Full reference: Guillaume, N., Compliance risk mapping: first insights of challenges, limits and good practices, in Frison-Roche, M.-A. (ed.), Compliance Tools, série "Régulations & Compliance", Journal of Regulation & Compliance and Bruylant, 2021, p. 73-80.
Summary of the article (by Marie-Anne Frison-Roche)
The author gives an overview of what risk mapping is for a company: not only an obligation in certain cases, such as corruption, but also, and beyond that, an excellent tool for designing and controlling its strategy.
He shows that this is because legislation now incorporates the risk-based approach: companies must use these maps, and the law sometimes requires that they be placed at the service of an overall strategy, even though handling them may give rise to the liability of the company and its managers. The author emphasizes that the maps are very diverse because their objectives differ, as do their users (which implies different perspectives on the same risks).
The author then identifies principles common to all maps, which always assess risks according to their probability of occurrence and the severity of their consequences should they materialize. It is also necessary to distinguish the "gross risk", considered in the absolute, from the "net risk", which takes the company itself into account in this assessment of probability and severity, and then to determine an acceptable level of risk for the company.
Onto these common principles are superimposed specificities relating to the various risks; the author takes the risk of corruption in particular, since Compliance Law gives it a prominent place. Mapping devoted to a specific risk then becomes finer in order to remain relevant, and the criteria used for it will be abandoned in the mapping of another risk.
The method then becomes common again: it involves the commitment of the company's management bodies, internal surveys and interviews, and benchmarks.
If the company deploys the art of risk mapping in this way, maps cease to be merely a legal requirement with which the company must comply and become a central tool in the overall risk prevention system and in strategy design, feeding codes of conduct and the design of training and supervision, and ultimately instilling in the company a "risk culture", which is essential.