By John Verver, CPA, CA, CISA, CMC
Strategic Advisor to ACL
There is no doubt that the Volkswagen diesel engine emissions scandal is going to fuel many articles and much commentary, for some time to come, in the world of risk management.
Presumably, it has also got a lot of C-suite executives thinking a lot more seriously about whether there are any comparable risks lurking around in their own corporation, just waiting to come to light and cripple their reputation, as well as taking 20% or so off their share value. Not that any of this is really anything new. Volkswagen is just the latest in a long list of major corporations that have suffered huge damage due to something going really wrong somewhere in the organization.
In some cases, of course, senior management was clearly involved in the wrong-doing and presumably aware of the risks (fudging financial statements or condoning pervasive bribery). In others, there was probably just a lack of real awareness of the risks involved (such as suffering a cyber-security breach). What makes the Volkswagen affair particularly surprising is that (a) it happened in such a very well-established and apparently well-managed company with a great brand, (b) it involved deliberate and unequivocal deception, and (c) it seems glaringly obvious that it was going to come to light at some point.
The big picture’s silver lining
In the big picture, events such as the Volkswagen scandal actually have the potential to do a lot of good. Think about Enron and Parmalat and what those scandals ultimately did to improve the integrity and reliability of financial controls and reporting, as well as the financial audit process. Think about Sony's and Target's security breaches and the impact they are still having on improvements to IT security infrastructure and the protection of customer and other critical data.
It is hard to say at this point what the long-term impact of Volkswagen will ultimately be. However, it is a pretty safe bet that it will be one more important component, or catalyst, in the process of getting corporations to take risk management and compliance seriously. Going through the motions of appointing a Chief Risk Officer and a compliance team, or waiting for internal audit to wave a red flag about poor risk management processes, without any real intent to operationalize risk management is not sufficient. Risk management and compliance processes should be treated with as much seriousness as any other critical business function. That means investing time and resources and really leveraging technology to gain ongoing and up-to-date visibility into the gamut of risks that corporations face.