THE ENACTMENT OF LEGISLATIVE DECREE 231. At the time of its enactment in 2001, Legislative Decree no. 231 had a revolutionary impact on the Italian legal system as it subverted a basic tenet of Italian criminal law according to which corporations bore no criminal liability. The assumption that only individuals could be directly subject to criminal sanctions was erased and a system aimed at punishing corporations for crimes committed by individuals to their advantage or in their interest was created. A specific set of sanctions able to punish the corporation and its shareholders was devised: monetary sanctions and blacklisting sanctions (inclusive of the prohibition to carry on the business activity and the appointment of receivers), which may also be ordered on an interim basis, apply instead of arrest and imprisonment of individuals.
THE PRINCIPLE OF LEGALITY. Along with the horrific prospect of monetary fines up to 1.5 million Euros and disqualification from contracting with the Italian public administration (which is the source of vital revenues for many companies, especially in the life sciences field) came a couple of good news. First of all, criminal liability of the corporation is subject to the principle of legality, i.e., it arises only if certain specific crimes listed in Legislative Decree no. 231 are committed. A corporation, therefore, does not have to face the Italian criminal code in its entirety and may focus on a subset of crimes. The list of crimes has however been increased time and again by the Italian legislator and crimes giving rise to corporate liability now span from terrorism to money-laundering (and with each new addition that initial sense of relief gradually fades…).
AN EXEMPTION FROM LIABILITY. In addition, Legislative Decree no. 231 expressly provides for an exemption from criminal corporate liability when the following circumstances are proven:
- prior to the commission of the fact, the management body has adopted and effectively implemented organizational and management models adequate to prevent crimes similar to those of the type that occurred;
- an internal corporate body (organismo di vigilanza) having autonomous powers of initiative and control has been entrusted with the task to oversee the application and compliance with such model, has ensured that the model is updated, and its vigilance has not been omitted or insufficient.
The key to shielding a company from criminal corporate liability is apparently easy as there are only two main ingredients required for this recipe: an “organizational model”, and an effective vigilance body. Once both are proven by the defendant, then the burden of proof shifts to the prosecutor. As often highlighted by case law, criminal corporate liability is not strict liability (responsabilità oggettiva), but applies only as a consequence of “organizational negligence” (colpa di organizzazione). But what is exactly an organizational model and which are its essential features in order for it to be an effective ground of exemption from liability?
WHAT IS AN ORGANIZATIONAL MODEL? In the course of the last decade or so, many corporations have tried to understand what an organizational model is, and how to set up one. The industry associations CONFINDUSTRIA, representing industrial companies, and ASSOBIOMEDICA, in the name of medical device manufacturers, have gone as far as drafting guidelines in order to shed light on this exemption from liability. In particular, ASSOBIOMEDICA has just released interesting Guidelines on this subject in November 2013.
Such guidance is very welcome as, in fact, Legislative Decree 231 deals with the issue only in a few sentences and the interpreters have been left with the difficult task of… making sense of them. A useful hint comes from the legislator’s requirement that a model meets the following conditions (which also serves as step-by-step method on setting up a model):
“a) identifies the activities which may give rise to the commission of crimes;
b) provides for specific protocols aimed at programming training and executing the decisions of the corporation in relation to the crimes that must be prevented;
c) identifies ways to manage financial resources adequate to prevent the commission of crimes;
d) foresees obligations to inform the vigilance body required to oversee the functioning and compliance of models;
e) introduces an adequate disciplinary system aimed at sanctioning any lack of compliance of measures set forth in the model”. (Section 6, paragraph 2)
The first step explains what I like to describe as the “soul searching” activity that the corporation must carry out in order to answer the following question: which business activities can lead to the commission of crimes? This also illustrates why a “cut & paste” organizational model will never work, since the law deems that the corporation has adequately prevented the commission of the 231 crimes only after understanding where and how likely they are committed. An organizational model must, at any given time, be extremely customized to its business, market, organizational structure and to the actual activities of the corporation.
Once risks are in focus, measures can be set up in order to prevent corporate crimes. The company is free to determine which measures to adopt, but preventive measures need to be sufficiently effective so that an individual must have fraudulently eluded them in order to commit the crime.
Only the corporation itself can determine which measures are appropriate and effective: measures, in fact, can range from a code of conduct to organizational measures, from policies, procedures and protocols mapping and regulating business activities to controls and monitoring systems adequate to verify if the prescriptions by the corporation are actually followed by employees. Specific attention is given to financial resources, which Legislative Decree no. 231/2001 believes should be managed with sufficient protocols, separation of functions and controls as to prevent any crimes from being committed with corporate funds. Last but not least, an organizational model needs some “teeth”: if employees do not abide by the rules, they need to be adequately sanctioned.
So, back to our original question: what is an organizational model? It is a system of structural and prescriptive measures that organizes a business in the most effective way to prevent the commission 231 crimes. In other words, the organizational model is not just a document, but reflects and memorializes the efforts undertaken by a company in order to prevent the commission of crimes foreseen by Legislative Decree 231/2001.
THE ORGANIZATIONAL MODEL’S WATCHDOG. The system is only regarded as effective if it is supervised by a specific body of the corporation (organismo di vigilanza, or ODV) having “autonomous powers of initiative and control” (Section 6 Paragraph 1). Much debate has been sparked by these few words of Legislative Decree 231/2001. If such words need to be interpreted as requiring autonomy, independence, continuity of action and competence, then the corporation is faced with a difficult task: finding one or more people who will be independent yet knowledgeable about the corporation’s activities, free and autonomous to make decisions yet informed about what is going on within the company. The near impossible balance is often achieved by appointing a mix of internal and external individuals who can bring professional skills, but also perspective, to the job. ASSOBIOMEDICA’s guidelines point out that the above requirements must be referred to the body in its entirety, and not to the single members of the organismo di vigilanza, and add that the body’s activity must be full-time, a feature rarely found in practice. The model must also set forth adequate information flows that sufficiently inform the ODV on activities within the areas at risk.
SO WHICH ORGANIZATIONAL MODEL DOES PROVIDE AN EXEMPTION FROM CRIMINAL CORPORATE LIABILITY? On the basis of the opinion of scholars, guidelines and case law on this issue, the answer is fairly simple: an effective one. What does this mean? Unapplied codes of conduct, policies and protocols are not going to help. A beautifully crafted model without a documented history of controls, monitoring and suggested sanctions by the ODV will not get very far. A passive ODV will show that the company is aiming at a pretense of compliance, rather than targeting actual compliance.
Interesting tips can be drawn from the assessment carried out by court appointed experts on the organizational models of pharmaceutical companies accused of criminal liability in connection with a fraud investigated by the office of prosecution in Bari, which ended with plea bargain. The experts concluded that the models were insufficiently preventing the concerned crimes. Although the protocols were “appreciably implemented”, the ODV was deemed to be too marginal within the life of the corporation, audits on the use of financial resources did not occur, while very high incentives to sales staff were granted.
In conclusion, the organizational model must become a living system, known to employees, strictly applied after adequate audits, and giving rise to sanctions in case of lack of compliance. A court must be able to see that the organizational model has truly become the DNA of a company, who has tried its very best to prevent that its business activities can lead to criminal conducts.
 The exercise of understanding how sanctions originally envisaged for natural persons apply to corporations is still ongoing. For example, a recent court decision (Supreme Court no. 44824 of September 26, 2012) has stated that bankruptcy of the corporation is not equal to death of the offender and thus does not extinguish the crime, thus contradicting prior judgments of lower courts (e.g., Court of Milan October 20, 2011).
 The concept of “colpa di organizzazione”, which appeared in case law as early as in the decision of the Court of Palermo of July 1, 2005, was well clarified by the Supreme Court in its decision no. 27735 of July 16, 2010. A useful discussion of the same principle can also be found in the decision by the Court of Milan of March 8, 2012, which argues that negligence in organization is constituted by planning negligence, management negligence and vigilance negligence.
 The latest guidelines by CONFINDUSTRIA have been updated on March 31, 2008.
 The Court of Milan (Ufficio Indagini Preliminari, November 3, 2010) has however excluded that the indeterminateness of Legislative Decree no. 231/2001 can give rise to a breach of the Constitution.
 Additionally, certain scholars argue that the legislator could not possibly suggest any preventive measures due to the constitutional principle of freedom of economic enterprise.
 The latest amendments to Legislative Decree no. 231 of 2001 allowing the board of statutory auditors (collegio sindacale), the supervisory committee (consiglio di sorverglianza) and the committee for management control (comitato per il controllo della gestione) to serve as organismo di vigilanza have given rise to further critiques as many scholars disagree on the ability of such bodies to have sufficient independence and adequate professional competence. See, e.g., the white paper of March 27, 2012 by Associazione dei Componenti degli Organismi di Vigilanza ex D.Lgs. 231/2001.
 Note that others disagree on this point (e.g., Carlo Piergallini “Paradigmatica dell’autocontrollo penale (dalla funzione alla struttura del “modello organizzativo” ex d.lg. n. 231/2001”, on Cassazione Penale, fasc. 1, 2013, pag. 0376B.)
 See the thorough analysis of Matteo Vizzardi “Prevenzione del rischio-reato e standard di adeguatezza delle cautele: i modelli di organizzazione e di gestione di società farmaceutiche al banco di prova di un’indagine peritale” published in Cassazione Penale, March 2010, no. 3.