Updated: Oct. 17, 2020 (Initial publication: Oct. 15, 2019)


Drawing up Risk Maps as an Obligation and the paradox of the "Compliance Risks"

by Marie-Anne Frison-Roche

This could be the basis of a general obligation to establish risk maps, an obligation incumbent on entities in a position to draw them up and then to publish them, secrecy being the exception. In this, the law known as "Sapin 2", through the establishment of the French Anticorruption Agency (AFA), institutionalized the mechanism by which companies "exposed" to the financial markets and/or to international investors and/or to international trade present in a clear and orderly manner - that is to say through a mapping - the risks they have identified in their present and future actions, thereby giving a more concrete account of their structural analysis of organizational risks.

When looking at the practice and its factual description, one can observe that the heart of Compliance systems is constituted by Risk Mapping, while relatively few legal studies present this technique in more abstract terms, and very little case law has taken into account this way of doing things, which is sometimes required by the texts and severely framed and sanctioned by them.

This could be explained in two ways. Either by the fact that everything would always go well and that, in the same way that happy peoples have no History, risk mapping would be so flourishing, so peaceful, so harmonious in its daily practice, that Law, which often exists only in a pathological way, would not look into it. Or by the fact that drawing up these maps, which describe the ferments of the future of the enterprise's activities, was rather a matter of good management, which would justify that this exercise has not yet been legally qualified, never triggering that negative recognition constituted by the sanction, and so Risk Mapping has not yet been granted a legal space by the seal of Qualification.


Risk mapping, a process often described but poorly qualified by Legislation

In fact, most often Risk Mapping is only described, without being qualified legally, which prevents it from being clearly situated in the legal Order. The Legislator does no more. Taking the French example, in Article 17 of the French Law known as "Sapin 2", mapping is described as "la forme d'une documentation régulièrement actualisée et destinée à identifier, analyser et hiérarchiser les risques d'exposition de l'entreprise à des sollicitations externes aux fin de corruption, en fonction notamment des secteurs d'activité et des zones géographiques dans lesquels l'entreprise exerce son activité" (which can be translated as "the form of regularly updated documentation intended to identify, analyze and prioritize the risks of the enterprise's exposure to external requests to corruption, depending in particular on the business sectors and geographic areas in which the enterprise operates"). In the same way, Article 1 of the French law known as "Vigilance" of March 27, 2017 aims at "une cartographie des risques destinées à leur identification, leur analyse et leur hiérarchisation" (which can be translated as "a mapping of risks intended for their identification, their analysis and their prioritization").


The lack of legal qualification of Risk Mapping, reflecting the uncertainties about the legal qualification of Compliance mechanisms themselves

The same tendency exists not to define what is aimed at in every Compliance mechanism. Maybe this is because, for the moment, Compliance has been very much a matter of practices and regulations, relating to what is done or what is prescribed to do or not to do, more than a conceptually developed branch of Law, so that it would suffice to accumulate processes and prescriptions without requiring definitions, and pragmatism would be satisfied with this set of technical "regulations", in which the Law itself hardly differs from other "technical standards", such as accounting standards, rail gauge standards or those that standardize electrical connections.

Indeed, this lack of a legal definition of Risk Mapping appears to be itself a reflection not only of the difficulties in defining Compliance Law but also of the more general absence of Law in all Compliance mechanisms. This absence is paradoxical for a space so full of criminal fury, maybe because, so often reduced in its presentation to a mechanical process, Compliance would only appear "legal" in its bad light: that of sanction. This mechanical conception of Compliance as a process leads to proposing that machines and not humans establish the tools, in particular Risk Mapping. No more compasses and staff maps; hello databases and automatic connections for warning lights to come on.

A contrario, if Compliance Law should receive a non-mechanical definition, not be a simple process of effectiveness of any rule to which some importance is attached, in a sort of happy return to a substantive definition of Compliance Law, it will be necessary to clearly define what Risk Mapping is legally.

If this requirement is formulated, perhaps the first demand of any lawyer who works with the techniques of definition and qualification, one can only be skeptical about the very strange category that, within Risk Mapping, the "conformity risks" (or "compliance risks") would constitute...



"Conformity risks" or "Compliance risks", specific elements of Risk Mapping, implicit reference to the substantive definition of Compliance Law

Indeed, when it is stated that the mapping must target at once "economic risks", "political risks" and "conformity risks" (that is to say, risks of future violation of Law), the lawyer finds it hard to understand how "conformity risks" could thus be an element of a tool which is itself only an element of a "Compliance Law" ("Droit de la Compliance"), which he is moreover told should be called "Droit de la Conformité"?

Indeed, when it is stated that the mapping must target both "economic risks", "political risks" and "conformity risks" (or "compliance risks"), that is to say risks of future violation of Law, the lawyer has difficulty understanding how "compliance risks" could thus be an element of a tool which is itself only a simple element of a "Compliance Law", if we do not distinguish conformity to legal rules from another conception of Compliance Law.

If, as it is sometimes argued, Compliance Law were only defined as a sort of "Law of Conformity", consisting simply of showing in advance that everyone complies with the applicable legal rules, regulations (which are also Law) and every regulatory standard (soft Law, which is also Law), then even without being an expert in set theory, one can only express one's incomprehension in front of this element of "conformity", which would then be at the same time an element of this subset of the cartography which is the "risk of conformity" (prospect identified Ex Ante of violation of the legal rules) and the whole "Compliance Law" (obedience shown Ex Ante to legal rules) in which the mapping tool is inserted!

Unless the express and literal reference made to "compliance risks" in the risk maps is eliminated, the resolution of this aporia leads to adopting a definition of Compliance Law which exceeds "Conformity", that is to say the sole concern of obedience to legal rules, and moves towards a substantial definition of this new branch of Law, the new term "Compliance", including in foreign languages (for instance in French, "Droit de la Compliance"), offering the opportunity to distinguish "Compliance" from the "conformity" of a rule to another rule or of a behavior to a standard, "conformity" always referring to a mechanical vision of the system.

If one adopts a substantial and teleological conception of Compliance Law, anchored in "monumental goals" where the very definition of this Law is located, one of its tools is then risk mapping, and one of the risks among others may then effectively be the prospect of not behaving in accordance with the applicable legal standards, "conformity risks" taking their place among other types of risks.

Thus the distinction between the two terms, "conformity" to refer to the fact of mechanically obeying and "compliance" to refer to an ambition to achieve monumental goals converging towards the protection of persons, makes it possible to conceive of "legal conformity" as being only one tool among others of Compliance Law, in the same way as, not without difficulty and discussions in particular around the stakes of translation (for example in French about English documentation which speaks of "compliance"...).

But it was exactly the same story when, 20 years ago, "regulations" were identified as being only one tool of Regulation Law and not its definition... And precisely, Compliance Law is the continuation of Regulation Law, with the same linguistic and definitional difficulties. As Regulation Law has overcome these difficulties, Compliance Law will too.


The hypothesis of Risk Mapping, as legal obligation of result, ancillary to the main obligation of means to achieve "Monumental Goals"

The Legislator does not contradict the reduction of Risk Mapping to being just an instrument, of which "compliance risks" are themselves only a part, since when reading the laws, for example French Law, it is accepted by the legislator that cartography is only a "tool", the French law known as "Sapin 2" designating it as a "modality", therefore a matter of stewardship.

Without disputing this but instead relying on this instrumental nature, it is necessary to look for what the tool is made for, because if a tool is offered to enterprises or its handling is imposed on them, this is de jure to achieve a "goal". If Risk Mapping is only a "modality", this necessarily means that its legal qualification has its source in the goal, the legal status of the mapping tool resulting from it, in a teleological way.

The instrument is designed to ensure that Law is not subsequently disregarded, the mapping identifying, through the "compliance risks", the increased risk of this possible disregard: the well-known expressions of "criminal risk" or "legal risk" are undoubtedly the ancestors of these "risks of conformity". The existence of this risk of future violation of Law, expressed by the expression "compliance risk", may have its roots in the company, in its sector, in its activities, or in everything that surrounds it and in the novelties which may happen tomorrow, Risk Mapping oscillating between an exercise of probability and one of prudence.

It is in this that Risk Mapping is a "modality", attached to an "obligation" which resides in a principal obligation of the enterprise, which is to prevent the transformation of this risk into a negative event, for example the transformation of the risk of a Law violation into an actual violation.

Drawing up a map would therefore be a secondary obligation, constituting the necessary accessory of a main obligation, which is the prevention of negative events (barrier against systemic disasters, corruption, money laundering, pollution, cataclysms) or achievement of positive events (realization of happy ambitions, constituting "positive monumental goals").

Case Law has underlined that if the main obligation, constituted by this barrier against a future event which must not happen (negative monumental goals) or this bridge towards a future event which must occur (positive monumental goals), is an obligation of means, the establishment of its modality which is the establishment of Risk Mapping is an obligation of result.

Indeed, if no one can master the future, even less when it involves others than oneself, the future being the time of Compliance Law constituted by its "monumental goals" (Compliance Law is an Ex Ante corpus), it is possible to organize the present exercise of establishing maps.

Thus, the exercise of mapping allows the enterprise to fulfill its "Compliance obligation" (and not only its Conformity obligation), that is to say to ensure that the facts of fragility that compromise the achievement of monumental goals, whether negative or positive, are identified Ex Ante (for example facts giving rise to corruption), a projection exercise which increases the probability of full fulfillment of the obligation of means constituted by its obligation to achieve monumental goals (for example, eliminating corruption).

It is the link between the tool and the goal, the basic mechanism in any branch of teleological Law which starts from the norm located in the goals, that makes it possible to define the tool: the purpose of risk mapping is to "reduce risks", that is to say to increase the future prospect for the enterprise of achieving the monumental goal that the public Authorities have assigned to it. Thus, as early as 2008, the OECD defined risk mapping by its objectives, namely "mettre en place des moyens efficients pour réduire des risques de fraudes et de corruption et pour mettre en place des enquêtes efficientes en concentrant les efforts sur les procédés efficaces" (which can be translated as "to put in place efficient means to reduce the risks of fraud and corruption and to set up efficient investigations by concentrating efforts on effective processes").

The goals pursued function themselves in concentric circles, which explains the diversity of the maps established. Thus, while the notion of corruption appears in Criminal Law, the notion of fraud is broader than its legal apprehension, because if "fraud corrupts everything", not all fraud is apprehended by Law, since the fight against it does not always take the form of a legal instrument. The maps are therefore not the same, and companies issue multiple ones.

More generally and elsewhere, many risks do not concern Law at all and must nevertheless be taken into consideration by the enterprise as information for its action: economic risks, natural risks or political risks, as well as "market risks", about which public bodies, such as the French Financial Markets Authority, regularly draw up a "risk map". But this mapping does not seem to concern the legal system, even though it is no longer the sole initiative of good internal management of the company.

This makes it all the more difficult to capture these diverse maps under a single legal qualification.


The hypothesis of Risk Mapping as a legal fact

Thus, if the analysis no longer starts from the laws which impose or suggest them, but rather from the maps drawn up by enterprises in order to take advantage of them, in particular vis-à-vis investors or consumers, their diversity is their first characteristic, since it is not certain that all these maps constitute a "modality" of a legal obligation, becoming by transitivity a legal object: these maps rather constitute an element in the determination of the company's strategy, therefore calling for a qualification as an "act of management".

Risk Mapping would therefore become a fact. It does not directly produce per se legal obligations. But its existence nonetheless makes it a legal fact, to which legal effects can be attached by the legal system. In particular when the Risk Mapping has generated effects of trust for third parties, and all the more so when the Risk Mapping was produced in order to obtain such trust, for example when the enterprise traces the risks upstream in the development of the products that it offers the public downstream.

The question of the enterprise's legal commitment arises all the more since it is today impossible to enclose Compliance Law - and its main Ex Ante tool, which is Risk Mapping - within only two particular monumental goals, fighting against corruption and fighting against human rights violations.


The hypothesis of a general and autonomous legal obligation to draw up Risk Mapping in favor of those who are not in a position to know the risks

If Risk Mapping were not just a simple legal fact, it is possible to consider that it could be, firstly, a unilateral legal act or, secondly, the fulfillment of a general and autonomous obligation borne by legal subjects who are in a position to know risks that others do not know.

In the first case, it is for example a company which, by its own will, in particular under its various societal commitments, undertakes to prevent such or such negative event (for example pollution) or to put in place techniques to achieve positive situations, for example equal relationships between people. To do this, in particular because these goals are expressed in its "ethics charter" or its "code of conduct", or even in what is now sometimes expressly presented as a "Compliance charter", this obligation of means triggers by its very existence, and without the need for a binding legal text, an ancillary obligation of result, consisting in the obligation to draw up a risk map relating to such a "project".

In the second case, and more generally, it is possible to consider that all the subjects of law who must concretize the monumental goals of Compliance Law must, by the fact of public authorities' supervision and according to the aforementioned reasoning on the necessary accessory nature, establish the corresponding maps.

Then it could be considered that any entity which is in a structural position to be aware of risks, giving it a better anticipation of the future, not only for itself but for others, must have a general obligation to bring to the attention of the others directly concerned the risks these others run in the exercise they must make of their own freedom. Indeed, for the enterprise, drawing up Risk Mapping is as much the exercise of a freedom for itself, in an act of good management, in order to decide to act in a certain direction (definition of strategy), as the exercise of a power to inform, exercised for others in an act of Compliance.

In this regard, the Regulatory Authorities which themselves draw up risk maps to enlighten the operators would only be models for them, the operators having in turn, through their own maps, to enlighten the parties "concerned" by these risks.

In a liberal conception of Law, no one can be legally forced to be a good strategist, let alone a great strategist, any more than a company which is in a position to know the risks that others run must necessarily be obliged to directly protect them; but Law should be legitimate in forcing the enterprise, as a center of centralisation and production of information, to make others aware of the risks concerning them of which it is aware - or must be - and which it has mapped, so that these third parties, thus instructed and thus alerted (the notion of Ex Ante alert being a central notion of Compliance Law), are enabled to measure these risks and to take them or not. No more than this general obligation, but this one.

If this general obligation were accepted, it would give concrete reality to a subjective right for third parties potentially "affected" by these risks.


The third parties' subjective right to be "concerned" by the knowledge through Risk Mapping, in order to be empowered to exercise their freedom of action

This could be the basis of a general obligation to establish Risk Mapping, an obligation borne by entities in position to draw them up, then to publish them, secrecy becoming the exception.

Public authorities supervise companies exposed to these risks. Certainly the banks are accustomed to this type of legal constraint, but the banks are already in a regulated and supervised sector and the move is not so important for them. But the general movement is remarkable, and marks the whole of Compliance Law in comparison with Regulatory Law (which it nonetheless prolongs), in that this Compliance system would apply, via the requirement of risk mapping, to companies operating in sectors that are not supervised, or even which are sometimes not even regulated, for example the immense field of international trade. In this way, these enterprises, which are not sectorally regulated, become structurally transparent and supervised under Compliance Law, which notably controls the effectiveness and efficiency of the risk mapping mechanism.

The liberal principle according to which an enterprise is only accountable for its behavior and not for its internal organization has been undermined, since Risk Mapping is an Ex Ante mechanism which falls within the structure of Corporate Law and whose effectiveness is controlled by public authorities, Compliance Law expressing an "Ex Ante responsibility" desired by many.

But this does not create an obligation of conduct consisting of an obligation of result, and even less an obligation to protect third parties. This creates an obligation of result consisting of the Risk Mapping, this and only this.

By this general structural obligation weighing on enterprises in a position to establish Risk Mapping and to make it known, Law gives rise, to the benefit of third parties, to a specific subjective right, the "right to be concerned", through knowledge of the risks they run and of which they were not necessarily aware, since they are not in the same "position" as economic operators, a concern which thus enables them to better exercise the freedom to run or not run the risks thus brought to their attention.
