Risk Management – Learning from the Car of the People (how not to do risk management…)
Volkswagen (VW) has a rich history and established brand as “the car of the people”. It is a company built on a nation’s pride and reputation for precision. It is also a company with excellent risk management systems and processes.
Yet they failed to pass the test.
We all know the story of VW’s fitting of vehicles with the so-called “defeat devices”. Investigations commenced, VW appointed a new CEO and thus the road to recovery began again. (Or so I thought until the news claimed that VW fitted the defeat devices in other brands too.)
To me, the story of the car of the people tells a tale of a very efficient risk management system failing to pass the test.
Not many details are available on who made the decision to defeat the system. However, somewhere in the VW organisation, someone made a decision that should have had alarm bells go off.
The decision to defeat the system exposed VW to an unacceptable level of risk. An exposed risk that damaged the brand and reputation beyond belief.
One has to wonder why no-one picked up the installing of the defeat devices, manipulation of software and/or rigging of tests as a material risk for VW?
And why no-one escalated the risk up in the VW food chain?
Risk Management Process Generally
In general, the process of risk management is well established and practised but it does require skill to be able to identify risks accurately.
Failure to accurately identify potential risk events leads to the:
- establishment of ineffective controls and
- inability to control or mitigate risk
at an acceptable and tolerable level.
Poor risk management impacts on the ability to accurately focus on quantifying and managing the consequences and likelihood of a risk.
In the case of VW, the consequences certainly eventuated; as a costly exercise and damaging to the VW brand/reputation.
The VW Risk Management System
VW owns a blue chip risk management system (RMS/ICS) – we may even refer to it as the Rolls Royce of risk management systems (pardon the pun).
As an elaborate, integrated system the risk management system reaches all areas of business.
The risk management system purports to regularly check efficiency and effectiveness.
VW regards compliance as an important part of the VW organisation.
VW aims for a preventative compliance approach by creating a culture where, through awareness and education, breaches are stopped before they occur.
Knowledge is prevention.
It has a well-published code of conduct.
“We pursue a holistic, integrating approach that combines the risk management system, internal control system and compliance management system in a single Governance, Risk & Compliance strategy. As a result, the RMS/ICS ensures full coverage of all potential risk areas. The central body responsible is the Group Board of Management, which is informed about risks and opportunities in connection with a wide variety of processes. The Supervisory Board’s Audit Committee receives regular reports on the effectiveness of the RMS/ICS. As an integral part of our structures and procedures, our RMS is embedded in the day-to-day business processes of the Volkswagen Group.”
Risks get well detailed in the annual reports with a high level view on controls or mitigation.
Previous Annual Reports declared no significant risks
I could not find anything on the potential of possible EPA claims.
As a risk management professional, I would have expected more.
At least a mention of the EPA allegations in the 2014 report, triggering materiality in any basic risk management model as a result of the potential impact or consequences of the VW brand.
An important precondition for business success
The basis for VW’s RMS/ICS model is to be aware of their stakeholders’ expectations.
For VW, risk management is an “important precondition for business success”.
One would assume that being truthful and not breaking the trust of your stakeholders by fitting “defeat devices”, fits this important precondition.
VW claims to deal with risks in a responsible manner….
“Promptly identifying the risks and opportunities arising from our operating activities and taking a forward-looking approach to managing them is crucial to our Company’s long-term success. A comprehensive risk management and internal control system helps the Volkswagen Group deal with risks in a responsible manner.”
VW follows a “three lines of defence” RMS/ICS process:
The risk management process follows three basic lines:
- 1st – Companies and business units: Operational risk management, including compliance and reports;
- 2nd – Group Governance, Risk and Compliance: Standard for and coordination of effectiveness of the RMS/ICS and CMS, overall report; and
- 3rd – Group Internal Audit: Audit of and report on RMS/ICS and CMS.
Management reports to the Board of Management and a Supervisory Board, which effectively makes for a five line defence.
Maybe in 2009, the fitting of the devices was not known or did not trigger an escalation under the RMS/ICS.
However, I would have expected that, once the allegations did not go away, the three lines of defence model should have picked it up.
As a minimum, mention should have been made of a potential issue in the 2014 report.
An effective risk management system would have picked up this risk.
Software and IT Risk Management
The report interestingly also deals with software and IT risk management.
“…We use technical resources that have been tried and tested in the market, adhering to standards applicable throughout the Company…. we continuously take measures to combat identified and anticipated risks during the software development process,..
The increase in CO2 and consumption regulations means that it is necessary to use the latest mobility technologies in all key markets worldwide. Electrified and pure-play electric drives will also become increasingly common…
The Volkswagen Group closely coordinates technology and product planning with its brands so as to avoid breaches of emission limits, which would entail severe sanctions.”
The road to recovery – or the road to passing the test?
It is noble of the CEO to resign and to allow the process of recovery to begin.
Only the CEO knows if he knew of any irregularities or not.
The question is – should he and many other executives and board members have known?
Should they have asked more questions and dug deeper?
VW management manned the defence line.
The VW managers supposedly act as the gatekeepers, protecting the interests of shareholders, employees, suppliers, customers and other stakeholders.
Hindsight is easy.
But in VW’s case, I think they should have had more than hindsight.
Software modifications, manufacturing and fitting the defeat devices and rigging the tests, etc. do not happen overnight and likely would not have occurred outside the VW systems.
Transactions get captured in budgets, procurement handles the buying process, internal and external auditors ensure due diligence.
VW reviews risks in ALL areas of the business; in many ways and many forms.
Yet no one picked this up.
It is hard to believe that no one picked the gap in the fence; no one asked the right questions.
It is easy to say that the systems failed or to send the CEO packing and start afresh.
The VW systems appear solid, sound and yet a risk of this magnitude managed to slip through all the defence lines.
In my opinion the system, in particular the RMS/ICS, was efficient but not effective; not even the testing and reporting on the effectiveness of the RMS/ICS picked up the flaw in effectiveness.
VW will require a significant organisation design review not to change the systems but to eradicate the unacceptable behaviours that led to the ineffectiveness of the system.
Hopefully the investigations will be detailed enough to get to the root cause of why the lines of defence were ineffective. On paper it seems almost unbelievable that it could have happened.
The Car of the People – Picking up the Pieces to build an effective risk management system
Over time the true cost and impact of the reputation and brand of VW as “car of the people” will become known. I would expect many questions will have to be asked to ensure that the risk management system is not only efficient but also effective. The art will be in asking the right questions and achieving true effectiveness.
Lessons for Business
All of us in business can learn the lessons from VW.
I think the most important lessons for building business capability and an effective risk management system include:
- the requirement to continue to ask questions, difficult ones;
- not taking short cuts but working towards innovation;
- paying attention to “smoke” – remember the old saying – “where there is smoke, there is fire”;
- realising the importance of brand/reputation and how easily a bad decision damages brand/reputation;
- the buck stops with the CEO or the business owner, therefore make sure you know what is happening;
- risk management serves a process – identifying and managing risk.
Have a great day!
Click here for more information about Celia.