Introduction

Continuing with the analysis of the Whistleblowing Reporting System (hereinafter “Whistleblowing”), today we focus our attention on the obligations connected with the Organisation, Management and Control Model (hereinafter the “Model”) set forth by Italian Legislative Decree n. 231 of 2001 (hereinafter the “Decree”). For a better understanding of this matter, it should be noted that by Whistleblowing we intend an employee’s reporting of illicit deeds committed inside of the company where they are employed.

Prescription under the Decree: the Model and prevention protocols and procedures designed to prevent the commission of the crimes listed in the Decree

As we explained in a previous publication, Whistleblowing and its relative mechanisms are currently exclusively provided for in the Model. However, the companies do not always know how to structure a Model that adequately provides for effective and compliant Whistleblowing.

General section of the Model

First of all, in the General Section of the Model and, more precisely, in the part dedicated to the information flows towards the Supervisory Body (“SB”), it is necessary to also introduce an alternative reporting channel to that of writing directly to the SB, which guarantees the secrecy of the identity of the reporter. These channels can be created in different ways, but in Italy companies frequently encounter difficulties, not knowing which kind of channel to create. A useful aid is Confindustria’s Circular of January 2018, which identifies different types of reporting channels.

By way of example, these reporting methods can be implemented through the use of computer platforms, also managed by independent and specialized third parties, as well as through dedicated mailboxes. Most companies require that reports be submitted via an e-mail address which is dedicated to whistleblowing (for example, by allocating a domain address with “whistleblowing” extension or by sending the messages to the mailbox used for notifications to the SB) – received by the SB.

Notwithstanding that the reporting channels shall “ensure, thanks to informatic technologies, confidentiality of the identity of the reporting agent” (see art. 6 of Decree), it is also possible to make use of other reporting channels, for example mailboxes or faxes.

The protocols and procedures as a part of the Model

We suggest that companies also dedicate a specific protocol of the Model to Whistleblowing, in order to identify the reporting system and to specify how the company will analyse the reports it receives. Thanks to such a protocol, employees can also know who the receiving agent is and be aware of the admissibility of anonymous reports.

With specific reference to the receiving agent, we suggest that “the company identifies all the receiving agents according to the particular characteristics of the company, its dimension, the structure of the corporate groups and the need to apply specific rules depending on the specific company’s activity.”[1] For example, companies can identify a single person or a company body, such as the SB, as a receiving agent, or an external entity or, for example, the chief of compliance, or even an entire department (such as, for example, the Legal Department, the Internal Audit office or the Compliance office).

In our opinion, it is preferable to choose the SB as the Whistleblowing receiving agent because in this way both the employee and the company are better protected. This is particularly true both when the SB is fully composed of external individuals and when it is mixed (including both individuals external and internal to the company). Following this method, it is possible to guarantee the independence of the receiving agent and also prevent the risk of possible intimidation of the reporting agent. This risk of intimidation against the reporting agent, in fact, is increased if the report concerns the people who are also the receiving agent. This avoids any possible mixing and risks associated with possible intimidation that the whistleblower could suffer, thus undermining the effectiveness of the system as a whole.

If the receiving agent is a subject or legal entity different from the SB, it is necessary that the SB is immediately informed of each report received. This is because the SB has to supervise on the effectiveness of the Model that Whistleblowing is a part of.

Furthermore, the Confindustria Circular mentioned above suggests “a possible solution is to choose an external entity as the receiving agent. In particular, it is better to choose an external subject who has criminal law skills as well as adequate experience. In this way, the receiving agent could correctly analyse the report received, helping the handling of the report.”[2]

In light of this, companies can freely choose which reporting channel to adopt or how to manage the reporting flow and who is designated as the receiving agent.

Finally, with specific reference to the admissibility of anonymous reporting, we recall the clarification of the Italian Anticorruption Authority which distinguishes between confidentiality and anonymity, by specifying that confidentiality implies the revealing of the reporting agent’s identity, that in fact can be adequately protected only if he/she reveals themselves (see the Italian Anticorruption Authority’s Determination n. 6 of 28 April 2015 – “Guidelines for the protection of the public employee’s report of illicit deeds”). The Guidelines do not prohibit the anonymous reporting channel itself. The problem with the admissibility of this type of reporting is only the risk of “rumour” reports, instead of true fact; in that case, it becomes more difficult to demonstrate the validity of the report. To prevent the risk of reports that are not strictly linked to a violation of the Model or the ethic code of the company, it is possible to require that the report be adequately documented, providing evidence that “indicates facts and situations connected with the specific contest”(see Guidelines of Italian Anticorruption Authority mentioned above, par. 2).