Introducing the French Anti-Corruption Guidelines (3/4)
The Guidelines explain that the anti-corruption risk mapping exercise must be treated as a matter of priority as it will allow the organization to tailor its compliance program. This is an important indication for companies where Sapin II compliance is still a work in progress. It is difficult to predict the level of understanding and patience that may be expected from the Agence française anticorruption (AFA) in case of control, but it certainly will help if the controlled company is able to show that it understands the logic of the Guidelines and has started at the right place…which is risk mapping.
Linking risk mapping with other key issues such, as tone at the top and the personal liability of the CEO under the Sapin 2 Law, the Guidelines expressly state that the “governing body” is solely responsible for launching the exercise and validating the results. “This responsibility may not be delegated” (Guidelines, p. 16).
Although the AFA has somewhat tuned down its expectations in the final version of the Guidelines (as compared to the draft version), there is no doubt that it still views risk mapping as a thorough process that involves potentially significant time and resources:
- It rests on a comprehensive “end-to-end” analysis of company “managerial, operational and support” processes, with the participation of the relevant company employees for each process at various hierarchical levels.
- The AFA recommends a six-steps methodology allowing for the evaluation, for each risk and each corporate process, of the inherent risk, the aggravating factors, the mitigating factors and the resulting residual risk.
- Wherever a residual risk remains, the risk map must record corresponding mitigation action plans and follow-up status.
In the AFA’s view, the risk map is therefore nothing less than a full dashboard of the anti-corruption compliance program.
The Guidelines explain that the anti-corruption risk mapping exercise must be treated as a matter of priority as it will allow the organization to tailor its compliance program. This is an important indication for companies where Sapin II compliance is still a work in progress. It is difficult to predict the level of understanding and patience that may be expected from the Agence française anticorruption (AFA) in case of control, but it certainly will help if the controlled company is able to show that it understands the logic of the Guidelines and has started at the right place…which is risk mapping.
Linking risk mapping with other key issues such, as tone at the top and the personal liability of the CEO under the Sapin 2 Law, the Guidelines expressly state that the “governing body” is solely responsible for launching the exercise and validating the results. “This responsibility may not be delegated” (Guidelines, p. 16).
Although the AFA has somewhat tuned down its expectations in the final version of the Guidelines (as compared to the draft version), there is no doubt that it still views risk mapping as a thorough process that involves potentially significant time and resources:
- It rests on a comprehensive “end-to-end” analysis of company “managerial, operational and support” processes, with the participation of the relevant company employees for each process at various hierarchical levels.
- The AFA recommends a six-steps methodology allowing for the evaluation, for each risk and each corporate process, of the inherent risk, the aggravating factors, the mitigating factors and the resulting residual risk.
- Wherever a residual risk remains, the risk map must record corresponding mitigation action plans and follow-up status.
In the AFA’s view, the risk map is therefore nothing less than a full dashboard of the anti-corruption compliance program.
