Companies operating in multiple countries need compliance programs that take into account varying national requirements.
In Italy, for example, the Supreme Court recently established that in addition to Italian companies, foreign companies are required to implement compliance programs (known as “231 Models”) that meet the standards provided by Italian Decree No. 231/2001 (“Decree”) in order to avoid corporate criminal liability.[1]
What are these standards, and can they be reconciled with the understandable need of companies to have harmonized, coherent, and not overly fragmented compliance systems?
Without getting into specifics about individual nations, most of the characteristics of an adequate and effective compliance program are established by international best practices. The most recent valuable input can be found in the updated version of the U.S. Department of Justice (“DOJ“) guidance on “Evaluation of Corporate Compliance Programs” (“Guidance“), published on June 1, 2020, which enumerates the factors that U.S. prosecutors weigh when assessing a company’s compliance program.[2] A prior version of the Guidance was issued in February 2017 and revised in April 2019.
The Guidance describes the elements that make a compliance program adequate: it should be not only well-designed and tailored to the specific company’s risk profile, but also supported by management, integrated into business operations, and properly resourced and empowered to function effectively. These qualities are largely comparable to the adequacy requirements for 231 Models set out in Section 6 of the Decree.
It is worth noting, for example, that similarly to recommendations in Italy, the Guidance explains that companies should:
- periodically refresh their risk assessments: A risk assessment should not be a “snapshot in time” but instead must be “based upon continuous access to operational data and information across functions” and incorporate lessons learned from the company’s own prior issues as well as from the issues of other companies operating in the same industry and/or geographical region. A risk assessment needs to be completed with a gap analysis that leads to updates for policies, procedures, and controls. The same principles are the foundation of the methodology for crafting an adequate 231 Model.
- invest in training and communications: It is crucial that training for employees be “tailored to the audience’s size, sophistication, or subject-matter expertise” and that policies and procedures be easily accessible – “published in a searchable format for easy reference” — and understood by all employees. Similarly, Model 231 documentation and related policies and procedures need to be communicated to personnel and embedded in the company’s compliance culture through proper training. Useful hints from the Guidance are related to the advisability of having a process under which employees can ask questions “arising out of the trainings” and mechanisms to evaluate “the extent to which the training has an impact on employee behavior or operations.”
- set up confidential reporting structures and investigation processes: It is not news that whistleblowing is one of the key tools used to test the effectiveness of compliance programs. But in order to work properly, reporting mechanisms need to be embedded into a company’s culture and employees need to feel comfortable using them. According to the Guidance, reports must be investigated in an independent, objective, and appropriate way and companies should periodically “test the effectiveness of the hotline, for example by tracking a report from start to finish.” Likewise, in Italy, companies’ compliance systems include whistleblowing procedures; however, the focus is more on ensuring confidentiality of the whistleblower’s identity and protecting him/her from retaliation.
- react to compliance violations: Establishing and applying disincentives for noncompliance are key factors of a well-designed and effective compliance program. Companies should have clear disciplinary procedures in place, enforce them consistently across the organization, and ensure that the procedures are commensurate with the violations. Likewise, in Italy, the 231 Model must include a section dedicated to the disciplinary system where sanctions are imposed in relation to compliance violations. It is interesting to note that the Guidance goes a step further than Italian standards by encouraging rewards for virtuous behavior. The DOJ observed that “some companies have also found that providing positive incentives — personnel promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership — have driven compliance. Some companies have even made compliance a significant metric for management bonuses and/or have made working on compliance a means of career advancement.”
- apply risk-based due diligence to their third party relationships: Implementing proper third-party due diligence means not only adopting screening procedures, but also having an “understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors,” as well as knowing the business rationale for needing a third party in a transaction. In this respect, according to the Guidance but also in light of Italian best practices, it is crucial that: i) contract terms with third parties specifically describe the services to be performed; ii) compensation be commensurate with the work being provided in that industry and geographical region; iii) controls are in place to oversee actual performance of third parties’ work; iv) risk management of third parties exists throughout the lifespan of the relationship, not only during the onboarding process.
Although there is no official manual on how to structure global compliance programs, the Guidance seems to be an updated overview of virtuous mechanisms and best practices that can inspire global and local compliance experts to face the challenges of contemporary compliance.
[1]Please refer to our previous article at the following link: https://portolano.it/newsletter/portolano-cavallo-inform-litigation-arbitration/italian-supreme-court-confirmed-corporate-criminal-liability-of-foreign-companies-pursuant-to-legislative-decree-no-2312001.
[2] Given the extraterritorial scope of U.S. regulations (e.g., FCPA), the Guidance represents a useful benchmark for all companies with links to the U.S.
