Organizational Model Management and Control 231
The importance of adopting an Organizational Management and Control Model (Legislative Decree 231/01 and subsequent amendments, Law 123 of 3 August 2007) has grown significantly in recent years in relation to the increase in:
- legislative and regulatory measures that recognize their ability to prevent crimes;
- the types of risk and related management requirements;
- risk assessment tools and the related need for integration;
- data production and related validation requirements.
Both Legislative Decree 231/2001, as subsequently amended, and Legislative Decree no. 81/2008 refer to the obligation of Organizational, Management and Control Models suitable to have "exemplary effectiveness of administrative responsibility", which must be effectively adopted and implemented, ensuring a corporate system for the fulfillment of all legal obligations related not only to health and safety crimes, but to all crimes for which the company may incur liability.
An Organizational Model of Management and Control consists in the definition, implementation and progressive adaptation of a complex and homogeneous system of:
- rules of conduct through the code of ethics;
- organization through the definition of organization charts, responsibilities and delegations;
- management through the definition of risk maps, protocols and procedures;
- control systems through the establishment of the supervisory body, communication and implementation of the disciplinary and sanctioning system.
The purpose of the Model is to protect and balance the interests of all stakeholders:
- Investors, Shareholders and Members
- Workers and their representatives
- Customer, Partner and Supplier companies
- Committees, Population
The ability of the company to set efficient and effective operating rules and activate a suitable supervisory process is also a tool to strengthen the reputation, reliability and transparency of the Directors.
The Organizational Model consists of:
- a risk management methodology that acts simultaneously and in an integrated way on organizational development (system of responsibilities and delegations), on the development paths of people (repertoire of skills, training plans) and on the development of knowledge (definition of good practices and behaviors);
- a knowledge management methodology that explicates and engineers the procedural, operational and documental aspects, becoming a company guideline aimed at simplifying and enriching the organization of work;
- a human resource management methodology extended to security aspects:
  - the role area, which involves defining managerial skills for managers, analyzing delegations in the light of the new regulatory guidelines, defining objectives;
  - the person area, which involves the classification of limitations and how they impact on the current organizational flexibility model, the definition of training;
  - the security observatory area, which involves monitoring and analyzing behavior through the mapping of events during operational practices;
  - the RAD area, which involves acquiring the level of risk per job;
- an IT platform for the active management of processes, data and documents that are monitored, processed and tracked in order to build continuous decision support.
KEISDATA integrates its methodologies, adopting a multidisciplinary approach that makes it possible to:
- evaluate and integrate the existing procedures in the Company Management Systems, avoiding dangerous interferences;
- involve and give responsibility to all levels of the organization (managerial, technical, etc.), which are characterized by different skills and sensibilities.
The conditions for success
In order for the Model to be effective and recognized as effective in any court of law, it must fulfill the following requirements:
- it must be based on a specific and comprehensive mapping of the risks of crime and must provide for systematic procedures for the search, identification and assessment of risks when particular circumstances exist;
- it must be based on an adequate distribution of roles and responsibilities in line with an effective delegation system;
- it must provide that the members of the Supervisory Body possess specific skills in terms of inspection and consultancy activities and operate in harmony with the other roles involved in the supervision activity;
- it must expressly provide for disciplinary sanctions against directors, general managers and compliance officers who, due to negligence or inexperience, have not been able to identify, and consequently eliminate, violations of the model and, in the most serious cases, perpetration of crimes;
- it must provide for periodic checks and continuous monitoring of indicators with regard to sensitive corporate activities;
- it must differentiate the training paths for all employees, and in particular for employees who work in specific risk areas, the members of the Supervisory Body and the persons in charge of internal control;
- it must be aligned with the internal procedures of management and certification systems.
- Definition of the company strategy and policy through the construction of the Code of Ethics and of any Code of Business Conduct;
- Development of the Organizational-Delegation-Powers System through the activities of:
  - analysis of the conformity of the delegation system and alignment with the areas of responsibility defined in the procedures;
  - definition of the process and construction of the organization charts.
- Development of the Human Resources System for alignment with:
  - training system;
  - corporate performance management;
  - disciplinary and sanctioning system.
- Risk Assessment through the activities of:
  - examining the business areas of activity, identifying activities and/or sensitive functions and/or processes, in order to define a map of the areas at risk;
  - analysis of potential risks, in order to define a documented map of the potential ways of committing the offenses in the areas at risk already identified previously;
  - evaluation, and possible adaptation, of the system of procedures and protocols (Special Parts of the Model).
- detection and monitoring of data and information through the design and implementation of information systems for the reporting, analysis and treatment of adverse events, near-events, sentinel events, etc.;
- construction of the Supervisory Body by identifying the necessary skills, assessing the requirements, assigning tasks and defining information flows;
- definition of the Disciplinary System through a process of sharing with the resource managers to ensure an application of homogeneous and objective sanctions.
Organization Management and Control Model
General Section structured in:
- Code of Ethics
- General and detail organization charts for sensitive areas
- Risk maps
- Supervisory Body and Regulations
- Disciplinary and Sanctions System
Special Parts for each type of crime hypothesized: Prevention procedures for:
- Corporate offenses
- Offenses against the Public Administration
- Workers' health and safety offenses
- Environmental offenses
The Code of Ethics is the document that illustrates the principles of correctness, integrity and transparency that the Company adopts towards all the subjects with whom it interacts for the achievement of its corporate purpose (employees, suppliers, customers, Public Administration, shareholders, financial market, etc.). The Code aims to recommend, promote or prohibit certain behaviors, beyond and regardless of what is provided for by law, and may provide for penalties proportionate to the seriousness of any infringements committed. The adoption of ethical principles relevant to the prevention of criminal offenses (Legislative Decree no. 231/01) is an essential element of the preventive control system.
KEISDATA uses the following methodologies:
- analysis of the company organization and related processes;
- analysis of the history, culture and corporate values;
- analysis of the Company's development strategy.
KEISDATA integrates its own methodologies, adopting a multidisciplinary approach that makes it possible to give responsibility to:
- top management, in the code construction and communication process;
- all levels of the organization, for the application of the code.
The Conditions for Success
The Code of Ethics is the document intended and approved by the company's top management. The condition for success is the ability to involve top management and management in making common and shared values explicit.
- Definition of ethical principles
- Identification of the criteria of conduct in relations with:
  - Public administration;
  - parties, trade unions and associations;
  - other specifics of the company or sector to which it belongs.
- Construction of implementation mechanisms:
  - establishment of the Supervisory Body;
  - definition of the Communication and Training process;
  - determination of validity and application of the code;
  - identification of updating methods.
Article 6 of Legislative Decree no. 231/01 provides that the Entity (Company) identifies the activities in which the offenses may be committed. It requires an analysis of all company activities, decision-making processes, as well as the internal control system. This analysis is also conducted through the analysis of the relevant internal company documentation and interviews with the managers of the individual areas of activity and with their direct collaborators. On the basis of the analysis, the subjects, the activities and the categories of operations for which there is a risk of committing the crimes foreseen by the Decree are identified.
KEISDATA uses the following methodologies:
- analysis of the company organization and related processes;
- Risk Management for the systematic identification of sensitive activities and the related risk assessment (Risk Assessment Legislative Decree No. 81/08).
The conditions for success
The conditions for success are represented by the involvement of management and all the roles in the identification and mapping of risks and critical issues in relation to the crimes of Legislative Decree no. 231/01.
- Identification of sensitive areas
- The offenses that can give rise to administrative responsibility are those expressly listed by the legislator; together with knowledge of the business context, they direct the identification of sensitive areas.
- Identification of the risks of commission of crimes
- On the basis of the analysis carried out in the Company, the subjects, the activities and the categories of transactions for which there is a risk of committing the offenses envisaged by the Decree are identified.
- The risks identified are also analyzed according to the probability of occurrence and the existing preventive controls; in addition, any appropriate adjustments to the control system are identified.
- Map of sensitive activities and related risk
Article 6 of Legislative Decree no. 231/2001 establishes that the Entity (Company) is not liable for the offense committed if it proves that: "the task of supervising the functioning and observance of the models, and of taking care of their updating, has been entrusted to a body of the Entity endowed with autonomous powers of initiative and control".
The Supervisory Body (SB) is therefore a necessary body, with supervisory functions, equipped with powers of initiative and control, and its role is essential because it is entrusted with the care of the current model and because it has the responsibility for its correct application.
The Body must have three requirements:
- autonomy and independence;
- continuity of action.
KEISDATA has found it useful to collect and summarize the positions of jurisprudence, doctrine and practice in order to provide a guide to companies regarding the establishment and composition of the SB concerning:
- the different interpretation and importance attributed to the connotation of "independence" of the SB;
- the jurisprudential orientations meanwhile formed in the matter of administrative responsibility of the institutions;
- the reform of company law and the introduction of corporate offenses into the Decree;
- the introduction in the Decree of the Health and Safety Crimes of Workers.
Conditions for success
- Identify the control points on sensitive activities at risk of crime on which to direct the Supervisory activity of the Body.
- Avoid assigning operational and management responsibilities to members of the SB.
- Define the process and the methods of communication between the SB and the Company and vice versa.
Definition of composition and professionalism
- multi-subjective and collegiate structures;
- monocratic structures that make use of the support of internal organs of the company.
Definition of tasks
- preventive function of crimes;
- inspection and repressive function of crimes;
- communication and report function.
Definition of the flow of information and data, from and to the SB, on the basis of the type of activity and the identified risks/offenses.
Disciplinary and Sanction System
The Disciplinary System is based on the employer's powers that can be deduced from art. 2106 of the Civil Code; any disciplinary measure towards an employed person must comply with the procedures set out in Article 7 of Law 300/70 (Workers' Statute) and the requirements established in the Employment Contracts. Pursuant to art. 6 of Legislative Decree no. 231/01, the System is an essential condition for the Organization, Management and Control Model and consists of the provision of an adequate system of sanctions for violating the procedures set out in the Model and for violating the principles contained in the Code of Ethics.
The Disciplinary and Sanctions System, in support of the Organization, Management and Control Model, constitutes a contractual reference between workers and the Company. The difficulty of applying penalties to workers that are commensurate with the extent of the damage requires the definition of an approach oriented to the management and development of human resources.
KEISDATA adopts an innovative methodology for the prevention, observation and control of workers' behavior by the system of leaders.
Conditions for success
The condition for success is the ability to involve the system of leaders in the identification of the behavior punishable by sanctions.
Definition of the behavior punishable by sanctions
Detection of sanctions in relation to:
- position, function and business role;
- intentionality of behavior and degree of negligence;
- history of the behavior of the worker with particular regard to the existence of disciplinary records.
- Disciplinary and Sanction System
The Organizational Model of Management and Control provides that companies, according to their nature and size and the type of activity, ensure that the company roles have adequate managerial and/or technical-specialist skills (Article 30 of Legislative Decree no. 08); moreover, the company must provide a suitable control system through the evaluation and adoption of specific protocols aimed at planning training (Article 6 of Legislative Decree 231/01).
KEISDATA S.r.l. has chosen to design and implement Training Systems for Organizational Models that follow the dictates of ISO 10015 in line with the quality management principles indicated by the ISO 9000 family (to which ISO 10015 belongs).
The aim of the international standard ISO 10015 is to provide a guide that can help the organization in the identification and analysis of training needs, in the planning of training, in the provision of training, in the evaluation of its results and in the monitoring and improvement of training processes in order to achieve the objectives set.
The methodological approach used by KEISDATA in line with UNI ISO 10015:2001 is reported in the flow.
The conditions for success
The certified registration of data and the filing of documents together with a timely and univocal communication are critical elements for the success in managing the training process.
KEISDATA has developed a specific IT application for the management of training activities in regulatory environments 231 and management systems (OHSAS 18001, ISO 14001, ISO 9001, ISO TS, Standard Joint Commission, etc.).
The training is divided into the following phases:
- Analysis of the Organizational Model integrated by interviews with some top managers to acquire:
  - greater contextualisation of sensitive activities;
  - an assessment of the behavioral elements present in the Code of Ethics;
  - an evaluation of data for the control of compliance with the Model;
- Definition of the training needs required by the Organizational Model and by the surveys carried out with the direct managers. KEISDATA adopts a classification for the analysis of training gaps based on the following elements:
  - Area of knowledge of the organization in terms of organization chart, roles, responsibilities, delegations, authorities etc.;
  - Area of behavioral innovation in terms of new behaviors to be adopted, good practices in line with the Code of Ethics;
  - Risk Management Area in terms of knowledge of the sensitive areas identified in Model 231 and related risk indicators of crime;
  - Supervisory area in terms of knowledge of control tools and disciplinary and sanctioning modalities.
- Design of training modules contextualised to the population to be trained, to the sector regulatory context and to the cultural traits of the organization;
- Delivery of training modules both through classroom activities and through individual coaching;
- Evaluation of the training results obtained both through the evaluation by the participants of the activities in the classroom and through the evaluation of those responsible for the training of the results obtained over time on the knowledge of the Organizational Model;
- Verification and review of the results of the training activity on the Organizational Model, evaluated periodically in the performance of the control functions of the Supervisory Body.
- Training plan
- Training modules
- Feedback collection templates
- Methodology for calculating the return on investment in training activities
- IT application for the management of the training process.
Social Responsibility System SA8000:14
Social Responsibility means "the responsibility of an organization towards the consequences of its decisions and activities on society and the environment, through ethical and transparent behavior that:
- contributes to sustainable development, including the health and well-being of society;
- takes into account the expectations of the parties involved;
- complies with applicable laws and is in accordance with international behavior standards;
- is integrated into the whole organization and practiced in its relations". (ISO definition)
The Standard SA 8000:14, issued by the SAI (Social Accountability International), is the first international standard that sets the requirements for a Management System for Social Responsibility (SGRS); compliance with the requirements is expressed in the Certification of a third party, issued by an independent body.
The requirements of SA 8000 can be integrated with the ISO 26000:10 guidance standard, which provides recommendations and best practice models for the operation of internal processes, supply chain and markets.
KEISDATA supports companies in the design, implementation and improvement of an SGRS that contains, attests and communicates its commitment to sustainable management, combining business ethics and profit generation. The objectives of the SGRS are:
- preserve corporate credibility and reputation;
- increase trust by consumers and social organizations;
- improve relations with the institutions;
- control the ethical and social correctness in the supply chain;
- improve the business climate.
- a Risk Management method that makes it possible to:
  - map the whole organization and its relationships,
  - identify the risk of behaviors that are not responsible,
  - define the tools for control and improvement in risk management;
- a contextual impact analysis of the company situation and a system of access to constantly updated flows and regulatory frameworks in the areas of child labor, forced labor, health and safety, freedom of association and the right to collective bargaining, discrimination, disciplinary practices, working hours, remuneration;
- a knowledge management methodology for the engineering of standard requirements through an IT application developed specifically by KEISDATA for the management of procedural flows, activities, documents, deadlines etc. (Application Information System Management Systems).
The conditions for success
The success of an SGRS is determined by the correct interpretation of the needs and expectations of all stakeholders inside and outside the company, communication and involvement of all company functions.
The SGRS, in perfect analogy with the other management systems, is divided into the phases of Planning, Implementation, Monitoring and Re-examination, included in a cyclical process.
- define the strategy and the company policy through the construction of the Code of Ethics and of any Code of Business Conduct;
- analyze the business areas of activity in order to:
  - map internal and external stakeholders;
  - identify activities and/or sensitive functions and/or processes regarding responsible choices;
  - identify integration needs:
    - with the other Business Management Systems (Quality, Health and Safety, Environment, Energy Efficiency);
    - with the Organization, Management and Control Model pursuant to Legislative Decree 231/01.
- identify the provisions of laws and regulations regarding Social Responsibility;
- set specific objectives and targets that are appropriate, achievable and congruent.
- define the Responsibility System in line with the Company Organizational Model and the Delegation System (231 Organizational Control Management Model Service);
- establish procedures, instructions and practices to manage the aspects of Social Responsibility;
- sensitize, train and support the company structure for the implementation of the SGRS;
- communicate periodically the results and performances of the SGRS.
- implement adequate monitoring, verification and inspection activities and ensure the traceability of controls (Audit Service);
- ensure the detection of non-conformities, incidents and near events, their immediate management, identification and implementation of appropriate corrective and preventive actions for the removal of causes (Environment, Health and Safety Observatory Service).
Review to periodically assess the effectiveness and efficiency of the system and define the new lines of improvement. The SGRS is completed with the certification by a Third and Accredited Body.
KEISDATA supports the Company in managing relations with the Body and in particular in:
- request for an offer, evaluation of offers and choice of the Body;
- acquisition of "applicant status", a peculiarity of SA8000: it is the state in which observance of international, national and regional laws is declared, the commitment to start the certification process is established, and availability to receive a first inspection visit within a year is given;
- support during the verification phase: documental (phase I), certification (phase II) and maintenance.
- Code of Ethics and Codes of Conduct
- Regulatory Frameworks, Regulatory Check-lists
- Manual, Procedures and Instructions
- Information, training and communication plans
- Monitoring and Control Plans
- Audit Reports, Review Report
- Application Statement of the SGRS (Applicant Status) and Certification