Last Updated on 26 May, 2026

Understanding Sapin II: A Manager’s Guide to Anti-Corruption Compliance

Learn how Sapin II helps managers strengthen anti-corruption compliance, reduce risk, and meet AFA expectations in France.

Overview of Sapin II and Its Anti-Corruption Objectives

Sapin II (Law No. 2016-1691) set a clear expectation for larger French organisations: prevent and detect corruption and influence peddling, including risks linked to overseas business activities. The core operational requirement for companies is laid out in Article 17, which makes the leadership team responsible for putting a structured anti-corruption programme in place.

For managers, the practical point is simple: Sapin II is not only a legal policy. It is a system of controls that must exist, be used, and be provable through records, training evidence, and monitoring.

The Role of the Agence Française Anticorruption (AFA)

Supervisory powers and audit authority

AFA is the public body that checks whether the Article 17 measures exist, are well designed, and actually work. Its controls can examine the “existence, quality, and effectiveness” of an organisation’s anti-corruption measures.

Under Article 17, AFA can produce findings and recommendations, and where it identifies failures, it can escalate the matter to its sanctions process.

Guidance and compliance frameworks

AFA also publishes guidance to help organisations build programmes that match French expectations (and demonstrate maturity during a control). Its published recommendations and guidelines are widely used as the reference point for designing risk mapping, due diligence, training, and internal controls.

Companies in Scope Under Sapin II

Employee and revenue thresholds

Article 17 applies to companies (and groups) headquartered in France that meet both thresholds: at least 500 employees and more than €100 million turnover (or consolidated turnover).

Parent company liability

Where consolidated accounts exist, the obligations extend across the group. Subsidiaries that exceed thresholds can be treated as covered if the controlling company implements Article 17 measures across all relevant entities.

The Eight Mandatory Compliance Measures

Article 17 lists eight measures that must be implemented, maintained, and evidenced:

Code of conduct

A code defining prohibited behaviours related to corruption/influence peddling, integrated into internal rules where required.

Whistleblowing mechanism

An internal reporting channel for employees to raise concerns linked to breaches of the code of conduct.

Risk mapping

A documented, regularly updated risk map that identifies and prioritises corruption exposure (by sector, geography, and business model).

Third-party due diligence

Risk-based assessment procedures for clients, tier-one suppliers, and intermediaries, aligned to the risk map.

Accounting controls

Internal or external accounting controls designed to prevent books and records being used to hide corruption.

Training requirements

Targeted training for managers and staff most exposed to risk. One such training is "Sapin II Compliance & Anti-Corruption for Managers" by the French Compliance Institute.

Disciplinary sanctions

A disciplinary regime that supports enforcement when the code is breached.

Internal monitoring and evaluation

Ongoing testing and evaluation of whether the programme works in practice.

Infographic: the eight mandatory compliance measures under France’s Sapin II anti-corruption law.

Sanctions and Deferred Prosecution Agreements (CJIP)

Financial penalties

If failures are confirmed via the AFA sanctions commission route, Article 17 provides for penalties up to €200,000 for individuals and €1 million for legal entities, plus potential publication of decisions.

Reputational consequences

Decisions may be published or displayed, and AFA controls themselves can create serious stakeholder pressure (banks, investors, tender panels, and large clients).

Compliance remediation obligations

A CJIP (Convention judiciaire d’intérêt public) can require: an “amende d’intérêt public” (capped as described by AFA), a compliance programme under AFA supervision (up to 3 years), and victim compensation where relevant.

Lessons from AFA Enforcement Actions

The consistent message from the French framework is that compliance must be structured, risk-based, documented, and monitored, not “policy-only”. If your organisation cannot show evidence (risk map updates, due diligence trails, training completion, testing results), it is harder to defend the effectiveness of the programme during an AFA control.

Why Anti-Corruption Compliance Is a Leadership Responsibility

Sapin II is not only a legal requirement for compliance teams. It is a management duty because corruption risks are created and controlled inside day-to-day operations: sales targets, agent relationships, procurement decisions, sponsorships, and approvals. Sapin II (Article 17) expects a structured anti-corruption programme (eight measures) that is actually applied, monitored, and improved, not just written on paper.

Managers sit closest to the real risk signals: unusual commissions, pressure to use a specific intermediary, weak documentation, or “urgent” payments outside normal controls. If leaders do not set expectations, staff will copy shortcuts.

The Most Common Compliance Gaps Identified by the AFA

Incomplete risk mapping

A common failure is treating risk mapping as a one-off exercise. Sapin II expects a documented risk map that is regularly updated and used to prioritise controls by activity and geography.
Practical gap: business units do not feed real-life changes into the map (new markets, new distributors, new payment methods), so controls stay misaligned.

Weak third-party controls

The AFA’s guidance links third-party checks directly to the risk map: low-risk groups may have simplified checks, while higher-risk groups need deeper checks and stronger approvals.
Practical gap: “one-size-fits-all” screening, missing beneficial ownership checks, unclear escalation rules, and weak contract clauses (audit rights, anti-corruption undertakings, termination triggers).

Ineffective internal reporting channels

A reporting channel is not effective if staff do not trust it, cannot use it safely, or see no follow-up. The AFA recommendations stress checking deployment, analysing the number and types of reports, and reviewing the quality of responses.

Personal Liability of Executives and Managers

Failure to implement preventive measures

Under Sapin II, companies in scope must implement the eight measures (Article 17). If leadership does not implement, resource, and enforce them, the organisation faces AFA scrutiny and remediation expectations.

Criminal exposure under French Penal Code

Bribery offences can carry serious criminal penalties. For example, active bribery of a public official is covered in the Penal Code (Article 433-1). For managers, the risk often arises through approvals, instructions, or wilful blindness around third parties and payments.

Building an Effective Anti-Corruption Framework

Designing a practical code of conduct

Make it role-based: procurement, sales, finance, HR. Define gift/hospitality limits, conflicts of interest, facilitation payments (prohibited), and approval routes. Sapin II lists a code of conduct as a core measure.

Establishing secure whistleblowing channels

Use secure channels, clear confidentiality rules, and clear response timelines. Track themes and outcomes so reporting becomes a control, not a mailbox.

Implementing proportionate due diligence

Apply checks based on risk level (country, sector, role of the intermediary, payment terms). Re-check periodically and when circumstances change.

Strengthening Accounting and Financial Oversight

Sapin II requires accounting controls that detect corrupt payments (false invoices, round sums, vague service descriptions, split payments, “success fees”). Build segregation of duties, tighter vendor onboarding, and exception reporting tied to the risk map.

A Practical 10-Step Anti-Corruption Checklist for Managers

  1. Confirm your team’s top 5 corruption risks from the risk map.

  2. List all third parties your team uses (agents, suppliers, sponsors).

  3. Classify third parties by risk and apply matching checks.

  4. Require written scope, pricing logic, and deliverables for intermediaries.

  5. Enforce gift/hospitality approvals and conflict-of-interest declarations.

  6. Block payments without contracts, invoices, and proof of service.

  7. Watch for red flags: unusual commissions, offshore accounts, urgency pressure.

  8. Promote the reporting channel and protect reporters from retaliation.

  9. Ensure training is completed and role-specific.

  10. Review incidents quarterly and update controls with compliance.

From Legal Obligation to Strategic Risk Management

When France introduced the Sapin II law in 2016, the objective was not only to punish corruption but also to transform how organisations manage corruption risks. The law requires large companies operating in France to establish structured anti-corruption compliance programmes designed to prevent and detect bribery and influence peddling within their operations.

For managers, this means that anti-corruption compliance is no longer a narrow legal function handled by the legal department. Instead, it has become a strategic risk management responsibility that involves leadership, governance structures, and operational decision-making.

The law obliges organisations to implement eight core compliance measures, including a code of conduct, whistleblowing mechanisms, corruption risk mapping, third-party due diligence, accounting controls, training programmes, disciplinary procedures, and internal monitoring systems.

Together, these requirements push companies to move from reactive enforcement to proactive prevention. Organisations must identify corruption risks early and build internal controls that reduce exposure before misconduct occurs.

Integrating Sapin II into Corporate Governance Structures

Board Oversight Responsibilities

Under Sapin II and the guidance of the French Anti-Corruption Agency (AFA), senior management and boards of directors are responsible for ensuring that anti-corruption programmes are effectively implemented and monitored. The AFA emphasises that leadership involvement is essential for building credible compliance frameworks and ensuring accountability across the organisation.

Boards are expected to:

  • Approve anti-corruption policies and codes of conduct

  • Monitor the effectiveness of compliance systems

  • Ensure adequate resources for compliance teams

This oversight ensures that anti-corruption efforts align with overall corporate governance strategies.

Compliance Officer Independence

An effective compliance function must operate with sufficient independence to investigate risks and recommend corrective actions. Many organisations appoint a dedicated compliance officer or ethics committee responsible for overseeing anti-corruption programmes and reporting findings to senior leadership.

Independence is important because compliance teams must be able to challenge management decisions when corruption risks arise.


Reporting Lines and Escalation Protocols

Strong reporting structures allow organisations to respond quickly to corruption risks. Sapin II requires internal reporting mechanisms that enable employees to raise concerns through whistleblowing channels without fear of retaliation.

Effective escalation protocols ensure that:

  • Suspected misconduct is reported quickly

  • Investigations are handled objectively

  • Senior leadership is informed of significant risks

Risk Mapping as a Strategic Decision-Making Tool

Identifying High-Risk Sectors and Geographies

Risk mapping is considered one of the most critical elements of the Sapin II compliance programme. Companies must identify corruption risks associated with their activities, business sectors, and geographical areas of operation.

For example, companies operating in sectors with frequent government interaction, such as construction, defence, or public procurement, may face higher corruption risks. Similarly, organisations operating in regions with weak governance or high corruption indices require stronger controls.

Prioritising Mitigation Measures

Once risks are identified, organisations must analyse their likelihood and potential impact. Risk mapping allows managers to prioritise mitigation strategies and allocate resources efficiently.

According to AFA recommendations, the process typically includes identifying risk scenarios, assessing the probability and severity of risks, and designing action plans to address the most significant exposures.

Monitoring Third-Party Ecosystems

Supplier and Intermediary Exposure

Many corruption cases involve intermediaries, agents, or suppliers acting on behalf of a company. Sapin II therefore requires organisations to conduct due diligence on third parties, including customers, suppliers, and business partners.

This process typically includes:

  • Collecting background information on partners

  • Assessing ownership structures

  • Monitoring payments and contractual arrangements

Third-party oversight helps prevent companies from indirectly participating in corrupt activities.

Contractual Safeguards

Contracts with third parties often include anti-corruption clauses requiring partners to comply with ethical standards. Companies may also require certifications, audit rights, and termination clauses if corruption risks are identified.

These safeguards protect organisations from legal exposure and reputational damage.

Internal Controls and Audit Mechanisms

Sapin II emphasises strong accounting and financial controls to prevent corruption from being concealed within company records. Organisations must implement internal or external audit mechanisms to verify that financial transactions are accurate and transparent.

Regular audits help companies detect unusual payments, hidden commissions, or suspicious financial flows that may indicate bribery. Monitoring systems also evaluate whether anti-corruption measures remain effective over time.

Aligning Sapin II with International Standards

OECD Anti-Bribery Convention

Sapin II aligns France more closely with international anti-corruption frameworks such as the OECD Anti-Bribery Convention. These standards encourage countries to criminalise bribery of foreign public officials and strengthen corporate compliance systems.

UK Bribery Act Comparison

The UK Bribery Act is widely considered one of the strictest anti-corruption laws globally. Like Sapin II, it requires organisations to implement adequate procedures to prevent bribery and can impose liability on companies for failing to do so.

FCPA Alignment Considerations

The U.S. Foreign Corrupt Practices Act (FCPA) also shares similar principles with Sapin II, including accounting controls, anti-bribery provisions, and extraterritorial enforcement. Sapin II was partly designed to align France’s anti-corruption framework with these global standards.

For multinational companies, aligning compliance programmes across these frameworks helps ensure consistent global anti-corruption practices.

What Sapin II Means for Department Heads

For many managers in French organisations, Sapin II is not only a legal framework but also a daily operational responsibility. The law requires companies that meet certain size thresholds to implement anti-corruption programmes designed to prevent bribery and influence peddling across business operations.

Department heads therefore play a key role in ensuring these measures work in practice. They must enforce internal rules, monitor risks within their teams, and ensure that staff follow the organisation’s anti-corruption procedures.

Under Article 17 of Sapin II, companies must establish a structured compliance system that includes elements such as a code of conduct, whistleblowing procedures, risk mapping, third-party due diligence, training programmes, accounting controls, and internal monitoring mechanisms.

Managers are often responsible for implementing these controls within their departments, particularly where employees interact with suppliers, intermediaries, or public officials. Failure to do so may expose the organisation to enforcement action from the French Anti-Corruption Agency (AFA).

Red Flags Every Manager Should Recognise

Corruption risks rarely appear openly. Instead, they often emerge through patterns of behaviour that seem unusual or inconsistent with normal business practices.

Unusual commission structures

One common warning sign is an abnormal commission or fee structure. For example:

  • Excessively high commissions paid to consultants or intermediaries.

  • Payments linked to vague “facilitation” or “consulting” services.

  • Commission arrangements tied to winning public contracts.

These structures may hide bribery or influence-peddling arrangements.

Gifts and hospitality abuse

Corporate hospitality is normal in many industries, but it can cross the line into corruption if not controlled. According to AFA guidance, gifts and invitations are common in business life but must be regulated through clear internal policies.

Managers should monitor situations where:

  • Gifts are unusually expensive or frequent.

  • Hospitality is offered during sensitive procurement decisions.

  • Employees deal with government officials without oversight.

Cash payments or opaque intermediaries

Payments made through complex intermediary structures can also indicate corruption risks. Warning signs include:

  • Requests for cash payments or unusual banking arrangements.

  • Contracts involving intermediaries with unclear roles.

  • Suppliers operating through offshore or opaque ownership structures.

These situations require immediate review by compliance teams.

How to Conduct a Corruption Risk Review in Your Team

Risk mapping is one of the central obligations of Sapin II compliance programmes. It requires organisations to identify, assess, and prioritise corruption risks based on business activities and geographic exposure.

Managers can support this process by carrying out periodic risk reviews within their teams. Key steps include:

  1. Identify business activities exposed to corruption risks, such as procurement, sales, or government relations.

  2. Analyse how employees interact with third parties, including agents, distributors, and suppliers.

  3. Assess the likelihood and potential impact of corruption scenarios.

  4. Document mitigation measures such as approval procedures, financial controls, and reporting mechanisms.

This review helps organisations focus compliance resources on the areas that present the greatest risk.

Documentation Managers Must Maintain

Effective compliance depends on documentation that demonstrates the organisation’s preventive efforts.

Due diligence records

Sapin II requires companies to conduct integrity checks on certain third parties, including suppliers and intermediaries. The goal is to determine whether a relationship creates corruption risks.

Managers should maintain clear records of the checks performed before entering into new business relationships.

Training attendance logs

Employees working in risk-exposed functions must receive anti-corruption training. Maintaining attendance records helps demonstrate that the organisation actively educates staff on compliance obligations.

Conflict of interest declarations

Managers should also ensure that employees disclose potential conflicts of interest, particularly when dealing with procurement decisions or public authorities.

Preparing for an AFA Audit

The French Anti-Corruption Agency is responsible for supervising and assessing corporate compliance programmes under Sapin II.

What inspectors examine

During an audit, the AFA typically reviews:

  • The organisation’s corruption risk mapping.

  • The implementation of compliance policies.

  • Internal reporting mechanisms and investigations.

  • Training programmes and communication efforts.

How interviews are conducted

Auditors often interview executives, compliance officers, and operational managers. These interviews focus on whether staff understand anti-corruption policies and how they apply them in practice.

Immediate corrective actions

If gaps are identified, organisations may be required to implement corrective measures, strengthen controls, or revise compliance procedures.

Common Mistakes That Increase Exposure

Several recurring weaknesses have been identified in anti-corruption programmes across organisations:

  • Treating compliance as a legal formality rather than an operational responsibility.

  • Conducting risk mapping only once instead of updating it regularly.

  • Failing to monitor third-party relationships effectively.

  • Providing training without verifying whether employees apply the policies in practice.

Avoiding these mistakes requires consistent management involvement. When leaders actively support anti-corruption measures, organisations are far better positioned to prevent misconduct and demonstrate compliance with Sapin II.

Evolution of Anti-Corruption Enforcement in France (2025–2027 Outlook)

Over the past decade, France has strengthened its anti-corruption framework significantly. The Sapin II law, enacted in 2016, marked a turning point by introducing strict compliance obligations for large companies and establishing the French Anti-Corruption Agency (AFA) to supervise enforcement. The AFA now plays a central role in auditing corporate compliance programmes and ensuring organisations implement preventive measures against bribery and influence peddling.

Looking ahead to 2025–2027, enforcement is expected to become more proactive and preventive rather than purely punitive. Authorities increasingly evaluate whether companies have effective anti-corruption programmes in place before misconduct occurs. Sapin II requires organisations to implement structured compliance systems, including risk mapping, internal reporting channels, and third-party due diligence procedures.

In practical terms, this means regulators will continue to focus on the quality and effectiveness of compliance programmes, not just whether companies formally adopted policies. Organisations that treat compliance as a strategic governance function—rather than a legal formality—will be better positioned to withstand regulatory scrutiny.

Sapin II and the Broader ESG & Corporate Governance Agenda

Anti-corruption compliance is increasingly linked to broader Environmental, Social, and Governance (ESG) expectations. Investors, regulators, and stakeholders now view corporate integrity as a key governance indicator.

Ethical culture expectations

Modern governance frameworks expect companies to actively promote a culture of integrity. Sapin II already reflects this philosophy by requiring internal training programmes and codes of conduct designed to prevent corruption and influence peddling.

In ESG reporting frameworks, ethical culture is assessed through leadership behaviour, internal accountability mechanisms, and transparency in decision-making processes. Companies that embed anti-corruption principles into their organisational culture are increasingly seen as lower-risk investments.

Transparency and stakeholder trust

Transparency has become a defining element of responsible governance. Anti-corruption compliance frameworks encourage organisations to document decision-making processes, monitor high-risk transactions, and disclose relevant information to regulators and stakeholders.

For multinational companies operating in high-risk sectors—such as construction, energy, and public procurement—transparent compliance systems help demonstrate that business operations follow ethical standards and legal obligations.

Digitalisation of Compliance Monitoring

Technological innovation is transforming how companies manage corruption risks.

Data analytics for risk detection

Many organisations now rely on data analytics to identify unusual financial patterns that may indicate corruption risks. Advanced monitoring tools can detect irregular payments, suspicious procurement activities, or abnormal commission structures.

These tools allow compliance teams to analyse large volumes of financial transactions in real time, helping organisations detect potential violations earlier and respond quickly.

Automated third-party screening

Third-party relationships remain one of the most common corruption risks. Sapin II explicitly requires companies to assess the integrity of business partners, suppliers, and intermediaries through due diligence procedures.

Digital compliance platforms now automate these checks by screening partners against sanctions lists, politically exposed persons databases, and adverse media reports. This approach reduces manual workload and improves risk detection accuracy.

Interaction with Whistleblower Protection Reforms

Whistleblowing frameworks have become a key pillar of anti-corruption enforcement in Europe.

EU Whistleblower Directive impact

The EU Whistleblower Protection Directive requires member states to ensure secure reporting channels and strong protections for individuals who report misconduct. France has updated its legislation to align with this directive, strengthening reporting procedures and safeguards.

These reforms expand the scope of reporting mechanisms and require organisations to establish confidential channels for employees and other stakeholders.

Expanded reporting protections

French whistleblower protections prohibit retaliation against individuals who report wrongdoing in good faith. Examples of prohibited reprisals include dismissal, denial of promotion, or damage to an employee’s reputation.

As a result, whistleblowing systems are increasingly viewed as a core component of corporate integrity frameworks.

Why Mid-Sized Companies Face Greater Scrutiny

Although Sapin II primarily targets companies with more than 500 employees and revenues exceeding €100 million, regulators increasingly expect mid-sized organisations to adopt similar compliance standards.

Recent regulatory guidance encourages companies outside the strict legal thresholds to voluntarily implement anti-corruption programmes aligned with Sapin II principles. This shift reflects the growing expectation that responsible governance should apply across the entire corporate ecosystem.

For mid-sized companies seeking international expansion, adopting structured compliance frameworks can also improve credibility with partners, regulators, and investors.

Turning Anti-Corruption Compliance into Competitive Advantage

Forward-thinking organisations increasingly recognise that anti-corruption compliance can create tangible business benefits.

Winning public contracts

Public procurement procedures often require companies to demonstrate strong compliance and anti-corruption safeguards. Organisations with well-documented compliance programmes are more likely to qualify for government tenders and public-sector partnerships.

Investor confidence and due diligence

Investors routinely evaluate corruption risk when conducting due diligence. A transparent compliance framework signals that a company actively manages regulatory risk and ethical governance.

International market access

For companies operating globally, strong anti-corruption systems help align with international regulations such as the OECD Anti-Bribery Convention, the UK Bribery Act, and the US Foreign Corrupt Practices Act (FCPA). This alignment reduces legal exposure and facilitates cross-border partnerships.

In this context, Sapin II should not be viewed merely as a regulatory obligation. When implemented effectively, it becomes a strategic tool that strengthens governance, protects reputation, and supports sustainable growth.

Frequently Asked Questions

Sapin II is France’s main anti-corruption law designed to improve corporate transparency and prevent bribery and corruption. It requires eligible companies to implement compliance measures such as risk mapping, whistleblowing systems, anti-corruption training, and internal controls.

The purpose of Sapin II is to strengthen anti-corruption compliance in France by helping organisations identify, prevent, and detect corruption risks. The law also promotes ethical business practices and greater corporate accountability.

Sapin II mainly applies to companies with more than 500 employees and annual revenue exceeding €100 million. However, many SMEs and international businesses also follow Sapin II compliance standards to meet client, investor, and regulatory expectations.

Companies covered by Sapin II must implement eight key anti-corruption measures, including:

  • A code of conduct

  • Corruption risk assessment

  • Whistleblowing procedures

  • Third-party due diligence

  • Internal accounting controls

  • Employee training

  • Disciplinary procedures

  • Internal monitoring and evaluation systems

A corruption risk assessment, also called risk mapping, helps businesses identify and evaluate areas where corruption risks may arise. It is one of the most important requirements under the Sapin II law and supports stronger compliance management.

Managers play a critical role in preventing corruption within organisations. Sapin II training helps managers recognise red flags, understand compliance obligations, and respond appropriately to risks such as bribery, conflicts of interest, and unethical business practices.

Failure to comply with Sapin II can result in financial penalties, regulatory investigations, reputational damage, and increased scrutiny from the French Anti-Corruption Agency (AFA). In some cases, company executives may also face personal liability.

The French Anti-Corruption Agency (AFA) oversees the implementation of anti-corruption compliance programmes in France. The agency conducts audits, issues recommendations, and evaluates whether organisations meet Sapin II compliance requirements.

An effective Sapin II compliance programme should include strong leadership support, regular risk assessments, employee training, third-party due diligence, internal controls, and continuous monitoring of compliance measures.

Sapin II focuses on anti-corruption compliance and corporate transparency, while GDPR focuses on data protection and privacy rights. Both regulations are important parts of corporate compliance for organisations operating in Europe.

Even when not legally required, many SMEs adopt Sapin II anti-corruption practices to improve governance, strengthen client trust, and meet international compliance standards in business partnerships and procurement processes.

Anti-corruption compliance helps organisations reduce legal risks, protect their reputation, and build trust with customers, investors, and regulators. In France, compliance expectations continue to grow as enforcement becomes stricter.

To prepare for a Sapin II audit, organisations should maintain updated risk maps, document compliance activities, provide employee training records, and regularly review the effectiveness of their anti-corruption programme.

Common corruption risks include bribery, improper gifts and hospitality, conflicts of interest, suspicious payments, third-party risks, and weak internal financial controls. Regular compliance reviews help businesses detect and reduce these risks.

Yes. A strong anti-corruption compliance programme demonstrates ethical business conduct and strengthens trust with clients, investors, and regulators. It can also improve long-term business sustainability and corporate reputation.