LGRC: What Is Corporate Compliance?

Adherence to the rule of law and fairness in business is an indispensable element of business activity, based on trust.

The acronym LGRC refers to the management of Legal Governance, Risk & Compliance, the activity that deals with the complex set of processes, rules, tools and systems used by the corporate legal function to adopt, implement and monitor an integrated approach to business-related problems.

However, the increasingly accelerated evolution of the financial and non-financial markets, in terms not only of product innovation but also of risk transfer and containment and of the push towards international projection, makes it more difficult to identify and control behaviour that may constitute a violation of regulations or operating standards in matters such as the environment, security, finance, privacy and data protection, administration, external relations and cybersecurity, as well as of the principles of business ethics and social responsibility connected with business activity.

In a corporate context, the term Compliance is used with the meaning of compliance with a law (e.g. compliance with regulations for the protection of child labour, or those that prohibit the emission of toxic gases in particular processes), a standard (e.g. standards relating to quality or certification of the financial statements), best practices (e.g. methods of conduct of trade associations) and business policies (e.g. compliance with the corporate code of ethics).

From an economic and business perspective, the term compliance is related to the internal control and risk management system, understood as

“the set of rules, procedures and organisational structures aimed at enabling the identification, measurement, management and monitoring of the main risks… It contributes to ensuring the safeguarding of the company’s assets, the efficiency and effectiveness of company processes, the reliability of the information provided to corporate bodies and the market, compliance with laws and regulations as well as with the company’s bylaws and internal procedures” (Committee for Corporate Governance, Borsa Italiana S.p.a., Code of Conduct, July 2018).

Corporate Compliance – i.e. the flexibility of the company and its ability to adapt to and comply with regulations – therefore acts on the innovation of security and technology in organisations, bringing strategic choices back to the centre.

Compliance aims, at the same time, to prevent the risk of non-compliance of the company’s activities with the rules, and to implement and consolidate the relationship of trust with customers and, in the broadest sense, with stakeholders.

Traditionally, corporate compliance activities are understood to be restricted to particular kinds of addressees, in particular:

  • institutions and companies operating in the banking and financial world;
  • business activities that have relations with the public administration (i.e. almost all companies);
  • companies listed on the stock exchange and operating on the financial markets;
  • the public administration itself, since many public activities have been made subject to strict behavioural and ethical rules (think, for example, of the anti-corruption discipline).

In reality, compliance is intended for all companies (micro, small, medium, large) and public or private entities, since even a small company that does not operate in the banking sector or does not provide financial services has to manage its regulatory compliance in one of the following areas (by way of example, and not limited to):

  • Consumer Protection;
  • Quality certifications and ISO standards;
  • Information Security and Data Protection;
  • Accident prevention and safety in the workplace;
  • Anti-Money Laundering Regulations;
  • Privacy and Processing of Personal Data;
  • Fight against corruption;
  • Liability of entities and legal persons pursuant to Legislative Decree 231/2001.

The Compliance activities carried out in these and other sectors all have the aim of achieving the same objective: reorganising the company structure by providing the internal organisation with preventive measures to avoid the risk of suffering sanctions (civil, criminal or administrative, reputational) without losing competitiveness on the market, while at the same time enhancing the image and reputation of the company in order to increase the trust of its customers, stakeholders and stockholders.

A correct use of corporate compliance, therefore, helps companies to:

  • promote and consolidate their ethical principles;
  • improve their relations with their customers;
  • protect directors from possible responsibilities;
  • harmonise and better control the behaviour of managers and employees.


In terms of Corporate Compliance, it is essential for the company to adopt an organizational, management and control model that is provided for and (only slightly) regulated by Legislative Decree 231/2001, which allows the company, first and foremost, to:

  • Avoid the risk of sanctions (pecuniary or disqualifying) with potentially very serious damage to the company’s assets and image;
  • Avoid the formation of corrupt practices within the company structure, as well as risks to the health and safety of workers and/or the environment and the commission of other crimes defined as “prerequisites” for the liability of entities;
  • Maintain the company’s good reputation and the trust of its stakeholders;
  • Create competitive advantages in a business scenario that increasingly rewards ethical behaviour;
  • Increase the value of the company in favour of the shareholders.

In fact, the purpose of Legislative Decree 231, which governs the criminal liability of companies and entities, is to prevent and suppress the commission of various crimes by persons linked by a functional/organic relationship with the entity, such as directors, employees, suppliers.

For the first time, it introduces into our legal system the criminal liability of entities, in addition to that of the natural person who has materially committed the offence.

In practice, the extension of liability aims to involve in the punishment of certain criminal offences the assets of entities and the economic interests of shareholders, who, until the entry into force of Legislative Decree 231/2001, did not suffer consequences as a result of crimes committed, for the benefit or in the interest of the company, by directors and/or employees.

Several years have now passed since the introduction of Legislative Decree 231/2001 into our legal system.

The legislation, initially issued in 2001, was the result of the implementation of various international conventions, especially in the fight against corruption, and was initially limited to the repression of crimes and offences in relations between individuals and the public administration; over the years, it has been extended to other subjects, such as corporate and financial crimes, money laundering and self-laundering, health protection in the workplace, market abuse, copyright protection, computer crimes, environmental crimes, terrorism and organized crime, crimes against industry and trade (to name the most relevant).

In practice, all those offences whose commission is facilitated by a lack of organisational structures within the company or body have been considered a source of liability.

To date, the catalogue of offences defined as “prerequisites” for the liability of the entity is extensive, and it is subject to future additions and changes, including significant ones, due to the continuous evolution of the reference legislation.

The recipients of Legislative Decree 231 are therefore legal persons, companies or associations, including those without legal personality, and public economic entities, which may be sanctioned if it is established, in the context of criminal proceedings, that the unlawful conduct of the natural person has been committed in the interest or to the advantage of the entity.

The latter, on the other hand, may be exempted from liability if it has an Organisation, Management and Control Model (Model 231, or MOGC, or Compliance Program) in which it has previously “mapped” the risk of offences being committed and has therefore adopted all the organisational measures necessary to eliminate the possibility of their being committed, also providing for the imposition of adequate sanctions against the perpetrators of the offence.

If, therefore, the employee or top management fraudulently infringes the provisions of the Model 231 adopted by the company and commits the offence, the company itself shall be exempt from liability.

Obviously, no one can exclude the possibility of deviant, and therefore illegitimate, individual conduct, but this is intended to ensure that the company’s system, its organisational structure and the overall objectives it pursues are not a breeding ground for the perpetration of such crimes.

A precondition of the Compliance Programs is that good rules of internal organization are the best way to marginalize the phenomena of business crime and to ensure that their possible presence remains an exceptional fact and not easily repeated.

In practice, the entity is required to adopt behavioural models specifically calibrated to the crime risk, i.e. aimed at preventing, through the establishment of rules of ethical-organizational conduct, the commission of certain crimes.

A Model 231 is therefore the necessary tool to avoid not only the commission of crimes, but also the entity being held liable for the criminal offence committed by a person belonging to its corporate organization; to this end, the role of the Supervisory Body (SB), which has the task of supervising the operation of and compliance with the Model 231 adopted by the entity and of ensuring its continuous updating, becomes of fundamental importance.

The Organisation, management and control Model, both in its implementation phase and in the subsequent implementation phase, must also be configured as a completion of the other management systems present in the company organisation.

The 231 Model, therefore, is not intended as a stand-alone corporate tool, but must interact with:

  • the Quality Management System, including in the environmental field (ISO 9001, ISO 14001/EMAS)
  • the Social Responsibility system (SA 8000 or SCR)
  • the Occupational Safety Control and Management System (Legislative Decree 81/2008 – OHSAS 18001)
  • the Privacy System (EU Regulation 2016/679 GDPR, Legislative Decree 196/2003)
  • the Anti-Bribery System (ISO 37001) and any other ISO certification systems present and adopted by the company.


In the context of modern business and business organisation, the case of the responsibility of groups of companies and, in particular, of the parent company (so-called holding company) is of particular importance.

There are groups of companies governed by holding companies, so to speak “pure”, which limit themselves to holding and administering shareholdings (controlling or connecting); but there are also groups of companies managed by “operational” holding companies which exercise a real activity of management and coordination of shareholdings.

In the latter case, the holding company, through its subsidiaries, carries out a real entrepreneurial activity, often participating, through its directors, in the decision-making of the group controlled by it.

The transfer of responsibility from the subsidiary to the parent company should not represent a sort of “strict liability” of the holding company for the acts and offences committed by the subsidiaries; however, under current law, the group of companies and the interest of the group have always been viewed with particular disfavour.

Therefore, in order to avoid at least a provisional imputation of responsibility during preliminary investigations, it will be necessary to pay the utmost attention to avoiding inadvisable conduct, such as the de facto administration of the subsidiaries, or the lack of adequate supervision of them, which may lead to an extension of the liability for the offences committed by the subsidiaries to the holding company.

It is therefore essential to create a 231 Model both for subsidiaries and for the parent company, which analyses and regulates not only the methods of managing financial resources, but also the processes by which decisions are taken individually and at group level, the system of powers and proxies, the phases of a priori and a posteriori controls of the activities carried out, the existence of guidelines on certain particularly sensitive operations.


As a rule, the entrepreneur does not pay attention to compliance activities because he perceives them as distant and unrelated to the actual business activity; many perceive them as a useless economic expenditure, which does not lead to any positive feedback.

Nowadays, however, an entrepreneur’s desire to act in any market or to undertake a new business necessarily leads him to come up against increasingly complex regulatory systems, in which the penalties for breaching the rules can be fatal to the possibility of continuing the company’s business.

We can no longer afford, in the end, to underestimate the risk of incurring, even through simple carelessness or inattention, disqualification sanctions that, in fact, block the business for days, months or even years, with the risk of seeing the company closed.

On the contrary, the entrepreneur must also be able to develop the skills necessary to manage business risk well, through a suitable and steady compliance activity that leaves him freer to deal with the management of his company and his business environment.

P&S Legal has been dealing with corporate compliance for years, helping companies to restructure their internal organization and achieve the compliance objectives required by various national regulations, assisting entrepreneurs in the preparation of corporate governance models and systems for internal management and control, not only with regard to the provisions contained in Legislative Decree 231/2001.

As already mentioned, the list of cases included in this discipline is constantly expanding and

In the event of a conviction for liability, the consequences can be devastating for a company, as it can easily lead to its collapse and forced closure.

Through the implementation of an “organization, management and control model” of their core processes, i.e. processes whose phases may induce the company to commit the offences envisaged by the decree, companies are shielded from this form of responsibility.

P&S Legal boasts excellence and primary experience in the creation of such models which, on the basis of the new Procurement Code (art. 93), can represent a concrete economic and competitive advantage for companies.

The choice of truly specialised and up-to-date professionals is of crucial importance in the drafting of the 231 organisational model, as case law uses extremely restrictive and rigorous criteria in assessing the effectiveness of the models.

Our specialisation in sustainable development and technological innovation allows us to have a truly complete and cross-cutting picture of the business model, risks, opportunities, markets, social, environmental and economic impacts of companies.

Take a look at our blog for an overview of the unique and specialised themes we deal with on a daily basis.

P&S Legal ensures the utmost proficiency in carrying out all the tasks necessary to create an effective and efficient 231 organizational model, including the preliminary activities of “risk assessment” and “gap analysis”, aimed at identifying the areas most sensitive to the commission of illegal conduct in the governance structure.

The service is provided, where necessary, also using our technical-scientific consultants with proven industry experience, especially for the environmental sector, for biotechnology, nanotechnology, infotechnology, neurotechnology, robotics and artificial intelligence: we are focused on high risk Deep Tech industries.


We also offer a package of upgrade services, revising existing 231 organizational models in light of ever-changing legislative and technological trends, in order to ensure the actual effectiveness and consistency of the existing models over time, also in relation to the perpetual change of the jurisprudential orientations that constitute the living law.

As an accessory service to the implementation of Model 231, we also offer our lawyers as candidates for the role of member of the supervisory body, which is required by Legislative Decree 231/01 and must oversee the observance and effective functioning of the model itself within corporate governance.

The preparation of the 231 organizational model (specific, suitable, adequate, effective and flexible, feasible and shared, dynamic and systemic), accompanied by the Code of Ethics and the Whistleblowing system (the internal system for reporting irregularities), together with the information and training of personnel, are fundamental activities to ensure the effectiveness of the model in criminal proceedings, as is widely accepted in the industry guidelines and in the case law of many courts.

The advantages in terms of reputation and image that accompany the drafting of an organizational model, as well as the benefits provided by the Code of Public Procurement, should also be considered as an important element.
