The report and the criminal risk map


Any Compliance Programme or System is made up of a set of elements that are almost always present, regardless of the purpose or scope of the Programme or System in question. These include, for example, an internal Compliance body or person in charge, an internal communication mechanism, training, and so on.

Among these non-negotiable elements, we find the report and the criminal risk map. However, it is true that, depending on the specific purpose and scope of the Compliance Programme or System, the report and risk map can be extended beyond criminal risks, also incorporating other Compliance risks (tax; money laundering; environment; among others).

Article 31 bis 5.1 of the Criminal Code requires Compliance Programmes or Systems to include an assessment of criminal risks: “They shall identify the activities in whose scope the crimes that must be prevented may be committed”. Section 4.6 of ISO 37301 on Compliance Management Systems and section 6.2 of UNE 19601 on Criminal Compliance Management Systems also require the identification and assessment of risks.

What does the preparation of a criminal risk report and map consist of? In short, preparing a criminal risk report and map consists of analysing the activities, organisational structure and relations with third parties, i.e. the ecosystem of a given organisation, with the aim of detecting and prioritising, through an assessment, the criminal risks to which a given organisation is exposed due to its specific activities.

This is very important, as the assessment and prioritisation of criminal risks will determine the subsequent development and implementation of the Compliance Programme or System. Consequently, an abstract analysis or a copy of a third party's report and map will not do, as each organisation faces its own criminal risks. For example, the criminal risks of a construction company have nothing to do with those of a company in the pharmaceutical sector. Even between organisations in the same sector, the risk report and risk map may differ significantly depending on the dependence on public procurement, the countries of operation, the supply chain, and so on.

When should the criminal risk report and map be drawn up? Generally, this takes place during the initial phases of the design of the Compliance Programme or System, as it allows for an in-depth study of the organisation's activities and organisational structure. Furthermore, policies, procedures and other control mechanisms must be adopted on the basis of the risks detected, especially for those risks assessed as being of greater criticality.

However, the criminal risk report and map must be current at all times and should therefore be reviewed on a regular basis and duly updated when there are internal or external reasons that may lead to a change in the identification or assessment of criminal risks. Such reasons include the launch of a new line of business, the acquisition of a company, changes in applicable legislation, and sanctions or relevant breaches, among others.

In this way, the criminal risk report and map is a key element in any Compliance Programme or System: it should be prepared at an early stage of the design and should be reviewed and updated appropriately.

Compliance Department of Molins Defensa Penal.
