Volkswagen Side-Steps Enterprise Risk Management

Steven Minsky | Oct. 5, 2015

Volkswagen has been side-stepping environmental compliance standards by “programming some diesel-fueled cars to turn on emission controls only when being tested.” In the days since this discovery, Volkswagen has been hit with over 30 federal lawsuits and 40%+ decline in stock value, all stemming from the same source—poor Enterprise Risk Management.

In this case, poor risk management regarding their investment in diesel, without developing a risk mitigation strategy for if the technology didn’t meet emissions performance objectives, led to a second risk management failure in not uncovering a scheme to hide the non-performing emissions problem. In 2010, requirements for Enterprise Risk Management were put into place by the SEC requiring senior leadership teams and boards to know their risks and disclose them. In the case of Volkswagen, the CEO was removed for not-knowing about their emissions risk.

How can boards be successful and protect themselves from employee misconduct?

Executive teams, boards and internal audit groups are obligated to know their company’s’ major risks and disclose these risks to their investors. Without an Enterprise Risk Management software system to support an effective ERM process, they risk being found negligent in risk management, and subsequently being exposed to maximum legal penalties. Will Volkswagen’s executive team, board, and internal audit department be able to prove they were doing something to correct the situation prior to getting caught? If they can, most of the punitive damages and shareholder lawsuits could be greatly reduced as part of a robust protection package afforded to corporations practicing strong Enterprise Risk Management.

However, it appears unlikely that Volkswagen performed enterprise-wide risk assessments, which could have identified the scheme to cover engine emissions performance. With the thousands of employees involved, routine business risk assessments as part of an Enterprise Risk Management program would have detected these issues in time for corrective action to be put into place. Risk assessments would also have helped connect and prioritize the separate risks of technology failure with compliance fraud. In order to do so, the company would have needed to utilize some form of an ERM solution, starting with a risk management template, to record and track data cross-functionally, something that spreadsheets cannot achieve.

Unlike informal documentation with office products, an ERM system provides an avenue for individuals to demonstrate that they were doing everything possible to follow best practices and mitigate these types of risks. It provides transparency into what decisions are being made, based on what information is available at the time. It also allows for the tracking of these decisions as a trigger to reevaluate when new regulations are passed or new technologies are developed.

With an ERM platform, individuals can record risks, document controls, and set sign offs and approvals. Furthermore, an ERM solution allows individuals to prioritize top risks, carry over risk scores, and identify which controls compensate for those risks. The monitoring of these controls, through testing or metric collection, ensures they remain effective.

Moreover, Enterprise Risk Management software creates a method to explicitly lay out risk management procedures, and how and when risks were reviewed by a subject matter expert. This opens the door for innocence validation. With a solution, workflows are simple to set-up, tracing clear approval processes which ensure that proper steps and actions are taken. This in turn improves risk management at an enterprise level.

In an industry driven by customer satisfaction, loyalty, and trust, did Volkswagen adequately assess the risks of undermining the general public as well as regulators? A relationship with a car is not momentary, it can steam throughout a lifetime.

Winterkorn still claims, “I am not aware of any wrongdoing on my part.” Winterkorn could have learned a lesson from the BP Oil Spill tumultuous downfall.  As the CEO, as has been required by the SEC since 2010, Winterkorn needed to know about the risks his corporation faced down as many levels as to the front lines. Winterkorn could have protected his career and the Volkswagen brand by implementing a formal, well documented Enterprise Risk Management process.

Better Risk Assessments

Check out our eBook with 5 steps for better risk assessments here!