Organisation, Management and Control Model pursuant to Legislative Decree No. 231/2001. Index

Transcription

1 Organisation, Management and Control Model pursuant to Legislative Decree No. 231/2001

2 Index APPROVAL AND MANAGEMENT OF ANY AND ALL AMENDMENTS TO THE ORGANISATION, MANAGEMENT AND CONTROL MODEL OF PERMASTEELISA S.P.A DEFINITIONS... 5 INTRODUCTION... 7 RECIPIENTS... 7 THE ADMINISTRATIVE LIABILITY OF COMPANIES... 9 THE ADMINISTRATIVE LIABILITY REGIME FOR ENTITIES... 9 EXEMPTING FROM ADMINISTRATIVE LIABILITY CONFINDUSTRIA GUIDELINES PERMASTEELISA S.P.A CORPORATE CONTEXT THE COMPANY'S GOVERNANCE SYSTEM THE ORGANISATION, MANAGEMENT AND CONTROL MODEL OF PERMASTEELISA S.P.A THE AIMS AND MAIN FEATURES OF THE MODEL ACTIVITIES AIMED AT ASSESSING THE EXISTING MODEL AND AT ITS AMENDMENT, IF NECESSARY THE ORGANISATION, MANAGEMENT AND CONTROL MODEL FOR THE PREVENTION OF RISKS OF OFFENCE IN THE MATTER OF HYGIENE AND SAFETY IN THE WORKPLACE THE ENVIRONMENTAL MANAGEMENT SYSTEM THE MODEL'S STRUCTURE THE RELATION BETWEEN THE MODEL AND THE CODE OF ETHICS ADOPTION OF THE MODEL AND AMENDMENTS TO THE LATTER METHOD FOR ASSESSING AND MANAGING RISKS RISK ASSESSMENT MAPPING OF THE AREAS AND MAPPING OF THE BUSINESS ACTIVITIES 'AT RISK OF OFFENCE' (ARTICLE 6, PARAGRAPH 2, LETTER A, OF THE DECREE) RISK MANAGEMENT PLAN THE ORGANISMO DI VIGILANZA APPOINTMENT AND TERMINATION OF THE ORGANISMO DI VIGILANZA OFFICE THE FUNDAMENTAL CONDITIONS OF THE ORGANISMO DI VIGILANZA INDIVIDUATION OF THE ORGANISMO DI VIGILANZA DUTIES OF THE ORGANISMO DI VIGILANZA REPORTING TO THE CORPORATE BODIES ACTIVITIES RELATED TO THE MANAGEMENT OF THE INFORMATION FLOW TOWARDS THE ODV THE POWERS OF THE ORGANISMO DI VIGILANZA THE ORGANISMO DI VIGILANZA'S BUDGET THE RELATIONS BETWEEN THE ORGANISMO DI VIGILANZA AND THE INTERNAL AUDITING DEPARTMENT THE DISCIPLINARY AND PENALTY SYSTEM DEFINITION AND LIMITS OF THE DISCIPLINARY LIABILITY RECIPIENTS OF THE DISCIPLINARY SYSTEM AND THEIR DUTIES GENERAL PRINCIPLES CONCERNING THE PENALTIES PENALTIES AGAINST WORKERS, CLERKS AND SENIOR MANAGERS PENALTIES AGAINST EXECUTIVES MEASURES AGAINST TOP MANAGERS

3 MEASURES AGAINST THE MEMBERS OF THE ORGANISMO DI VIGILANZA MEASURES AGAINST OUTSIDE COLLABORATORS AND CONTRACTUAL COUNTERPARTIES TRAINING AND SPREADING OF THE MODEL DISCLOSURE INFORMATION TO OTHER THIRD PARTIES THE MODEL WITHIN THE SCOPE OF THE GROUP INTRAGROUP TRANSACTIONS

4 Approval and management of any and all amendments to the Organisation, Management and Control Model of Permasteelisa S.p.A. This version of the Organisation, Management and Control Model was approved by the Board of Directors of Permasteelisa S.p.A. on 3 rd September Document: Organisation, Management and Control Model pursuant to Legislative Decree No. 231/2001 Documento Istitutivo Modello di Org.Gest.Contr.-P.IsaSpa 2013 File: rev doc (Documento Istitutivo Modello di Org.Gest.Contr.-P.IsaSpa 2013 rev151013_uk.doc, English translation, ndt) 1 st Approval: Board of Directors st Amendment: Organismo di Vigilanza nd Amendment: Organismo di Vigilanza rd Amendment: Organismo di Vigilanza

5 Definitions Activity at risk of offence: shall mean the process, transaction, action, or the whole series of transactions and actions which may expose the Company to the risk of penalties pursuant to the Decree as a result of the perpetration of an Offence; Collective Bargaining Agreement: shall mean the Collective Bargaining Agreement applicable to all Company employees; Parent Company or Company: shall mean Permasteelisa S.p.A.; Code of Ethics: shall mean the whole series of principles and values formalised and adopted by Permasteelisa S.p.A. for carrying out its own entrepreneurial activity; Legislative Decree No. 231/2001 or Decree: shall mean Legislative Decree No. 231 of 8 June 2001 on the 'Administrative liability of legal entities, companies and associations, even if lacking legal personality, pursuant to article 11 of Law No. 300 of 29 September 2000', published in State Gazette No. 140 of 19 June 2001, as amended; Recipients: shall mean the persons identified under the Chapter 'Recipients' of this Model, who are under the obligation to abide by the provisions under such Model; General Management: shall mean the company's executive body; Permasteelisa Group: shall mean the entire companies controlled by the Parent Company; Guidelines: shall mean the Code of conduct prepared by Confindustria; Model: shall mean the Organisation, Management and Control Model which the Corporate Bodies deem fit to prevent the Offences and, therefore, adopted by the Company, pursuant to articles 6 and 7 of the Legislative Decree, in order to prevent the perpetration of the Offences by any top managers or employees, as described under this document and the relevant Enclosures hereto; Organismo di Vigilanza or OdV: shall mean the Body foreseen under article 6 of the Decree, having the duty to supervise the implementation of and the compliance with the Organisation, Management and Control Model, as well as any and all updates thereof, as provided for under Chapter 'Organismo di Vigilanza' of this Model; Corporate Bodies: shall mean the Board of Directors and/or the Board of Statutory Auditors of the Company, depending on the sense of the sentence of reference; Top Managers: shall mean the persons under article 5, paragraph 1, letter a), of the Decree, namely, the persons having representative, management or executive duties within the Company. In particular, the members of the Board of Directors, the Chairman and any legal representatives and proxies of the Company, as well as any person having an independent power to take decisions in the name and on behalf of the entity; Employees or staff working under the instructions of managers: shall mean the persons under article 5, paragraph 1, letter b), of the Decree, namely, all those persons working under the instructions or supervision of Top Managers; 5

6 Predicate Offences: shall mean the relevant offences pursuant to Legislative Decree No. 231 of 8 June 2001, as listed in detail under Enclosure 1 'List of Offences' hereto. 6

7 Introduction The Company commenced the process of alignment of its own organisational and control system with the provisions under Legislative Decree No. 231/2001 throughout Later on, the Company made all necessary amendments to its own Organisation, Management and Control Model, in compliance with recent law developments such as, for instance, the update of the mapping of areas which are sensitive to the new criminal offences that are relevant for the Company, as well as the implementation of new organisational procedures. With the aim to have a more efficient management, on 03/09/2014, the Company adopted this third updated version of the Organisation, Management and Control model pursuant to Legislative Decree No. 231/2001 which, in compliance with the provisions under the Decree and under this Model, shall be constantly updated in light of any changed corporate needs, of any organisational changes, or of the integration of the list of Criminal Offences provided for under the Decree. Recipients The following shall be the recipients (hereinafter, the Recipients ) of the Model, who hereby undertake to comply with the contents thereof: any persons having, even de facto, administration, executive, management or control duties within the Company or within any of its head departments having financial or functional independence (the so-called Top Managers); Company employees (the so-called staff working under the instructions of managers); the directors, executives and employees of the other Permasteelisa Group companies rendering on behalf of the company to whom they belong intragroup services on behalf of or in the interest of the Company, within the scope of the sensitive activities identified and described in detail in the Risk Assessment Outcome Document; any persons collaborating with the Company pursuant to freelance or temporary or pro tem work (project-based workers, agents, representatives, etc.); any person who, even if not belonging to the Company, works as a result of a mandate or on behalf of the latter (advisors, experts, etc.); the suppliers and partners (also by way of temporary association of companies and joint ventures) who work with the Company within the scope of the so-called sensitive activities. At the time of signing contracts or agreements with third parties, the Company provides its own interlocutors with the respective Code of Ethics, by informing them of the existence of the Organisation, Management and Control Model, and by requesting compliance with the principles set forth under the Code of Ethics and under Legislative Decree No. 231/2001. In any event, any agreement governing the relations with third parties shall foresee specific clauses providing for clear liability in connection with the failure to abide by the Company's business policies, the Code of Ethics and the principles of this Model as well as, if necessary, the obligation to meet any request for information or for the production of documents by the Company's OdV, and to directly report to the Company's OdV any breache of the Model or of the procedures set forth for the respective implementation. 7

8 All Model Recipients shall be under the obligation to comply, with the greatest due diligence, with the provisions included therein and with the respective implementation procedures. 8

9 The administrative liability of companies The administrative liability regime for entities Legislative Decree No. 231/2001 on the 'administrative liability of legal entities, companies and associations, even if lacking legal personality' has introduced in Italy for the very first time the administrative liability, ascertainable in criminal proceedings, of entities for some offences perpetrated 'in the interest of or to the advantage of' such entities, by persons having representative, management or executive duties within the entity, or within one of its head departments having financial and functional independence, as well as by persons managing and controlling the entity even de facto (the so-called top managers) and by any persons working under the instructions or supervision of one of the persons mentioned above (the so-called staff working under the instructions of managers). The Decree excludes the entity's liability in the event that the top manager or member of staff working under the instructions of a manager has acted in his/her own interest or in the interest of third parties. The aforesaid liability needs be added to that of the natural person having physically perpetrated the criminal offence. The Offences cross-referenced by the Decree, that is the Offences whose perpetration may entail the administrative liability of entities 1, are - to date: Undue receipt of public funds; Fraud against the Public Authorities; Aggravated fraud for obtaining public funds; Computer fraud against the Public Authorities; Bribery for the fulfilment of the respective office 2 ; Bribery for the exercise of an act against the respective official duties; Judicial bribery; Bribery amongst private persons 3 ; Incitement to bribery; Extortion; Undue incitement to give or promise any benefit 4 ; Misuse of public funds; Counterfeiting legal tender, public credit notes and revenue stamps; False corporate disclosures; False corporate disclosures to the detriment of shareholders or creditors; False statement(s) in a prospectus; Prevented control; Fictitious capital formation; Undue return of contributions; Illegal distribution of profits and reserves; Illegal transactions over company shares or quotas, or over the parent company's shares or quotas; Transactions to the detriment of creditors; 1 For an in-depth analysis of the offences cross-referenced by the Decree, cross-reference is hereby made to Enclosure 1 hereto, which includes information pertaining to the criminal offences and to the Guidelines of sector associations - where it is possible to find an analysis of the behaviours used also in the relevant risk assessment activities. 2 Heading of the offence amended by way of Law No. 190 of 6 November 2012 on 'the prevention and repression of bribery and illegality within the public authorities'. 3 Offence introduced by Law No. 190 of 6 November 2012 on 'the prevention and repression of bribery and illegality within the public authorities'. 4 Offence introduced by Law No. 190 of 6 November 2012 on 'the prevention and repression of bribery and illegality within the public authorities'. 9

10 Undue distribution of corporate assets by liquidators; Undue influence on the Shareholders' Meeting; Rigging the market; Obstacle to the exercise of the duties of the public supervisory authorities; Crimes aimed at terrorism or at subverting democratic order; Crimes against the individual personality; Market Abuse crimes; Receiving of Stolen Goods and Money Laundering; Crimes relating to the smuggling of migrants; Hindrance to the Judiciary; Manslaughter and serious or very serious personal injury; Computer crimes; Copyright infringements; Infringement of distinguishing marks; Patent infringement and infringement of industrial property rights; Trade fraud; Food crime; Associative, mafia-type and weapon related offences; Environmental crimes 5 ; Use of citizens from third party countries with irregular stay 6. As regards the penalties which may be inflicted on the entity held liable for one of the Predicate Offences, article 9, paragraph 1, of the Decree identifies the following: pecuniary penalty, which consists in an amount of money quantified based on the seriousness of the offence, the entity's level of liability, the activity carried out in order to remove the consequences of the criminal offence and to mitigate the consequences, or to prevent the perpetration of other unlawful acts. The judge shall take into consideration the entity's financial and asset situation, as well as the aim of ensuring the effectiveness of the penalty. Should the entity be convicted, the penalty shall always apply; bans foreseeing an 'obligation not to perform'. The bans foreseen under the Decree are: i. temporary or final ban from doing business; ii. suspension or revocation of authorisations, licences or permits instrumental to the perpetration of the criminal act; iii. prohibition to negotiate with the Public Authorities, unless if aimed at obtaining the rendering of a public service; iv. exclusion from concessions, funding, contributions or grants, and/or the revocation of those already granted, if any; v. temporary or final prohibition to advertise goods or services. The bans shall be inflicted, jointly with any and all pecuniary penalties, solely provided that expressly provided for that criminal offence such as, for instance: - offences perpetrated in liaising with the public authorities; 5 Introduced by Legislative Decree No. 121 of 7 July 2011, on the 'Implementation of Directive 2008/99/EC on the criminal protection of the environment, as well as of Directive 2009/123/EC amending Directive 2005/35/EC on the pollution caused by ships and the introduction of penalties in the event of any breach', which entered into force on 16 August Offence introduced by Legislative Decree No. 109/

11 - manslaughter and serious or very serious personal injury offences perpetrated by breaching accident prevention, hygiene and health at work laws and regulations. The duration of the bans is normally temporary, to be calculated at intervals between three months and two years. Solely in the event of especially serious cases may some bans be ordered as final. Bans may also be inflicted as a precautionary measure, upon request of the Public Prosecutor to said extent, should there be serious circumstantial evidence as to the entity's liability, and upon grounded and specific elements such as to be possible to believe that there is a specific danger for similar criminal offences to that already perpetrated to be committed; seizure, which consists in the acquisition by the State of the price or profit of the offence or of an equivalent value thereto; publication of the adverse judgment, as additional penalty to the ban, which consists in publishing the conviction just once, either an excerpt or in full at the entity's expense, in one or more newspapers indicated by the Judge in the judgment, as well as by affixing it in the Municipality where the entity has its principal place of business. The entity shall also be liable even if the offence was solely attempted, without prejudice to a reduction in such cases of the penalties. Exempting from administrative liability The entity shall be liable provided that the subjective requirement of the relevant criminal offence under the Decree (namely, that the perpetrator of the Predicate Offence is a top manager or a person working under the latter's instructions) and that the objective requirement (namely, that the Predicate Offence has been perpetrated in the interest of or to the advantage of the entity) are met. Nonetheless, the Decree identifies an exempting cause from administrative liability, namely, it sets forth that in no way may the entity be punished if prior to the perpetration of the offence: it has adopted and effectively implemented an 'Organisation and Management Model' fit to prevent the perpetration of Predicate Offences such as that perpetrated; it has entrusted a body within the entity, which is endowed with independent initiative and control powers (hereinafter, the Organismo di Vigilanza or OdV ), with the duty to supervise the implementation of and the compliance with the Model, as well as to take care of any updates thereof; the OdV has diligently fulfilled its own supervisory duties over the Model. Nonetheless, in order for the organisation, management and control Model (hereinafter, the Model ), pursuant to article 6, paragraphs 2 and 3, of Legislative Decree No. 231/2001, to have exempting force, it shall need to be: A) successful and shall have to meet the following needs: 11

12 identify the activities within which scope the offences provided for under the Decree may be perpetrated; foresee specific protocols aimed at planning the training and implementation of the entity's decisions in connection with the offences to be prevented; identify the ways of managing the financial resources fit to prevent the perpetration of any such offences; provide for reporting obligations towards the OdV; introduce a disciplinary system fit to punish the failure to abide by the measures indicated under the Model; in connection with the nature and size of the organisation, and with the type of carried out activity, it shall foresee measures fit to guarantee the carrying out of the activity in compliance with the law and to promptly discover and remove any situations of risk; B) effectively implemented, namely, its content shall be applied in the business procedures and in the internal control system. From this standpoint, the Decree provides for the need for a regular check and update of the Model, in the event of significant breaches of the provisions included therein, upon any changes to the Company's organisation or business, and/or upon any regulatory amendment in the matter of Predicate Offences. Therefore, the Model shall act as a cause of lack of liability to punishment of the entity regardless of whether the Predicate Offence is perpetrated by a top manager, or by a person working under the latter's instructions, with the following differences. As regards the offences perpetrated by Top Managers, the entity shall not only have to prove that the aforesaid conditions are met, but also that the top manager has perpetrated the offence 'by fraudulently evading' the Model. Therefore, the entity shall have to prove that the Model was successful and that the top manager deliberately breached it, by circumventing it. Instead, as regards the offences perpetrated by Staff working under the instructions of managers, the entity may solely be punished if it is ascertained that the perpetration of the offence was made possible 'due to the breach of the management or supervision duties'. There shall be no breach of the management or supervision duties whatsoever if the entity, prior to the perpetration of the offence, adopted and effectively implemented a Model fit to prevent offences such as that occurred. For the entity, it is sufficient to prove to have adopted and implemented the Model, and the courts shall have the burden of proving the ineffectiveness of the Model. Confindustria Guidelines Finally, article 6 of the Decree sets forth that the organisation and management models may be adopted based on codes of conduct drafted by the relevant trade associations, communicated to the Ministry of Justice which, in agreement with the competent Ministries, may raise any remarks on the fitness of the models to prevent the offences within 30 days. In light of the foregoing the Company, in preparing this document, has taken into consideration the Guidelines prepared by Confindustria, as shown hereunder. Such Guidelines may be consulted at the Organismo di Vigilanza. In March 2002, Confindustria approved the first 'Guidelines for the preparation of the organisation, management and control models pursuant to Legislative Decree No. 231/2001', solely referring to the offences against the Public Authorities. Subsequently, Confindustria 12

13 approved different additional appendixes to the aforesaid Guidelines in connection with the different Predicate Offences gradually included in the Decree, until the last version dated 31 March The fundamental phases identified by the Guidelines for the preparation of the Models may be summarised as follows: (a) a first phase consists in identifying the risks, namely, in analysing the business context in order to highlight where (in which area/business sector) and how the offences under Legislative Decree No. 231/2001 may occur; (b) a second phase consists in planning the control system (the so-called protocols for planning the making and implementation of the entity's decisions), after having assessed the existing system within the entity and after having identified any and all needs for adjustment, in terms of capacity to effectively fight against the identified risks, thus reducing them to an acceptable level. The relevant components of the control system pursuant to the Guidelines proposed by Confindustria are the following: the Code of Ethics, which sets out the ethical principles concerning the behaviours which may amount to the criminal offences foreseen under Legislative Decree No. 231/2001; a sufficiently formalised and clear organisational system, which sets out the hierarchy of the different business positions and, moreover, the liabilities for the carrying out of the activities; the manual and computer (information systems) procedures such as to govern the carrying out of the activities by foreseeing the necessary points of control. In this respect, the control instrument consisting in the separation of duties amongst those carrying out key phases (activities) of a process at risk has special preventive effectiveness; an authorising system granting internal authorisation powers and signature powers outside the company, which shall be granted consistently with the established organisational and managerial responsibilities; the management control system capable of promptly reporting the existence and creation of generally and/or particularly critical situations; a communication system towards staff and the latter's training. The above components shall be aligned, amongst others, with the following control principles: all transactions, deals and actions shall need be verifiable, documented, consistent and fair: for each single transaction, there shall have to be sufficient documentary evidence through which it is possible to make controls at any time documenting the features of and reasons for the transaction, also identifying the party having authorised, carried out, recorded and verified the transaction; no one shall be entitled to independently manage a whole process: the system shall ensure the application of the principle of separation of duties, therefore, the authorisation to carry out a transaction shall be under the responsibility of a different person from that recording, effectively carrying out or controlling the transaction; control documentation: the control system shall document (if necessary, by drafting the relevant minutes) the carrying out of all controls, also of supervisory nature. It is necessary to lay stress on the fact that failure to abide by the specific points under the Confindustria Guidelines shall not jeopardise in itself the validity of the Model. 13

14 Indeed, the specific Model shall be drafted by taking into consideration the specific reality of the company to which it refers, and may perfectly deviate from the Guidelines in some specific points (which, given their nature, are general), when this is due to the need to ensure the needs protected by the Decree to a greater extent. In light of the foregoing, it shall also be necessary to assess the illustrative remarks included in the appendix to the Guidelines (the so-called Case Study), as well as a summary list of the control instruments foreseen therein. 14

15 Permasteelisa S.p.A. Corporate context Permasteelisa Group does business worldwide in designing, manufacturing and installing architectural covering, curtain walls and interiors, being the leader in the global market of reference. In all its projects, the Group contributes both with its Know-How and with its experience, in particular, for Special Features Buildings, from the design phase until completion, meeting the architectural expectations of its customers. Permasteelisa history goes back to 1973 in Vittorio Veneto, Treviso, where the Headquarters are still located. In the '90s, Permasteelisa went through a strong growth and expansion phase through worldwide acquisitions which have sanctioned its final international endorsement. At present, Permasteelisa is present in four continents, with a network of more than 50 companies in more than 30 Countries, and an annual turnover of approximately Euro 1,400 million. It has a staff of more than 6,000 employees, divided between the Engineering and Design centres, as well as 11 production plants equipped with the most modern and cutting-edge technology. The main areas of business are: design, production, construction, laying, maintenance and sale in general of components for the building industry, building equipment and systems, in particular, architectural covering; turn key management of the construction and sale of buildings equipped with systems, furniture and fittings, as well as airport and shipping contract activities; design, production, construction, laying, maintenance and sale of furnishings and indoor fitting-outs; design, production and installation of air conditioning and thermotechnics products/systems/services, electric systems, automation, safety, fire prevention, domotics systems, together with the relevant assistance and advice; study, design and making of machinery for the building industry. 15

16 The Company has been fully owned by the Japanese industrial Group LIXIL Corporation since The Group's structure and the Company's updated organisation chart may be consulted on the company's website. The Company's Governance system The Company's Governance model intends to formalise the system of values it wishes to promote, by creating an appropriate and exemplary organisational structure. The Company has adopted under its own By-laws the so-called 'traditional' management and control (governance) system. The Company By-laws foresee the following Corporate Bodies: the Shareholders' Meeting (a body having exclusively decision-making duties, whose scope of authority is exclusively limited by law to the most significant decisions of the corporate life, excluding all management duties); the Board of Directors (in charge of the strategic supervision and of the management of the company); the Board of Statutory Auditors (having control duties over the Company's management). The strategic supervision duty refers to the establishment of the strategic business policies and targets, and to the check of the respective implementation. The management duty consists in carrying out the business operations aimed at performing any such strategies. The strategic supervision and management duties, since they jointly pertain to the management of the company, fall with the Board of Directors and with the respective delegated bodies. The control duty consists in checking the regularity of the management activity and of the fitness of the Company's organisational and accounting structures. Such duty is fulfilled by the Board of Statutory Auditors, by the Auditing Firm and by the Organismo di Vigilanza. The Shareholders' Meeting The Shareholders' Meeting is placed in a top position, since it is the decisive moment at which the shareholder's willpower is expressed and at which the debating ability of the ownership establishes the decisive choices for fulfilling the company's interests. In addition to the duty and power to establish the general policy of the Company's business for the purposes of achieving the aims it pursues, the Ordinary Shareholders' Meeting is entitled and is under the obligation to: approve the financial statements; appoint and revoke the directors; appoint the Board of Statutory Auditors and its Chairman, in compliance with the rules set forth under the By-laws; 16

17 establish all fees for the directors and statutory auditors, as well as the relevant fees to be paid to the party requested to carry out the accounting control; resolve upon the liability action against the directors and statutory auditors; approve and amend the Shareholders' Meeting regulation; resolve upon the other issues set forth under the By-laws for the carrying out of actions by the directors. Board of Directors The Company is managed by a Board of Directors composed of 8 (eight) members. The Board of Directors is vested with all powers for the ordinary and extraordinary management of the Company, provided that they are not reserved to the Shareholders' Meeting by a mandatory law provision or by the By-laws. The Board of Directors is also entrusted with the duty to reach the following resolutions: creation or closing of branches; amendments to the By-laws in order to align the latter with any regulatory provisions; capital reduction in the event of withdrawal of one or more shareholders. The Board of Directors may also resolve upon the merger or spin-off in the cases provided for under sections 2505, 2505 bis and 2506 ter of the Civil Code. In compliance with the provisions under section 2381 of the Civil Code, the Board of Directors may appoint a sole Managing Director, by delegating part of its own duties and powers, including the use of the corporate signature. The legal representation of the Company towards third parties and in court, as well as the corporate signature, shall fall with the Chairman. The Board of Directors may also grant the legal representation of the Company to the Deputy Chairman and/or to the Managing Director (CEO). The Board of Directors may grant special mandates and special duties of technical and administrative nature to one or more of its members, also being entitled to have recourse to their advice. Should that be the case, the Board of Directors may resolve upon special fees and particular remuneration, both upon the granting of the mandate and at a later stage, in any event, after having heard the opinion of the Board of Statutory Auditors. The Board of Directors may appoint proxies to enter into contracts (ad negotia), agents in general for certain actions or categories of actions, directors, by establishing the respective powers and remuneration. The following resolutions shall fall within the exclusive scope of authority of the Board of Directors, therefore, it shall not be possible to delegate same and they shall furthermore be reached with the favourable vote of at least five (5) Directors: i. any decision on the appointment of the Managing Director and of the Chairman of the Board of Directors (should the Chairman of the Board of Directors not be appointed by the Shareholders' Meeting); ii. any proposal concerning the listing of the Company and of its 'Affiliates', whereby the latter shall mean any company, partnership, business or any other party, a party directly or indirectly controlling, or controlled by, or subject to the joint control of, or to 17

18 the management of any such company, partnership, business or another party pursuant to article 93 of the Consolidated Finance Act; iii. the transfer of any "Stake" (whereby the latter shall mean the quotas or any type of stake in the capital stock, equity instruments, financial equity instruments, underwriting rights, option rights, warrants, convertible bonds and any other financial right or instrument which may be converted into, exchanged with or granting the right (either present or future) to purchase or obtain shares, quotas or stakes in the capital stock or equity-based financial instruments, as well as any and all right or power arising out of, or connected with, shares, quotas or stakes in the capital stock, equitybased financial instruments or financial equity instruments such as for instance, voting or pre-emptive rights, and any other related right) directly or indirectly held by the Company; iv. any proposal to increase, reduce or otherwise change the capital stock, save for those mandatorily set forth by the applicable law or aimed at avoiding the winding-up, or to issue new categories of shares or of other financial instruments; v. bankruptcy or other restructuring/reorganisation procedures or debt restructuring, if any, save for those set forth by the relevant applicable mandatory law provision; vi. any proposal for the purchase or sale of treasury shares or for the distribution, in monies or in kind, of dividends, reserves, other funds or yielders; vii. agreements with related parties as defined, from time to time, by the accounting standards (IAS 24) and approved following the procedure under Article 6 of Regulation (EC) No. 1606/2002; viii. approval of and changes to the budget, the business plan or the strategic and multiyear plans; ix. approval of any remuneration to the members of the Board of Directors of the Company; adoption of or changes to stock option plans, or other incentives; x. resolutions or transactions entailing the change to the corporate purpose, or to the rights of Shareholders; xi. proposals of approval, waiver or settlement of liability actions against Directors or Statutory Auditors of Affiliates; xii. purchases, however made and for any reason whatsoever, of Stakes in companies or other entities, or of undertakings or going concerns, of businesses, trademarks, patents, or know how, or other intangible goods, or of tangible goods, in any event, for an amount in excess of Euro 5,000, (five million/00) (or equivalent in another currency); xiii. sale, transfer and/or assignment, however made and for any reason whatsoever, of Stakes in companies or other entities, or of undertakings or going concerns, or of businesses, trademarks, patents, or know how, or other intangible goods, or of tangible goods, in any event, for an amount in excess of Euro 5,000, (five million/00) (or equivalent in another currency); xiv. creation of real property or personal guarantees (including letters of patronage and loan guarantees, but excluding performance bids and advanced payment bonds for curtain walls or interiors), or of indemnification obligations, in any event, for an amount in excess of Euro 5,000, (five million/00) (or equivalent in another currency); creation of real property or personal counter-guarantees to back the granting of performance bonds issued by insurance companies concerning public or private calls for tenders for curtain walls or interiors, in any event, for an amount in excess of Euro 10,000, (ten million/00) (or equivalent in another currency); granting of performance bonds concerning public or private calls for tender for curtain walls or interiors, for an amount in excess of Euro 5,000, (five million/00) (or equivalent in another currency) or, if issued by insurance companies, for an amount in excess of Euro 40,000, (forty million/00); xv. taking out any type of debt, also upon the issue of bonds and/or debt securities or similar instruments, in any event, for amounts in excess of Euro 5,000, (five 18

19 xvi. xvii. xviii. xix. xx. xxi. xxii. xxiii. xxiv. xxv. xxvi. xxvii. xxviii. million/00) (or equivalent in another currency); approval of derivatives or similar financial instruments without hedging purposes (without any limits of amount) and approval of derivatives or of similar financial instruments with hedging purposes for amounts (of notional value) in excess of Euro 15,000, (fifteen million /00) (or equivalent in another currency); approval of investments for amounts in excess of Euro 5,000, (five million/00) (or equivalent in another currency); mergers, divisions, spin-offs or transformations; contracts or transactions beyond the ordinary course of business or, in any event, not on an arm's length basis; any voting instruction in Shareholders' Meetings of the Company's Affiliates, save for the Shareholders' Meetings for the approval of the financial statements and for the revocation of members of the Board of Directors and of the Board of Statutory Auditors; proposals for the voluntary winding-up or similar procedures, appointment of liquidators and granting of the relevant powers; granting of or change to the powers of the Chairman of the Board of Directors, the Managing Director (CEO) or the directors of the Company; signature of, amendment to, or termination of sponsoring and consulting agreements for an amount in excess of Euro 500, (five hundred thousand/00) (or equivalent in another currency); signature of, amendment to, or termination of joint-venture agreements, shareholders' agreements, co-sharing agreements, and the like, other than Temporary Association/Grouping of Companies, consortia or joint ventures instrumental to the participation to public and/or private calls for tender by the Company for curtain walls or interiors; creation of, change to or termination of assets allocated for a specific business; any decision concerning legal disputes or claims, or concerning settlements for amounts in excess of Euro 1,000, (one million/00) (or equivalent in another currency); appointment, change or revocation of internal committees including, without any limitation, the Remuneration Committee and the Internal Control Committee, as well as the granting of the relevant powers; any resolution on the hiring and dismissal of employment of the persons directly reporting to the Managing Director (CEO) such as, for instance, but without any limitation whatsoever: Hub CEOs, Business Unit Leaders, Group Coordination and Corporate Staff; 1) set up subsidiaries, either directly or indirectly, branch offices, entities or other business units; 2) sign joint venture agreements, alliances or other similar agreements, and 3) carry out any related action such as, for instance, but without any limitation whatsoever, any capital contribution to subsidiaries, either direct or indirect, branch offices, entities, or already existing divisions. Chairman of the Board of Directors The Chairman of the Board of Directors fulfils an important duty aimed at favouring the internal debating ability within the Board and amongst the corporate bodies, and at ensuring the balancing of powers, consistently with the duties to organise all Board debates and to circulate information, with which the Chairman is entrusted by the By-laws and by the Civil Code. The Chairman of the Board of Directors is also the interlocutor of the internal control bodies. 19

20 The Chairman of the Board of Directors is vested with the Company's corporate signature and with the Company representation vis-à-vis third parties. Managing Director (CEO) The Board of Directors has appointed a Managing Director. The Managing Director shall directly report to the Board of Directors as a collective body for the fulfilment of his/her own proxies. The Managing Director shall be vested with the corporate signature and with the legal representation of the Company vis-à-vis third parties and in court, and with the powers of ordinary and extraordinary management of the Company, without prejudice to the exclusive duties of the Chairman and of the Board of Directors. The several powers granted to the Managing Director include, by way of example, but without any limitation whatsoever: represent the company in court before any Italian or foreign court; grant and revoke mandates to lawyers, advisors and experts; represent the company in all ordinary and extraordinary shareholders' meetings of the Italian and foreign associated companies, by exercising any and all rights to which shareholders are entitled; negotiate and sign offers/agreements/the entire documentation concerning the participation of the Company and of the Subsidiaries to public or private calls for tender in Italy and abroad; liaise and have relations with customers, suppliers and, in general, the third parties who liaise or could liaise with the company; negotiate and sign the memorandums of association of temporary associations/groupings of companies, consortia and joint venture agreements instrumental to the participation to public or private calls for tender; issue bonds concerning public or private calls for tender for curtain walls or interiors, or undertake liabilities concerning the issue of bonds related to public or private calls for tender; issue parent company guarantees in favour of Group companies; carry out transactions in derivatives or similar financial instruments for hedging purposes, for amounts not in excess of Euro 15,000, (fifteen million Euros); The Managing Director is appointed Employer pursuant to Legislative Decree No. 81/2008, as amended, and is also granted the duty to carry out any necessary action to guarantee the fulfilment, compliance and implementation by the Company of/with the obligations and provisions set forth under the relevant environmental regulations. The Managing Director is appointed Group Chief Executive Officer. Accounting control The Shareholders' Meeting, after having heard the opinion of the Board of Statutory Auditors, has granted the accounting control mandate pursuant to section 2409 quater of the Civil Code to an auditing firm entered in the Roll set up at the Ministry of Justice. In compliance with the relevant provisions under the Civil Code (sections 2409 ter septies of the Civil Code), the company in charge of the accounting control: 20

21 shall check, throughout the financial year and at least on a quarterly basis, the regular keeping of the corporate accounts, together with the correct recording of all management events in the accounting ledgers; shall check whether the financial statements for the financial year and, if drawn up, the consolidated financial statements, correspond to the recordings under the accounting ledgers and to the checks made, and whether they comply with the provisions governing same; shall give an opinion on the financial statements for the financial year through the relevant report to said extent. Board of Statutory Auditors The Board of Statutory Auditors shall supervise the compliance with the law, regulatory and By-law provisions, as well as the correct management, and the suitability of the organisational and accounting structure of the Company. The Statutory Auditors may at any time carry out inspection and control activities, also individually. The Board of Statutory Auditors shall be responsible for supervising the practicality of the overall internal control system. In light of the plurality of business divisions and departments having control duties and responsibilities, such body shall check the effectiveness of all the departments and divisions involved in the control system, and whether they have been properly coordinated, thus promoting any measures for correcting any failures and the ascertained irregularities. Remuneration and appointments Committee Provided that set up, the remuneration and appointments Committee is composed of two (2) to four (4) members. The Committee shall put forward the relevant proposals to the Board of Directors for: the remuneration of the Chairman of the Board of Directors and of the Managing Director and/or any other delegated body; establishing the remuneration package to be granted to the Company's management; the appointment, termination of office and remuneration of those directly reporting to the Managing Director such as, by way of example but without any limitation whatsoever, Hub CEOs, Business Unit Leaders, Group Coordination and Corporate Staff. The Committee shall reach its decisions unanimously. Internal Control Committee Provided that set up, the Internal Control Committee is composed of two (2) to four (4) members. The aforesaid Committee shall have advisory and proactive duties towards the Board of Directors in so far as internal control is concerned and, in fulfilling its own duties, the Committee shall have access to the information concerning the Company and its subsidiaries. The Committee shall reach its decisions unanimously. 21

22 Group Internal Audit The Group Internal Audit Department's Activity is aimed at enhancing the effectiveness and efficiency of the organisation of Permasteelisa S.p.A. and of the Group having the same name. Group Internal Audit has the duty of adopting, implementing and keeping an audit plan for the examination and assessment of the fitness and effectiveness of the control systems, processes, procedures and mechanisms of the Company and of all Group subsidiaries. Group Internal Audit shall check compliance throughout all different sectors of operations, carrying out regular audits on the implementation of the operational and internal control procedures, by fulfilling inspection duties also in respect of specific irregularities, if requested by the Board of Directors, by the Internal Control Committee or by the Organismo di Vigilanza provided for under Legislative Decree No. 231/2001, and shall check the removal of any anomalies found in the effectiveness and implementation of any such controls. Organismo di Vigilanza The Organismo di Vigilanza is the body within the entity foreseen under article 6 of Legislative Decree No. 231/2001. The Organismo di Vigilanza has the duty to supervise: the Model's effectiveness and fitness in connection with the business structure and the effective capacity to prevent the perpetration of the Offences; the compliance with all Model provisions by the Corporate Bodies, Employees and other Recipients, in the latter case, also through the competent business departments; the expediency to update the Model itself, should there be any need for aligning the latter with any changed business and/or regulatory conditions. The members of the Organismo di Vigilanza shall be appointed by the Board of Directors, who shall remain in office for a maximum of 3 years, pursuant to the regulation in force. Even though the amendment made to article 6 of Legislative Decree No. 231/2001 by the socalled Stability Law for 2012 introduced the possibility to grant the Board of Statutory Auditors with the relevant supervisory duty, pursuant to the aforesaid article 6 of the Decree, the Board of Directors has resolved to keep any such organisational approach and the relevant investments, since it is possible to ensure greater specialisation of control and of duties and, ultimately, greater effectiveness and efficiency in the process for preventing the risk of offence. For further detail and information in this respect, cross-reference is hereby made to the specific section 'The Organismo di Vigilanza' herein. 22

23 The Organisation, Management and Control Model of Permasteelisa S.p.A. The aims and main features of the Model The Company has deemed it expedient to adopt a specific Organisation, Management and Control Model pursuant to the Decree, since it is convinced of the fact that this is not only a valid instrument for raising the awareness of all persons working in the interest of and to the advantage of the Company, in order for them to hold correct and consistent behaviours, but also an effective means for prevention against the risk of perpetrating the offences and the administrative unlawful acts provided for under the reference laws and regulations. By adopting the Model, the Company therefore intends to pursue the following main aims: promote the awareness of the correct and transparent management of the Company, of the compliance with the laws and regulations in force, and of the fundamental ethical principles in doing business; lay stress on the fact that each single unlawful behaviour shall be strongly condemned by the Company, since it is not only against the relevant law provisions, but also against the ethical principles embraced by the Company and by which the latter intends to abide in carrying out the respective business activity; allow the Company to have constant control and careful supervision of all activities, in such a way as to be able to act promptly should any risk aspect arise and, if necessary, apply the disciplinary measures provided for under the Model itself; ensure the awareness of everybody who acts in the name of and on behalf of the Company as to the fact that the perpetration of the criminal offences provided for under the Decree is liable to criminal penalties on the side of the perpetrator of the offence, as well as to administrative penalties which may be inflicted on the Company. Consequently, the Board of Directors deems that the adoption and effective implementation of the Model shall not only allow the Company to benefit from the exempting provided for under Legislative Decree No. 231/2001, but shall also need to be aimed at enhancing Corporate Governance, thus limiting the risk of perpetration of the Offences. Furthermore, the Board of Directors also believes that the adopted Model, without prejudice to its peculiar aim (prevention of the risk of offence) and the necessary compliance with the requirements provided for by law, needs to identify with the business reality, in particular, by adopting its own internal control system, by foreseeing the specific aims of guaranteeing the compliance of the business practices with the ethical rules, as well as with the correct and lawful carrying out of all activities. From this standpoint, in so far as the organisational aspects are concerned, the Company has already formalised its own organisation chart and the Quality and Environment Manual including the relevant business procedures, also making them effective. The awareness and spreading of the organisation chart, of the Manual and of the other organisational documents shall be guaranteed by a specific system for the distribution of organisational material through the company's Intranet. Permasteelisa S.p.A. has obtained the certification related to UNI EN ISO 9001 and UNI EN ISO regulations for the standards reached within the scope of Quality and Environment. 23

24 As regards all management and governance aspects, the Company makes crossreference to the provisions under the By-laws, which describe the duties, responsibilities and powers of all Corporate Bodies and of the Top Managers of the Company. As recommended by the guidelines of the trade associations, the Model formalises and clarifies the allocation of responsibilities, the reporting lines and the description of all duties, by specifically providing for control principles such as, for instance, the conflict of duties (if so allowed by the size of the organisation). As regards the management of operations, the preventive controls become manifest in the division of duties and, if necessary in connection with the risks of offence, in including different levels of control. In so far as all control aspects are concerned, the Company has not only foreseen the setting up of a standalone and independent Organismo di Vigilanza, but also guarantees the integration and coordination of the latter's activities with the already existing internal control system, by treasuring all developed experience. Indeed, the Model does not change the pre-existing duties, tasks and aims of the control system, but is aimed at providing greater guarantees on the compliance of the business practices and activities with the rules of the Code of Ethics and of the business regulations setting forth the principles within the scope of the Activities at risk of offence. Still, as regards the control subject-matter, the Model foresees the obligation to document (if necessary, by drafting the relevant minutes) the carrying out of any and all inspections and controls made. Finally, the disclosure and training actions provided for under the Model shall allow: all Company staff, as potential perpetrator of the Offences, to be fully aware both of the cases in point at risk of perpetration of a criminal offence, and of the total and absolute disapproval of the Company against any such behaviours, which are deemed against the interests of the Company, even if the latter, seemingly, could benefit therefrom; the Company to promptly react in order to prevent/stop the perpetration of the offence, thanks to the constant monitoring of the activity. Therefore, the adopted Model involves all aspects of the Company's business, by researching the division of operational and control duties (if possible), in order to correctly manage the possible situations of risk and/or of conflict of interest. In particular, the controls involve with different roles and levels the Board of Directors, the Organismo di Vigilanza, the Board of Statutory Auditors, the Internal Audit Department, as well as the entire Staff and, if deemed possible and effective, IT systems, thus being a fundamental feature of the Company's daily activity. Activities aimed at assessing the existing Model and at its amendment, if necessary As regards the assessment of the Model and the processes for updating and improving it, in compliance with the Decree and with the Confindustria Guidelines, the Board of Directors has decided to set up a risk assessment and risk management process, by adopting the actions listed below: 24

25 Identification and mapping of business areas and activities; Identification of the so-called sensitive activities, with respect to the Criminal Offences, through the prior examination of company documentation (organisation charts, proxies, job description, organisational instructions and notices) and a series of meetings with the persons in charge of the different areas of business operations (or with the heads of the different departments). The analysis is aimed at identifying and assessing the specific performance of all business activities, in order to identify those behaviours which could have taken the shape of Predicate Offences in abstract terms. At the same time, all control measures in place, as well as the criticalities (if any) needing further improvement have been assessed; Analysis of the ethical and organisational environment existing at present, made through self assessment techniques, in order to assess some variables of the business context fit to influence, in an inhibitory way, the inclination to commit a crime (top management's ethical tendency, management's ethical tendency, the company's ethical environment, organisational transparency and expertise of staff, remuneration policy, the entity's economic and financial situation, fitness of the internal control system and the relevant preventive capacity, fitness of the training system, fairness and lawfulness of the markets of reference and the entity's approach to any such markets, level of acceptance of the preventive or corrective measures, fitness of the penalty and disciplinary system); Identification and implementation of the actions for improving the control system and whether it is aligned with the aims pursued by the Decree, in light of and with regard to the Confindustria Guidelines, as well as of the fundamental principles of the separation of duties and of the definition of the relevant authorisation powers, consistently with the assigned responsibilities and with the control documentation. In such phase, special attention has been paid to identifying and governing the financial management and control processes in the activities at risk; Analysis of existing protocols in connection with the Activities at risk of offence, as well as definition of the implementation, if any, aimed at the alignment with the provisions under the Decree. Thus, protocols and procedures have been defined, which set forth the whole series of rules, and the rules and regulations which the operations managers of any such activities have contributed to identify as the most fit to govern the identified risk profile. The principle adopted in setting up the control system is that pursuant to which the conceptual threshold of acceptability of the risk of perpetrating the offence consists in a prevention system which may only be circumvented fraudulently, as already indicated in the Guidelines proposed by Confindustria. However, the protocols/procedures are inspired by the rule of making the different phases of the decision-making process documented and verifiable, in order for it to be possible to go back to the reasons having led to any such decision. Therefore, the fundamental activities for performing the Model are: the mapping of the Company's activities at risk, that is those activities within which scope it is possible to perpetrate the offences provided for under the Decree and gap analysis (as shown in section 'Method for assessing and managing risks'); the preparation of protocols/procedures which identify adequate moments of control for preventing the perpetration of the offences foreseen by the Decree; the spreading and involvement of all business levels in implementing the behavioural rules and the procedures set up; 25

26 the setting up of the Organismo di Vigilanza, by granting the latter with specific duties to supervise the effective and correct implementation of the Model, with the consequent regular update; the adoption of a fit disciplinary sanctioning system; the adoption of the Code of Ethics, which is an integral part of this Model. The Organisation, Management and Control Model for the prevention of risks of offence in the matter of hygiene and safety in the workplace As regards the risks caused by the manslaughter and serious and very serious personal injuries offences due to the lack of protection in the matter of hygiene and safety in the workplace, the main preventive measures adopted by the Company consist in the latter's fulfilment of the obligations provided for under Legislative Decree No. 81/2008. The rules and regulations on accident prevention and hygiene and safety at work Legislative Decree No. 81/2008 identifies the Risk Assessment Document (the so-called DVR) as the hinge on which the business safety system turns. The DVR is the document where the activity related to the 'mapping and assessment of all risks for the health and safety of workers' (including those concerning special groups of workers) needs be formalised, to be carried out by the employer, as well as by any further person identified by the regulations at issue. The risk assessment process requested by Legislative Decree No. 81/2008 leads to the identification and assessment of existing risks for workers in fulfilling the respective duties for each single business area and of any further risk for the workers within the scope of the company's business. The aforesaid document calls for a further obligation to identify and implement specific preventive protection measures in order to remove or mitigate, to the greatest possible extent, the working risk of workers, as well as the arrangement of appropriate Individual Protection Devices (the so-called DPI). The Organisational Model with respect to the offences under article 25 septies In order for the entity to be liable, article 5 of Legislative Decree No. 231/2001 requests that the offence be perpetrated 'in the interest of or to the advantage of' the entity itself. Having regard to the negligent nature of the offences in the matter of hygiene and safety in the workplace, which are characterised by the perpetrator's lack of will of the event (and, on the other hand, excluding the possibility for there to be a direct interest of the Company in the occurrence of the accident) and as highlighted by the Confindustria Guidelines for the creation of Organisation, Management and Control Models pursuant to Legislative Decree No. 231/2001, it is deemed that the advantage for the entity may be found in the saving of costs and/or time which may be obtained by not fully implementing the measures requested by the rules and regulations for the protection of the health and safety of employees. Furthermore, the cause for the entity's exclusion of liability under article 6 of Legislative Decree No. 231/2001 needs be assessed in connection with the negligent structure of the offence. In so far as wilful offences are concerned, pursuant to the aforesaid article 6, it is consistent to hold 'innocent' the entity which is able to prove that the offence was perpetrated by fraudulently circumventing the control system put in place in order to prevent any such type of offences. Differently, in a negligent offence in which the voluntariness is limited to the behaviour and not 26

27 also to the event, it shall not be possible to prove that the perpetrator pursued the event by fraudulently circumventing the measures taken by the Company. Therefore, in an aim to keep the exempting effectiveness of the 231 organisational Model, we deem that it shall be necessary to prove that the behaviour held by the perpetrator deliberately breaches the internal rules and procedures with which the entity has endowed itself in order to ensure full compliance with the rules and regulations in the matter of health and safety of employees, without prejudice to the precise fulfilment of the supervisory obligations by the specific body in charge to said extent. Permasteelisa S.p.A. Safety System The Company has set up an organisational structure, by formalising the appointments of Employer, Head of the Prevention and Protection Service, Company Doctor, persons in charge of emergency services and Workers' Representative for Safety. Furthermore, the system in force provides for structured duties, thus ensuring the necessary technical skills and powers for checking, assessing, managing and controlling risk, also thanks to the granting of appropriate powers to the proxies. The Company has set up a business management system in order to ensure the fulfilments connected with: the activities related to risk assessment and to the arrangement of the consequent prevention and protection measures (by formalising the Risk Assessment Document and the Risk Generated by Interference Assessment Documents); the compliance with the technical and structural standards provided for by law concerning the equipment, systems, workplace, chemical, physical and biological agents (check and control of the marking of equipment and tools, of the conformity certificates of systems, books and user manuals, etc.); the activities of organisational nature, such as emergencies, first aid, management of contracts, regular safety meetings, meetings with the workers' representatives for safety (the aforesaid appointments, the scheduling of regular meetings foreseen by law, etc.); the health supervision activities (carried out by the doctor in charge); the activities related to the information and training of workers; the supervision activities with respect to the compliance with the procedures and instructions in order for workers to work safely; the acquisition of mandatory documentation and certification; the regular checks as to the implementation and the effectiveness of all adopted procedures. The management system of all fulfilments in the matter of hygiene and safety in the workplace foresees the recording of the effective carrying out of the activities above, through the work of the Head of the Prevention and Protection Service. Penalties may be inflicted as a result of the failure to abide by the measures aimed at ensuring hygiene and safety in the workplace, through the penalty and disciplinary system pursuant to Model 231. Finally, the system for managing the fulfilments in the matter of hygiene and safety in the workplace foresees a specific control system as to the implementation of the same system and as to whether the fitness conditions of all adopted measures are kept throughout time, through the work of the Prevention and Protection Service, and a third level control by the Organismo di Vigilanza, which schedules control activities on an annual basis, by reporting 27

28 the respective outcome to the Board of Directors of the Company and to the Board of Statutory Auditors on an annual basis. The system then foresees the re-examination and change, if necessary, of all adopted solutions should any significant breach of the rules on accident prevention and hygiene at work be discovered, namely, on the occasion of any change to the organisation and activity in connection with scientific and technological progress (activity carried out through the Head of the Prevention and Protection Service, in light of the provisions under article 28 of Legislative Decree No. 81/2008 and on the occasion of the regular meeting, pursuant to article 35 of Legislative Decree No. 81/2008). The environmental management system As regards the risks caused by environmental offences, the main preventive measures adopted by the Company consist in the latter's fulfilment of the regulatory obligations in force and in the adoption of a system for managing such fulfilments in compliance with the UNI EN ISO 14001:2004 standard. The Company has therefore set up a business management system in order to ensure the fulfilments concerning: the activities related to the identification and assessment of risks, and to the arrangement of the consequent prevention and protection measures; the compliance with the law provisions related to the protection of the environment, and of the hygiene and safety at work, in light of any manufacturing made and of the type of business done; the activities of organisational nature, such as the formalisation of proxies and the assignation of the necessary roles, tasks and powers for the fulfilment of any such duties; the supervisory, and internal and external control activities (carried out by the company's departments in charge of first and second level controls, and by the certification body's auditors); the activities related to the information and training of workers; the acquisition of mandatory documentation and certification; the regular checks as to the implementation and effectiveness of all adopted procedures. The system for managing all environmental fulfilments also foresees the recording of the effective carrying out of the activities above. The management system in force foresees the formalisation of all functional appointments and proxies. The current system foresees structured duties, thus ensuring the necessary technical skills and duties for checking, assessing, managing and controlling risk, also thanks to the granting of appropriate powers to the proxies. Penalties may be inflicted as a result of the failure to abide by the measures aimed at guaranteeing compliance with the rules and regulations for the protection of the environment through the penalty and disciplinary system pursuant to Model 231. Finally, the environmental management system foresees a specific control system as to the implementation of the same system and as to whether the fitness conditions of all adopted measures are kept throughout time, through the work of the Environmental Service, and a 28

29 third level control by the Organismo di Vigilanza, which schedules control activities on an annual basis, by reporting the respective outcome to the Board of Directors of the Company on an annual basis. The system then foresees the re-examination and change, if necessary, of all adopted solutions should any significant breach of the rules on the protection of the environment be discovered, namely, on the occasion of any change to the organisation and activity in connection with scientific and technological progress. The Company has obtained UNI EN ISO 14001:2004 certification for its own environmental management system. The Model's structure Throughout the 2013 amendment to the Organisation, Management and Control Model, the Model's structure was reassessed, in order to align the documentation with the adopted Risk Assessment and Risk Management methods. The Organisation, Management and Control Model (2013 amendment) is composed of a Document Setting up the Model, subject to approval of the Board of Directors, and of five Enclosures: Document Setting up the Organisation, Management and Control Model: consisting of this document (former 'General Part'), which describes the contents and effects of Legislative Decree No. 231/2001, the Model's general features, the categories of Predicate Offence which may entail the Company's liability, the corporate governance and the main adopted preventive protocols, the methods used for assessing and managing Risks, the features, powers and duties of the Organismo di Vigilanza, the disciplinary system and the principles informing the training of staff. Enclosure 1: Predicate Offences (updated list as at the date of approval). Enclosure 2: Mapping of the areas at risk. Enclosure 3: Risk Management Plan. Enclosure 4: Preventive Protocols. Enclosure 5: Reference bibliography. In the 2013 version, the former 'Special Part Sections', in their original version, are in-depth analysis sections focused on those categories of offences to which the Company is exposed to a greater extent (see Risk Assessment Outcome Document). Therefore, they have been amended and implemented as specific '231 Protection Measures' for removing any such risks, in addition to the other operational Procedures in force in the Company. As such, they are cross-referenced in the Risk Management Plan (see Enclosure 3) and fall within the scope of Enclosure 4 - Preventive Protocols. The relation between the Model and the Code of Ethics The principles and rules of conduct included in this Model blend with the contents provided for in the Code of Ethics, even if the Model has a different scope to that of the Code, given the pursued aims by implementing the provisions under the Decree. From this standpoint, it is necessary to clarify that: 29

30 the Code of Ethics is a document which includes the whole series of principles of business ethics, which are also valid for the purposes of reasonably preventing the offences under the Decree, which the Company acknowledges as its own and to which it intends to draw the attention for the compliance by all Recipients and by all those persons cooperating towards the achievement of the company purposes; The Model is composed of a whole series of rules, instruments and procedures aimed at preventing the perpetration of particular types of offences which may entail administrative liability based on the provisions of the Decree, provided that perpetrated in the interest of and to the advantage of the Company. Furthermore, the Code of Ethics is a point of reference in order to direct the behaviours of the Recipients and of whomever acts in the interest of and to the advantage of the Company, upon failure of specific preventive Protocols. The Company is involved in effectively spreading the information concerning the regulatory provisions and the rules of conduct and procedures to be complied with both within the Company and towards the persons collaborating therewith, in order to ensure that the business activity is carried out in compliance with the ethical principles set forth by the Code of Ethics. The Code of Ethics shall be regularly updated and widened, if necessary, both in connection with the legislative developments and as a result of the vicissitudes changing the Company's operations and/or its own internal organisation. Adoption of the Model and amendments to the latter Article 6, paragraph 1, letter a) of the Decree requests that the Model is a 'deed issued by the executive body'. Its adoption shall fall within the scope of authority of the Board of Directors, which shall do so by way of the relevant resolution to said extent. The Model shall always be promptly amended or supplemented through the relevant resolution of the Board of Directors when: there has been any breach or avoidance of the provisions included therein, proving its ineffectiveness or inconsistency for the purposes of preventing the Predicate Offences; there have been significant changes to the Company's regulatory framework, organisation or business. After having heard the OdV, the Managing Director shall be responsible for the approval of any changes or supplements which do not distort the Model's structure and contents. In particular, the Managing Director shall have authority over the following issues: update of the mapping of the sensitive activities; update of the business procedures and relevant references under Enclosure 4 hereto. Every six months, the OdV shall inform - through the relevant report to said extent - the Board of Directors 7 on any amendment made to the Model and on its state of implementation. Nonetheless, should there be any exceptional fact calling for the need to amend or update the Model, the OdV shall promptly inform the Chairman of the Board of 7 Compare with the Regulation of the Supervisory Body. 30

31 Directors to said extent, who shall convene the Board of Directors, in order for the latter to reach the resolutions falling within its scope of authority. The amendments of formal or substantive nature may be made upon the proposal of the OdV or if so advised by the heads of the business departments. The latter shall give their own advice in writing to the Chairman of the OdV, by indicating the operational or legal reasons underlying the proposed amendment. The Chairman shall take care of convening a meeting of the OdV and shall subject the amendment proposal to the Agenda. The implementation of the principles and provisions included under the Model shall fall within the scope of authority of the Company's Board of Directors and of the competent business Divisions. The OdV shall constantly be informed of the update and implementation of the operational procedures and advice given for the respective amendment. 31

32 Method for assessing and managing risks The risk of offence analysis is an activity which is first aimed at identifying and contextualising the risk of offence in connection with the entity's governance, organisational structure and business. Second, through any such activity, it is possible to retrieve useful information to back the choices of the OdV and of the Board of Directors (to the extent of the respective scope of authority) in connection with the actions for aligning and improving the entity's Organisation, Management and Control Model with respect to the preventive aims set forth under Legislative Decree No. 231/2001 (such as the levels of exposure to each single risk of offence). The risk of offence analysis has been made by assessing the following factors: identification of the risks of offence Risk Assessment (by identifying the areas and activities at risk of offence); real probability that an unlawful event occurs (by assessing the probability of the threats inducing or which may induce the unlawful event); possible damage deriving from the perpetration of a criminal offence (by assessing the Impacts); business weaknesses of organisational nature which may be exploited to perpetrate offences (level of vulnerability). The risk assessment made may be summarised in the following formula: Risk of Offence = F(Probability of the Threat, Vulnerability, Impact) As regards any such formula: Probability of the Threat: shall mean the frequency of occurrence of a Threat, that is of an action, an activity, a process or a potential event which, depending on the Criminal Offence, is a possible way of perpetrating the Offence. Level of Vulnerability: shall mean the level of business weakness of organisational nature; the vulnerabilities may be exploited to perpetrate Offences and consist in the lack of precautionary measures, which make the occurrence of a threat and the consequent perpetration of the Offence possible; Impact: shall mean the damage resulting from the perpetration of an offence in terms of penalties, financial consequences, damage to the image, as set forth by the legislator or conceivable; Risk of Offence: shall mean the probability that the entity incurs damage caused by committing an Offence through ways of perpetrating the latter which exploit the vulnerabilities consisting in the lack of precautionary measures, or in the negative ethical and organisational environment. In order to identify the 'areas' and 'activities' 'at risk of offence', the determination of the scope of application of the subjective preconditions of the Decree is of preliminary significance. In particular, we have identified the persons whose unlawful behaviour may entail extending the liability to the Company. 32

33 More in detail (as provided for under Article 5 of Legislative Decree No. 231/2001): a. by persons having representation, management or executive duties of the entity or of one of its head departments having financial and functional independence, as well as by persons managing and controlling the entity, even de facto; b. by persons under the management or supervision of one of the persons under letter a) above. The outcome of the activity related to the mapping of the business areas and activities at risk of offence are shown under Enclosures 2 and 3 of the Model, called 'Mapping of the areas at risk of offence' and 'Risk management plan', respectively, as well as in the document Risk Assessment Outcome. More in particular, the aforesaid documents include: the mapping of the Areas at risk of Offence, highlighting the Functional Areas (Corporate Bodies and Business Departments) potentially exposed to the risk of the Offences cross-referenced by the Decree; the mapping of the Activities at risk of Offence, highlighting the sensitive processes and/or activities, that is those activities or processes falling within the scope of authority of the corporate bodies and of the business areas or departments in which the behaviours amounting to the predicate offences may be held in abstract terms; the matrices for assessing risk, highlighting the levels of risk for groups of offences per each single business Department; the risk management plan, identifying the preventive protocols, either already existing or to be prepared in order to mitigate the risk of offence to an acceptable extent (to be deemed as the residual 'possibility to perpetrate a criminal offence by solely fraudulently breaching a preventive protocol'). Risk assessment We have analysed the risk of offence by putting into practice the operational phases described hereunder: (a) Identification of the criminal offence and consequent individuation of the threats permitting the perpetration of the criminal offences (in terms of behaviours or operational activities); (b) Contextualisation of the threats permitting the perpetration of criminal offences concerning the entity through self assessment techniques (interviews with top management and with staff working under the instructions of managers, led by teams composed of labour lawyers and psychologists); (c) Assessment of the Probability of the Threats based on the following parameters: a. Business or context history or statistics; b. Importance of the activity for the entity or for the reference department; c. Analysis of any precedents; (d) Assessment of the Level of Vulnerability, through: 33

34 a. the identification of all implemented preventive measures; b. the analysis of the ethical and organisational environment, carried out through the assessment of the following 'extents' pertaining to the business perception: ethical environment, organisational transparency, remuneration policies, integrity and competence of staff, the entity's economic and financial conditions, market competitiveness, appropriateness of all prevention and control activities, reactions to change. (e) Assessment of the possible Impact, that is assessment of all possible damages caused to the entity in the event of perpetration of Offences in terms of pecuniary penalties and/or bans, and of losses of image, business and turnover. The analysis has been carried out through documentary analysis and self assessment techniques for the departments not involved in the previous mapping of risks. As regards the documentary inquiries, the following documentation has been analysed (or the respective existence or inexistence has been checked): Corporate information Company structure; By-laws; Data concerning the offices, such as the geographic locations and carried out activities; Governance, powers and outsourced services; Official documents describing the governance structure and decision-making and control processes; Powers of attorney; Proxies and organisation in the matter of accident prevention and hygiene and safety at work, environment and waste, privacy and security of disclosures, corporate disclosures and/or other issues pertaining to the company's business; Organisation Chart and Department Organisation Chart; Intragroup service agreements; Service agreements with third parties (of significant nature). Staff Bonus plans and schemes; Information on the relation with trade unions and on trade union conflicts; Report on the application of disciplinary penalties inflicted in the last three-year period, by specifically stressing all relevant issues pursuant to Legislative Decree No. 231/2001. Management Systems and Procedures Regulations and procedures concerning the Corporate Bodies; 34

35 ISO9001 and ISO14001 system procedures; Accounting and financial statements procedures; Treasury procedures; Assets cycle procedures; Liabilities cycle and purchases procedures; Human Resources management procedures; Operational procedures for core activities; Procedures related to the relations with the Public Authorities; Accident prevention, and hygiene and safety at work procedures; Data protection and security procedures; Waste disposal and environment procedure. The analysis of the entity's governance and formal organisation has allowed the retrieval of important information in order to identify and assess risk. Nonetheless, as already stated, such activity has been deemed necessary, but not sufficient for a complete analysis of risk since, often, the unlawful behaviours pertain to the so-called 'grey areas' of the business activities, that is those carried out de facto by staff and not governed by the company's regulations. The self assessment inquiries have thus allowed us to check and highlight the existence of risks of offence within each single business area or department. Mapping of the areas and mapping of the business activities 'at risk of offence' (article 6, paragraph 2, letter a, of the Decree) The main information concerning the individuation of the risks of offence may be found in the mapping of the areas and in the mapping of the activities at risk of offence (synthetically shown in Enclosure 2 and in the Risk Assessment Outcome Document). The 'Mapping of the areas at risk of offence' highlights the business Departments and Bodies exposed to the risk of committing the unlawful behaviours, based on the granted powers and duties. The Mapping of the areas at risk of offence consists in a double entry table in MS Excel showing, in the ordinate axis (or y-axis), the corporate body or business department under inquiry and, in the abscissa axis (or x-axis), the Offences cross-referenced at present by the Decree. The following lines highlight the offence to which each corporate body and each department are exposed, in YES/NO terms (see Picture 1). 35

36 Picture 1. Example of Mapping of the areas at risk of offence The 'Mapping of the activities at risk of offence' highlights the sensitive processes and/or activities, that is those activities or processes falling within the scope of authority of the bodies and business areas or departments in which it is possible, in abstract terms, to have behaviours amounting to criminal offences. The mapping is set out in the 'Risk assessment outcome' document, which includes specific paragraphs entitled and dedicated to the specific corporate bodies, business areas or departments analysed. Each paragraph shows a table divided into six columns (see Picture 2): the first one shows the offence to which the department or corporate body is potentially exposed (as it emerges from the analysis of the business documentation and from the self assessment interviews), the second, the activity exposing the body or department under analysis to the risk of offence, the third shows the probability of the threat, the fourth mentions the requested preventive protocol concerning the activities at risk of Offence, the fifth, the existing preventive protocol and, the sixth, the state of implementation of the mentioned preventive measures and the consequent level of business vulnerability. Department xxx RISK OF OFFENCE ACTIVITY AT RISK PROBABILITY OF OCCURRENCE OF THE THREAT REQUESTED PROTOCOL COMPANY'S PREVENTIVE PROTOCOL STATE OF IMPLEMENTATION (IMPLEMENTED / TO BE IMPLEMENTED / UNDER IMPLEMENTATION) Section 316-bis of the Criminal Code (Misuse of public funds) Section 316-ter of the Criminal Code (Undue receipt of public funds) Section 640-bis of the Criminal Code (Aggravated fraud for obtaining public funds) Section 640, paragraph 2, No. 1, of the Criminal Code (Fraud) Picture 2. Example of Mapping of the activities at risk of offence for Department XXX 36