Nov. 28, 2019


Reference: Frison-Roche, M.-A., General presentation of the cycle of conferences on Les outils de la Compliance (Compliance Tools) and "Théorie générale de la cartographie des risques" (Legal Theory of Risk Mapping), conference given in French, in Département d'Economie de Sciences Po & Journal of Regulation & Compliance (JoRC), La cartographie des risques, outil de la Compliance (Risk Mapping, as Compliance Tool), November 28th, 2019, Sciences Po, Paris.





Summary of the conference

Risk mapping is both central to the obligations or practices of companies and little apprehended by legal systems. It is not expressly referred to by the French legal system, except in the special national laws known as "Sapin 2" and "Vigilance". But outside this field, because there is only a description and not a legal definition, still less a legal notion, we do not know what legal regime to apply to the action of mapping risks. It is therefore useful, indeed compelling, to define the legal concept of risk mapping, starting from what is still the safest ground, namely these two special laws, and moving towards less secure legal grounds, such as the doctrine of the authorities or the commitments of companies, even the ISO certifications obtained in this matter. Through a few judicial decisions and legal reasoning, a legal notion of the action of mapping risks emerges.

It is advisable to proceed in 5 steps (the working document follows another approach).
The first, based directly on the two available laws, apprehends the action of mapping when it is carried out in execution of a special legal obligation. The decision rendered in 2019 by the French Commission des sanctions of the Agence Française Anticorruption (French Anticorruption Agency's Sanctions Commission) sets out rules of evidence as to the demonstration of the execution of the obligation, and this evidentiary system can be extended. In the same way, the decision of the French Conseil constitutionnel (Constitutional Council) in 2017 on the "Vigilance Act" shows that a mechanism referred to as a "modality" is legitimate with regard to the goal, which is, concerning this tool, the establishment of a responsibility for others. It is therefore the concern for the situation of others that can be targeted by the Law thanks to Compliance Tools, especially Risk Mapping.

The second theme concerns risk mapping as a fact of good management for a company, where the enterprise is not constrained by a legal obligation. This fact is a paradox because the Regulatory Authority and the Judge may, where the conduct that was to be prevented occurs, for example a market abuse or an anti-competitive behavior, qualify it either as an aggravating circumstance or as a mitigating circumstance. Consideration of the theory of incentives should lead to the adoption of the American solution, that is to say the qualification of an effective cartography as a mitigating fact. European case law is not yet settled, especially in terms of Competition Law compliance.

The third theme is the mapping action carried out by an entity which, in doing so, exercises power over a third party, because cartography is as much an obligation as a power, possibly over a third party. The Conseil d'Etat (French Council of State) in 2017 qualified risk mapping as an act of grievance, but a legitimate one, since its purpose was to prevent forest fires efficiently. This solution, based on the teleology attached to Compliance Law, can be transposed to other areas.

Going further, one may consider transforming this action from de facto status to legal status on the part of the company, if it thus identifies risks for third parties. It would thus give third-party creditors the right to be in a position to measure the risks that weigh on them. Risk mapping would thus be part of a broader unilateral commitment by powerful companies, recognizing the existence of risks for third parties in order to enable them to know their nature and extent. If this Ex Ante responsibility (characteristic of Compliance Law) is fulfilled, then the Ex Post liability of the company could no longer be retained. This is the ongoing issue of the Johnson & Johnson trial (2019 American judgment), in terms of medical compliance. Because if one can argue that there exists, through the kind of risk mapping that the posology constitutes, a "subjective right to be worried about the risks related to the taking of the drug", the patient remains free in the use of it. The question of whether third-party education is included in the mapping, since the alert is already included in it, is an open question. For now, the answer is negative.

Indeed, as a fifth step, the liberal definition of Compliance Law appears through the way in which the Law must apprehend risk mapping. Beyond the rational act by which any person controls their risks in their own interest, by preventing the damaging effects that follow once the risk has in fact crystallized, it is a question of preserving an external interest, for the preservation of which the Law must intervene because the subject of law, in particular the company, will be less likely to be concerned by it.

By the imprint of the law, risk mapping expresses the concern for an external interest, either of a system or of a third party. But this Ex Ante support, whether it comes about by force (Sapin 2, Vigilance, financial market information obligation) or by will (social responsibility, ethical commitment, adoption of non-financial standards), relates only to information, its constitution, its intelligibility and its hierarchy. Then it is for the actors exposed to the risks, able to understand Ex Ante their extent as far as they are concerned, whether the entity itself or third parties, to choose to run them or not.



  • Consult the two sets of slides as basis of the conference: 




Nov. 27, 2019



This Working Paper served as the basis for a presentation at a conference in the cycle organized by the Journal of Regulation & Compliance (JoRC) on the theme Compliance Tools, in collaboration with many university partners: this first conference is organized in collaboration with the Sciences Po Economics Department, is held on November 28, 2019 at Sciences Po, and deals with the more specific theme of risk mapping.

It also serves as the basis for the book edited by Marie-Anne Frison-Roche, Compliance Tools, which will be released in the Regulations & Compliance collection.




Introduction and Summary.

Most often we only describe the risk mapping mechanism, without qualifying it legally. The legislator does not do more. Thus, in the French legal system, in the law adopted in 2016 to fight against corruption, the so-called "Sapin 2 law", article 17 describes cartography as "la forme d'une documentation régulièrement actualisée et destinée à identifier, analyser et hiérarchiser les risques d'exposition de la société à des sollicitations externes aux fins de corruption, en fonction notamment des secteurs d'activité et des zones géographiques dans lesquelles la société exerce son activité" ("the form of documentation regularly updated and intended to identify, analyze and prioritize the risks of exposure of the company to external solicitations for the purpose of corruption, depending in particular on the sectors of activity and the geographic areas in which the company operates").

In the law adopted in 2017 to oblige big companies to be "vigilant", article 1 of this so-called "Vigilance law" of March 27, 2017 refers to a "cartographie des risques destinée à leur identification, leur analyse et leur hiérarchisation" ("mapping of risks intended for their identification, analysis and prioritization").

This is a description, not a definition, with the text only targeting the "form" that this piece of information takes, without saying more. The descriptive text is inserted in the second part of article 17 and refers to the first part thereof, which expressly covers it as a "modality" of "the obligation" to take "measures intended to prevent and detect the commission, in France or abroad, of acts of corruption or trading in influence". In the same way, when consulting the documents by which the regulatory authorities, for example the Financial Market Authority, present the way to properly identify the risks, including the risks of "non-compliance" [footnote 1734], there is a description of the ways of doing things, no definition, often no rights. We find this same tendency in Compliance itself, so often reduced in its presentation to a mechanical process, often not very legal, or only becoming so in its bad light: that of the sanction. This mechanical conception of Compliance as a process leads to proposing that machines and not human beings establish the tools, notably the risk mapping.

Because it is understood that cartography is only a "tool", the law designated it as a "modality". It is therefore a given that we must look for what the tool is made for. Either it is done so that the law is not ignored, the mapping identifying for example the increased risk that it is not respected: this is usually referred to by the strange name of "risk of compliance". The mapping then allows the company to execute its "compliance obligation", that is to say to ensure Ex Ante that the law is respected by eliminating in advance the risk that it will not be. Thus, in 2008, the OECD defined risk mapping by its objectives, namely to put in place efficient means to reduce the risk of fraud and corruption and to set up efficient investigations by focusing efforts on effective procedures [footnote 1739].

Then there are the risks which do not concern the Law, and which the company manages as so many considerations for its action, such as economic, natural or political risks, as well as "market risks", about which market authorities, such as the Financial Market Authority, regularly draw up a "risk map" [footnote 1740]. But this mapping does not seem to concern Law, even though it is no longer the sole responsibility of the company's internal management. The more maps we read, the more we observe their diversity, without knowing whether they constitute a "modality" of an obligation, therefore constituting a legal object, or whether they constitute a good way of doing things, which is neutral for the Law. But what does law today not mix with? Especially with a fact as important, significant and expensive as this one...

However, we observe to what extent "risk mapping" has so far been little thought about in law. Indeed, when it is explained, as it so often is, that it includes "economic risks", "political risks" and "compliance risks" alike, while as a whole it is not an instrument of a Compliance Law that organizes all of compliance, the lawyer, who constantly puts things in order, no longer manages to follow: how could "compliance" be only part of a mechanism that is itself only part of "compliance"? There are very many writings which detail the cartography and which, by a kind of mirror effect, draw up cartographies of the requirements country by country, text by text, sector by sector, law by law, cartography requirements... We are faced with a house of cards, always more meticulously described, without ever meeting any legal qualification. For example, does drawing up such a map constitute a legal fact or a legal act? I don't see the question even asked. Yet the consequences for the legal regime are immense. Assuming that this is only a legal fact, can it be justified? The lawyers thought about it and instead found the door closed... But why should it not be a legal act? The legal category of unilateral legal acts is there to welcome it. In this case, the risk mapping commits the company, and we feel that regulators and judges are seeing it that way more and more. But if the company is committed, towards whom is it? More precisely still, if it becomes debtor of the obligation to map, even if no specific law prescribes it in a precise way, then there is necessarily a creditor who benefits from this obligation. Who is it? And why?

The essence of this contribution is to ask these questions. They are elementary. They open up avenues: those opened up by the exercise of legal qualification, legal categorization and legal definition.

If for the moment this exercise has been little practiced, risk mapping being strangely left to algorithms, capable of heaping up data and incapable of defining and qualifying legally, this may be due to the more general fact that Law and risk are rarely directly associated. The mechanism of good management that risk mapping constitutes, especially in organizations that are not companies but are in charge of administering and adopt this good method without constraint [footnote 1735], encourages it all the less since one can read that it would be for the meticulous entity to identify in advance, in particular, the "legal risk" [footnote 1731], that is to say the application that could be made of law, an uncertain application, an annoying application. How many successful seminars on "penal risk"... As if in defense, lawyers explain too generally that the Law is constituted to fight against risk, which is a fact. In fact, we repeat over and over again that the legal system is there to "secure", sometimes reducing it to this technical performance due to its very nature, by the principle of "legal security"; that the State, by its permanence, its legitimate violence, its imperium, gives us peace in exchange; that the contract, by the "little law" which it constitutes, offers to the parties which enact it a haven of security, an island of stability in a future that one never quite knows; woe to us if we get out of the legal order, because we fall back into risk... Thus, either one is in the Law, subject to the Law, and one benefits from its specific security, which economists would readily refer to as "regulation", or one is in the freedom of action, and then one is at risk... It would be as for the markets, about which we must choose between liquidity and security: if we want freedom of action, then we need less regulation, and therefore less security, more risk...
This traditional opposition, so often relayed in economics, is called into question by the obligation of risk mapping, because if these maps are established, it is not in order to know the risks for their own sake but to combat them, beyond the traditional obligation of information on risks, of which there are many anchors in the branches of Law, in particular Company Law, in particular for companies exposed to the financial markets (I).

Consequently, since beneath the classic information there is political ambition, the will to "prevent" evil, which is quickly transformed into the will to "promote" good, something new appears. The novelty is first of all institutional (II). In this, the so-called "Sapin 2" law, through the establishment of the French Anticorruption Agency, institutionalized this mechanism by which companies "exposed" to financial markets and/or to international investors and/or to international trade present in a clear and orderly manner, that is to say by a map, the risks they have identified in their present and future actions, and must more concretely account for their structural organization. Public authorities will supervise the companies exposed to these risks. Certainly banks are legally accustomed to it, but banks are in a sector which is regulated and supervised. What is remarkable is that Compliance Law, via the risk mapping requirement, applies the legal technique of supervision to companies which operate in sectors which are not supervised, and which are sometimes not even regulated. Thus, they become structurally transparent. The liberal principle according to which a company only reports on its behavior and not on its internal organization is undermined. Thus, by the sole technique imposed by law, the transparency method specific to supervised companies becomes general, as soon as a risk exists. This is a radical innovation, since the risk in question is not a sector risk and a general crisis is no longer what is feared. A rupture is thus effected with the Law of supervision, which until now was inseparable from the Law of Regulation, the obligation of risk mapping applying to any "crucial operator" exposed to the risk of corruption, in that this must be fought in a global manner.

Therefore, risk mapping is a tool which, beyond the simple description, takes its definition in a teleological way. Its aim is to prevent risks which compromise ambitions which are not always of an economic nature but which are of a political nature (III). The fight against corruption is only one example, the so-called "vigilance" law also requiring a "risk mapping" in the area of human rights, while this technique is taken up by more or less binding texts in environmental matters. Certainly companies in a position to carry such political ambitions, by force (because of their position) or willingly (by their reason for being or by their policy of social responsibility), must support them, which transforms these companies into major political actors. They cannot, however, take the place of the Public Authorities, which on the one hand fix the "monumental goals" to be achieved and on the other hand supervise, Ex Ante and Ex Post, the implementation and operation of these tools within crucial companies.


OECD, Bueb, J.-P., Risk mapping methodology. Developing practical tools for procurement, 2008: "OBJECTIVES OF RISKS MAPPING • Put in place efficient means to reduce risks of frauds and corruption; • Have more efficient investigations by concentrating the efforts on “sensitive” processes, methods or persons."


Financial Markets Authority, Risk Mapping, 2017


Dyens, S., La nécessité de dresser une cartographie des risques juridiques, 2012. In this article, which presents the Law as a risk for the action of the State and for the successful outcome of public policies, it is a question of organizing the administrations well Ex Ante.

Sept. 13, 2019

Thesaurus : Doctrine

Full reference: Hautereau-Boutonnet, M., Le risques de procès climatique contre Total : la mise à l'épreuve contractuelle du plan de vigilance, in Revue des contrats, n°3, Lextenso, 2019, p.95


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".

July 4, 2019

Thesaurus : Autorité de Contrôle Prudentiel et de résolution (A.C.P.R.)

July 1, 2019

Thesaurus : Soft Law

Full reference: Cartographie AMF des marchés et des risques, in Bulletin Joly Bourse, Lextenso, n°04, 2019, p.7


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".



June 5, 2019

Thesaurus : Doctrine

Full reference: Thierache, C., RGPD vs Cloud Act : le nouveau cadre légal américain est-il anti-RGPD ?, in La Revue juridique Dalloz IP/IT, n°6, 2019, p.367


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".

Oct. 3, 2018

Thesaurus : Doctrine

Full reference: Dyens, S., La cartographie des risques, outils central de la compliance publique, in AJCT, 2018, p.491


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".

Jan. 12, 2018

Thesaurus : Doctrine

Full reference: Schlegel, F., La cartographie des risques, pierre angulaire de la réglementation Sapin 2, in La LJA, 2018.


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".

Dec. 22, 2017

Thesaurus : Soft Law

July 3, 2017

Thesaurus : Soft Law

Full reference: AMF, cartographie des risques 2017, in Droit financier, Lextenso, 2017, 108 p.


The AMF has published its 2017 risk map, which provides an overview of how the risks linked to economic, financial and regulatory developments have evolved over one year. It analyses the financing of the economy, the markets, and household savings and collective investment management.


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".

Feb. 2, 2017

Thesaurus : Doctrine

Full reference: Brosses (de), S., Gestion, cartographie des risques. Un pilotage vigilant, in Juris associations, Dalloz, n°570, 2017, p.43


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".

Jan. 2, 2017

Thesaurus : Doctrine

Full reference: Boursier, M.-E., L'impact de l'ordonnance du 1er décembre 2016 sur la cartographie des risques des entreprises, in Bulletin Joly Bourse, Lextenso, n°116, 2017, p. 6.


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".


Dec. 9, 2016

Thesaurus : 02. Laws

Oct. 3, 2016

Thesaurus : Doctrine

Full reference: Samuelian, M., Les actions juridiques et réglementaires à l'épreuve des risques cartographiés par l'AMF, in Bulletin Joly Bourse, n°10, Lextenso, 2016, p. 440


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".

Dec. 11, 2013

Thesaurus : Doctrine

Full reference: Collard, Christophe, and Christophe Roquilly. « Les risques juridiques et leur cartographie : proposition de méthodologie », La Revue des Sciences de Gestion, vol. 263-264, no. 5, 2013, pp. 45-55.


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".



Oct. 1, 2012

Thesaurus : Doctrine

Full reference: Oster, T., Droit de la concurrence et assurance : cartographie des risques au lendemain de l'enquête sectorielle de la commission européenne et de l'adoption du nouveau règlement d'exemption catégorielle, in RGDA, n°4, Lextenso, 2012, p. 959.


Sciences Po students can read the article via the Drive, in the folder "MAFR - Régulation & Compliance".

March 7, 2012

Thesaurus : Doctrine

Full reference: Dyens, S., La nécessité de dresser une cartographie des risques juridiques, in AJ Collectivités Territoriales, 2012, p.131

July 8, 2008

Thesaurus : Doctrine

General reference: Bueb, J.-P., Risk mapping methodology. Developing practical tools for procurement. Workshop on Investment and Anti-Corruption Policies in the framework of the International Compact for Iraq, in OECD, Paris, 8-10 July 2008, 20 p.


Read the report.