“231” infractions and companies’ administrative liability

Still haven’t complied with the requirements of Decree 231/2001?
That’s no good.
Still haven’t set up preventive measures and a control body?
That’s too bad! It would have been in your interest.
All the same there is a solution to everything. Late-comers would do well to move on this, because, although 231 compliance is not a legal obligation, it would be a missed opportunity not to.
Here’s why.

Marco Gradenigo

First set
For the few who don’t already know, the first thing is to illustrate what Legislative Decree 231 is and what it entails. That’s what we’ll do, briefly, in this chapter.
Legislative Decree 231, governing “administrative liability” of companies, which went into effect in Italy in 2001, extends liability to companies (to “bodies”) even for certain criminal acts. The sanctions provided for are of course administrative.

The first thing that needs to be said – and said clearly – is that this liability “of the company” does not replace the individual liability of executives, but rather adds to it. To put it bluntly, companies can also be held liable for committing crimes, and when that happens, the burden of proof is on them to prove their innocence.

There are some 18 well-defined types of “231” infractions for which a company can be held liable.
Among these, those most deserving of the attention of anyone running a business are those that have to do with workplace safety, corruption and extortion of public officials (crimes against public administration), copyright infringement and counterfeiting, money laundering and self-laundering (the latter recently introduced and particularly “attractive” to investigating authorities), so-called “environmental” crimes, and others, not necessarily less serious.

Applicable sanctions are of various type, and it is of course left to the judge’s discretion which to apply when a company is held liable. Some are purely financial, others consist in confiscating profits resulting from the crime or offense, but those applicable to the most serious cases can restrict the company’s very ability to do business.

Three conditions must be met in order for liability to be attributable to the company:
1) the crime is committed by so-called “apicals” (individuals responsible for managing or controlling the company), or anyone following their orders: management, company representatives, but also consultants and partners;
2) the crime has resulted in an economic benefit or other advantage for the company;
3) the crime has been committed in contravention to the requirements and dispositions provided for by the “organisational model”.

Let us not be intimidated by all this. In the second set, we will cover the burden of proof, which the law also addresses and instructs us on how to be prepared. We will see how to do just that by adopting and implementing an “Organisational, Management and Control Model”.

Second set
In the previous set we said there is a solution to everything. This is not to say that prevention isn’t always preferable to remedies after the fact. Here’s how to implement prevention.
The law provides for the company being “immune” (in technical terms, benefiting from a liability exemption) if the company has arranged and effectively implemented certain preventive measures. In such cases, the burden of proof is reversed The foundation of prevention lies in the company’s adoption of the “Organisational, Management and Control Model”.
This document must specify the procedures in place for dealing with any 231 infractions to which the company may be exposed and indicate control measures that it must enact in order to prevent such crimes from being committed.
Moreover, the company must avail itself of oversight structures to guarantee that the Model is updated and up to code. To this end, a Control Body must be appointed.

So how does applying these recommendations represent a potentially advantageous opportunity?
Firstly, because developing such a program as the one described above enables the company to avoid or at least mitigate attribution of liability, and, certainly no less importantly, to avoid or reduce resulting sanctions – a sort of “legal insurance”, a preventive shield.

For example, in workplace safety (D.Lgs. 81/2008), if the model is consistent with the principles of OHSAS certification, it is automatically considered in compliance with the law, and thus suffices to presume that the company is not liable, making it immune in cases of workplace accidents. At the very least, any sanctions in cases where liability is adjudicated will be drastically reduced. Sanctions in this area can be extremely harsh... just consider the inauspicious Thyssen-Krupp case.

Things took a very different turn in the Impregilo case, in which the upper management was investigated for manipulating markets (one of the listed 231 infractions), but the company was exonerated thanks to the finding that it was immune due to its having implemented the Model.

There is another aspect to be considered when developing a 231 program, which is equally if not more important.
As mentioned above, compliance with the requirements of this decree is not a legal obligation. It carries associated costs, but also benefits. Both can be intangible, but also very concrete (e.g. reputation, creditworthiness).

Analysis of a company’s so-called “sensitive” processes, a necessary first step to developing a Model, is in a practical sense an analysis of business/industrial risk, which lays the foundation for an organizational and procedural action plan for containing or eliminating such risks.

Consider compliance with the prescriptions pertaining to money laundering, which requires accounting for all customers and meeting a minimum threshold of detail in such accounting. This is certainly a form of onerous red tape, with associated administrative costs, but it also represents attention to the company’s creditworthiness, which in turn improves its portfolio and reduces the risk of insolvency.

Third set
How does a company go about developing and maintaining an Organisational, Management and Control Model, and keep it effective?
The business leadership, generally speaking the Board of Directors or Sole Director, formally decides to meet the requirements of the decree and forms a control body and appoints its members (one or more).

This process will involve an analysis of all business procedures. The core of this analysis lies in identifying individual activities which pose the risk to the company of breaking the law.
Often, but not always, this stage of the process is run with the support of a specialist consultant, who will employ proven methodologies and a predetermined analysis format.

Any gaps identified by the analysis will serve as the basis for the action plan, with timeframes, assigned to specific actors within the organization, who will be tasked with implementation. Once this is implementation has been carried out, the identified risks can be reduced or eliminated.

Control protocols and management procedures, as well as management roles and responsibilities, will be defined for each sensitive process or activity identified.

We come full circle
D.Lgs. 231 compliance effectively means reducing business risks.
Meeting the requirements of the decree is not only a preventive shield against liability, but also and especially a tool for proactively diagnosing weaknesses in the company’s internal control mechanisms, and for repairing them.

Consider workplace safety compliance. Has your company appointed a safety manager? Has it written up a risk analysis report? Does it have a unified assessment of risks generated by interference between activities conducted simultaneously in the same workplace (DUVRI), and is it up to date, complete and governed by a specific procedure? Has the company implemented a health oversight mechanism, and is it operational?

For businesses that have dealings with government agencies, adopting an organizational, management and control model is essential and practically obligatory in order to benefit from the liability exemption in cases of crimes against the public administration. The case law continues to expand, and the jurisprudence on the topic is already vast.

Preliminary risk analysis and identification of control mechanisms lay the groundwork for the model, and once the control body has been established, it can be put to the Board of Directors for adoption.

There are many other important and pressing issues worth delving into further: self-laundering, specific aspects of the model, the only very recently introduced practices concerning whistleblowing, what the Control Body does and how it should do it, etc. These are topics for further study. 

Marco Gradenigo
Temporary internal control system managerial consultant; member of 231 industrial and service company  control bodies.