Interview with Paola De Pascalis, Of Counsel, PAVIA E ANSALDO 

Leaders League: What are the greatest criminal risks associated with running a company today? 

The criminal risks an entrepreneur or those who manage a company may incur are certainly many and, given the increasing complexity of doing business and new technology, as well as associated legislation, its characteristics change over time. For example, the manifestations of crime, on the one hand, and the instruments of its detection and repression, on the other, are greatly influenced by the advances of technology. If the methods and forms of the offence change, the models of criminalisation of conduct and the areas of criminal law also evolves, depending on the legislative policy. In recent years, the type of criminal risk has been diversifying (since the provision of legal person liability onwards), going beyond the strict responsibility for the specific crime. For example, the application of the measure of prevention of judicial administration, pursuant to art. 34 of the Anti-Mafia Code: the prerequisite is not the commission of a crime but the mere culpable facilitation - due to the inadequacy of compliance systems and organizational schemes - illegal conduct of others, such as contractual counterparties. The consequences of the application of these measures are, extremely significant for companies and individuals.

“Risk and criminal liability is also gradually assuming an increasingly supranational and, in particular, European dimension.”

Should criminal risk also be assessed from a transnational perspective? 

Although we are a long way from a genuine codification of criminal and procedural subjects common to all European countries, risk and criminal liability is also gradually assuming an increasingly supranational and, in particular, European dimension. On the one hand, this is because of the moral and political authority of international conventions (as well as the development of sources of soft law) that have often been the engine of reforms and evolutions. On the other hand, case – law of supranational judicial bodies - whose effectiveness has gradually been increasing, also in reason of the recent provision for a remedy against judicial decisions taken in violation of the European Convention on Human Rights - ensures, also at the judicial level, the adaptation of the Italian legal system to the conventional one. Last, but not least, is the so called third pillar of the European Union. Even if its bodies don’t have their own criminal law powers, they may - nevertheless - draw up common minimum rules on the definition of criminal offences and sanctions in relation to certain criminal phenomena, with transnational dimension or in areas where national criminal law provisions need to be harmonised in order to ensure the implementation of EU policies (the I.C. directive PIF of 2017, with its relevance on our internal discipline in the matter 231/01, for example). In particular, as an expression of enhanced judicial cooperation, since June 1st 2021 the European Public Prosecutor’s Office (EPPO) is operational,and has jurisdiction over offences affecting the financial interests of the EU (as defined by Directive EU 2017/1371) and is articulated on two levels, one central and one national. According to the data, however, the activity of the European Public Prosecutor’s Office is growing - despite difficulties due to the need to coordinate 22 legal realities that require constant work, both operational and interpretative - and the role of Italy, in terms of investigations being carried out, it is considerable. 

What do you think are the main elements senior management needs to look out for preventing such risks?  

Like all risks, criminal ones can and must be managed and prevented. In particular, in complex organizations, this means controlling the work - in order to prevent any illegal acts - of internal subjects, but also - as far as possible - those of external third parties which interact with the company. To achieve this goal, it’s necessary having efficient and adequate organization of the activities, the processes and the resources that guarantees transparency and induces correct behavior and observance of the law by all. For this virtuous effect to be produced, organizational models must suit objectives which are adequate to the reality of the business, sustainable overtime and ready to be effectively and effectively implemented. Therefore, an integrated approach to compliance and risk management is needed that allows perfect coordination between all the existing prevention and control tools, in particular with the various management systems. For example, the uniformity of systems of detection and risk assessment makes for more effective coordination. 

What have been the most significant recent developments in the world of compliance? 

"Compliance" is a concept in continuous development, one with s dynamic interrelation with other disciplines and areas of law. It is difficult to pick out a single aspect of innovation. There are increased expectations as regards whistleblowing and its application. Imported from the tradition of common law countries, it has generated much uncertainty, both interpretative - because of the meager Italian discipline - and operative. Today, whistleblowing has been consecrated at European level by Directive 2019/1937, issued with the aim of standardizing the various national approaches to whistleblowing, especially with regard to more effective protection of whistleblowers. The obligation to establish internal reporting channels when a company reaches a certain number of employees entails a significant extension of the scope of the application, hitherto limited in Italy to specific sectors and entirely voluntary. The impact of the Directive on the Italian legal system is still to be assessed because the Government only approved - on December 9th - the relevant legislative decree in its preliminary examination. Also noteworthy is the development of a tech perspective in compliance management, both through the use of tools and specific technologies (such as big data, machine learning, cloud computing and blockchain) to support the company’s activities in automating processes - making it easier and faster to control - and in verifying that internal regulations and activities are "compliant" with current legislation (for example, in real-time monitoring of monetary and financial transactions, automatic verification of regulatory updates, identity and access management, and automated reporting). Finally, there is the tendency of compliance to constitute the yardstick for risk assessment and management - also related to the contractual counterpart - and there is progressive connection with ESG issues. Think, for example, about the proposal for a Directive adopted by the European Commission on the due diligence of companies for the purpose of sustainability: the control of the entire value chain to avoid negative impacts, both actual and potential, the environmental protection. The respect for human rights activities are governed by company policies and procedures that identify and eliminate negative impacts and prevent potential impacts. In the logic and spirit of the Directive, supply chain companies must, in turn, ensure adequate operating standards to prevent negative impacts in terms of sustainability: but the verification of the entire chain ends up also being a formidable instrument of internal control with respect to the risk facing enterprises, in all its forms, including the criminal.