Compared to the last version from 2014, the new guidelines investigate some additional issues, such as integrated risk management systems, control systems for tax compliance purposes, whistleblowing, and disclosure of non-financial information.
In particular, the General Part of the guidelines highlights the need to take an integrated approach to risk management with a specific focus on tax compliance. The chapter relating to supervisory boards has been made more detailed with reference to cases in which this role is entrusted to the board of statutory auditors. The appendix – Case study – has also been expanded: in addition to cases relating to crimes already identified in the previous version, new crimes are now included, such as environmental crimes, new offenses against the public administration, tax offenses, and smuggling. As in the previous version, the guidelines first establish definitions of the relevant criminal offenses and then indicate the main areas at risk of direct and indirect crime and the preventive controls to be implemented for the purpose of risk mitigation.
As for whistleblowing, following Italian Law N. 179/2017, the Guidelines focus on the role of the Supervisory Board in the event that the latter is not identified as the exclusive recipient of the reports. Indeed, based on the assumption that the whistleblowing management system should be only a part of the broad organizational model monitored by the Supervisory Board, the Guidelines suggest that the Supervisory Board must be appropriately involved (simultaneously or afterwards) following the initial assessment by the recipient of the report, where 231 relevance is detected.
The guidelines do not exclude sending a report to an external party, such as outside criminal counsel, to allow the company to receive a qualified assessment of the report received and support for internal management. However, considering the forthcoming deadline for implementation of European directive No. 2019/1937 on whistleblowing, the guidelines confirm the need to guarantee balance between the protection of whistleblowers and the safeguarding of companies against abuse and disclosure of sensitive information to competitors. To this end, reference is made to the recent ANAC guidelines on procedures for the presentation and management of ANAC reports pursuant to Law N. 179/17, which suggest the use of cryptographic tools to guarantee the confidentiality of the identity of the whistleblower and of the content of the reports and related documentation.
In the chapter dedicated to the supervisory body, Confindustria highlights the importance of providing an annual budget to support the kind of autonomous and effective oversight necessary for the performance of the envisaged tasks. Furthermore, the new guidelines emphasize the need for internal board members to be “without operational roles,” in compliance with established case law. The update also concerns the recent introduction (in January 2020) of the Code of Corporate Governance, which provides that, in order to ensure the needed coordination between the various bodies and departments, when the board does not coincide with the board of statutory auditors, the board of directors shall consider the possibility of appointing at least one non-executive director and/or one member of the control body and/or the person assigned control functions for the company.
Despite this recommendation, it is still possible for a supervisory board to be made up of external members only, provided that coordination with the parties involved in the internal control and risk management system is ensured in another way, such as by guaranteeing adequate flow of information to the board of statutory auditors and internal audit function on the results of the respective oversight activities while respecting their respective roles within the internal control system.
On a different subject, the updated guidelines dedicate much attention to integrated risk management systems. Given that compliance risks expose companies to significant judicial and administrative sanctions, as well as significant financial losses and potential reputational damage, the guidelines stress that adapting to the numerous obligations provided by compliance rules can result in overlapping processes and controls and the production of potentially inconsistent information. On the other hand, the so-called “integrated compliance” approach allows companies to streamline activities (in terms of resources, systems, and so on), increasing effectiveness and efficiency and facilitating the sharing of information.
In this respect, the guidelines highlight the importance of an integrated vision of an entity’s varied compliance needs. This can be achieved through ongoing coordination between the main corporate parties involved and the execution of joint risk assessments, in order to adopt common procedures that guarantee efficiency and streamlining without generating overlapping roles that deal with the same processes (or, on the contrary, creating a gap in oversight) and duplicating oversight and corrective actions. Appropriate interaction between the relevant areas and management allows the processes at risk, the subjects involved, and the information flows necessary for the purpose of assessing the risks of noncompliance to be identified in a preventive manner.
Finally, in the wake of the integrated approach just mentioned, the guidelines now contain a section on “Control systems for tax compliance purposes” to address potential interaction between the 231 system, now called upon to provide specific protocols for the prevention of tax offenses, and other control instruments, for the purpose of creating synergy.
Central to this new dimension is the existence of an adequate compliance system for the management of tax risk, inserted and integrated into the broader context of the corporate governance and internal control system, called the “Tax Control Framework.”
In this respect, the guidelines highlight the numerous similarities between the tax risk control system and the 231 Model, with reference to the structure of the two tax risk containment systems, monitoring and reporting activities, and information flows. However, the existence of procedures compliant with the provisions of Legislative Decree No. 128/2015 may not be sufficient to merit exemption from liability, considering that the current fiscal risk mitigation mechanism does not contemplate the presence of a supervisory board or the introduction of a disciplinary system or whistleblowing mechanism. In this respect, it may be useful to consider the tax agency’s approval of the Tax Control Framework, which is necessary for admission to the collaborative compliance procedure, for the purpose of assessing the effectiveness of an organizational model.