Criminal compliance program for construction group with 450 employees

The Challenge

A construction group with 450 employees operating across three provinces found itself in a position of acute legal risk when a judicial investigation into fraud in public works contracts pointed towards one of its regular subcontractors. While the group was not the primary subject of the investigation, the proceedings revealed that its managers had maintained ongoing commercial relationships with the investigated company without having applied any due diligence procedures to third parties.

The 2015 reform of the Spanish Penal Code definitively introduced corporate criminal liability in Spain. Article 31 bis establishes that a company may be criminally convicted for offences committed in its name or on its behalf, but it also creates a route to exemption from liability if the entity had in place, at the time of the events, a sufficiently robust organisational and management model to prevent offences of that type. Without such a model, the company had no legal shield whatsoever.

The situation presented three compounding risk vectors. First, the absence of a criminal risk map specific to the construction sector, which carries particular exposure to offences relating to corruption in public procurement, money laundering, tax fraud, and offences against workers’ safety. Second, the lack of an independent compliance body with genuine supervisory authority. Third, the absence of an internal whistleblower channel that might have detected the subcontractor’s conduct before it reached the courts.

Our Approach

The project was structured in three overlapping phases aimed at producing a certifiable programme within six months — the deadline the group’s legal counsel had identified as critical for being able to submit it as evidence in the ongoing criminal proceedings.

Sector-specific criminal risk mapping. The first phase involved a comprehensive analysis of the group’s business processes against the catalogue of offences listed under Art. 31 bis. For the construction sector, the priority risks identified were: private-sector bribery and public official corruption in the procurement of contracts and licences, fraud in subsidies and public contracts, money laundering through transactions with partners or clients without due diligence, tax offences in treasury operations, and offences against workers’ rights and occupational safety. Each risk was assessed by likelihood and impact and assigned to a specific business process and functional owner.

Organisational and management model. Drawing on the risk map, we drafted the full documentary package required by the standard: the Corporate Code of Ethics, the Criminal Compliance Manual with specific controls by process, third-party due diligence protocols covering suppliers, subcontractors, and intermediaries, and authorisation procedures for sensitive transactions. We designed the Compliance Body structure, defining its functions, information access rights, reporting frequency to the board, and guaranteed functional independence.

Whistleblower channel compliant with the Whistleblowing Directive. We implemented an internal reporting channel that simultaneously satisfied the requirements of Spanish criminal compliance and Directive (EU) 2019/1937, transposed into Spanish law by Act 2/2023. The channel was configured with guaranteed anonymity, management by an independent third party for cases involving senior management, statutory response deadlines, and a full audit trail. Staff training on the use of the channel and the prohibition of retaliation was cascaded through the organisational hierarchy.

AENOR certification. The final phase involved submitting the programme to external certification audit against the UNE 19601 standard. The AENOR audit assessed the design of the model, the effectiveness of the implemented controls, the adequacy of the compliance body, and the documentary evidence of genuine training and rollout. The programme was certified without major findings.

Results

The criminal compliance programme became fully operational within six months of the project start. The AENOR certification was submitted by the group’s defence team in the judicial proceedings as evidence of the existence of adequate controls prior to the events under investigation — a key element in sustaining the criminal liability exemption under Art. 31 bis.4 of the Penal Code.

During the first year of operation, the whistleblower channel received seven reports. Three related to minor administrative irregularities that were corrected internally. Two flagged non-compliant practices by a different subcontractor that did not meet the established due diligence criteria, enabling the contract to be terminated preventively before any risk materialised. The remaining two turned out to be misclassified procedural queries.

The group now has a corporate governance structure whose level of criminal compliance maturity, according to the AENOR audit, exceeds the sector average in Spain.