The Germans have a word for it: schadenfreude. Being an honest and transparent sort of people, the Germans admit it can be thrilling to watch somebody else’s failure. But even Volkswagen, a paragon of Germany’s economy, is not so honest and transparent that they made diesel cars that complied with rules limiting exhaust emissions. They cheated instead, writing a crafty bit of software that could detect when the car was being tested, and temporarily alter performance to lower emissions. Now that their trickery has been discovered, one third has been wiped off VW’s share value, and the business faces multi-billion dollar fines and compensation claims. Many are saying VW have tarnished not just their own brand, but the reputation of Germany as a whole. Given that the German economy is disproportionately driven by exports of manufactured goods, this is not a good thing. And yet, I am enjoying a laugh at their expense. I can afford to chuckle at VW’s pratfall because: I am not German; I do not own shares in VW; and I am interested in communications rather than cars. But before I laugh too hard, I remind myself that the exact same thing could happen to telcos. That begs a question for every risk manager reading this article: how do you ensure your business does not make the same mistakes as VW?
Consider how VW got away with cheating for so long. They wrote an obscure bit of software, and very few people truly understood what it was doing or why. Now think about the kind of technology that telcos use. When it comes to the stuff that actually makes electronic communications happen, 90 percent of it is obscure bits of code that very few people understand. The potential for manipulation is obvious. Naughty code could alter the value of a bill. It could invent records of events that never took place, or delete records of events that did take place. It could spy on people, or persecute them by allocating them an inferior quality of service. We already know plenty of examples of naughty code, because we freely admit that criminals and fraudsters spread malware that hurt telcos and their customers. Whilst outsiders have their reasons to write naughty code, that should not blind us to the possibility that insiders might also write code that breaks legal and moral rules.
Now let me point at an imaginary internal auditor, or risk manager, or fraud manager. Let me ask them how they know that insiders have never written any naughty code for use in their telco. What would be the answer? Most of the time, the truthful answer is they have no idea about things like that. They are totally reliant on the honesty of fellow employees. And that is exactly the position of all those internal auditors and risk managers and controls analysts who work for VW, and woke up one morning to read in the newspaper that their business was embroiled in a massive scandal. So what has the communications industry done to ensure it cannot end up in a similar mess to VW? The answer is: absolutely nothing.
Whatever VW’s faults, it cannot be said they did not make any effort to mitigate risks – or at least to manage the perception of how they mitigate risks. Their enterprise risk reporting sets an example that few can match. They ticked the right boxes, cited the right standards, used all the best buzzwords, and provided detailed analysis of their main risks. For example, they were clear about the seriousness of non-compliance with environmental regulations:
Risks that could impact on the financial result of the Volkswagen Group also include general environmental risks and climate change risks. Under the RMS [Risk Management System] these are identified, assessed and controlled by the Group’s divisions and companies. Examples of such risks include the following… differences in CO2 regulations between the major volume markets, which involve a variety of sanction mechanisms. Emission requirements for vehicle taxation also play an important role here.
VW had an established program for managing enterprise risks, and they repeated all the right catchphrases and jargon:
STRUCTURE OF THE RISK MAN2AGEMENT (sic) SYSTEM AND INTERNAL CONTROL SYSTEM AT VOLKSWAGEN
The organizational design of the Volkswagen Group’s RMS/ICS is based on the internationally recognized COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework for enterprise risk management. Volkswagen has chosen a holistic, integrated approach that combines a risk management system, an internal control system and a compliance management system (CMS) in a single management strategy (governance, risk and compliance strategy). Structuring the RMS/ICS in accordance with the COSO framework for enterprise risk management ensures that potential risks are covered in full; opportunities are not captured.
The tell-tale sign that words are being repeated, without being read, comes from that spelling error in the title. Or are VW risk managers known as ‘risk man2agers’? More buzzwords follow…
In addition to fulfilling legal requirements, particularly with regard to the financial reporting process, this approach enables us to manage significant risks to the Group holistically, i.e. by incorporating both tangible and intangible criteria.
Another key element of the RMS/ICS at Volkswagen is the three lines of defense model, a basic element required, among others, by the European Confederation of Institutes of Internal Auditing (ECIIA). In line with this model, the Volkswagen Group’s RMS/ICS has three lines of defense that are designed to protect the Company from significant risks occurring.
The difficulty with being holistic is that you cannot be sure you covered everything just because you covered the same things as last year. Risks are risks, whether you identify them or not. You do not have a holistic view of risk just by saying you do – you have to actually go out and address them all. So if they really had a holistic view of risk, where did they deal with the risk of somebody writing a naughty bit of code that, if discovered, would destroy billions of dollars of shareholder value overnight? Or did they assume that if nobody inside the firm discovered naughty bits of code, then nobody outside the firm could discover them?
My favorite line features the ‘three lines of defense’ model. My view on the three lines of defense is simple. I can build three walls around my property, but the number of walls is irrelevant if those walls do not go the whole way around. The failure to identify a risk is like leaving the same sized gap at the same place in every wall. As a consequence, building and maintaining additional walls gives a false sense of comfort, and may take attention away from where it is really needed.
And consider the following: we tend to trust people who write software. In contrast, many big businesses do not even trust their employees to have free access to a stationery cupboard. Why do auditors spend time checking procedures for travel expenses or the reconciliation of bank accounts, but take no interest in the possibility that software has been written to behave badly? Have they never seen Superman 3?
Most of the sentences in VW’s corporate risk report were unchanged from one year to the next. That may be a sign of a thorough and comprehensive risk program. Or it might be a sign of complacency. However, I predict one sentence will not be repeated again.
No significant changes were made to the RMS/ICS compared with the previous year.
I could also quote from the section of VW’s report that specifically covers environmental regulation, but it is really long, really detailed, and really dull. Whoever wrote it clearly understood the importance of compliance. The problem was not a lack of understanding about the rules. Rules are often obvious. The problem was that nobody in the business was in a position to independently verify if they actually complied with the rules. In other words, nobody independent of the wrongdoing was empowered, or could be bothered, to determine if naughty bits of code were being used to fake compliance.
For pity’s sake, please do not emulate Volkswagen. They wrote a great report, and many would be tempted to copy their approach. Some people might copy chunks of their report word-for-word, because it sounds so good. VW constructed a ‘system’ that superficially looks like it did everything right, following best practice and recognizing all the important objectives. But they looked away from an obvious source of risk because it was inconvenient. Little bits of code are incredibly inconvenient, but they are a very real source of risk. Many demons can hide within the complexity of software, and software is everywhere. Just consider the magnitude of the effort put into eradicating the Y2K bug, and then multiply it because the person writing naughty code really does not want an independent auditor finding out the truth about what their code does.
I know that work is difficult, and your boss does not appreciate you. Tomorrow you will get up, and you will still have no idea if there is naughty code in your business. But you have to try to deal with the risk. Take some joy in the fact that this disaster has hit Volkswagen, and not your business. VW is not a telco, but they are a big business, and the consequences are obvious. Try to frighten your boss, especially if he or she drives a Volkswagen. Use the example of VW to illustrate why even a model risk management approach can be undermined by the failure to identify a real risk. Take the schadenfreude, and put it to good use. If you do not, then somebody else may enjoy the schadenfreude that follows your fall.