Wednesday, March 18, 2026

The compliance façade: when words don’t stand up to facts


Nearly 25 years after the events that profoundly impacted my professional trajectory, Eni formally acknowledged my whistleblowing report, accepting it in August 2025 within its internal system.

What one would expect at that point is a serious, independent investigation aligned with the very principles the company claims to uphold - including those embedded in its internal policies and international standards such as ISO 37301.

However, what has unfolded in practice is something quite different.

There has been no concrete evidence of a substantive investigation into the facts presented. Instead, the response has been limited to formal, template-based communications, with no real transparency regarding the investigative process, the criteria applied, or the conclusions effectively reached.

The situation becomes even more concerning when considering that:

✔️ no independent external review of the case was conducted, as formally confirmed by RINA;

✔️ the entire investigative process remained fully under the company’s control;

✔️ and yet, there is no access to the substantive content of the alleged findings.

More recently, by exercising my right of access under the GDPR, I requested access to the personal data processed in the context of this investigation - including those contained in the whistleblowing assessment report.

The response from the Data Protection Officer was clear in denying access to internal documentation.

This raises an unavoidable question:

📌 How can an effective investigation be asserted without any transparency regarding the elements that would substantiate it?

📌 If an investigation did take place, where are the verifiable elements that demonstrate it?

📌 If not, what exactly was assessed?

Facts, documents, and timelines speak for themselves.

This is not just an individual case.

It is a real test of what commonly used corporate terms truly mean: ethics, transparency, and accountability.

Because in the end, compliance is not what is written in policies or institutional reports.

Compliance is what can be proven when it is truly put to the test.

🛑 Note:

Learn more by accessing the Flinto Case:

✅ 1) Memorial (1999–2025): https://lnkd.in/eNuHg9cT

✅ 2) Chronology of facts supported by documentary evidence: https://lnkd.in/d7SNWw9s

Monday, February 23, 2026

Compliance cannot be a trophy on the wall. It must be real practice.


Over the past months, I have lived through an experience that exposes a serious structural weakness in corporate compliance models based solely on formal certifications.


When I requested that my concrete case - a formal complaint, officially accepted and investigated - be used as a practical compliance test, I received a clear response from the certification body responsible for ISO 37301:2021:

📌 No material analysis was carried out. No real case was audited. No investigation was examined.

This reveals a systemic problem:

Companies display sophisticated certifications, international seals, impeccable policies, extensive codes of ethics - but without any real-world validation of practice.

When compliance is not tested through real cases, it turns into:

✔️ institutional rhetoric

✔️ reputational marketing

✔️ formal shielding

✔️ and, ultimately, regulatory fiction

The question that remains is simple:

📌 What is the value of a compliance system that is not tested when it truly matters?

Certifications cannot be mere trophies on the wall.

They must be living instruments of control, transparency, and real accountability.

Without this, the gap between discourse and practice widens - and public trust disappears.