Forty years after the adoption of the Foreign Corrupt Practices Act (“FCPA”) in the United States, twenty years after the adoption of the OECD Anti-Bribery Convention, and six years after the adoption of the U.K. Bribery Act (“UKBA”), the French law dated December 9, 2016, known as Sapin 2, obliges many French companies (with turnover greater than 100 million euros and at least 500 employees) to have to seriously and concretely integrate a strong anti-corruption approach to a risk that is often underestimated or poorly apprehended.

The tone is set. The French Anti-Corruption Agency (“AFA”), which has the power to control on-site or off-site companies to ensure compliance with the obligations set out on the frame of the fight against corruption, has made it clear since its recent creation that AFA will not carry out a facade check but will verify the actual reality of the actions taken and the company’s desire to fight against corruption. And its first controls have just begun.

The controls begin

AFA intends to play a role comparable to that of the U.S. and British authorities, who ensure that the effectiveness of compliance programs implemented and developed within domestic and foreign companies is under their control.

What must the company subject to Sapin 2 do to be (now very quickly) compliant? A vision that is probably simplistic would be to limit oneself to displaying measures that are really followed in reality by the company. The purpose of AFA’s control is to ensure that the risk of exposure or transgression within the company is as low as possible. This purposetherefore implies a control of the quality and effectiveness of the prevention device.

And, as Sapin 2 provides, AFA recalls, in its charter of the rights and duties of audit stakeholders, the duty of vigilance in the detection and prevention of corruption and influence trafficking weighs not only on the legal entity but also on the directors, natural or legal persons, of the companies concerned; in other words, they are personally liable—notwithstanding any delegation of powers—for any breach of this new obligation and the consequences which attach to it with regard to administrative or even criminal penalties. Faced with this new risk of controls, the company cannot be satisfied with amateurism by resorting to minimalist solutions. Only a personalized approach, specific to its organization, its history, and its particularities, will allow the company to justify the choices made and the priorities defined in the construction and development of its compliance program.

To do this, an initial step is essential and is rigorously assessed by the supervisory and investigation authorities: risk mapping.

“Real” risk mapping: tailor-made is not “luxury”

Too often, risk mapping is still understood as a very general tool or resembling, in part, to risk mapping already existing in the financial, industrial, or insurance sectors.

However, the aim of risk mapping required by the Sapin 2 law is quite different: conceived as a lever for managing corruption risks, this risk mapping aims to guard against the legal, human, financial, and media-related consequences that can be generated by insufficient or inappropriate vigilance. An essential tool for controlling the risks of corruption and related offenses, risk mapping must make it possible to identify, evaluate, prioritize, and manage these risks in order to guarantee a pragmatic, efficient, and appropriate compliance program for the organization of the company.

This risk mapping also implies that company managers are informed of the risks and that compliance officers have the necessary visibility to implement prevention and detection measures that are appropriate and proportionate to the issues identified by this mapping.

Indeed, how to define what must be implemented—the procedures to be followed by the employees of the company—if the company has not identified the specific risks to which it is exposed through its business lines, its customers, its suppliers, its intermediaries, or its geographical locations, in particular?

How to justify the relevance of the training choices and the effectiveness of the procedures implemented when the recurrence, the severity, or the impact of the risks have not been sufficiently and precisely taken into account? How to prevent an employee from considering himself as a whistleblower if he does not have a training, procedure, or hierarchy able to answer his questions and then considers himself isolated, thus opening the consequent risk—but provided for and authorized by Sapin 2—to a disclosure, by him, of these facts to third parties of the company?

The time of “leaks” has indeed come, with uncontrollable consequences if these risks are not previously taken care of.

Risk mapping should therefore:

  • be exhaustive and precise, which implies involving both management and operational teams in its development, in all sectors of the company;
  • formalized and accessible, which implies written, structured, synthetic documentation including quantified information by business, activity, and process; and
  • be progressive, which implies a regular reassessment of risks, in line with the changes in the company but also feedback, in order to ensure the durability and effectiveness of the compliance program.

A code of conduct to avoid “accidents”

For these purposes of efficiency and of construction of a tailor-made compliance program, particular attention must be paid to the code of conduct, which is also often neglected when it merely summarizes generalities or commitments that the company disseminates to third parties via its website, without realizing that the commitments thus displayed—if they are not based, at the same time, on concrete measures implemented within the company—may turn against the company in case of controls, or even through a whistleblower.

Beyond the obligations prescribed by the law regarding its content, a custom-made code of conduct must therefore describe the situations and behaviors to be avoided by being adapted to the reality of the company, using relevant examples.

In the end, faced with a risk of corruption and related offenses, which are often poorly apprehended, the French requirement of vigilance and compliance implies for companies a real self-analysis tailored to their needs. Which, alone, will then allow to appreciate, by the concrete measures implemented from this step, the good faith and the will of the company to respect these new obligations which are imposed upon it and thus to avoid the consequences of administrative, criminal, and reputational penalties.