Back to blog

Monday, December 22, 2025

Reinforcing anticorruption risk training, AFA multiannual plan's priority

Regulatory Updates & Insights
Iratxe Gurpegui
Written by
Iratxe Gurpegui
9 min read
Reinforcing anticorruption risk training, AFA multiannual plan's priority

The French Anticorruption Agency (Agence Française Anticorruption, AFA) has placed a clear emphasis on protecting economic actors against breaches of probity. In its multiannual plan, the AFA elevates anticorruption risk training from a supporting activity to a strategic lever. For intermediate-sized enterprises, this is both an opportunity and a near term priority. Reinforcing training is one of the fastest ways to reduce exposure, demonstrate program effectiveness, and align with Loi Sapin II and ISO 37001 expectations.

Why training is front and center in the AFA plan

Under the section “Protéger les acteurs économiques contre les atteintes à la probité,” the AFA underscores that prevention hinges on people’s ability to recognize risk and respond correctly in real time. Box ticking awareness is not enough. The plan points toward risk targeted upskilling for exposed roles, stronger integration of training with risk mapping and controls, and better measurement of outcomes.

For companies, three implications stand out:

  • Prioritize the people who sit at the highest risk front lines, for example sales and channel partners, procurement, project delivery, finance shared services, customs and logistics, and anyone interfacing with public officials.
  • Make training concrete, scenario based and localized, so employees practice decisions on gifts and hospitality, sponsorships and donations, use of intermediaries, cash equivalents, discounts and rebates, facilitation payments, and public procurement interactions.
  • Prove effectiveness with coverage, knowledge and behavioral indicators, not only completion certificates.

This dovetails with obligations already in place. Loi Sapin II requires companies within scope to train staff most exposed to corruption risks, and the AFA’s recommendation clarifies the risk based principle and expected evidence. ISO 37001 also requires competence, awareness and communication aligned to exposure, which means proportionate depth and frequency for different audiences.

What Sapin II already expect

Loi Sapin II, article 17, requires a training program for exposed staff. The AFA expects a documented plan, a risk based audience matrix, adapted content by role and geography, recurring refreshers, and audit proof records.

If you already align to these framework, the AFA plan is not a new burden. It is a call to deepen risk alignment and to show that training changes behavior.

In a modern meeting room, a compliance officer facilitates a scenario based anti bribery workshop with a procurement buyer, a regional sales manager and a project lead. On a wall screen, a simple risk map highlights high exposure processes such as public tenders, use of agents and gifts and hospitality. Participants discuss a realistic dilemma about a distributor asking for an unusual success fee.

From awareness to risk training

Traditional awareness modules raise general knowledge. Risk training builds judgment at the exact point where incidents occur. To pivot from awareness to risk training, focus on five design choices:

  • Start from your risk map. Map each significant risk to one or two decisions employees must get right and build the learning around those decisions.
  • Make it role based. Sales and channel teams need different scenarios than accounts payable or tendering teams.
  • Use real documentation. Show excerpts from your actual policy, due diligence checklist or approval workflow so learners practice with the tools they will use at work.
  • Include red flags and escalation anchors. Teach the signs of third party risk and where to seek help or pause the transaction.
  • Localize. Add country specific thresholds, gift rules and public procurement constraints where relevant.

A 60 day action plan for intermediate sized enterprises

Day 0 to 15, align scope and risks

  • Confirm the top five corruption risk scenarios from your latest risk map, for example agents and distributors, gifts and hospitality around tenders, charitable contributions linked to sales, single source awards, cash like marketing rebates.
  • Segment audiences by exposure, for example very high, high, medium, and low, covering employees and key contractors who act on your behalf.
  • Inventory what already exists, for example policies, job aids, onboarding briefings, manager talking points.

Day 15 to 30, design and pilot

  • Build short, scenario based modules, 15 to 25 minutes, including decisions with immediate feedback and references to your policy and approval paths.
  • Prepare manager toolkits, two pages to run a 10 minute huddle, and concise job aids, one page red flag checklists and do not proceed triggers.
  • Pilot with two high exposure teams and gather feedback.

Day 30 to 60, scale and measure

  • Roll out to all very high and high exposure roles. Schedule onboarding plus annual refreshers, with microlearning nudges during high risk seasons.
  • Implement measurement, knowledge checks, scenario pass rate, red flag escalations, hotline health, and quality of justifications for exceptions.
  • Document evidence, a training plan, completion and assessment logs, materials, updates, and management reviews.

For deeper program context, see our explainer on Sapin II obligations and evidence the AFA expects in audits: compliance under Loi Sapin II explained.

a role based matrix you can adapt

Audience

Core topics

Typical cadence

Format

Evidence to retain

Board and C suite

Tone at the top, oversight duties, gifts and hospitality thresholds, sensitive sponsorships, high risk third parties, investigations and sanctions posture

Onboarding, annual refresher

Briefing plus case workshop

Agenda, deck, attendance, declarations of commitment

Sales, bid and channel teams

Public procurement interactions, tenders and bid rigging red flags, intermediaries and success fees, rebates, gifts and hospitality around deals, travel and events

Onboarding, annual, pre tender microlearning

Scenario based module plus manager huddles

Completion logs, quiz scores, huddle notes, red flag escalations

Procurement and finance

Single source justification, conflicts of interest, payment terms, cash equivalents and gift cards, vendor onboarding red flags, sponsorships linked to suppliers

Onboarding, annual

Scenario based module plus checklists

Completion, checklist usage, exception approvals

Projects and operations

Permits, customs brokers, facilitation pressure, site gifts, charitable giving in communities, third party oversight

Onboarding, annual, country specific addenda

Field scenarios plus pocket cards

Completion, local attendance sheets, translations

Control functions and compliance champions

Due diligence depth and refresh, investigations hygiene, accounting anomalies, monitoring and reporting

Onboarding, annual, update on changes

Deep dive workshops

Minutes, updated playbooks, action items

Measure effectiveness, not only completion

AFA controls increasingly focus on effectiveness, which means outcomes and signals of behavior change. Build a compact set of indicators the board understands. Our guide on risk metrics details what works in practice, including measurement tips and data sources, see 10 compliance dashboard risk metrics your board actually cares about.

A practical measurement set for anticorruption training includes:

  • Coverage rate for very high and high exposure roles, target above 95 percent within 45 days of assignment.
  • Knowledge retention, scenario pass rates and second attempt improvement.
  • Speak up health, hotline volume and quality of reports, pre and post campaign.
  • Red flag escalations, uptick in consults before transactions and decrease in after the fact exceptions.
  • Control quality, fewer missing approvals or incomplete due diligence files in high risk processes.
  • Remediation timeliness, time from red flag to mitigation decision.

Document the method, data sources, frequency and who reviews the findings. This is what turns training into a living component of the program rather than a static activity.

Avoid recurring pitfalls in AFA controls

  • Generic content for everyone. Fix by linking every module to your risk map and by tailoring to processes and geographies.
  • Training that ignores third party touchpoints. Fix by covering the lifecycle, onboarding, due diligence depth, contract clauses, payment controls and monitoring.
  • No link to policies and approvals. Fix by embedding your actual thresholds, forms and approval steps.
  • Weak records. Fix by centralizing a training plan, materials, attendance or completion logs, quiz records, and minutes of management reviews.
  • No refresh at job change. Fix by integrating training assignment with HR role changes and transfers.

If you need to upgrade your risk map first, follow our pragmatic methodology and templates in how to build a compliance risk map in 6 steps and our ISO 37001 aligned approach in risk assessment methodology for ISO 37001, practical steps.

How technology accelerates delivery and evidence

You do not need a new learning system to align with the AFA plan. You need a risk aligned way to assign, remind, and evidence what you already train.

Naltilia helps compliance teams do exactly that:

  • Use regulatory risk assessment to pinpoint very high and high exposure roles and processes, which drives who must be trained and on what.
  • Turn remediation actions into assignable tasks, for example a scenario module for all tender facing sales reps in specific regions, with owners and deadlines.
  • Generate tailor made policies and job aids that become the backbone of scenario based training and manager huddles.
  • Rely on automated data collection to consolidate evidence from your existing tools, for example attendance exports, quiz results or attestation forms, into a single audit ready register.
  • Orchestrate compliance workflow automation so training assignments, reminders and escalations follow your risk policy and so management can see completion and effectiveness on one dashboard.

If you want an end to end view that auditors trust, read our guidance on documentation that stands up in reviews, build a compliance program that auditors trust.

Extend awareness to key third parties, with proportionality

The AFA plan’s protection focus is not limited to employees. Many incidents occur through intermediaries and suppliers. While Loi Sapin II centers the training obligation on employees most exposed, it is good practice to raise awareness for high risk third parties who represent you or act in your name.

  • Include anticorruption clauses and policy acknowledgements for high risk intermediaries.
  • Share short guidance notes or scenario cards with distributors and agents about red flags and escalation routes.
  • Integrate awareness with your due diligence refresh cycle and with periodic business reviews.

For a proportionate vendor approach, see our practical guide, from red flags to trust: vendor risk management.

Frequently Asked Questions

Does the AFA multiannual plan create new legal obligations to train third parties? No. Loi Sapin II obligations target employees most exposed to corruption risks. The AFA plan emphasizes strengthening prevention and effectiveness, which can include proportionate awareness measures for high risk third parties as good practice.

What will AFA controllers look for on training? A documented plan linked to your risk map, a role based audience matrix, adapted materials and scenarios, coverage and knowledge indicators, evidence of completion and assessment, and management review of effectiveness with improvements recorded.

How often should exposed staff be trained? At onboarding and with at least annual refreshers for high exposure roles. Add microlearning before high risk moments, for example tender cycles, major sponsorships, new agent onboarding, or market entries.

What counts as evidence during an AFA control? Approved training plan, list of audiences by exposure, materials used and versions, attendance or completion and quiz records, manager huddle notes, evaluations, corrective actions and minutes of management review.

How do ISO 37001 and Sapin II align on training? Both require risk based competence and awareness. ISO 37001 uses competence, awareness and communication clauses, while Sapin II’s article 17 and the AFA recommendation frame training as a mandatory component for exposed staff. The practical approach is similar, proportionate depth, recurring cadence and documented evidence.

Can AI help without replacing human judgment? Yes. AI can help identify exposure from your risk assessment, route assignments, and consolidate evidence. Human experts must still own content, context and decisions, especially in gray areas.

Put the AFA priority into practice

Reinforcing anticorruption risk training is the fastest path to align with the AFA multiannual plan and to reduce real exposure. Start with a sharp risk map, design role based scenarios, measure effectiveness and keep audit ready evidence. If you want to accelerate the heavy lifting, see how Naltilia can operationalize risk alignment, remediation actions, policy generation, data collection and workflow automation in one place. Request a short walkthrough of Naltilia.

Back to blog