The debate on outsourcing and criminal risk at the top is no longer an academic exercise. It has become a very concrete issue for boards, executive committees and governance bodies. In increasingly long supply chains – logistics, cleaning, transport, agribusiness, construction, technology – cases involving slave-like labor, illegal deforestation, tax fraud or industrial accidents are being brought, by the criminal justice system, to the desks of senior decision-makers.
The key question is no longer whether the CEO “knew everything”, but when a duty to act arises and how that duty can be reconstructed from the company’s governance. In other words: in what situations can inaction be treated as an unlawful omission, equivalent to action, exposing the top of the organization to criminal liability under Brazilian Criminal Law.
Outsourcing, value chains and the move into criminal law
Outsourcing was initially treated as a labor or contractual issue: who pays, who hires, who manages. As legislation began to establish joint or subsidiary liability in several sectors, the perception took hold that the contracting company shares part of the risk with its suppliers.
Criminal law enters the picture when the problem goes beyond non-performance or regulatory breaches and begins to affect legal interests such as life, physical integrity, the environment, the tax system or the organization of work. That is what happens, for example, when:
– a logistics provider operates with obviously excessive working hours and causes fatal road accidents;
– a cleaning contractor uses workers in degrading conditions inside the contracting company’s premises;
– segments of the supply chain benefit from systemic tax fraud or illegal deforestation to reduce costs.
In these scenarios, prosecutors do not ask only “who did it”, but why senior management tolerated, ignored or failed to prevent those outcomes, especially when outsourcing is central to the business model rather than a one-off decision. The value chain begins to be read as a chain of responsibility.
Omission liability: when doing nothing counts as acting
Under Article 13, paragraph 2 of the Brazilian Criminal Code, certain omissions may be treated as equivalent to action – the so-called “commission by omission” cases. In simple terms, a person can be liable as if they had acted when:
– they had a legal duty to prevent the result;
– they were in a position to act, but failed to do so;
– and, given their role, they held power to prevent the result.
This legal duty is not based on vague moral expectations. It generally comes from three classic sources: the law, contractual arrangements and situations in which someone has in fact assumed control over a risk (the so-called duty of guarantor). In outsourcing and supply chains, those three sources often overlap:
– service contracts that grant the contracting company audit rights, veto powers over subcontractors or the ability to approve critical performance standards;
– sector-specific regulations that require minimum controls over critical suppliers (for instance, in health, transport, energy or food);
– governance structures in which committees, senior executives and boards approve how the supply chain is designed, how costs are allocated and which “shortcuts” are tolerated.
The core criminal-law discussion is not whether a director was physically present at the scene, but whether, in light of how the chain was structured, that person – or the company itself – assumed a duty to act and breached it. In many cases, the argument is combined with doctrines such as willful blindness, in which prosecutors allege that the top of the organization chose not to see clear warning signs because the irregularities were profitable. This trend is analyzed in detail in the book Punindo a culpa como dolo: o uso da cegueira deliberada no Brasil, a key reference on how courts and prosecutors have expanded intent-related concepts in Brazilian Criminal Law.
How prosecutors frame criminal risk at the top
In recent years, the Brazilian Public Prosecutor’s Office has followed a consistent line: reconstructing, from governance documents, meeting minutes, e-mails and approval flows, the narrative that senior management not only could have known about the problems, but had the structural conditions to know and intervene.
When we look at case law and investigative practice, some recurring moves emerge:
First, showing that outsourcing is central to the business model. If the company’s competitive advantage depends heavily on a vendor operating at extremely low cost, the accusation tends to present that vendor as an extension of the contracting company itself.
Second, demonstrating that leadership was warned. Legal opinions, internal audit reports, e-mails from managers and repeated press coverage are used to argue that the company – and its leadership – had concrete indications of serious risk in that part of the chain.
Third, linking inaction to incentives. Aggressive targets, bonuses tied exclusively to cost reduction and the absence of integrity-related metrics are brought in as evidence that the real message from the top was “deliver at any cost” – even if the formal codes of conduct said otherwise.
The more the prosecution is able to show that the governance structure favored economic gain with little interest in how that gain was achieved, the easier it becomes to turn omissions into unlawful omissions, and outsourcing into an argument for criminal risk at the top.
Where governance really fails: policies on paper, decisions off-book
From a senior management perspective, the problem is rarely the absence of documents. Most large companies today have codes of ethics, integrity policies, supplier manuals, anti-corruption clauses and compliance programs.
For criminal courts, however, the sensitive point is the coherence between that formal architecture and real-world decisions. Some patterns are very common:
A supplier policy promises robust due diligence, but selection is driven almost exclusively by price and deadline, with self-declared questionnaires and no real checks. A risk matrix flags slave-like labor as a critical risk, yet there are no field audits in high-risk regions. Board reports present all indicators as “green”, while the operational and legal teams exchange worried internal messages about accidents, enforcement actions and lawsuits.
It is in this gap between declared governance and lived governance that prosecutors locate the space for omission liability. This is one of the reasons why corporate criminal law has become a central topic for senior management: it is at that level that decisions are made on where to invest in controls, which tolerances to accept and what kind of shortcut the organization is – or is not – willing to adopt.
When does the duty to act arise – and how do you prove it?
From a defense perspective, the point is not to deny in the abstract that a duty to act may exist in outsourced chains. The questions are when that duty arises, who actually bears it and how it can be demonstrated through the company’s governance.
In practice, some elements are decisive:
Decision-making structure. Who approves the onboarding of high-risk suppliers? Is that decision delegated loosely or taken by defined bodies, with criteria recorded in minutes? The more key decisions are made informally, without documentary trail, the easier it becomes for prosecutors to tell their own story.
Alignment between mapped risk and implemented controls. If risk assessments have for years identified the possibility of slave-like labor or severe environmental harm in certain segments of the chain, it is essential to show that there was a proportionate response: contract renegotiations, audits, supplier replacement, reinforcement of controls.
Reaction to red flags. NGO reports, media investigations, police operations involving suppliers and significant regulatory fines should trigger internal inquiries and containment measures. When nothing happens, or only public-relations efforts are deployed, prosecutors will argue that the duty to act arose there – and was knowingly neglected.
Consistency between incentives and discourse. Targets, bonuses, performance reviews and internal sanctions say far more about the company’s real culture than any brochure. If the incentive system rewards only financial outcomes, it becomes harder to argue, in court, that the top had no reason to suspect how those outcomes were being delivered.
It is precisely at this interface between omission liability and governance that works such as Punindo a culpa como dolo: o uso da cegueira deliberada no Brasil help explain how willful blindness and related doctrines are being used in Criminal procedure in Brazil to reach senior managers in complex outsourcing scenarios.
Reducing criminal risk at the top in outsourced chains
There is no way – nor should there be – to immunize any company against investigations. What can be built is a defensible position that makes it far harder to turn outsourcing into automatic criminal liability for directors and officers. Some axes are essential.
First, treat outsourcing and criminal risk at the top as a standing agenda item, not as an episodic crisis topic. This means having a permanent place in risk, audit and board committees for a concrete discussion of supply-chain risks, expressed in a language that senior management cannot later claim not to have understood.
Second, align contracts, policies and practice. Generic integrity clauses are not enough. Contracts and internal policies must provide for, and the company must actually use, audit rights, information rights, vetoes over subcontracting and clear termination triggers for serious violations – with documented evidence of when these mechanisms were activated.
Third, react promptly and proportionately to red flags. Ignoring years of serious enforcement actions against a key supplier, under the excuse that it is “irreplaceable”, is almost an invitation to criminal charges. Difficult decisions – such as replacing a major business partner – must be faced with method, phasing and documentation.
Finally, integrate criminal-law thinking into governance design. The goal is not to turn lawyers into censors of business activity, but to acknowledge that without a Criminal procedure in Brazil perspective, the organization may drift into patterns that courts will later interpret as unlawful omission at the top.
Conclusion: outsourcing with criminal awareness
Outsourcing and long supply chains are not problems in themselves. In many industries, they are preconditions for competitiveness. What the justice system increasingly demands is that senior management understand what exactly is being outsourced: the mere physical performance of certain tasks, or also responsibility for risks that, under the Constitution, remain non-transferable.
Treating outsourcing and criminal risk at the top as a governance topic – rather than a contract detail – is crucial to reducing the gap between social expectations, regulatory requirements and corporate practice. In an environment where the line between regulatory non-compliance and crime is becoming more fluid, omission liability stops being an abstract concept and becomes, very concretely, the line separating a critical incident from a criminal charge against the decision-maker.
The objective, in the end, is simple to state and hard to implement: to build supply chains in which the company knows where its risks are, can show what it did to control them, and does not have to discover, through an indictment, that outsourcing has been interpreted as a license not to look.
