Promptly identifying the risks and opportunities associated with our operating activities and taking a forward-looking approach to managing them is crucial to our Company’s long-term success. A comprehensive risk management and internal control system (RMS/ICS) helps the Volkswagen Group deal with risks in a responsible manner.
The aim of RMS/ICS is to identify potential risks at an early stage so that suitable countermeasures can be taken to avert the threat of loss to the Company, and so that any risks that might jeopardize its continued existence can be ruled out.
The organizational design of the Volkswagen Group’s RMS/ICS is based on the internationally recognized COSO framework for enterprise risk management (COSO: Committee of Sponsoring Organizations of the Treadway Commission). In the reporting year, Volkswagen again pursued a holistic, integrated approach that combines a risk management system, an internal control system and a compliance management system (CMS) within a single management strategy. Uniform Group principles are used as the basis for managing risks in a consistent manner.
In the reporting year, we continued to develop our RMS/ICS. In addition to the ad hoc and annual risk assessment, the Board of Management also receives quarterly risk reports. This additional reporting on the current risk situation raises awareness of risks in the Company and encourages an open approach to dealing with them. We continued to reinforce the internal control system in the area of product compliance in 2016. This includes what are known as the Golden Rules, which we describe in the chapter on the diesel issue in the Volkswagen AG 2016 Annual Report, pages 96 and 97.
Assessing the probability and extent of future events and developments is, by its nature, subject to uncertainty. We are therefore aware that even the best RMS cannot foresee all potential risks and even the best ICS can never completely prevent illicit actions.
“Three Lines of Defense” Approach
Another key element of the RMS/ICS at Volkswagen is the three lines of defense model, a basic element required, among others, by the European Confederation of Institutes of Internal Auditing (ECIIA). In line with this model, the Volkswagen Group’s RMS/ICS has three lines of defense that are designed to protect the Company from the occurrence of significant risks.
- The first line of defense is formed by the divisions, companies and brands. Events that may give rise to risk are identified and assessed locally in the divisions and at the investees. Thanks to reports during the year via the paths documented above, the Board has an overall picture of the current risk situation at all times. The minimum requirements for the RMS/ICS are laid down in a single guidance document for the entire Group. This also includes a process for timely notification of significant risks.
- The second line of defense is the Group Governance, Risk & Compliance (GRC) department, which sets standards for the RMS/ICS and coordinates the quarterly risk survey and annual GRC control process. In the GRC control process, the brands, major companies and individual functions identify systemic risks and verify the effectiveness of the RMS/ICS. This serves as a basis for updating the overall picture of the potential risk situation and assessing the effectiveness of the system. The Group Board of Management receives a report on significant risks, which are also defined in terms of quantitative and qualitative assessment criteria and given probability ratings.
- The third line of defense is Group Internal Audit, which makes regular checks on the structure and implementation of the RMS as part of its independent audit activities.
A detailed overview of our risk management and internal control system can be found in the Report on Risks and Opportunities in the Group Management Report of our 2016 Annual Report.
The diesel issue both causes risks for the Volkswagen Group and has an impact on existing risks. The Volkswagen Group has made suitable provisions for risks arising from the diesel issue, in particular for the upcoming service campaigns, recalls and customer-related measures, as well as legal risks, but also for residual value risks.
Risks that could impact on the Volkswagen Group’s bottom line also include general environmental risks and climate change risks. These risks are identified, assessed and managed by the Group’s divisions and companies within the framework of the RMS. This includes risks which can result from CO2 and emissions legislation and regulations. Extreme weather situations, storms or floods can lead to failure of information and communication technology, supplier failure resulting in production stoppages, or general production downtime at one of our more than 100 production locations worldwide.
More information on economic, political, financial and operational risks can be found in the Report on Risks and Opportunities in the Group Management Report of our 2016 Annual Report.