Adoption and implementation. The methodological approach of RSM
The Legal Decree 231 was published on June 19, 2001.
The Organization, Management and Control Model prescribed therein has gone through alternating phases: first it was regarded as an unnecessary option, then as a highly recommended measure whose main purpose was to avoid the cleaver of the Courts, which found it all too easy to extend administrative liability to entities for crimes committed by their top management and subordinates. Even today, after all this time, the Organizational Model is in most cases regarded as a necessary evil, a formal and expensive obligation to be dealt with as efficiently as possible.
As a natural consequence, the methodological approach in the implementation and adoption of the Organizational Models has so far been based on purely legal assumptions that have given rise to risk assessment procedures focused on the crime, rather than on the corporate processes and the people.
The main deficiency of an organizational model centered on the crime is that it does not cover the company processes in their entirety, effectively leaving unaddressed many areas of contiguity between the mechanisms that supervise corporate operations and the crimes that can be committed.
Practical result: to date, few Organizational Models are able to demonstrate that the company has a complete and effective tool for preventing and controlling the commission of the crimes contained in the 231 catalog.
Recently, thanks to the push of a strong ethical wave prompted both by the legislator and by the various bodies responsible for checks and surveillance on various sectors of the economy, the view of the norm has changed:
- Organizational models are seen not only as mere tools designed to prevent and control the commission of crimes by the managers of the various corporate functions, but also as tools for reviewing and rationalizing the operating mechanisms underlying the functioning of the entire organization;
- the adoption and implementation of the Organizational Models is no longer seen as a mere "regulatory obligation", but as a real organizational opportunity, that is, as an unmissable opportunity to analyze and, if necessary, redesign the entire operating system of the company machine.
This is a new methodological approach, one that has overturned the operating logic and that RSM has made its own: the starting point is no longer the crime but the business process, which takes on its natural role as the pivot around which the risk assessment procedure and the design of the Model revolve.
This approach makes it possible to support the company along the complete path, or to provide support within each individual phase according to specific needs.
RSM makes use of multidisciplinary professionals: auditors, business professionals, process engineers, audit and risk management experts, compliance experts, lawyers and system consultants able to assist the risk assessment process using both traditional and innovative techniques such as gamification.
Planning and implementation process of organizational model according to RSM approach
RSM's application methodology for planning and implementing 231 models is based on three consecutive modular processes that are nonetheless functionally independent.
The first process is Risk Assessment, which aims to get to know and to depict the company, highlighting the most interesting organizational areas so as to plan and implement the model.
The second process is the Planning and Implementation of the 231 Model proper.
Lastly, the third process is controlling and monitoring the model by checking its compliance as well as the information flows coming from the control units.
Below is a synoptic diagram that correlates the various stages of the process and a description of the individual activities:
RISK ASSESSMENT activity
- General framework of the company: it aims at collecting the information needed to draw up the design of the corporate active and passive cycles. The level of detail at which the process design is made clearly depends on the degree of formalization of the corporate organization system.
- Staff assessment: it means identifying managers and employees and collecting information and documents (proxies, powers of attorney, job descriptions, internal regulations, compliance, etc.) that are constantly monitored and updated by the model.
- Crime assessment: a risk analysis of any crime by managers and employees according to D.Lgs 231/2001. The main objective of the analysis is to assess, with reference to medium/high-risk violations, the existing control units and to compare them with those theoretically necessary to prevent and control criminal conduct.
- Action Plan: the control body receives a status quo notification as well as details of the activities necessary for planning and implementing the 231 Model. In some cases the auditing functions are so efficient that little intervention is required. Others require processes to be structured and the control system to be formalized.
- Production of executable document: an execution plan is provided which can also be implemented “stand alone” following the guidelines it contains.
PLANNING AND IMPLEMENTATION activity of 231 Model
- Organizational setup: it means carrying out the organizational activities that emerge from the Gap Analysis (see point 2 of Risk Assessment), for example auditing proxies, powers of attorney and job descriptions, or more simply creating or abolishing functions, processes or process phases.
- Setup of control units: preventing and controlling some types of crime requires the implementation of control units that are compulsory by law, for example for safety at workplaces or environmental crime, laundering crime for financial brokers, or data protection. Other types of crime instead need the creation of control units on a voluntary basis, for example corporate or tax crime. The objective of this activity is, according to the Gap Analysis (see phase 3 of Risk Assessment), to implement the systems necessary to prevent and control any 231 crime.
- Setup of prevention tools: this activity typically refers to the ethical and procedural code. In addition, we plan and implement lifelong learning for the whole staff.
- The final result is the Organizational Model 231. It is not just an interactive digital output, but also and especially a set of procedures aimed at preventing and controlling any crime under D.Lgs 231 committed by managers and employees.
The Vigilance body has two main functions: receiving alerts from special control units about any change in risk potential, and monitoring the “continuous” compliance condition of the model.
- Monitoring of model updates. It means periodically “passing around” the risk assessment procedure to see whether any organisational change, or any change provided for by the Law, requires correction and/or update of the model.
- Monitoring of information flow. The control units are planned and implemented to provide special biannual (or quarterly if necessary) reports on the possible risk of crime and any action taken by institutions for crime control.