Promptly identifying the risks and opportunities associated with our operating activities and taking a forward-looking approach to managing them is crucial to our Company’s long-term success. A comprehensive risk management and internal control system helps the Volkswagen Group deal with risks in a responsible manner.
The aim of the risk management system (RMS) and internal control system (ICS) is to identify potential risks at an early stage so that suitable countermeasures can be taken to avert the threat of losses to the Company, and so that any risks that might jeopardize its continued existence can be ruled out.
The organizational design of the Volkswagen Group’s RMS/ICS is based on the internationally recognized COSO framework for enterprise risk management (COSO: Committee of Sponsoring Organizations of the Treadway Commission). In the reporting period, Volkswagen again pursued a holistic, integrated approach that combines a risk management system, an internal control system and a compliance management system (CMS) within a single management strategy (Governance, Risk & Compliance strategy). Uniform Group principles are used as the basis for managing risks in a consistent manner.
With this approach we not only fulfil legal requirements, particularly with regard to the financial reporting process, but we are also able to manage significant risks to the Group holistically, i.e. by incorporating both tangible and intangible criteria.
Another key element of the RMS/ICS at Volkswagen is the three lines of defense model, a basic element required by, among others, the European Confederation of Institutes of Internal Auditing (ECIIA). In line with this model, the Volkswagen Group’s RMS/ICS has three lines of defense that are designed to protect the Company from the occurrence of significant risks.
Assessing the probability and extent of future events and developments is, by its nature, subject to uncertainty. We are therefore aware that even the best RMS cannot foresee all potential risks and even the best ICS can never completely prevent irregular actions.
In connection with our investigation of the emissions issue, we started to analyze possible viable enhancements to the system in the reporting period. These include, among other things, reinforcing the internal control system in the area of product compliance. We are also working to further reinforce the foundations of our risk management system, and issuing reports on the current risk situation on a quarterly basis. This allows us to counteract risk in a timely fashion and ensure it is averted if at all possible.
“Three Lines of Defense” Approach
- The first line of defense is formed by the divisions, companies and brands. Events that may give rise to risk are identified and assessed locally in the divisions and at the investees. Thanks to reports during the year via the paths documented above, the Board has an overall picture of the current risk situation at all times. The minimum requirements for the RMS/ICS are laid down in a single guidance document for the entire Group. This also includes a process for timely notification of significant risks.
- The second line of defense is the Group Governance, Risk & Compliance (GRC) department, which sets standards for the RMS/ICS and coordinates the quarterly risk survey and annual GRC control process. In the GRC control process, the brands, major companies and individual functions identify systemic risks and verify the effectiveness of the RMS/ICS. This serves as a basis for updating the overall picture of the potential risk situation and assessing the effectiveness of the system. The Group Board of Management receives a report on significant risks, which are also defined in terms of quantitative and qualitative assessment criteria and given probability ratings.
- The third line of defense is Group Internal Audit, which regularly checks the structure and implementation of the RMS as part of its independent audit activities.