Italy: The suitable 231 model according to the Court of Milan

published on 4 June 2024 | reading time approx. 4 minutes

In Judgement No. 1070 of 2024, the Court of Milan excluded the liability of a company for the administrative offence referred to in Article 25-ter, Legislative Decree No. 231/2001, dependent on the crime of false corporate communications, recognising the suitability of the organisational model adopted by the same.

This pronunciation is in line with the well-known “Impregilo Judgement” (Criminal Court of Cassation, Sec. VI, 15 June 2022, no. 23401), confirming that the organisational fault of the entity cannot be automatically deduced from the mere commission of a predicate offense, in the absence of a precise verification of the suitability and effective implementation of the organisational model implemented in the concrete case.

The disputed organisational model

The company involved in the criminal proceedings had already adopted its own organisational model in 2006, which was subsequently updated in 2011 and then in 2016. The Prosecutor’s consultant who had examined it had deemed the 2016 version to be suitable, but not the 2011 version, which was in force at the time of the commission of the offence by the top management. Specifically, this model had been deemed deficient in that it consisted only of the general part and lacked both an analysis of the risk of offense and internal control measures functional to preventing the commission of the offence in question.

The Court’s arguments

The Board, in order to verify the actual unsuitability of the model, specified what the elements of an “effectively structured” organisational model should be.

Recording the main best practices developed in the field of compliance 231, the Judges confirmed that the model must be divided into two parts, a general and a special one, specifying that the former must include:

the code of ethics
information and training activities on the model
an adequate whistleblowing system to report any violations;
the disciplinary system;
the establishment of a supervisory body.

However, reading the judgment, one is struck by the particular attention devoted to the special section and, more specifically, to the importance of risk assessment activities and preventive protocols.

In the opinion of the Judges, the risk assessment process must start from a preliminary analysis of the areas at risk, focusing on those so-called instrumental to the commission of the predicate offenses.

Subsequently, it is necessary to “map” the sensitive processes and activities, indicate the corporate roles involved, assess the degree of effectiveness of the operating systems and identify any critical issues. Finally, it is also important to describe the possible ways in which offenses may be committed.

Having assessed the risk assessment activities, the Judges stated that the “beating heart” of the model must be identified in the preventive operating protocols, which must provide for:

the indication of a person responsible for the process at risk of offense
the regulation of the process and the identification of the persons involved, in accordance with the principle of segregation of duties;
the specificity and dynamism of the protocol;
the guarantee of completeness of information flows;
effective monitoring and constant control.

The trial findings

Having said this, the trial findings have in fact refuted the shortcomings highlighted by the Prosecution:

the minutes of the Supervisory Board acknowledged that risk assessment activities had indeed been carried out, albeit with a less sophisticated methodology than the 2016 update;
moreover, even though the 2011 model did not formally provide for a special section, it referred to policies implemented at group level, relating to the methods for managing the main activities at risk of offenses, and implemented at local level.

The Court, therefore, excluded the liability of the entity, recognising the substantial suitability of the organisational model adopted and demonstrating its fraudulent evasion by the company management, which had engaged in a conduct of total circumvention of the existing controls (so-called “management override”).

Conclusions

If the aforementioned “Impregilo Judgement” had laid the foundations for a more accurate assessment of organisational models, the Court goes much further.

The judgment in question, in fact, has the merit of confirming the importance of adopting and effectively implementing organisational models that, even in the face of the commission of an offense, are able to exonerate entities from 231 liability, also thanks to adequate whistleblowing channels - the fraud had, in fact, emerged as a result of a report.

This judgement must, therefore, represent a beacon for companies towards which to direct their choices in terms of organisation, management and compliance.