AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
Corporate Criminal Liability And The Regulatory Case For Risk Mapping
The Spanish Criminal Code, as reformed by Organic Law 1/2015, establishes specific requirements for the corporate compliance programs that govern the criminal liability of legal entities. Article 31 bis sets out the conditions under which an organization may be exempted from, or receive a reduction in, criminal liability, provided it demonstrates that an effective compliance program was in place before the offense occurred. Among the program requirements enumerated in Article 31 bis paragraph 5, the organization must identify the activities in the course of which the offenses to be prevented may be committed. This requirement is, in substance, a mandate for criminal compliance risk mapping.
The Spanish framework shares a common logic with the U.S. Federal Sentencing Guidelines for Organizations under Chapter 8 of the USSG, which recognize an effective compliance and ethics program as a mitigating factor at sentencing. Similarly, the DOJ Evaluation of Corporate Compliance Programs guidance evaluates whether the organization has conducted a bona fide risk assessment that informs the design and resourcing of its compliance program. In both jurisdictions, the core principle is the same: demonstrated and adequate oversight efforts to prevent compliance breaches can materially reduce penalties and, in the Spanish case, provide a complete defense.
The Circular 1/2016 of the Spanish Attorney General's Office provides additional interpretive guidance on the elements of an effective compliance program under Article 31 bis, reinforcing that a meaningful risk assessment is foundational rather than optional. Organizations operating in Spain should also consider alignment with UNE 19601, the Spanish national standard for criminal compliance management systems, which provides a structured framework for implementing these requirements.
The Strategic Purpose Of A Compliance Risk Map
Building a compliance program that delivers real business value requires the chief compliance officer to address criminal, regulatory, and ethical risks in a coordinated and systematic manner. A compliance risk map is the instrument that makes this possible. It assesses the business activities that may result in criminal offenses or, more broadly, in regulatory, legal, contractual, or ethical breaches.
The risk map serves two fundamental purposes. First, it guides prevention actions such as targeted training programs, the development of policies and procedures, and the design of internal controls proportionate to identified risks. Second, it informs contingency and response actions such as incident management, internal investigations, regulatory notifications, and remediation planning. Without a well-constructed risk map, the compliance program lacks a defensible basis for how it allocates its resources and prioritizes its activities.
Defining The Risk Mapping Scope
The foundation of any credible compliance risk map is a comprehensive risk universe. This universe should encompass all criminal offenses applicable to the organization under the relevant jurisdiction, including those enumerated under Article 31 bis of the Spanish Criminal Code, together with applicable regulations, contractual obligations, voluntary commitments such as industry codes of conduct, and known fraud schemes relevant to the organization's sector.
This risk universe allows the compliance function to classify risk factors in a way that facilitates both mitigation planning and communication to leadership. The compliance risk landscape should address industry-specific regulations, counterparty-related requirements such as anti-money laundering and sanctions obligations, and general regulatory frameworks including data protection, competition law, environmental standards, and occupational health and safety.
For multinational organizations, the risk universe must account for the jurisdictional complexity inherent in operating across multiple legal systems. A practical approach is to group compliance risk domains by general topic, such as bribery and corruption, fraud, data privacy, trade controls, or environmental compliance, and then map each topic to the specific local requirements applicable in each jurisdiction. This structure enables both enterprise-level aggregation and local operational relevance. The compliance requirement inventory should be validated by subject matter specialists from the compliance, legal, and where appropriate, regulatory affairs departments.
Integrating The Compliance Risk Map Into Enterprise Risk Management
A compliance risk map should not exist in isolation. It should be built upon and integrated into the organization's existing enterprise risk management framework. While ERM practices and internal audit risk assessments are not specifically designed to identify legal and regulatory compliance risks, they can be combined, calibrated, or linked to a compliance-specific risk map. The objective is to ensure that compliance risks are visible within the broader risk governance structure rather than siloed in a parallel process.
Following a global ERM policy ensures that the compliance risk map can be readily integrated into the organization's GRC management and reporting architecture. It also ensures that the risk taxonomy, rating scales, likelihood and impact definitions, and risk appetite thresholds are consistent across functions, enabling meaningful comparison and aggregation.
Assessing the financial impact of compliance risks is particularly important. A risk map that relies exclusively on qualitative categories without quantifying potential exposure, including regulatory fines, litigation costs, remediation expenses, and reputational harm, will struggle to compete for leadership attention and resource allocation against commercially quantified risks.
The methodological framework should be supported by recognized international standards. ISO 31000 provides the overarching principles and guidelines for risk management. ISO 37001 establishes requirements for anti-bribery management systems. ISO 37301, which replaced the former ISO 19600 in 2021, sets out requirements for compliance management systems. Alignment with these standards strengthens both the credibility and the defensibility of the risk assessment methodology.
Planning The Risk Assessment From The Top Down
Developing a comprehensive compliance risk map across a large or multinational organization can be time-consuming and resource-intensive. A pragmatic approach is to plan the assessment in phases, beginning at the enterprise level and progressively expanding into greater operational detail.
The chief compliance officer should perform an initial top-down risk assessment to identify the highest-priority risk domains and the organizational units, jurisdictions, and transaction types that warrant the most detailed analysis. This initial assessment should draw on available internal and external data sources to direct effort toward areas of greatest exposure.
The following is a simplified example of how a multinational organization might plan the phased expansion of its compliance risk mapping.
This initial framework can be progressively enriched with additional data from compliance exception reports, detailed whistleblowing and ethics hotline statistics, external audit and tax audit findings, transactional records, regulatory examination results, client complaints, employee surveys, and where relevant, social media and adverse media monitoring data.
Ensuring Broad Coverage And Operational Proximity
An effective compliance risk map must cover the actions and decisions of all individuals who act on behalf of or in connection with the organization, including board members, directors, managers, executives, employees, consultants, agents, and suppliers. Article 31 bis of the Spanish Criminal Code specifically addresses offenses committed by senior officers and by individuals subject to their authority or supervision, making breadth of coverage a legal requirement as well as a best practice.
The assessment process should involve personnel at multiple organizational levels, across jurisdictions and functional areas, to limit the cognitive and positional biases that inevitably arise when risk assessments are conducted exclusively by headquarters functions. Capturing perspectives from both senior leadership and operational staff ensures that the map reflects both strategic and ground-level risks. Performing assessments close to operations, at the site, business unit, or country level, significantly increases the probability of identifying the most relevant and material risks rather than generic or theoretical ones.
Clear ownership of each compliance risk must be established to facilitate the management of action plans, the tracking of remediation, and the escalation of issues through the governance structure. The chief compliance officer must maintain a comprehensive understanding of the full spectrum of compliance requirements and emerging issues across the organization's operating footprint. External legal advisors and specialized consultants can provide valuable support, particularly for jurisdiction-specific requirements and novel risk areas.
Building Trust To Surface Genuine Risks
The quality of a compliance risk assessment depends directly on the willingness of risk owners and operational managers to disclose their genuine risks and vulnerabilities. This willingness is a function of trust. Risk owners will provide candid and complete information only when they have confidence in the integrity and competence of the individuals conducting the assessment and believe that the process will lead to constructive action rather than punitive consequences.
Involving locally recognized and respected leaders in the risk mapping process is essential. Their participation signals organizational commitment and encourages open engagement from operational teams. Introducing the risk mapping initiative through compliance training sessions also creates a positive working environment and ensures that participants understand the purpose, methodology, and expected outcomes before they are asked to contribute.
Dynamic Follow-Up And The Compliance Culture
A compliance risk map that is produced once and then archived is not a compliance program. It is a document. In Spain, commentators and practitioners refer to this failure as compliance cosmético, the appearance of compliance without operational substance. The English-language equivalent is often described as paper compliance or window-dressing. Under both the Spanish Criminal Code and the DOJ Evaluation of Corporate Compliance Programs guidance, regulators evaluate whether the program is implemented and enforced in practice, not merely whether it exists on paper.
Compliance risks must be followed up dynamically and with a frequency proportionate to their exposure. This ongoing process includes reviewing the results of action plans against defined milestones, producing and monitoring key risk indicators, and escalating emerging or deteriorating risks to the appropriate risk committees, executive leadership, or the board.
The compliance risk landscape is not static. New risks emerge continuously from regulatory changes, enforcement trends, strategic decisions such as market entry or acquisitions, organizational restructuring, technological change, and the evolving sophistication of cybercrime and fraud schemes. A compliance risk map that does not evolve with the organization and its environment will rapidly become obsolete and will fail to provide the defensibility that the legal framework requires.
The dynamic follow-up of compliance risks and action plans is what transforms a risk map from a static inventory into a living instrument of the compliance culture. It is this ongoing discipline, visible to employees at all levels, that demonstrates the organization's genuine commitment to ethical and lawful conduct.
References
Spanish Criminal Code, including the framework relevant to legal entity liability and Article 31 bis
U.S. Federal Sentencing Guidelines for Organizations (USSG Chapter 8)
U.S. Department of Justice, Evaluation of Corporate Compliance Programs
ISO 31000, Risk Management: Guidelines
ISO 37001, Anti-Bribery Management Systems: Requirements with Guidance for Use
ISO 37301, Compliance Management Systems: Requirements with Guidance for Use
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management: Integrating with Strategy and Performance