Friday, October 25, 2024


What is the value of ISO/UNE standards for compliance programs?

There are already several criminal proceedings against legal entities in which the discussion on the criminality of their conduct (if they did not reasonably prevent the crime that was committed by one of their own and in their favor) has focused on whether their preventive organization met any of the national or international technical standards of organization, whether this was accredited by the organizations that are dedicated to such assessments, and what role an expert's contribution had in both debates. As all this is sometimes muddled up by the parties to the proceedings in the legitimate defense of their interests, it is perhaps appropriate to distinguish the sheep from the goats and claim in all this the role of the judge, which is certainly not simply to ask an expert to rule on whether the company in question complied with a technical standard or to limit himself to checking whether the corresponding accreditation was in force.

Standardization

The standards to which we refer are norms established by national or international private associations on how certain products or procedures should be carried out. Initially, this standardization referred to the technical field, especially electrical engineering and telecommunications, but it eventually found its way into business management practices. It should be emphasized, so that the term “standard” is not misleading, that the agents involved are private associations, that their content is based on the consensus of those who participate in them and that they are followed on a voluntary basis.

In Spain, the main (“only”, according to its website) standardization association is the Spanish Association for Standardization (but its acronym is not AEN, but UNE). It has more than five hundred members and has produced more than 37,000 standards. Some of its private nature is diluted by the fact that it is recognized by the Ministry of Economy as a national standards body. We have not been able to find a list of its members on its website, although its corporate profile indicates that its members “represent practically the entire Spanish productive fabric” and that among these “there are 150 relevant national sector associations”; the website states that UNE “includes the main business associations, leading companies in Spain and a good representation of Public Administrations at all levels”. We have seen that among the members there are also public universities and official schools.

UNE is the Spanish representative of the International Organization for Standardization (ISO), made up of 169 national associations (one per State). ISO defines itself as an independent, non-governmental association, whose objective is to share knowledge and develop voluntary, market-relevant and consensus-based international standards.

In the area of compliance, we have witnessed a significant growth in standardization norms, especially in Spain. We have general accreditation standards (UNE – ISO 37301:2021 “Compliance management systems” and, on criminal compliance, UNE 19601:2017 “Criminal compliance management systems”, UNE 165019:2018 “Requirements for bodies performing the audit and certification of criminal compliance management systems in accordance with UNE 19601”), but also sectoral ones: on corruption (ISO 37001:2017), on socio-labor compliance systems – harassment – (UNE 19604), on tax compliance (UNE 19602), on alert channels (ISO 31301) and on internal investigations (ISO 37008:2023).

The criminal-legal value of standardization

The main question raised by compliance or non-compliance with these standards is that of their value for criminal typicity and thus for the criminal process. It could be thought that, if these standards do nothing more than set out the requirements for understanding that the business procedure is correct, adequate, corresponding to the permitted risk, they are in turn setting out the level of criminal diligence: how to organize oneself to avoid or reasonably contain the criminal risks that arise from the company and in favor of the company. In a way, the ISO and UNE standards would be nothing more than the destination of an implicit criminal referral of the type of crime of the legal person.

In a legal system as close to this matter as Italy, the legislator has even chosen to make explicit references. Art. 30.5 of Legislative Decree 81/2008, which specifies the components of the organizational model for the prevention of offenses harmful to the health and safety of workers, provides for a presumption of adequacy of the model that complies with certain national or international technical rules/standards, such as the British standard OHSAS 18001:2007 (now ISO 45001:2018). In Italy, crimes against occupational safety and reckless homicides give rise to ex delicto liability of the legal entity, so the adaptation to this standardization standard becomes all the more relevant. Without leaving Italy, there is another precept and a recent jurisprudential decision that should draw our attention. Art. 6.3 of Legislative Decree 231/2001 provides that business associations may draw up compliance programs – standard organizational models – which are then submitted to the Ministry of Justice and the competent ministry for the sector of activity of the organization, which may make allegations. The Italian Court of Cassation in its leading case Impregilo (Cass. pen., Sec. VI, 15.06.2022, n° 23401) has indicated that the adoption of these models by the legal entity implies a presumption of effectiveness of the same and that it is therefore necessary to argue in detail why it can be considered that in the specific case the model that is adapted to that standard is not suitable.

In fact, when this problem is analyzed in detail, two different problems appear, which we will call the problem of effectiveness and the problem of legitimacy.

The problem of effectiveness can be described as follows: the standardization norms, whether ISO/UNE-style or those we have seen referred to in Art. 6.3 of Law 231, represent a snapshot of the entire organizational model or of some of its parts, such as measures relating to corruption, tax compliance or even whistleblowing channels. But what has to be determined in order to establish the liability of the legal person is not whether in the abstract there is a good compliance program, but whether the legal person deployed an adequate control system to prevent the specific crime committed. And on this point, there is an open discussion as to which elements of the compliance system are the most relevant. For some authors (see for example Nieto Martín, La eficacia de los programas de cumplimiento: propuesta de herramientas para su valoración) the effectiveness of a compliance program should not only take into account the goodness of the specific controls that should have served to avoid or reduce the risk of the conduct committed, but should also take into account what in internal auditing is called “the control environment”, and to measure this factor the effectiveness of the compliance program as a whole is relevant. Other authors, on the other hand, adopting a methodology similar to the objective imputation in the framework of the reckless crime, consider that what is relevant is in fact the specific effectiveness of the controls (see for example Galán Muñoz, Visiones y distorsiones del sistema español de responsabilidad de las personas jurídicas: un diagnóstico 13 años después). Standardization norms and certifications would logically be more important if the first position were adopted, where the judgment is more global. In this dispute, it should not be forgotten for now that the Supreme Court in its famous judgment 154/2016 advocated a more holistic view of the effectiveness of the models.

The problem of legitimacy is well expressed in the old and wise admonition that the wolf should not be entrusted with the care of the sheep. Standardization norms exist in the most varied sectors; in fact, standardization constitutes an essential regulatory tool in global economic traffic, which in many sectors has filled the gap left by the technical or political incapacity of States to regulate many aspects of the production of goods and services. The legitimacy of this private law is mainly of a technical nature, which apparently gives it an aura of political neutrality. However, there is always the logical doubt that these standards are always drawn up in accordance with partisan interests and that they do not adequately weigh up all the interests at stake; that, for example, in establishing what is reasonable for the prevention of damage, the cost savings for business weigh more heavily than the protection of the environment or any other relevant social interest. For this reason, public regulation of standardization requires transparency and the participation of the various stakeholders.

Whatever solution is given to the problem of effectiveness, its intertwining with the problem of legitimacy must be recognized. The rule of three would be as follows: the greater the legitimacy of the standardization rules, the greater must be their capacity to set the appropriate legal standards of compliance or, in line with what has been indicated by the Italian Corte di Cassazione, the stronger must be the presumption that the company that complies with them has acted correctly. It is true that the final determination of what is the permissible risk in the face of the protection of a legal asset is the task of the judge. It is he who must determine to what extent a legal entity is required to prevent corruption or market abuse, but if it turns out that the parties involved have established these rules in an open and transparent process – we could say Habermasian – it is not a bad solution for the judge to accept their solution.

The value of the expert evidence

A related question, although independent of the value of the standards, is the place of the expert evidence, whose field is that of the contribution of scientific, artistic, technical or practical knowledge and whose limit is usually located in the legal field, since there the expert is the judge. Note the haziness of this boundary, since there are many occasions in which the scientific or technical contribution has the final objective of demarcating the unlawfulness of the conduct, as is the case with medical lex artis as a parameter of imprudence. If no one disputes that a medical expert should be called to indicate how a certain surgical operation should be performed and whether the operation being prosecuted complied with that canon, it is reasonable to think that the same applies to know whether a company was well organized to prevent the commission of a certain crime: if the lex artis is the standard, let us call a connoisseur of that ISO or UNE standard to explain it and to give his technical opinion on the adequacy of the business conduct being prosecuted to that conduct.

The analogy does not seem so close. First, because in the case of medicine, the scientific and technical nature of the knowledge is clear, much less accessible to the judge than the knowledge of the organization and management of a company. And secondly, because while it is clear that the medical lex artis depends fundamentally on the consensus of medical specialists, it is not clear that what is correct coincides with what the standardized norm indicates, nor that it reaches the degree of precision necessary for a judgment of subsumption to be sufficient. An expert may be required to report on how the company functioned; it is much more debatable whether an expert opinion on the adjustment of the business organization in the specific case to an ISO or UNE standard is appropriate, even though the parties may of course invoke that standard in the sense they believe it favors their interests.

Certification

The compliance of a company’s organization with a UNE or ISO standard may be subject to certification by an entity accredited to carry out such verification. In Spain, the main certification company is AENOR, whose sole owner is the UNE standardization body. The certifiers actually use the audit strategy: they inspect the company and verify that its organization corresponds to the intended standard or, if this is not the case, they grant a deadline for correction. The validity of the certificate requires an annual follow-up audit and renewal within a certain period of time.

The reader may wonder who certifies the certifier: who says that these private certifying entities meet the requirements of impartiality, independence and technical capacity to perform this function. Well, there is a “national accreditation entity” (ENAC) which is a certifier of certifiers. And who gives it this function (who is in turn the certifier of the certifier of certifiers)? The Ministry of Industry, Trade and Tourism. ENAC is a non-profit association of public utility to which the companies accredited as certifiers and several entities and public administrations belong.

The criminal legal value of certification

There is still much to be discussed about the value of certifications in criminal proceedings. On the one hand, whether or not we admit the expert evidence, a further question is the evidentiary value to be given to the certification. In the framework of the administrative process, some reputable colleagues have in fact maintained that the certification is a sort of anticipated expert evidence. On the other hand, and independently of the above, answering this question also depends on the outcome of the controversy referred to above; that is, to what extent does the general operation of the program or of one of its sections matter when establishing the effectiveness of compliance programs: let us imagine that a company has a specific certificate in accordance with the UNE on corruption (UNE – ISO 37001:2017) and another generic one (UNE 19601:2017).

If the expert opinions on compliance are admitted, nothing would prevent, for example, the legal entity from proposing the person who has carried out the certification as an expert. If this possibility is denied, another way would be for him to have a place in the criminal proceedings as a witness with scientific knowledge. Whatever the place given to the certifications in the criminal process, what should not be lost sight of is that here the final accreditor is the judge, to whom we also ask a negative verification, strict, concrete and with a peculiar canon. It is negative, because his only judgment is that the organization was defective, insufficient. It is strict because he can only proceed to accreditation if he is sure of it: beyond reasonable doubt. It is specific because the judge does not care directly (only as a possible indication) that the legal person at a given time has a generally satisfactory compliance system, but that at the specific time of the individual offense there was in the procedure in which such conduct occurred a relevant lack of controls. And here comes the last feature we mentioned: this relevant lack will not be determined only by an ISO or UNE standard but by a more subtle standard that is determined above all by the protection of the legal asset concerned and by the exercise of entrepreneurial freedom.

It goes without saying that ISO or UNE certification is far removed from what is actually sought in criminal proceedings: it is carried out by a particular expert, at a given historical moment, with the ISO or UNE standard and probably with a genericity that does not cover the specific question of the trial, which is a specific business conduct at a given time.

Our previous conclusion should not discourage companies from adjusting to organizational standards or their certification. Our conclusion is only one of some skepticism as to their value in a criminal proceeding in which the legal entity is a defendant. For the rest, organizational standardization and its certification are welcome. It sets the company on a sure path of how to do things well internally, which will have an immediate additional reflection in private and public procurement, for which certifications will be an agile instrument to replace the heavy economic and time costs of due diligence processes. Even in criminal proceedings, certifications will provide a practical demonstration of the desire for a culture of compliance. The fact that they are not a trump card does not mean that they cannot be a good card, a good contribution to the game.
