and economic context, in which companies face not only proven risks that are increasingly publicized in the media but also emerging risks that are diversifying and intensifying, and to the increasingly complex legislative and regulatory environment. Benjamin Bayard and Claire Filliatre then emphasized that risk mapping is the cornerstone of many frameworks, and that it is precisely on the basis of risk mapping that risk prevention, detection and remediation plans are to be defined.

Then, they presented the different types of risk mapping and the main categories of major risks (economic, operational, geopolitical, industrial, strategic, governance, etc.), before outlining the methodological stages in the risk mapping process. These are briefly outlined below.

Step 1: Risk identification

This step involves identifying, consolidating and formalizing the list of major risks, in particular through a detailed documentary analysis and individual interviews with representatives of the organization’s various functions, using a specific methodology for identifying compliance risks on an international scale.

A risk sheet is drawn up for each major risk identified, including a description of the risk, its causes and consequences, its aggravating/mitigating factors and existing means of control.

Step 2: Risk assessment

This step requires an analysis of the risk’s impact, probability of occurrence and level of control.

The aim is to define risk assessment scales for each of the above criteria.

Step 3: Visualization and prioritization of risks

This step serves a dual purpose:

  • It should make it possible to assess the organization’s degree of exposure to each major risk (“gross” risk), using a criticality matrix;
  • It should make it possible to visualize the “net” risks according to the combination of their criticality and their level of control, using a prioritization matrix.

Step 4: Definition of risk action plans

This step aims at putting in place a sustainable risk management approach based on different risk treatment strategies (eliminating the source of the risk, reducing the criticality of the risk, transferring the risk to a third party, etc.).

Step 5: Regular updating

Risk mapping must be regularly updated to reflect changes in the organization and its activities.

Except in special cases, it is advisable to carry out a minor update every year, and a complete overhaul every 3 years.

Benjamin Bayard and Claire Filliatre then discussed methodological specificities in the context of the Sapin 2 Law (particularly with regard to corruption risks) and the General Data Protection Regulation (GDPR).

The update made by our Counsel Claire Filliatre is available here: Compliance Update – March 2024 (in French only).

Are you interested in compliance-related issues? Would you like to know more about the compliance measures and systems that must be implemented under French law?

Check out our Compliance Information Center!

Thomas Caveng

Legal Translator / Marketing Director