Dec. 19, 2019

Publications : Chronicles MAFR - Compliance Law

Legal Theory of Risk Mapping, Center of Compliance Law

by Marie-Anne Frison-Roche

Complete reference : Frison-Roche, M.-A., Legal Theory of Risk Mapping, center of Compliance Law, 2019. 

This is an English translation of an article published in French, Théorie juridique de la cartographie des risques, centre du Droit de la Compliance, Recueil Dalloz, 2019, p.

This article written in English is based on a working paper, written also in English, with additional developments, technical references and hypertext links. It is accessible here.

Summary. The act of mapping risks is not currently defined by Law. It is only described in special laws. While risk mapping is central to preventing in Ex Ante the occurrence of crises or behaviors from which the occurrence is excluded, no legal regime is available, due to the lack of a legal definition. This legal definition is proposed here in 5 stages, starting from special laws and specific cases to go towards a general conception. Risk mapping then appears as a concern for others taken care of willingly or by force by crucial operators, through a new subjective right: the “right to be alarmed”, the map being the structural counterpart of the character of the whistleblower. Two articulated systems of Compliance Law.


Read the article written in English below.

Risk Mapping is central to the Compliance mechanisms. It is by identifying in advance the risks of ignorance of its obligations that the company can in Ex Ante ensure that these are not violated. Thus, the Ex Post sanctions never arrive, Law is always effective, Compliance Law designed to develop only in Ex Ante is fully materialized. Everything therefore rests on an effective and successful mapping. In practice, this is essential, not only in the banking and financial sector but in all companies exposed to the Compliance obligation.

Yet in a very surprising way, Risk Mapping is very little targeted by Law. Admittedly, it can be argued that it has always been so through the balance sheet, for example, if we name in this way all the mechanisms of prudence or of information on the future that both Contract Law and Company Law contain. But as such, with its own requirements for risk analysis and prioritization, associated with the obligation to prevent the risks thus detected, Risk Mapping only appears in the French legal system through two special laws: the law known as "Sapin 2" of December 9, 2016 and the law known as "Vigilance" of March 27, 2017. Outside this field, and because these laws offer only a description and not a definition, and still less provide a notion, we do not know which legal regime to apply to the action of mapping risks.

It is therefore useful, even imperative, to define the legal concept of the action of mapping risks. It must be done because official documents such as the websites of ministries expressly target it as a modality of corporate social responsibility, presenting the mechanisms of the Sapin 2 law as an ethical and unconstrained commitment. Thus Criminal Law would be conceived as an application of flexible law...; we therefore measure the need to bring order, the legal confusion contributing to the concern of the various actors concerned.

The construction of the legal concept of risk mapping must start from what is still the most certain ground, namely these two special French laws, to go to less secure legal grounds, such as the doctrine of the Authorities or the commitments of companies, or even the ISO certifications obtained in this area. Some court decisions have had to find solutions in various disciplines to resolve cases where risk maps have been drawn up, willingly or by force, by companies or even by administrations. This is very useful because, beyond these two very special laws, we can deduce a general legal regime.

The method proposed here is in 5 steps. The first, directly based on the two available laws, apprehends the action of mapping when it comes in execution of a special legal obligation. The second step aims at the action of mapping the risks as a fact of good management of a company, even though the company is not constrained to do so, which can constitute a voluntary engagement. The third step targets the mapping action carried out by an entity no longer as an act of submission, including at its own will, but as an act of power over others. The fourth step is to look no longer towards the entity that lists the risks but towards those who run them and who must be informed of them. A general and coherent system of risk mapping can then be set up in a fifth step, a system which is aimed at third parties who are at risk, either to protect them or to put them in a position to measure the risk and to run it nevertheless, because Compliance Law is a dynamic, relational and liberal Law. This is what no algorithm can design or implement.



Article 17 of the law known as "Sapin 2" of December 9, 2016 obliges the managers of companies of a certain size to « prendre des mesures destinées à prévenir et à détecter la commission, en France ou à l’étranger, de faits de corruption ou de trafic d’influence », that could be translated as "take measures to prevent and detect the commission, in France or abroad, of acts of corruption or trading in influence".

To do this, the law aims among the "modalities" the adoption of a « cartographie des risques prenant la forme d’une documentation régulièrement actualisée et destinée à identifier, analyser et hiérarchiser les risques d’exposition de la société à des sollicitations externes aux fins de corruption, en fonction notamment des secteurs d’activités et des zones géographiques dans lesquels la société exerce son activité », that could be translated as a "risk mapping in the form of regularly updated documentation intended to identify, analyze and prioritize the risks of exposure of the company to external solicitations for the purpose of corruption, depending in particular on the business sectors and geographic areas in which the company carries out its activity".

The situation of customers, first-tier suppliers and intermediaries will be subject to an "assessment procedure ... with regard to risk mapping". Article 1 of the law of March 27, 2017 called "Vigilance" obliges in a similar way the parent companies and companies giving orders to build a « plan de vigilance » comprenant « une cartographie des risques destinée à leur identification, leur analyse et leur hiérarchisation » ainsi que « des procédures d’évaluation … », that could be translated as a "vigilance plan" including "a risk mapping intended for their identification, their analysis and their hierarchy" as well as "evaluation procedures…".

Because the first law targets the fight against very serious acts (corruption, trading in influence), sanctions are associated with breaches and it is possible to qualify these sanctions attached to Ex Ante Compliance obligations, in particular the risk mapping, as a structural Criminal Law. What is true for this law must also be true for analogous texts which aim at the fight against money laundering, which have similar wordings, aims and spirit.

However, the decision of the Sanctions Commission of the Agence Française Anticorruption - AFA (French Anticorruption Agency) of July 4, 2019 is essential because it outlines the new evidentiary game resulting from this Ex Ante Repressive Law. It said that the company bears the burden of proving that it has adopted an effective, analyzed and hierarchical mapping and that it is free to construct it as it has chosen, not being bound by the recommendations of the Authority, of which the managing director is also the prosecuting authority if he considers that there has been a breach. But if the company follows AFA’s recommendations exactly, this creates a simple presumption of Compliance. If the prosecuting authority wants to obtain its conviction, however, this body will have to adduce other convincing facts.

This evidentiary scheme, which replaces the discussions around the qualification "obligation of means / obligation of result", can be transposed to the other Structural Compliance Obligations resulting from the texts.




Any company has an interest in measuring its risks today so that they do not degenerate into crises for itself tomorrow. All organizations have always done this. But Law closes like a trap because the authorities will consider that an identified risk must therefore be destroyed, failing which the company must answer for its inertia through its Ex Post responsibility. This logical reasoning has been adopted by European Competition Authorities because the identified risk of an anticompetitive behavior that has not been averted is an aggravating circumstance when that behavior occurs.

But Compliance Law is also based on Incentives. However, the message thus sent is to stop all Risk Mapping outside of special and binding laws…. This is why, on the contrary, the American authorities, more sensitive to this Incentives argument, have, in the event of a violation of Law, for example in the face of market abuse, turned the unconstrained establishment by the company of a mapping of the risks of violation of Law, drawn up to try to hinder them, into a mitigating circumstance. This is provided that its effectiveness is checked, the burden of this proof remaining on the company.



A firm may not only care about its sole interests, it may care about others. It is then "responsible", here and now, for the distance and for tomorrow. What is designated as “social responsibility” corresponds to an Ex Ante responsibility.

Even if the French legal system struggles to recognize the concept of unilateral legal commitment, the texts of Financial Law on market information specifically target obligations to inform about risks, especially on the occasion of takeovers and more generally about "non-financial information".

The integration of ISO standards, in particular in environmental matters (Compliance Law being today linked to the “monumental goals” of Environmental Law), in documents issued by companies, these standards having binding value, can lead one to assume that the company then engages itself de jure.

If one leaves the Ex Post field of responsibility to go to the Ex Ante one, the question is then to know to whom the company commits itself. In French case law, the decision of the Commercial Chamber of the Cour de Cassation of March 7, 2018, Huis-Clos, is enlightening. The company criticized the sanction imposed by the Autorité des marchés financiers - AMF (French Financial Markets Authority) for hiding information from investors, when they could find it in its Risk Map. The Court said that the company should not only provide the raw data but also the analysis, that is to say communicate the alarm about the future. This was not done, the sanction was thus justified.

There would therefore exist a subjective right of third parties to "be alarmed", to "be worried" by those who know the risks that they run. It goes beyond intelligibility. This view is not limited to the financial markets. Indeed in the US, in the judgment of July 15, 2019 against the pharmaceutical company Johnson & Johnson, the Oklahoma State Court condemned the latter for not having alarmed people about the harmful effects of opiates that they had consumed heavily for years, while the laboratory had neither prescribed nor sold them. But it should have alarmed them. It is the same reasoning, because the dosage provided is a kind of mapping for the use of the third-party patient.

A kind of "subjective right to be alarmed" is thus being born. Even if the one who has the knowledge has no legal relationship with the one who runs the risk.




Risk Mapping thus appears above all to be a relationship with third parties. A relationship established willingly or by force to achieve a goal, either set by the company that cares about third parties (CSR) or set by binding Law (proper use of medicines, "Sapin 2" Act, "Vigilance" Act).

For this, the mapping being only a “modality”, the aim justifies that the mapping serves the third party thus protected by what should be legally called “alarming information”, but also that the entity which built the tool can use it as power over third parties in order to achieve the goal.

This is apparent from a decision of the Conseil d'Etat (French Council of State) of March 17, 2017, COFOR, which validates the legitimately binding scope of a risk mapping drawn up by the Ministry of Ecology and creating obligations on forest municipalities, because the goal of preventing forest fires justifies it.

This teleological reasoning specific to Compliance Law can be used in all other cases.



Compliance Law, an extension of Regulatory Law, is a liberal Law that puts people at the heart of the markets, protecting them while leaving them free. By the conception that Law has of it, Risk Mapping expresses beyond good management the concern for an interest external to the entity that draws it.

However, this support in Ex Ante carried out by force ("Sapin 2" Act, "Vigilance" Act, obligation to inform the financial market) or willingly (social responsibility, ethical commitment, spontaneous adoption of a-financial standards) only relates to information, its constitution, its intelligibility and its hierarchy, while creating a new form of information: the alarm.

This new subjective right is mirrored by this new character in Compliance Law: the whistleblower. Because he too is raising the alarm. The whistleblower is in character what Risk Mapping is in structure.

Then it is up to the actors exposed to risks, whether the entity itself or third parties, thus put in a position to understand in Ex Ante the extent of those risks as far as they are concerned, to choose to run them or not.






