Organisational Model General Document
Transcription
Organisational Model General Document
Organisation, management and control model ex Leg. Decree 231/01 Robert Bosch S.p.A. (RBIT) ORGANISATION, MANAGEMENT AND CONTROL MODEL EX LEGISLATIVE DECREE NO. 231 OF 8 JUNE 2001 Approved by the Board of Directors of 25 September 2012 Page 1 of 52 Organisation, management and control model ex Leg. Decree 231/01 INDEX 1. THE LEGISLATIVE DECREE NO. 231/2001..................................... 11 1.1 1.2 1.3 1.4 2. THE MODEL DRAFTING AND IMPLEMENTATION PROCESS ....... 26 2.1 2.2 2.3 3. Fundamental characteristics and scope of application. ....................... 11 The organisational Model as a form of exemption from liability ........... 19 The penalty system ............................................................................. 21 The Confindustria Guidelines .............................................................. 23 The Company's choice........................................................................ 26 Methodological approach used ........................................................... 26 Drafting of the Organisation, Management and Control Model ............ 26 THE ORGANISATION, MANAGEMENT AND CONTROL MODEL ... 28 3.1 Model purpose .................................................................................... 28 3.2. Model characteristics and connections with the Code of Ethics .......... 29 3.3 Model Recipients ................................................................................ 30 3.4 Model introduction, modifications and integrations.................................... 30 4. THE COMPONENTS OF THE PREVENTIVE CONTROL SYSTEM . 32 4.1 4.2 4.3 4.4 4.5 4.6 5. SUPERVISORY AUTHORITY ........................................................... 37 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 6. Identification of OdV pre-requisites ..................................................... 37 Identification of the OdV...................................................................... 38 OdV appointment procedure and duration of post ............................... 39 Reasons for ineligibility, reasons and powers of revocation ................ 40 OdV functions ..................................................................................... 40 Required information to be forwarded to the Supervisory Authority ..... 42 OdV Reporting .................................................................................... 45 Information filing ................................................................................. 46 MODEL DISSEMINATION ................................................................. 47 6.1 6.2 7. System of ethical principles and rules of conduct ................................ 33 Organisation system ........................................................................... 34 Authorisation and decision making system ......................................... 35 Policy and procedure system .............................................................. 36 Training and information program ....................................................... 36 Computer and computer software systems ......................................... 36 Initial communication .......................................................................... 47 Personnel training on the issues of the Leg. Decree 231/01 .............. 48 PENALTY SYSTEM........................................................................... 49 7.1 Model violations .................................................................................. 49 7.2 Measures taken against employees .................................................... 50 7.3 Model violation on behalf of management and ensuing actions .......... 51 7.4 Measures against the members of the Management Body, the Board of Statutory Auditors and the members of the OdV............................................. 51 Page 2 of 52 Organisation, management and control model ex Leg. Decree 231/01 7.5 Measures taken against project collaborators and temporary workers, Consultants, agents, Suppliers and Contractors involved in Sensitive Processes. ..................................................................................................... 51 Page 3 of 52 Organisation, management and control model ex Leg. Decree 231/01 DEFINITIONS CONTRACTORS” is conventionally understood as meaning all contractors of works or services in accordance with the prescriptions of the Italian Civil Code, as well as subcontractors, employment agencies, freelance workers who have stipulated a contract with the Company and which are used by the same in the performance of Sensitive Processes. “CCNL” National Collective Bargaining Agreement. “Consultants” subjects not employed by the Company who act in the name and/or on behalf of Robert Bosch S.p.A. on the basis of a mandate or other form of collaborative relationship. “Decree” the Legislative Decree n. 231 of 8 June 2001. “Assignment” an internal act assigning functions or responsibilities within the company organisation. “Recipients” all the subjects the Model addresses and, in particular: the company organisms and their components, the employees, the Suppliers, the Contractors, the Company's agents, the Consultants, the project collaborators and temporary employees involved in Sensitive Processes, as well as the members of the Supervisory Authority that do not belong to the above categories. “Suppliers” the suppliers of goods (goods and materials for production) and services (excluding consultancy), including the other Group Companies, that the Company employs in the context of its Sensitive Processes. “Model” the organisation, management and control model foreseen by the Decree. “OdV” the Supervisory Authority foreseen by the Decree. Page 4 of 52 Organisation, management and control model ex Leg. Decree 231/01 “Sensitive Operation” the set of activities of particular relevance performed by Robert Bosch S.p.A. as part of the Sensitive Processes. “Management Body” Robert Bosch S.p.A. Board of Director's. “Sensitive Process/es” the set of company activities and operations organised in order to pursue a specific purpose or manage a particular company sector of the Robert Bosch S.p.A. company, involving sectors where one or more of the crimes listed in the decree may be at a greater risk of being committed. These crimes are listed in the Special Section of the Model, referred to generically and overall as at risk areas. “Process Owner” the subject who, given the position they hold or the activities they perform, is most involved in the Sensitive Process in question or has the most visibility for Model 231 purposes. “Mandate” the unilateral juridical contract by which the company assigns power of representation towards third parties. “Crimes” the types of crimes taken into consideration by the Decree. “Service Level Agreement” infra group contracts which define the contents and the service conditions between Robert Bosch S.p.A. and Group Companies. “Company” or “Bosch” or “Robert Bosch S.p.A.” or “RBIT” “Group Companies” Page 5 of 52 Robert Bosch S.p.A., with legal headquarters in Milano, Via Petitti n. 15, C.F. 00720460153 registration number in the Company register REA number MI-174459 all companies belonging to the group headed by Robert Bosch GmbH. Organisation, management and control model ex Leg. Decree 231/01 PRELIMINARY REMARKS The company was first set up in Stuttgart in 1886 by Robert Bosch (18611942) as a "High precision mechanical and electro-technical workshop". The activities of the Robert Bosch S.p.A. company currently involve commercial trading in all sectors of the construction, production, repair, sale and purchase even for retail and even via non financial lease, import, export and transit operations of: - components, accessories and parts including spare parts for vehicles of all kinds as well as systems and equipment for control and diagnosis; - electrical products, electrical tools, water heaters and boilers, radio equipment and related accessories and complementary parts, hydraulic, pneumatic and oleodynamic components and equipment, electrical control systems and action systems for industrial use and industrial equipment; - products, systems and plants for heating and air conditioning and other connected industrial products, as well as goods for the production and use of energy from renewable sources and equipment for the combined production of heat and electrical energy; - car-phones, radio-telephones, switchboards and telephone equipment, satellite navigation systems, electrical and mechanical material and generally speaking equipment powered by weak current sources; - objects that reproduce the above for learning or entertainment purposes. RBIT is also involved in: - the installation, assembly, repair, maintenance and providing technical assistance for all the previously identified articles, including the training and/or drilling of personnel in the use of the goods sold; - the undertaking of sales mandates; - the acquisition or sale on a rental or leasing basis of production systems and machinery, within the context of the previously outlined sectors; - the purchase and sale of patents, licences and production procedures in the above mentioned sectors; - the organisation and holding of professional training courses, meetings and seminars on the problems of a technical, regulatory, commercial administrative and management nature encountered in Page 6 of 52 Organisation, management and control model ex Leg. Decree 231/01 the business sectors the company is involved in or that may be related to them unless not legally authorised to do so; - providing administrative, management and company planning activities, with particular attention being paid to the data and the problems of Group companies; said activities being limited to areas which are not legally assigned to specific professional categories; - activities involving the processing, filing and management of databases and data supplied by clients and the organisation of consultancy services for the installation of hardware and software systems. The sole shareholder of Robert Bosch S.p.A. is currently: o Robert Bosch GmbH (which holds 100% of the share capital). The Board of Director's of Robert Bosch S.p.A., in the meeting held on 8 June 2005, approved the “Organisation, management and control model” in accordance with the Legislative Decree of 8 June 2001 no. 231, containing the “Regulations governing the administrative responsibility of judicial entities, companies and associations even devoid of judicial status, in accordance with art. 11 of Law no. 300 of 29 September 2000", while the Robert Bosch S.p.A. Shareholder's Meeting appointed the Supervisory Authority in the meeting also held on 8 June 2005. Following the coming into force of the new type of crimes considered relevant by the Leg. Decree 231/01 and the changes in the company organisation, during the course of 2011 and 2012 RBIT carried out a new risk assessment that led to the Board of Directors' approval of the new version of the Model in the meeting held on 25 May 2012. Subsequently, on 25 September 2012, the Board of Directors' approved the current version of the Model, including the special section concerning environmental crimes. As well as adopting the current Model, the Board of Directors' modified the composition of the Supervisory Authority, taking steps to appoint and assign supervisory and control powers and tasks as prescribed by the Decree in question. Page 7 of 52 Organisation, management and control model ex Leg. Decree 231/01 MODEL STRUCTURE The RBIT Organisation, Management and Control model is comprised of a "General Section" and by many "Special sections" each covering one of the family of crimes analysed in specific detail (as better specified below) and by a series of Enclosures which are referred to in each instance in the Model text and should be considered as an integral part of the Model itself. In the General Section, after a reference to the principles on which the Decree is based (as described in the previous Chapter 1), a presentation of the method used to develop the Models is provided (as described in Chapter 2). Subsequently the purpose and nature of the model are described, the recipients are identified along with the procedures for the implementation and the introduction of changes to the Model (see Chapter 3), this is followed by a description of the components of the preliminary control system (see Chapter 4), the features and operation of the Supervisory Board (see Chapter 5), the procedures introduced to disseminate the Model (see Chapter 6) and the penalty system associated to any breach of the principles established by the Model (see Chapter 7). The "Special Sections" have been drafted with reference to the specific crime categories to which RBIT is considered to be potentially exposed on the basis of the results of the Risk Assessment activities performed. The envisaged crimes, based on the assessments made, have been subdivided into the following categories: • • • • • • • • • Crimes against the Public Administration; Corporate crimes; Crimes related to the fencing, money-laundering and the use of funds, goods and services of illicit origin; Crimes related to health and safety at the workplace; Crimes related to computer criminality and violation of copyright; Crimes related to organised crime; Crimes relating to fraudulent activities in matters of trademarks, patents and distinctive labels; Crimes against industry and commerce; Environmental crimes. The Special Sections that have consequently been drafted are the following: • • • • Special Section A: "Crimes against the Public Administration"; Special Section B: "Corporate crimes"; Special Section C: "Crimes related to fencing, money-laundering and the use of funds, goods and services of illicit origin"; Special Section D: "Crimes related to health and safety at the workplace". Page 8 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • • • • Special Section E: "Crimes related to computer criminality and violation of copyright"; Special Section F: "Crimes related to organised crime". Special Section G: "Crimes relating to fraudulent use or exploitation of trademarks, patents and distinctive labels". Special Section H: "Crimes against industry and commerce" Special Section I: "Environmental crimes" The Enclosures are considered an integral part of the Model (and are recalled in each instance in the text of the document itself) and in particular RBIT's Code of Ethics and the Group's Code of Business Conduct (Enclosure 1.A and 1.B respectively). Each Special Section is therefore dedicated to the discussion of each crime category contemplated in the Risk Assessment activities performed (as described in Chapter 2) and is divided into the following sections: • • • • • description of the types of crimes that may be included in the family of crimes that is the object of that specific Special Section; identification of RBIT's company processes and activities where a potential risk of incurring in the above mentioned crimes exists based on the risk assessment activities performed (so called Sensitive Processes); examples of potential crimes for each Sensitive Process; an outline of the principles and rules of conduct that should be applied in performing the activities included in the Sensitive Processes, as an integration of the ethical system and the rules of conduct detailed in Chapter 4 of the General Section of this Model; with reference to the risk areas/Sensitive Processes a description of the activities involved in these areas is provided along with a few examples of how the crimes may be committed, as well as the indication of specific conduct and control principles consistent with the fundamental principles as defined in Chapter 4 of the General Section, in order to highlight specific aspects of the internal control system components that are relevant for Process supervision. Each Special Section therefore is designed to: • provide the Recipients with a clear illustration of the Company's organisation, management and control system as well as an example of how the crimes may be committed within each Sensitive process; Page 9 of 52 Organisation, management and control model ex Leg. Decree 231/01 • point out to the Recipients the specific principles and the general rules of conduct and the specific prescriptions to which they must comply in performing their activities. Page 10 of 52 Organisation, management and control model ex Leg. Decree 231/01 GENERAL SECTION 1. THE LEGISLATIVE DECREE NO. 231/2001 1.1 Fundamental characteristics and scope of application. With the coming into force of the Legislative Decree no. 231 of 8 June 2001, a form of corporate penal responsibility has been introduced into our legislation (and formally qualified as "administrative" responsibility. The Italian Legislator has thus complied with a series of European Community and international measures that called for greater responsibility to be allocated to entities that were involved in the perpetration of certain types of crimes of penal relevance. The legislation in questions foresees a responsibility allocated to entities that is added to that allocated to the physical persons who are materially engaged in the illicit conduct and which arises when certain crimes are committed in the interest or to the advantage of the entity, in Italy or abroad,by: • • persons who hold representative, administrative or management roles within the company or are at the head of an department provided with financial and operational independence, as well as by persons who are effectively responsible for management and control (the so called management positions); persons entrusted with the management or supervision of one of the above mentioned management positions. The recipients of the legislation according to the Decree are: the entities provided with legal status and companies and associations devoid of legal status. The following entities are expressly not included within the scope of the Decree: the State, all territorial Public Authorities, other non-economic public authorities, as well as entities that perform tasks of constitutional relevance. The Decree applies to both crimes committed in Italy and those committed abroad, providing the entity in question has its main offices on Italian soil and no action has been taken against it by the State where the crime has been committed. As far as crimes committed for which a responsibility of the entities is foreseen, the Decree takes into consideration crimes committed in relations with the Public Administration, company crimes, crimes related to counterfeiting, legal tender and stamp duties, the crimes committed for terrorist purposes or in order to overturn the democratic order, crimes Page 11 of 52 Organisation, management and control model ex Leg. Decree 231/01 against individuals, crimes of insider trading (abuse of privileged information) and market manipulation, cross-border crime regulated by Law no. 146/2006, negligent homicide and serious or very negligent bodily harm committed through violations in the regulations governing health and safety at the workplace, crimes of money laundering, fencing and the use of money, goods or utilities of illegal origin, computer crimes, crimes related to organised crime, forgeries of trademarks, patents or distinctive signs, crimes against industry and trade, crimes related to copyright infringements, crimes of incitement to not testify or to bear false testimony before the Judicial Authorities, and environmental crimes. More specifically, the Decree, in its original wording, referred exclusively to a series of crimes committed in relations with the Public Administration, and precisely the crimes of: • • • • • • • • • • • • undue collection of contributions, funding or other disbursements by the State or other public entity; misappropriation against the State or other public entity; fraud against the State or other public entity; aggravated fraud for the attainment of public disbursements; computer fraud against the State or other public entity; bribery of a public official; bribery of a public official to ensure they act against their official duties; judicial corruption; bribery of a person engaged in public service; bribery, corruption and instigation to accept bribes by members of the organisms of the European Community and representatives of the European Community and foreign states; instigation to accept bribes; bribe requests. On this point, it is specified that by a Person engaged in Public Service, in accordance with art. 358 of the Italian Penal Code, one here refers to anyone who "for whatever reason acts in the public service", the latter being defined as an activity governed by public authority regulations and authoritative deeds, but without authoritative or certifying powers. Whereas by Public Official, in accordance with art. 357 of the Italian Penal Code, one refers to anyone who "exercises a legislative, judicial or administrative public role". The administrative position governed by public legislation and by authorising measures and involving the definition and the expression of the will of the Public Administration, or its performance by means of authorising or certifying powers is considered a public position. Subsequently, art. 6 of Law 409, of 6 November 2001, containing "Urgent dispositions in preparation for the introduction of the Euro", included within Page 12 of 52 Organisation, management and control model ex Leg. Decree 231/01 the Decree the art. 25-bis, which is designed to punish counterfeiting, forgery of legal tender and tax stamps, and more specifically the crimes of: • • • • • • • • counterfeiting, spending and introduction into the state, with full awareness, of counterfeited currency; currency tampering; spending and introduction into the state, without awareness, of counterfeited currency; spending of counterfeit currency received in good faith; counterfeiting of filigree paper used for the production of legal tender or tax stamps; forgery of tax stamps, introduction into the state, purchase, custody or distribution of forged tax stamps; use of counterfeit or tampered tax stamps; production or custody of filigree paper or tools for the forgery of moneys, tax stamps or filigree paper. Subsequently, art. 3 of the Legislative Decree no. 61 of 11 April 2002, in force from 16 April 2002 within the context of the reform of company law has introduced the new art. 25 - ter into the Decree, which was then modified by Law no. 262, extending the area of administrative responsibility to the institutions even for so called corporate crimes; more precisely the responsibility was extended to include the crimes of: • • • • • • • • • • • • • • false or misleading company statements; false or misleading company statements detrimental to shareholders or creditors; deceitful statements in the reports or statements of the auditing companies (this article was subsequently revoked by art. 37 of Leg. Decr. no. 39 of 27 January 2010); obstructed control; unlawful restitution of capital contributions; unlawful allocation of shares and reserves; illicit operations on company or parent company shares or quotes; transactions to the detriment of creditors; fictitiously paid-up capital stock; unlawful allocation of company property on behalf of the liquidators; illicit influence on the general shareholders' meetings; share manipulation; obstacle to the exercise of public supervisory authority functions; failure to communicate a conflict of interests (introduced by Law no. 262/2005). The art. 25 quater, included in the original wording of the Decree by art. 3 of the Law no. 7 of 14 January 2003 (Ratification of the International Agreement against terrorist funding), has extended the administrative corporate responsibility to crimes with terrorist purposes or designed to Page 13 of 52 Organisation, management and control model ex Leg. Decree 231/01 overthrow the democratic order as envisioned by the penal code and the special laws and the crimes violating the prescriptions contained in the above mentioned Agreement. These include by way of non-limiting example: • • • • the promotion, setting up, organisation or management of associations with terrorist purposes even on an international scale or for the overthrow of the democratic order; assistance to its members (art. 270-ter of the Italian penal code); terrorist or subversive attacks (art. 280 of Italian penal code); terrorist acts involving murderous or explosive devices (art. 280-bis of the Italian Penal Code). The art. 25 quater.1, included in the original wording of the Decree by art. 3 of Law no. 7 of 9 January 2006 (Dispositions concerning the prevention and the prohibition of female genital mutilation practices), has extended the administrative responsibility of organisations to crimes involving mutilation of female genital organs as detailed in art. 583-bis of the Italian Penal code. The art. 25 quinquies, included in the original wording of the Decree by art. 5 of Law no. 228 of 11 August 2003 and modified by Law no. 38 of 6 February 2006 (Measures against human trafficking), has further extended the administrative responsibilities of organisations to crimes against individuals, such as: • • • • • • • forcing into slavery; slave trafficking and trading; sale and acquisition of slaves; prostitution of minors; pornography involving minors; possession of pornographic material involving minors; tourist initiatives for the exploitation of the prostitution of minors. The art. 25 sexies, included in the original wording of the Decree by article 9, paragraph 3 of Law 62 of 18 April 2005 n. 62 (Implementation of directive 2003/6/EC of the European Parliament and Council of 28 January 2003, relative to insider trading and market abuse and the directives of the 2003/124/EC, 2003/125/EC and 2004/72/EC) has further extended the administrative responsibility of organisations to market abuse crimes: • • insider trading; market abuse. The same Law no. 62 of 2005, in art. 187- quinquies of the Financial White Paper, had also called for a new form of responsibility for the Entity related Page 14 of 52 Organisation, management and control model ex Leg. Decree 231/01 to the perpetration of the illicit administrative conduct (not crimes) in its interest or to its advantage referred to as: • • insider trading (art. 185-bis of the Financial White Paper); market abuse (art. 185-ter of the Financial White Paper). The art. 10 of Law no. 146 of 16 March 2006 - not expressly mentioned in the Decree - as subsequently modified, has included the administrative responsibility of Entities for a series of crimes of a "cross-border" nature pursuant to art. 3 of the above mentioned law (criminal syndicates, mafia syndicates, association for the purpose of unlawful trafficking in narcotic drugs, association for the purpose of smuggling tobaccos processed abroad, incitement to not testify or to bear false testimony before the Judicial Authorities, aiding and abetting, granting illegal access onto the Italian State Territory or that of another State of which the person is not a citizen and aiding and abetting illegal permanence). By cross-border crime we here refer to a crime punished with a jail sentence not below a maximum of four years, if not involved in organised crime, or: a) is committed in more than one state; b) is committed in one state but a substantial part of the planning, management and control took place in another state; c) or it is committed in one state, but a criminal organisation is involved which is engaged in criminal activities in more than one state; d) or it was committed in one state but it has substantial effects on another state. Furthermore, the law no. 123 of 3 August 2007 has introduced into the Decree the art. 25 septies. subsequently reformulated by art. 300 of the Leg. Decree no. 81 of 9 April 2001; the above mentioned art. 25 septies establishes a further extension of the administrative responsibility of the Entities relative to crimes of: • • negligent homicide committed in violation of article 55, paragraph 2 of the legislative implementation degree of the assignment as referred to in Law no. 123 of 3 August 2007 on matters of health and safety at the workplace; negligent homicide and serious and very serious personal injury committed through negligent violations of the regulations governing health and safety at the workplace. The legislative decree no. 231 of 21 November 2007, published in the ordinary supplement no. 268 of the Official Gazette no. 290 of 14 December 2007, implemented the European Parliament and Council directive 2005/60/EC of 26.10.2005, concerning the prevention of the exploitation of the financial system for the purpose of laundering the proceeds of criminal activities and the funding of terrorism (so called Third Anti-laundering directive). Page 15 of 52 Organisation, management and control model ex Leg. Decree 231/01 This legislative decree extended the scope of application of the Leg. Decree 231/2001, through the introduction of the art. 25 octies designed to sanction crimes of: • • • fencing (art. 648 of the Italian Penal Code); money laundering (art. 648 bis of the Italian Penal Code); use of money, goods or benefits of illicit origin (art. 648-ter of the Italian Penal Code). The Law no. 48 of 18 March 2008, has introduced into the Leg. Decree no. 231/2001, the art. 24 bis, thus extending the responsibility of the entities even to computer crimes as foreseen by the following articles of the Italian Penal Code: • • • • • • • • • • 615 ter, (unlawful access to computer or telecommunication systems); 615 quater (unlawful possession and distribution of access codes to computer or telecommunication systems); 615 quinquies (distribution of equipment, devices or computer programs designed to damage or interrupt a computer or communication system); 617 quater (illicit tapping, obstruction or interruption of computer or network communications); 617 quinquies, (installation of equipment designed to tap, obstruct or interrupt computer or network communications); 635 bis, (damaging of information, data and computer programs); 635 ter, (damaging of information, data and computer programs used by the state or by any other public authority or in any case of public interest); 635 quater (damage to computer or communication systems); 635 quinquies, (damage to computer or communication systems used in the public interest); 491 bis (falsification of a public electronic document or that carries evidential effectiveness); 640 quinquies (computer tampering of the electronic signature certifier). The Law no. 94 of 15 July 2009, through art. 2, has introduced the art. 24 ter "organised crime felonies", designed to extend the scope of the entities' responsibility even to the following crimes: • • • Criminal syndicates (art. 416 of the Italian Penal Code); Mafia syndicates (art. 416 bis of the Italian Penal Code); crimes committed taking advantage of the conditions of the previously mentioned art. 416 bis or with the purpose of assisting the activities of the syndicates foreseen in the previous article (art. 24 ter, first paragraph, Leg. Decree 231/2001); Page 16 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • • • exchange of favours between political entities and the mafia (art. 416 ter of the Italian Penal Code); kidnapping for the purpose of theft or extortion (art. 630 of the Italian Penal Code); criminal association for the purpose of drug or psychotropic substance trafficking (art. 74 Presidential Decree 309/90); crimes related to the illicit production, introduction into the state, sale, transfer, custody and carrying in public place or place open to the public of small firearms and light weapons or such like or parts thereof, explosives, clandestine weapons, as well as more common firearms (art. 407, first paragraph, letter a) no. 5 of the Italian Civil Code of Procedure). The Law no. 99 of 23 July 2009, through art. 15 has introduced into the Leg. Decree no. 231/2001, as part of art. 25 bis the so called "crimes related to trademarks, patents and distinctive signs", with the extension of the scope of the entities' responsibility to the following crimes: • • counterfeiting, alteration or use of trademarks, or distinctive signs, or of patents, models and drawings (art. 473 of the Italian Penal Code); introduction into the state and trading of products with false signs (art. 474 of the Italian Penal Code). The same art. 15 of the Law no. 99 of 23 July 2009 has introduced, as art. 25 bis 1, the so called "crimes against industry and trade" thus extending the scope of the entities' responsibility to the following crimes: • • • • • • • • disruption of the freedom of industry and trade (art. 513 of the Italian Penal Code); illicit competition involving threats or violence (art. 513 bis of the Italian Penal Code); fraud against national industries (art. 514 of the Italian Penal Code); fraud in trade activities (art. 515 of the Italian Penal Code); sale of not genuine food substances as genuine (art. 516 of the Italian Penal Code); sale of industrial products with misleading signs (art. 517 of the Italian Penal Code); production and sale of goods produced by usurping industrial property rights (art. 517 ter of the Italian Penal Code); counterfeiting of geographic or place of origin indications of agricultural and food products (art. 517 quater of the Italian Penal Code). The Law no. 99 of 23 July 2009 has introduced the art 25-novies "Crimes involving the violation of copyright", designed to extend the scope of the entities' responsibility even to the following crimes: Page 17 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • • • • availability to the public, even through the introduction onto telecommunication networks, through concessions of any kind, of protected intellectual property or a part thereof, without being so entitled; the usurpation of the paternity of the work, the deformation, mutilation or modification of the work itself if the crime is committed to other person's work intended for publication or if this causes offence to the author's honour or reputation (art. 171 L. no. 633/41, first paragraph, lett - a-bis and third paragraph); the unlawful duplication, for profit, of computer programs; and for the same purpose, the importing, distribution, sale, custody for commercial or business purposes or rental of software contained on supports not bearing the SIAE marking;, in order to reap a profit, on supports not marked SIAE, the reproduction, transfer, distribution, communication, audience presentation of the contents of a database in violation of copyright law, or the extraction or reuse of the contents of a database in violation of the copyright laws, or the sale, distribution or rental of a database (art. 171-bis Law 633/41); reproduction and other illicit actions (such as the reproduction, duplication, audience distribution etc. ) of intellectual works or other typical works intended for television broadcasting or similar supports (art. 171-ter Law no. 633/41); failure by producers or importers of supports not subject to SIAE marking to communicate to SIAE within 30 days of their introduction onto the market or the importing of said supports, of the necessary information required for their unambiguous identification; false statements concerning the compliance with the obligations connected to the SIAE marking (art. 171 septies, L. no. 633/41); fraudulent production, import, sale, promotion, installation, modification, public or private use of equipment or parts thereof designed for the decodification of audiovisual transmissions with conditional access via the airwaves, satellite or cable, in both analogical and digital form (art. 171-octies L. no. 633/41). The Law no. 116 of 3 August 2009, in force as of 20 August 2009, extended the administrative responsibility of the entities so as to include the crimes of "incitement to not testify or to bear false testimony before the Judicial Authorities" as foreseen in art. 377-bis of the Italian Penal Code and recalled in art. 25-decies1 of the Decree. Finally the Leg. Decree 121/2011,in force since 16 August 2011, has introduced among the crimes included under the Decree even crimes against the environment (art. 25 undecies), such as: Page 18 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • • • • 1.2 The killing, destruction, capture, removal, detention of protected wild animal or plant species (art. 727 bis of the Italian Penal code) and destruction of the habitat within a protected site (art. 733 bis of the Italian Penal code); The discharge of industrial waste waters containing hazardous substances (art. 137, Leg. Decree 152/2006), unauthorised waste processing (art. 256, Leg. Decree 152/2006) failure to undertake site remediation and clearance (art. 257, D.lgs. 152/2006); violations in the compulsory keeping of waste transportation registers (art. 258, Leg. Decree 152/2006); illicit waste trafficking (art. 259, Leg. Decree 152/2006); activities organised for the purpose of illegal waste trafficking (art. 260, Leg. Decree 152/2006); violation of the controls on waste traceability (260 bis, Leg. Decree 152/2006); violation of dispositions on plant operation (art. 279, Leg. Decree 152/2006); Trading in animals at risk of extinction in violation of the dispositions of the same law (art. 1 and 2 of Law no. 150/1992), and the custody of wild animals that are deemed hazardous for public health and safety (art. 6 of Law 150/1992); the forgery and alteration of certifications required for the introduction of protected species into the European Community (art. 3 bis of Law 150/1992); The use of substances that are damaging to the ozone layer (art.3 of the Law no. 549 of 28 December 1999); Fraudulent pollution (art. 8 of Leg. Decree 202/2007) and negligent pollution (art. 9, Leg. Decree 202/2007) of the marine environment through discharge of waste from ships. The organisational Model as a form of exemption from liability The Decree foresees that the entity shall not be held responsible for the crimes committed by its so called management staff if it can prove that: • • • • it has introduced and effectively implemented appropriate organisation and management Models to prevent the crimes of the kind that have taken place, prior to their having been carried out; that it has assigned to a company department with independent powers of action and control the task of supervising the operation and compliance with the Model and the handling of all updating procedures; that the persons who have committed the crime fraudulently circumvented the above mentioned organisational and management models; that there has been no omission or insufficient vigilance on behalf of the organism indicated above. For the crimes committed by subjects that are not in a top management position the entity is responsible only when the perpetration of the crime has been made possible through a failure to comply with the obligations Page 19 of 52 Organisation, management and control model ex Leg. Decree 231/01 concerning management and supervision. In any case the failure to comply with the obligations concerning management and supervision is excluded if prior to the crime being committed the entity has introduced and effectively implemented an appropriate organisation, management and control model to prevent the crimes of the type that have taken place. The Decree foresees that the entities, in order to satisfy the above requirements, may adopt organisation and management models "based on codes of conduct drafted by the associations that represents these entities, as communicated to the Ministry of Justice which, through full collaboration with the competent Ministries, may produce an opinion on the appropriateness of the models to prevent crime". In compliance with these dispositions Robert Bosch S.p.A., in drafting this Model, has taken its inspiration from the guidelines issued by Confindustria. It should however be recalled that these indications represent a simple frame of reference to which each company may refer for the purpose of implementing the Model. These are suggestions which the company is free to take as its basis for the development of the Model. Each company must in the end adapt the guidelines to its own specific reality and therefore to its size and the specific activities it performs, and thus choose the technical procedures by which it can proceed to introduced the Model. Furthermore, with specific reference to the issue of health and safety at the workplace, it is essential to recall that art. 30 of the Leg. Decree no. 81 of 9 April 2008 establishes that the appropriate organisation and management model in order to be effective for administrative liability exemption purposes for the entities indicated in the Decree, must be introduced and effectively implemented, ensuring the setting up of a company system designed to fulfil all the connected juridical obligations relative to: a) compliance with the technical and structural standards prescribed by law for the equipment, plants, workplaces and all chemical, physical and biological substances; b) risk assessment activities and the introduction of the ensuing prevention and protection measures; c) activities of an organisational nature, such as emergencies, first aid, contractor management, regular safety procedure meetings, consultations with labour representatives on safety issues; d) health monitoring activities; e) employee information and training activities; f) supervisory activities with specific reference to the procedures and instructions on work safety being provided to the workforce; g) the acquisition of the necessary documentation and compulsory certifications required by law; h) the regular verifications carried out to ensure the application and effectiveness of the procedures implemented. Page 20 of 52 Organisation, management and control model ex Leg. Decree 231/01 The above organisation model must include appropriate registration systems detailing the actual performance of the activities listed above. The organisational model must in any case guarantee an appropriate allocation of tasks that may ensure that the necessary technical skills and powers are available to provide risk evaluation, management and supervision, based on the nature and size of the organisation and the type of activity it is engaged in, which shall also involve the introduction of an appropriate penalty system with the powers to sanction any failure to comply with the measures indicated in the model. The organisational model must also foresee a suitable supervisory system of the implementation and maintenance over time of the appropriateness of the measures implemented. The re-evaluation and any changes to the organisational model must be introduced if: • • significant violations to the regulations governing prevention of accidents and hygiene at the workplace are discovered, or as a result of changes in company organisation and activity due to scientific and technological progress. Finally, the above art. 30 establishes that, when first implemented, the company's organisational model must be drafted in compliance with: • • the UNI-INAIL guidelines for a health and safety management system at the workplace (SGSL) of 28 September 2001, or the British Standard OHSAS 18001:2007 which it is presumed comply with the requirements listed above for all matching sections. For the same purposes further organisation and management models may be indicated by the permanent advisory Commission on health and safety at the workplace, set up at the Ministry of Employment and Social Security by art. 6 of the Leg. Decree no. 81/2008. 1.3 The penalty system The Decree establishes that for the illicit conducts outlined above the entities may incur financial penalties and interdiction measures, the sentence may be published and the price and profit of the crime may be confiscated. The financial penalties are applied each time an entity commits one of the illicit conducts foreseen by the Decree. They are applied on a quota Page 21 of 52 Organisation, management and control model ex Leg. Decree 231/01 basis which cannot be below one hundred nor exceeding one thousand (each quota has a minimum value of between Euro 258.22 and a maximum value of Euro1,549.37) and may thus vary between a minimum fine of Euro 25,822.00 to a maximum one of Euro 1,549,370.00. For the purpose of quantifying the quotas the judge must bear in mind: • • • the seriousness of the crime; the degree of the entities' responsibility; the actions taken by the entity to eliminate or mitigate the consequences of the crime and prevent any further illicit actions being committed. The quota amount on the other hand is set based on the economic and asset conditions of the entity. In certain cases the financial sanction may even be reduced. The interdiction measures may only be applied to crimes for which they are specifically foreseen in the Decree when one of the following conditions is met: • • the entity has obtained a considerable profit from the crime in question and the crime has been committed by subjects in a top hierarchical position, or by subjects under the management of others while the perpetration of the crime has been made possible or facilitated by serious organisational shortcomings; if the illicit conducts have been reiterated. The interdiction measures that apply to the entities on the basis of the Decree are: • • • • • banning from the exercise of the activity, with ensuing suspension or revocation of the authorisations, licenses and concessions that are essential for the activities in question; the suspension or revocation of authorisations, licenses or concessions that have been instrumental to the perpetration of the illicit conduct; the prohibition from entering into contracts with the public administration, except to obtain public utility services; the disqualification from any subsidies, funds, contributions or aid and the revocation of any previously awarded; the ban from advertising goods or services. The type and duration (which may vary between three months and two years) of the interdictive sanctions may be set by the judge, on the basis of the criteria indicated for the quantification of the financial penalties. The Decree also envisages the possibility that certain sanctions be applied on a permanent basis (therefore exceeding the maximum duration of two Page 22 of 52 Organisation, management and control model ex Leg. Decree 231/01 years), in the presence of specific events that are considered particularly serious by the legislator. If necessary, the interdiction measures may be applied concomitantly. The judge, instead of enforcing the interdiction measures requiring the interruption of the entity's activity, may rule that the activity be continued under the management of a court-appointed administrative receiver for a period equivalent to the duration of the interdiction measure which would have been applied, provided one of the following conditions is met: • • the entity's activity involves providing a public service or a service of public utility the interruption of may cause serious prejudice to the community; the interruption of the entity's activity may lead to serious repercussions due to its size and the economic conditions of the area where it is located. If the interdiction measures are not complied with the penalty may be a jail sentence of between six months and three years against anyone engaged in the entity's activity to which the interdiction measures apply and is nevertheless found to have transgressed the obligations and prohibitions that the same measures have prescribed. In this case, against the entity in whose interest or to whose advantage the crime has been committed the financial administrative penalty to be applied shall vary between 200 and 600 quotas with confiscation of all related profits. If there is strong evidence to believe the entity is responsible for an illicit conduct ensuing from a crime and there are reasonable grounds and specific elements that would seem to indicate the likelihood that illicit conducts of the same kind may be reiterated, the interdiction measures outlined above may also be applied as precautionary measures. In addition to the above sanctions, the Decree, alongside the conviction, should also require the confiscation of the price or the profit earned through the crime as well as the publication of the sentence in the presence of an interdiction sanction at the entity's own expense. 1.4 The Confindustria Guidelines As previously recalled in paragraph 1.2, in order to make it easier for entities to prepare suitable Models, paragraph 3 of art. 6 of the Decree foresees that the trade associations can provide guidance by issuing specific codes of conduct to assist companies in the devising of organisation, management and control models. Page 23 of 52 Organisation, management and control model ex Leg. Decree 231/01 In this context, Confindustria has developed the "Guidelines for the construction of organisation, management and control models pursuant to Leg. Decree 231/2001”, approving its final text on 7 March 2002. Said Guidelines can be roughly outlined through the following fundamental points: A. identification of the risk areas, that is to say the company areas/sectors where it is possible that the prejudicial events foreseen by the Decree may take place; planning of a control system in order to prevent the perpetration of the crimes foreseen by the Model by introducing specific protocols. The most relevant components of the control system envisaged by Confindustria are: B. • • • • • • Code of Ethics; organisational system; manual and computer run procedures; authorisation and signing powers; control and management systems; personnel information and training. The control system components must be inspired by the following principles: • • • • • C. implementation of verification criteria, traceability, coherence and consistency of each operation; implementation of the function separation principle, which should entail that no one is in a position to manage an entire process independently; control documentation; introduction of an appropriate penalty system for violations of the Code of Ethics and of the procedures envisaged by the Model; identification of the pre-requisites of the Supervisory Authority (OdV) which should specifically include: independence and autonomy, a high level of professional expertise and continuity of action. information obligations of the OdV and towards the OdV. On 3 October 2002, Confindustria developed the "Integration Annex to the Guidelines for the construction of organisation, management and control models pursuant to Leg. Decree 231/2001 with reference to the crimes introduced by Leg. Decree 61/2002”. The objective of extending the dispositions included in the Decree to corporate crimes was to ensure a higher degree of transparency in company procedures and internal processes and as a consequence ensure a greater degree of control over management operations. Page 24 of 52 Organisation, management and control model ex Leg. Decree 231/01 This led to the twofold need to: a) define specific organisational and procedural measures - as part of the model previously outlined by the Guidelines for crimes against the Public Administration - designed to provide a reasonable guarantee that these kinds of crimes may be prevented; b) define the main tasks assigned to the OdV in order to ensure an actual, effective and continuous operation of the Model itself. The above Guidelines have been subsequently updated, the last review taking place on 30 March 2008. This last update was brought about by the need to adapt the Guidelines to the subsequent legislative modifications that have introduced into the Decree text the crimes against individuals, the crimes of insider trading and market abuse, cross-border crimes, negligent homicide and grievous or highly grievous bodily harm caused in violation of the regulations governing the protection of health and safety at the workplace, as well as the crimes of fencing, money laundering, and the use of money, goods or benefits of illegal origin. It is worth noting that the failure to comply with the specific points of the Guidelines does not affect the validity of the Model. The single Model, after all, must be drafted with reference to the actual concrete company reality, and may well move away from the Guidelines which by their vary nature are of a general character. Page 25 of 52 Organisation, management and control model ex Leg. Decree 231/01 2. THE MODEL DRAFTING AND IMPLEMENTATION PROCESS 2.1 The Company's choice Although the Decree does not impose the introduction of an Organisation, Management and Control Model, RBIT has considered it essential to take action in this regard in order to guarantee an ethically agreed conduct and to pursue compliance with the principles of legitimacy, correctness and transparency in the performance of company activities. Additionally the choice of implementing the Organisation, Management and Control Model fits in with RBIT's requirement to pursue its mission while strictly complying with the objective of creating value for its shareholders and strengthening national and international competition in the various business sectors. RBIT has therefore decided to implement an upgrading project compared to the contents of the Decree which has entailed a review of its own organisational structure, as well as its management and control tools, in order to implement its own Model. The latter is not just a valid awareness tool for everyone operating on behalf of the Company to ensure that a correct and straightforward conduct is adopted in performing one's own activities, but it is also an essential preventive tool to ensure that the crimes foreseen by the Decree are not committed. 2.2 Methodological approach used (omissis) 2.3 Drafting of the Organisation, Management and Control Model The Risk Assessment activities previously described and their results have been shared with the company management. This analysis, diagnosis and planning phase was then followed by the editing phase that led to the drafting of this Model and the definition of the elements of which it is comprised. Page 26 of 52 Organisation, management and control model ex Leg. Decree 231/01 Page 27 of 52 Organisation, management and control model ex Leg. Decree 231/01 3. THE ORGANISATION, MANAGEMENT AND CONTROL MODEL 3.1 Model purpose The introduction of the model aims to create a system of dispositions and organisational tools which aim to guarantee that the Company activity is performed while fully complying with the Decree and in order to prevent and sanction any attempts to engage in conduct which may involve the risk of committing one of the types of crime foreseen by the Decree. Therefore the Model sets itself the following objectives: • • to improve the system of Corporate Governance; the introduction of further principles and rules of conduct into the Company designed to promote and enhance an ethical internal approach, with a view to a correct and transparent business management; help to devise a structured and organic prevention and control system designed to reduce the risk of crimes being committed in the context of business operations; raise the awareness of all those who operate in the name and on behalf of RBIT in "areas of operation considered to be at risk", that if they violate the dispositions included herein they run the risk of incurring in an illicit conduct which is liable to carry with it sanctions against the author of the violation (at a civil, disciplinary and in certain cases, penal level) as well as against the Company (administrative responsibility pursuant to the Decree); to inform all those who operate for whatever reason in the name and on behalf or in any case in the interests of RBIT that the violation of the dispositions contained in the Model shall lead to the application of specific sanctions or the termination of the contractual relationship; to reassert that RBIT will not tolerate illicit conducts of any kind and regardless of their purpose, in so far as these forms of conduct (even if the Company were apparently to gain an advantage by them) are in any case contrary to the ethical principles RBIT intends to operate by; to actively curtail any conduct implemented in violation of the Model by inflicting disciplinary and/or contractual sanctions. • • • • • The Model prepared by Robert Bosch S.p.A is therefore based on a structured and organic system of protocols and control activities which: • • identify the areas and processes which are most at risk among all company processes, that is to say all those activities within which it is believed there is the highest likelihood that crimes may be committed; define an internal regulations system with the purpose of preventing the Crimes, which includes among others: Page 28 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • • 3.2. o a Code of Ethics and a Group Code of Business Conduct which expresses the ethical undertakings and responsibilities that must be complied with when conducting business or engaged in company activities; o a system of assignments, powers and proxies for the signature of company deeds which may provide a clear and transparent representation of how decisions are reached and implemented; o formal procedures, designed to regulate the operating and control procedures in the risk areas; it finds its basis in an organisational structure that is coherent with the activity performed by the Company and planned with the aim of ensuring on the one hand, a correct strategic and operational management of business activities and on the other an on-going supervision of the conducts involved. This control is guaranteed by ensuring a clear and organic allocation of assignments, by applying the right kind of function separation and by ensuring that the ordering of the organisational structure used is actually implemented by means of: o a formally defined, clear and appropriate organisational chart that is consistent with the activity performed by the Company; o a clear definition of roles and responsibilities assigned to each organisational unit; o a system of internal functional appointments and assignment of the Company's representational powers towards the outside that may ensure a clear and consistent function separation; the identification of a management and control procedure over the financial resources involved in at risk activities; assigns to the OdV the task of supervising the operation and compliance of the Model and suggest any necessary updates. Model characteristics and connections with the Code of Ethics The dispositions contained in this Model are integrated with those of the Code of Ethics introduced on 25 May 2012 by the Company's Board of Directors' (Enclosure 1 A) and with those of the "Code of Business Conduct" introduced by the company during the month of May 2008 (Enclosure 1.B). These dispositions are based on the principles of the latter documents, despite the fact that the Model, given the purpose it intends to pursue through the implementation of the dispositions found in the Decree, has a different scope compared to the Codes in question. From this point of view, after all: Page 29 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • 3.3 the Code of Ethics and the Code of Business Conduct represent tools introduced independently and are generally speaking subject to the implementation on behalf of the Company (and the Group) with the aim of expressing certain principles of "corporate integrity" which it acknowledges as its own and the observance of which it calls all Recipients to comply with; the Model on the other hand has been devised to satisfy the specific requirements of the Decree, and aims to prevent the perpetration of specific kinds of crimes relative to facts which, as they are committed to the apparent advantage of the Company, may entail an administrative responsibility based on the dispositions of the Decree itself. Model Recipients The Model's dispositions are addressed to all company organisms and their components, the employees, the Suppliers, the Contractors, the Company's agents, the Consultants, the project collaborators and temporary employees involved in Sensitive Processes, as well as the members of the Supervisory Authority that do not belong to the above categories. The subjects the Model is addressed to are required to comply very precisely with all its dispositions, even through compliance with duties of loyalty, correctness and due diligence that originate out of the legal relations set up with the Company. The Company disapproves of all conduct which, in addition to the law, deviates from the dispositions of the Model regardless of whether it is performed in the interest of the Company or is intended to produce and advantage for it. 3.4 Model introduction, modifications and integrations The Decree foresees that the management body should be responsible for the introduction of the Model, assigning to each entity the task of identifying within its ranks the organism to which this task should be assigned. Consistently with the indications provided by the "Confindustria Guidelines", Robert Bosch S.p.A. has singled out its own Board of Directors as the Management Body responsible for introducing the Model. The task of supervising the effective implementation of the Model has instead been assigned to the Supervisory Authority as prescribed by the Decree. Page 30 of 52 Organisation, management and control model ex Leg. Decree 231/01 As a consequence, seeing as this document is a "deed issued by the management body" (in compliance with the dispositions of art. 6 para. I lett. a) of the Decree) the subsequent modifications and integrations of a substantial nature to the same have been coherently been assigned to the competence of the same Board of Directors'. Among the substantial modifications we have included by way of nonlimiting example: • • • • • inclusion within this document of additional Special Sections; elimination of certain parts of this document; modifications to the OdV duties; identification of an OdV different to the one currently foreseen; updating/modification/integration of the control principles and rules of conduct. It is further acknowledged that the Managing Director, following a suggestion by the Legal Department, has the right to introduce possible changes or integrations to this document of a purely formal nature, on conditions that the content remains substantially unchanged, as well as introducing integrations, changes and updates to the Enclosures. These modifications and integrations must be promptly communicated to the Board of Directors' and the OdV. Page 31 of 52 Organisation, management and control model ex Leg. Decree 231/01 4. THE COMPONENTS OF THE PREVENTIVE CONTROL SYSTEM The Model devised by RBIT is based and is integrated within a structured and organic internal control system made up of protocols and rules, tools for the definition of responsibilities as well as company process monitoring mechanisms and tools, which were already in place prior to the publication of the Model. The control principles that have inspired the architecture of RBIT's internal control system, with particular reference to the Sensitive Processes outlined in the Model and consistently with Confindustria's dispositions, are described below: • • • • A clear identification of roles, tasks and responsibilities of the subject that are involved in the performance of the company's activities (whether internal or external to the organisation); Separation of the tasks between who operationally performs an activity, who checks it, who authorises it and who records it (where applicable); Ex-post verification and traceability of the operations: the relevant activities performed (particularly where Sensitive Processes are involved) must be appropriately formalized, with particular reference to the documentation produced as part of their performance. The documentation produced and/or available on paper or electronic supports, must be filed in an orderly and structured fashion by the positions/subjects involved. Identification of manual and automatic preventive controls and ex-post verifications: manual and/or automatic monitoring processes must be introduced in order to prevent crimes being committed or to detect any irregularities which might be in conflict with the objectives of this Mode on an ex-post basis. These controls are more regular, complex and sophisticated when carried out on Sensitive Processes which show a higher crime risk potential. On this basis one area that must be subjected to constant and thorough monitoring is the management of financial resources. These monitoring procedures include by way of example: • Protection of automated systems (access, data back-up, etc.); • Data reconciliation and balancing; • Ex-post monitoring/verification of the most significant activities/the most sensitive data; • Reports on the activities performed and dispatch to a hierarchically superior level. For the purposes of this Model we wish to highlight the following internal control system components as classified below: • system of ethical principles and rules of conduct; Page 32 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • • • • organisation system; authorisation and decision making system; policy and procedure system; training and information system; computer and computer software systems. These components of the control system (and the organisation and operational tools which they engender), consistently with the inspirational control principles outlined above, have been specifically assessed during the risk assessment activities performed (as anticipated in the "Methodology" Chapter) in order to verify their coherence with the aim of preventing illicit conduct as prescribed by the Decree. This process has brought to light that certain tools were already in place and operational before the introduction of this Model and have been considered valid and immediately applicable even for the current purposes. For some of them however areas of improvement have been identified so that they may satisfy the requirements of this Model 231 and provide a practical implementation of the principles it envisages. These corrective and improvement actions have been outlined in the "Action Plan" or "Executive Summary" (as detailed in Chapter 2). It is further specified that the above mentioned components of the internal control system, even if formalised in separate documentation from this Model, are referred to in the text of the Model and/or contained in the relative Enclosures and are therefore to be considered an integral part of it. It follows therefore that the compliance with the principles and the dispositions it contains are to be considered an essential aspect for the implementation and effectiveness of the Model itself. The following paragraphs provide a detailed description of the individual components that comprise the Bosch internal control system and are also relevant for the purposes of the Model. 4.1 System of ethical principles and rules of conduct The Company considers it essential that the Recipients comply with the ethical principles and general rules of conduct in the performance of their activities and in managing their relations with colleagues, business partners, clients, suppliers and with the Public Administration. These regulations are outlined in a number of company documents and primarily in: • • Robert Bosch S.p.A. Code of Ethics (expressly provided as an enclosure to this Model); Group Code of Business Conduct (expressly provided as an enclosure to this Model); Page 33 of 52 Organisation, management and control model ex Leg. Decree 231/01 • Parent Company dispositions (Guidelines and Central Directives) In particular the Guidelines and Central Directives refer to documents that apply to all Group companies, including Robert Bosch S.p.A., which govern the business activities and establish the rules of conduct that RBIT employees in particular must comply with in the performance of their activities. A list of some of the issues governed by the above mentioned Policies is provided below: - Conservation of assets; - The principle of security and the principle of safety; - Authorisation levels; - Management Control regulations (for example the 4 eyes principle); - Regulations for binding deeds (for ex. the principle of the double signature); - Internal controls. 4.2 Organisation system The RBIT system of organisation is established through the drawing up of an organisational chart and the issuing of functional assignments (powers of attorney), organisational procedures and organisational dispositions/job descriptions, which provide a clear indication of the functions and responsibilities assigned to each organisational unit. The company's organisational chart must represent in a clear and sufficiently detailed fashion the company's organisational structure, by identifying and naming the divisions and functions involved. (omissis) Page 34 of 52 Organisation, management and control model ex Leg. Decree 231/01 4.3 Authorisation and decision making system The Authorisation and decision making system involves a complex and coherent system of company power delegation and assignment based on the following dispositions: • • • • • • • the assignments must link each management post to the connected responsibility and an appropriate position in the company organisational chart and be updated as a result of changes in the organisation structure; each assignment must define and describe in very specific and unambiguous terms the management powers of the assignee and the subject to whom the assignee refers in terms of hierarchy and function; the management powers assigned with these assignments and their implementation must be consistent with company objectives; the assignee must be provided with the spending powers appropriate to the functions assigned to them; the powers of attorney may be granted exclusively to subjects provided with assignments or a specific position and must include the extension of the powers of representation and, possibly, numerically established spending limitations; the recipients of powers and assignments as well as the persons directly involved/interested must be duly informed and instructed regarding the extension and limitations of the single powers assigned to them; in particular everyone who holds relations with the Public Administration on behalf of RBIT must be provided with assignments/powers of attorney to this end. The decision making process concerning Sensitive Processes must be inspired by the following criteria: • • • each decision concerning the Sensitive Process operations, as identified below, must be formally traced (on paper or electronically); there may in any case never be subjective identity between the person who decides on the performance of a Sensitive Operation and the person who actually implements it and brings it to its conclusion; by the same token, there may never be subjective identity between those who decide and implement a Sensitive Operation and those who are invested with the power to assign any required economic or financial resources to it. The principles described above find application and formal definition in the following documents; • Board of Directors' decisions; Page 35 of 52 Organisation, management and control model ex Leg. Decree 231/01 • special powers of attorney; For the management of the allocation/revocation of powers/assignment process the Company has issued a disposition note for the Heads of Human Resource and Organisation, Finance and Company Business and General Management in which the responsibilities and the operating procedures for allocation, variation or revocation of specific powers of attorney are detailed. 4.4 Policy and procedure system (omissis) 4.5 Training and information program RBIT, through its specifically appointed training division with the support of the "TEC" training school internal to group companies and specifically designed for the purpose, takes particular care over the training of the resources that operate within its organisation. (omissis) 4.6 Computer and computer software systems (omissis) Page 36 of 52 Organisation, management and control model ex Leg. Decree 231/01 5. SUPERVISORY AUTHORITY 5.1 Identification of OdV pre-requisites In order to satisfactorily perform the roles indicated in the Decree this entity must satisfy the following pre-requisites: • • • autonomy and independence: as had also been highlighted in the Guidelines, the position of the Entity Organism, "must guarantee the autonomy of the control initiative from all forms of interference and/or conditioning on behalf of any Entity member" (including the Management Body). The Organism must therefore be included as a staff unit in a hierarchic position (the highest possible) and be expected to report to the top level of company operation. Besides this, in order to guarantee the necessary autonomy of action and independence, "it is essential that the OdV be not assigned operating tasks which, by requiring it to take part in operating decisions and activities, might undermine the objectivity of its assessments when assessing conducts and the Model itself". professional experience: this pre-requisite refers to the level of specialist technical knowledge which the Organism must have in order to be able to perform the activity the regulation assigns it. In particular, the members of the Organism must have specific knowledge of all useful techniques which may enable it to perform its inspection and consultant analysis activities over the control system and have appropriate juridical knowledge (particularly of corporate and penal law), as clearly specified in the Guidelines. It is after all essential that it be provided with analysis and risk assessment techniques, the ability to develop flow-charting of procedures and processes, manage fraud detection methods, statistical and structure sampling and be fully aware of how the crimes are actually carried out. continuity of action: in order to guarantee the effectiveness of the organisational Model, it is essential that a dedicated structure be constantly present and engaged full time in supervisory activities. Therefore the OdV must: • • • be independent and in a third party position compared to those whose activities it is supposed to verify; be placed at the highest possible hierarchic level; be assigned autonomous powers of action and control; Page 37 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • • • • be granted financial independence; not be involved in any operating tasks; engage in continuous supervisory action; have the required professional profile; introduce a systematic communication channel with the entire Board of Directors'. 5.2 Identification of the OdV The Board of Directors' of Robert Bosch S.p.A. has considered it advisable to set up a collegial organism to which it might assign the role of Supervisory Authority (henceforth also OdV). In particular, this organism is comprised of the following figures: • • • Head of Internal Audits; External expert; Head of Legal Department. The considerations expressed given the type and the specific nature of the Company have led to the conclusion that the ideal composition of the OdV is the collegial one, so as to guarantee the completeness of the required professional expertise and experience, as well as continuous operation. For a full compliance with the dictates of the Decree, the OdV as identified above is a subject which reports directly to the top Company management (Board of Directors') and is not connected to the operating structures by any hierarchic constraint, so that its full autonomy and independence in the performance of its functions can be assured. The activities performed by the OdV cannot be decided by any other organism or company structure, it being understood that the Management Body is in any case called upon to carry out supervisory activities on the appropriateness of its actions, seeing as it is ultimately responsible for the operation and effectiveness of the Model. As a further guarantee of the autonomy and in compliance with the provisions of the "Confindustria Guidelines", as part of the drafting procedures of the company budget, the Management Body must approve an allocation of financial resources, as suggested by the OdV itself, which the OdV may dispose of for any requirement necessary for a correct performance of its assignment (i.e. specialist consultancies, business trips, etc.). The members of the OdV have the capacity, knowledge and professional competence as well as a reputation for honorability that are essential for the performance of the tasks assigned to it. In fact the OdV in the Page 38 of 52 Organisation, management and control model ex Leg. Decree 231/01 composition outlined above is equipped with the appropriate inspection and consultancy capacities, with particular reference, among other things, to auditing techniques, fraud detection, risk analysis and assessment and penal judicial competence. Furthermore, in compliance with the dispositions of the "Confindustria Guidelines", the best practices and the jurisprudence on this point, it is believed that the OdV in the composition detailed above has the necessary requirements of independence, autonomy and continuity of action, seeing as it can rely on internal RBIT components (Head of Internal Audits and Head of the Legal Department) and on the presence of an external specialist with long-standing experience in penal matters as Chairman of the OdV. The allocation of the role of OdV to subjects other than those identified or the modification of the functions assigned to the OdV must be decided by the Board of Directors'. 5.3 OdV appointment procedure and duration of post (omissis) Page 39 of 52 Organisation, management and control model ex Leg. Decree 231/01 5.4 Reasons for ineligibility, reasons and powers of revocation (omissis) 5.5 OdV functions The OdV is completely independent in the performance if its tasks and its deliberations are unquestionable. In particular the OdV must: • • • supervise compliance with the Model on behalf of its Recipients; oversee the effectiveness and appropriateness of the Model relative to the company structure and its actual capacity to prevent crimes being committed; suggest and solicit the updating of the Model when they discover the need for updating based on changed company or regulatory conditions or changes in the external context. The OdV must also operate: • • • ex-ante (thus taking steps to provide appropriate training and information to personnel); continuously (though monitoring, supervision, review and updating activities); ex-post (through analysis of the causes and circumstances that may have led up to a violation of the Model's dispositions or a crime having been committed). For an effective performance of the above outlined functions, the OdV is assigned the following duties and powers: • • • • regular verification of the risk area maps in order to ensure updating relative to the changes introduced to the activity and/or to the company structure; collection, processing and filing of information relevant to the Model; regular verification of the actual implementation of company control procedures in the areas of at risk activities and effectiveness monitoring; verification of the implementation of the actions identified for the solution of critical elements relative to the internal control system detected during the risk assessment procedures (Action Plan), as detailed in paragraphs 2.2.1, 2.2.2, 2.2.3 and 2.2.4. Page 40 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • • • • • • • carry out regular verifications on specific operations and actions performed within the context of Sensitive Processes; conduct internal investigations and inspections to check on any supposed violations of the Model's dispositions; monitor the appropriateness of the penalty system foreseen for violations of the rules established by the Model; coordinate with the other company departments, as well as with the other control bodies (first among which the auditing company and the Board of Statutory Auditors), even through specific meetings, so as to improve the monitoring of the activities relative to the procedures set up by the Model, or in order to identify new at risk areas, as well as assessing in a more general way the various aspects related to Model implementation; coordinate and cooperate with the subjects responsible for health and safety supervision of the workforce in order to ensure that the control system pursuant to the Decree is integrated with the control system implemented in compliance with the special regulations governing safety at the workplace; coordinate with the heads of the company departments in order to promote initiatives for the dissemination of knowledge (which may even involve the organisation of training courses) and the understanding of the Model's principles and to ensure the drafting of the internal organisation documentation required for its operation, containing instructions, clarifications or updates; carry out regular verifications of the content and quality of the training programs; suggest evaluation criteria to the Management Body for the identification of Sensitive Operations. To this end the OdV will have the right to: • issue dispositions and service orders designed to regulate the activity of the OdV itself; • access to all and any company documentation for the purpose of performing the tasks assigned to the OdV in accordance with the Decree; • issue directives to the various company structures, even at top management level, in order to obtain information from the latter that is considered necessary for the performance of its duties, so that a prompt identification of any Model violations is guaranteed; • carry out regular verifications based on its own action plan or even spot checks not scheduled in said plan, but nevertheless deemed necessary in order to fulfil the OdV's purpose. (omissis) Page 41 of 52 Organisation, management and control model ex Leg. Decree 231/01 The OdV will draft its own Rules and Regulations which will ensure its organisation and the functional aspects such as for example the regularity of the inspections, the decision making procedures, the summoning procedures and the minute taking for its meetings, the resolution of any conflicts of interest and the methods to be used for the modification and revision of the regulations themselves. Additionally, within these Regulations, the OdV must expressly foresee formal instances of meeting and discussion, particularly involving: • • • • the Board of Statutory Auditors; the Company account Auditing Company; the relevant actors involved in the internal control system; the relevant actors involved in the system of management responsible for health and safety at the workplace. The object of these meetings will be primarily to discuss and coordinate actions with the subjects involved in the so called front line of control system implementation, each according to their specific area of responsibility, in order to enable the OdV to identify possible areas where monitoring may be improved in order to increase the effectiveness of the Model. With this it mind it will up to the OdV to verify with these same entities the effectiveness of the flow of information it receives, as defined in paragraph 5.7 "Required information to be forwarded to the Supervisory Authority". The OdV will take steps to regulate the operating procedures and the scheduling of these meetings, identifying in each instance the subjects that need to be involved, as well as the agenda of the meetings in question. Furthermore, the OdV will draft its own "Activity Plan" which it intends to carry out in order to fulfil the duties assigned to it, and which shall be duly communicated to the Management Body. 5.6 Required information to be forwarded to the Supervisory Authority In order to facilitate the supervisory activities over the actual implementation and effectiveness of the Model, the OdV must be provided with: • • Page 42 of 52 reports of any presumed or actual violations of the model (henceforth Reports); useful information required for the performance of the supervisory duties assigned to the OdV (henceforth classified as General Information and Information on Sensitive Operations). Organisation, management and control model ex Leg. Decree 231/01 The OdV must also be allowed access to all types of information that may be deemed useful for the performance of its activities. This necessarily requires that the OdV must consider all acquired information as strictly confidential. More specifically, all the Recipients must promptly report to the OdV any actual or even presumed violations of the Model regulations. These Reports must be sufficiently accurate and detailed and ascribable to a specific company sector or events; it should be underlined that these Report may concern any company area with relevance in terms of the application of the Leg. Decree 231/2001 and the current Model, including violations of the Model deemed relevant in terms of health and safety at the workplace. It is further underlined that these Reports may also be sent to the OdV by Worker Safety Representatives provided this function is not already fulfilled by a subject identified among the Model's Recipients. (omissis) In any case in order to facilitate the supervisory activities assigned to it, the OdV must be promptly provided with all General Information considered useful for the purpose which, by way of non-limiting example, may include: • • • • • • • • any critical, anomalous or atypical events encountered by company management during Model implementation; any proceedings and/or news received from the judicial police authorities or any other authority from which one may infer that investigations are underway, even against unknown parties, for particular crimes; the internal and external communications concerning any event which may be connected to a possible crime among those included in the Decree (i.e. disciplinary proceedings set in motion/implemented against any employees); any requests for legal assistance forwarded by employees following the opening of criminal judicial proceedings; any investigation committees or internal reports concerning responsibilities for potential crimes included in the Decree; any news on disciplinary proceedings carried out in relation to Model violations and any sanctions issued (including the proceedings against employees) or indeed any case dismissal actions concerning said proceedings with their relative motivations; any news on changes to the organisational structure; the updating of the assignment and power of attorney system (including the system for allocation of powers on matters of health and safety at the workplace); Page 43 of 52 Organisation, management and control model ex Leg. Decree 231/01 • • • • any news related to changes in key positions of the organisational structure affecting matters of health and safety at the workplace and environmental procedures (i.e.: changes of positions, assignments and in the subjects responsible for worker protection); changes to the regulatory system on matters of health and safety at the workplace and the environment; any communications issued by auditing company concerning aspects that may refer to failings of the internal control system, any reprehensible facts, all observations made on the Company accounts; any assignment conferred or which it is intended to confer to the auditing company or to companies linked to it, other than accounting review or account verification; copies of the minutes of the meetings of the Board of Directors' and the Board of Statutory Auditors. This General Information must be supplied to the OdV by the heads of the various company departments depending on their area of competence, and coordinated by at least one Managing Director. Besides what will be specified below regarding the Informations handled by Process Owners concerning Sensitive Operations, the e-mail [email protected] is available for the forwarding of Reports and General Information. (omissis) Page 44 of 52 Organisation, management and control model ex Leg. Decree 231/01 5.7 OdV Reporting (omissis) Page 45 of 52 Organisation, management and control model ex Leg. Decree 231/01 5.8 Information filing (omissis) Page 46 of 52 Organisation, management and control model ex Leg. Decree 231/01 6. MODEL DISSEMINATION To guarantee the effectiveness of the Model, it is of major importance that the rules of conduct that it contains be fully understood by the company's human resources as well as those that may join the company in the future, as well as by every other Recipient, with a different degree of understanding depending on the level of involvement in Sensitive Processes. 6.1 Initial communication In order to guarantee its effective knowledge and application, the implementation of the Model is formally communicated by Board of Directors' to the various Recipient categories. In particular, following the Model's approval, the Company employees and subsequently all new employees are required to sign a statement indicating they have become fully conversant with the Model itself and undertake to comply with its dispositions (Enclosure 2). As far as Company Collaborators, Suppliers, agents, distributors as well as external Consultants and Contractors, the letter of assignment or contract which sets up a form of collaboration must explicitly contain clauses drafted in line with the one shown in Enclosure 3 which may also be drafted on a separate documents compared to the contract itself (Enclosure 4). All temporary workers shall also be required to underwrite a statement of acknowledgement of the Model itself and the commitment to comply to its dispositions (Enclosure 5). In the case of reviews and/or significant updates of the Model the Company shall takes steps to duly inform the Recipients. The Model shall also be made available according to the procedures and the tools that the Board of Directors' shall decide to implement such as for example the publication on the Company's internet site, or by making the Model available in hard copy form in each plant location. Page 47 of 52 Organisation, management and control model ex Leg. Decree 231/01 6.2 Personnel training on the issues of the Leg. Decree 231/01 The training of all personnel for the purposes of the implementation of the Model is entrusted to the Board of Directors' which must identify the most qualified resources (internal or external to the Company) to which it may entrust its organisation. (omissis) Page 48 of 52 Organisation, management and control model ex Leg. Decree 231/01 7. PENALTY SYSTEM The Decree establishes that a "penalty system capable of sanctioning any failure to comply with the measures indicated in the model" must be introduced both for subjects in top management positions and subjects who are managed and supervised by others. The existence of a system of applicable sanctions in the presence of a failure to comply with the rules of conduct, dispositions and internal procedures detailed in the Model is in fact essential in order to guarantee the effectiveness of the Model itself. The implementation of the sanctions in question must be totally independent of the any developments or outcome of any penal or administrative procedures set in motion by the Judicial or Administrative Authorities, if reproachful is also valid as an integration of a crime case which is relevant in accordance with the Decree or a penal or administrative crime which has relevance pursuant to the regulations governing health and safety at the workplace. In fact, the rules imposed by the Model are introduced independently by the Company regardless of whether any of these conducts may constitute a form of illicit penal or administrative conduct and that the Judicial or Administrative Authorities may intend to press charges against this illicit conduct. The verification of the appropriateness of the penalty system, the constant monitoring of any sanction implementation procedures against employees as well any actions taken against external subjects is assigned to the OdV, which is also responsible for reporting any infringements it may become aware of in the performance of its own specific duties. Without jeopardy to the provisions of paragraph 5.4 ("Reasons for ineligibility, reasons and powers of revocation"), the established penalty system may even be applied to members of the OdV, relative to the functions that are assigned to it under this Model (see on this point the subsequent paragraph 7.4). 7.1 Model violations Model violations consist of: 1. conduct which integrate the crime categories contemplated by the Decree; 2. conduct which, despite not being included among the crime categories detailed by the Decree, are nevertheless directed without question to their being committed; 3. conduct not compliant with the procedures indicated in the Model and the Code of Ethics and Code of Business Conduct principles Page 49 of 52 Organisation, management and control model ex Leg. Decree 231/01 4. conduct not compliant with the Model dispositions or recalled by the Model. (omissis) 5. conduct of a non collaborative nature towards the OdV, consisting by way of a non-limiting example, in the refusal to provide the required information or documentation, the failure to comply with the general and specific directives issued by the OdV in order to obtain the information considered necessary in order to fulfil its assignments, the unjustified failure to take part in scheduled inspection meetings with the OdV, the failure to take part in training meetings. (omissis) 7.2 Measures taken against employees The violation of the single conduct rules of this Model on behalf of employees subject to the "Collective Bargaining Agreement for employees of service industry companies involved in distribution and services of 17 July 2008 (renewed on 26 February 2011)", and subsequent renewals, constitutes an sanction able illicit conduct. (omissis) Page 50 of 52 Organisation, management and control model ex Leg. Decree 231/01 7.3 Model violation on behalf of management and ensuing actions As far as violations to the single rules of conduct foreseen by this Model and perpetrated by Company employees holding "management" roles, these also constitute a sanctionable illicit conduct. (omissis) 7.4 Measures against the members of the Management Body, the Board of Statutory Auditors and the members of the OdV In the case of Model violations on behalf of one or more members of the Company's Management Body, the OdV shall inform the entire Board of Directors' and the Board of Statutory Auditors who shall take the appropriate actions depending on the seriousness of the violation committed. (omissis) 7.5 Measures taken against project collaborators and temporary workers, Consultants, agents, Suppliers and Contractors involved in Sensitive Processes. Each violation perpetrated by the project collaborators or temporary workers, by Consultants, agents, Suppliers or Contractors involved in the Sensitive Processes, depending on the prescriptions of the specific clauses included in their respective contract, may lead to the contract's termination, without jeopardy to any possible claims for reimbursement, if the conduct in question leads to damages being incurred by Robert Bosch S.p.A., as would be the case if the Judge calls for the application of the measures included in the Decree. Page 51 of 52 Organisation, management and control model ex Leg. Decree 231/01 ENCLOSURES • • Enclosure 1.A: Code of Ethics Enclosure 1.B: Code of Business Conduct (OMISSIS) Page 52 of 52