Risk Compliance and Organizational Models 231 - RICO

Organisational Models 231

Adoption and implementation. The methodological approach of RSM

The Legal Decree 231 was published on June 19, 2001.

The prescription of the Organization, Management and Control Model contained therein has gone through alternate phases, going from being considered an unnecessary faculty, to being considered a highly recommended fulfillment with the main purpose of avoiding the cleaver of the Courts, which had too easy game extending administrative liability to entities for crimes committed by their top management and subordinates. Even today, after all this time, the Organizational Model is in most cases of its application considered as a necessary evil, a formal and expensive fulfillment, to be addressed in the most efficient way possible.

As a natural consequence, the methodological approach in the implementation and adoption of the Organizational Models has so far been based on purely legal assumptions that have given rise to risk assessment procedures focused on the crime, rather than on the corporate processes and the people.

The main deficiency of an organizational model based on the centrality of the crime is that it does not intercept the company processes in their entirety, effectively leaving many areas of contiguity between the mechanisms that supervise the corporate operation and the crimes that can be committed swing.

Practical result: to date few Organizational Models are able to demonstrate that the company has a complete and effective tool in the prevention and control of the commission of the crimes contained in catalog 231.

Recently, thanks to the push of a strongly ethical wave provoked by both the legislator and by various bodies responsible for checks and surveillance on various sectors of the economy, the vision of the norm has changed:

• Organizational models are seen not only as mere tools designed to prevent and control the commission of crimes by the managers of the various corporate functions, but also as tools for reviewing and rationalizing the operating mechanisms underlying the functioning of the entire organization;

• the adoption and implementation of the Organizational Models is no longer seen as a mere "regulatory obligation", but as a real organizational opportunity, or as an unmissable opportunity to analyze and, if necessary, redesign the entire operating system of the company machine.

A new methodological approach that has overturned the operating logic and that RSM has made its own: the starting point is no longer the crime, but the business process that assumes its natural role as a pivot around which the risk assessment procedure rotates and the design of the Model.

An approach that allows you to support the company in the complete path, or to provide support within each individual phase according to specific needs.

RSM makes use of multidisciplinary professionals: auditors, business professionals, process engineers, audit and risk management experts, compliance experts, lawyers and system consultants able to assist the risk assessment process using both traditional and innovative techniques such as gamification. 

Planning and implementation process of organizational model according to RSM approach

RSM application methodology for planning and implementing  231  models is based on three counsequential modular processes, but functionally independent.

The first process is Risk Assessment, which aims to get to know and to depict the company, highlighting the most interesting organizational areas so as to plan and implement the model.

The second process is proper  Model 231  Planning and Implementation.

Lastly, the third process is controlling and monitoring the model through checking its compliance as well as its information flows coming from control  units.

Below is a synoptic diagram that correlates the various stages of the process and a description of the individual activities:

RISK ASSESSMENT activity

1. General framework of the company: it aims at collecting information to obtain the design of corporate active and passive cycle. Detailed level with which process design is made clearly depends on the formalization degree of the corporate organization system.
2. Staff assessment: it means  finding managers and employees, with collection of information and documents (proxy, power of attorney, job description, indoor regulation, compliance, etc.) constantly monitored and updated by the model.
3. Crime assessment: risk analysis of any crime by managers and employees according to D.Lgs 231/2001. The main objective of the analysis is assessment, with reference to medium/high risk violation, of existing control units and to compare them with those theoretically necessary to prevent and control criminal conduct.
4. Action Plan: the control body receives a status quo notification as well as details of necessary activities for planning and implementing 231 Model. There are cases of such efficient auditing functions so as to require little intervention. Others require structuring processes and formalizing control system.
5. Production of executable  document: an execution plan is provided which can also be implemented “stand alone” following the guidelines it contains.

PLANNING AND IMPLEMENTATION activity of 231 Model

1. Organizational setup: it means doing organizational activities emerging from GAP analysis – see point 2 of Risk Assessment. For example proxy auditing,of power of attorney and of job description. Or more simply the creation or abolition of functions, processes or process phases.
2. Setup of control units: preventing and controlling some types of crime provides the implementation of control units compulsory according by law.  For example safety at workplaces or environmental crime, laundering crime for financial brokers or data protection. Other types of crime instead need the creation of control units on a voluntary basis. For example corporate or tributary crime   The objective of this activity is, according to Gap Analysis – see phase 3 of Risk Assessment – to implement the necessary systems to prevent and control any 231  crime .
3. Setup of prevention tools: this is the activity with which we typically refer to ethical and procedural code. Moreover we plan and implement lifelong learning to the  whole staff.
4. The final result is Organizational Model 231. It is not just an interactive digital output, but also and especially a set of procedures aimed at preventing and controlling any crime according to D.Lgs 231 made by managers and employees.

MONITORING activity

Vigilance body has two main functions: receiving alter from special control units about any change in risk potential; monitoring the “continuos” compliance condition of the model.

1. Monitoring on model update. It means periodically “passing around ” the risk assessment procedure to see if there is any organisational change, or provided for by the Law, imposing correction and/or update of the model.
2. Monitoring of information flow. The control units are planned and implemented to provide special biannual (or quarterly if necessary)  reports on the possible risk for crime and any action taken by institutions for crime control.

Management system for gender equality

Adopting a gender equality policy based on respect and enhancement of diversity and equal opportunities in the workplace is one of the practices that distinguish the most innovative and most profitable companies

The reference practice UNI / PdR 125: 2022, which entered into force on March 16, 2022, defines the guidelines on the management system for gender equality and is a candidate to be the first and only reference for all organizations that decide to pursue gender equality. To create an inclusive work environment, following the prescriptions contained in the Uni / PdR 125: 2022 practice, organizations must measure, report and evaluate gender data in order to fill gaps and produce sustainable and lasting change over time. To correctly identify the data and information relating to inclusion and gender equality, the organization must use certain performance indicators (KPIs), as required by practice, characterized by being practicable, relevant and comparable and able to guide change and represent the continuous improvements implemented.

How we support companies towards gender equality certification

The RICO Team of RSM, in light of the operational recommendations provided by the practice, supports companies in defining the strategic plan that must be implemented in order to protect and enhance gender equality and which translates into the setting of a management model which, through the preparation and continuous monitoring of adequate KPIs, allows the organization to maintain the defined and implemented requirements.

The operational support of the Team translates into the implementation of the following phases of the strategic plan, as required by the guidelines provided by UNI / PdR 125: 2022 (source UNI / PdR):

1. identification of company processes related to the identified issues relating to gender equality;
2. identification of strengths and weaknesses in regard to the issues;
3. definition of objectives;
4. definition of the actions decided to fill the gaps;
5. definition, frequency and responsibility for monitoring the defined KPIs.

RSM also assists the customer in maintaining all aspects of the management system, namely the collection and archiving of documentation, monitoring of indicators, internal and external communication, planning and implementation of internal compliance audits, the management of non-conformities and improvement actions and periodic review of the system.