Risk management and internal control system
STRUCTURE OF THE RISK MANAGEMENT SYSTEM AND INTERNAL CONTROL SYSTEM AT VOLKSWAGEN
The organizational design of the Volkswagen Group’s RMS and ICS is based on the internationally recognized COSO framework for enterprise risk management (COSO: Committee of Sponsoring Organizations of the Treadway Commission). Structuring the RMS/ICS in accordance with the COSO framework for enterprise risk management is intended to ensure that potential risk areas are covered in full. Uniform Group principles are used as the basis for managing risks in a standardized manner. Opportunities are not recorded in the RMS processes.
Another key element of the RMS and ICS at Volkswagen is the Three Lines Model, which is required by, among other bodies, the European Confederation of Institutes of Internal Auditing (ECIIA). In line with this model, the Volkswagen Group’s RMS and ICS have three lines designed to protect the Company from the occurrence of significant risks.
The minimum requirements for the RMS and ICS, including the Three Lines Model, are set out in guidelines for the entire Group and are regularly reviewed and refined. In addition, regular training is offered on the RMS and ICS.
A separate Group Board of Management Committee for Risk Management deals with the key aspects of the RMS and ICS every quarter. Its tasks are as follows:
- to further increase transparency in relation to significant risks to the Group and their management,
- to discuss specific issues where these constitute a significant risk to the Group,
- to make recommendations on the further development of the RMS and ICS,
- to support the open approach to dealing with risks and promote an open risk culture.
First line: Operational risk management and ICS
The first line comprises the operational risk management and internal control systems at the individual Group companies and business units. The RMS and ICS are integral parts of the Volkswagen Group’s structure and workflows. Events that may give rise to risk are identified and assessed locally in the divisions and at the investees. Countermeasures are introduced, the remaining potential impact is assessed, and the information is incorporated into the planning in a timely manner. Material risks are reported to the relevant committees on an ad hoc basis. The results of the operational risk management process are incorporated into planning and financial control on an ongoing basis. The targets agreed in the planning rounds are therefore continually reviewed in revolving planning updates. At the same time, the results of risk mitigation measures are promptly incorporated into the monthly forecasts regarding further business development. This means that the Board of Management also has access to an overall picture of the current risk situation via the documented reporting channels during the year.
Second line: Group Risk Management and ICS
Each quarter, in addition to the ongoing operational risk management, the Group Risk Management department sends standardized surveys regarding the risk situation and the implementation of countermeasures – through the quarterly risk process (QRP) – to all Group brands and significant Group companies. The risks are identified and approved in a multiple-party verification process and then checked for plausibility by Group Risk Management.
A score is calculated for each risk by multiplying the likelihood of occurrence (Prob) by the potential extent of the damage. This enables the risks to be compared with one another. The extent of the damage is calculated from the criteria of financial loss (Mat), reputational damage (Rep) and the potential threat to adherence to external legal requirements (Req). A score between 0 and 10 is assigned to each of these criteria. The measures taken to manage and control risk are taken into account in the risk assessment (net perspective).
The score for a likelihood of occurrence of more than 50% in the analysis period is classified as high; for a medium classification, the likelihood of occurrence is at least 25%. For the criterion of financial loss, the score rises in line with the loss; the highest score of 10 is reached when the potential loss is upwards of €1 billion. The criterion of reputational damage can have characteristics ranging from local erosion of confidence and loss of trust at local level to loss of reputation at regional or international level. The potential threat to adherence to external legal requirements is classified based on the potential impact on the local company, the brand or the Group.
In addition to strategic, operational and reporting risks, risks arising from potential compliance violations (compliance risks) and from sustainability issues (ESG) are also integrated into this process.
Volkswagen Financial Services AG and Volkswagen Bank GmbH have implemented their own RMS and ICS processes and regularly report to Group Risk Management.
To review the Volkswagen Group’s risk-bearing capacity, Group Risk Management uses the risk reports for a regular comparison of the aggregated risk situation and risk-bearing capacity. A simulation is used to check whether individual risks might become a going-concern risk if they are aggregated. There were no indications of insufficient risk-bearing capacity at the Volkswagen Group in the 2022 fiscal year.
Risk reporting to the committees of Volkswagen AG depends on materiality thresholds. Risks with a risk score of 40 or more or potential financial loss of €1 billion or more are presented quarterly to the Board of Management and the Audit Committee of the Supervisory Board of Volkswagen AG. In addition, the reporting includes all risks from the QRP with a risk score of 20.
In addition, significant changes to the risk situation that can arise in the short term, for instance from unexpected external events, are reported to the Board of Management as required. This is necessary if the risk may lead to potential financial loss of €1 billion or more and the likelihood of occurrence is estimated at greater than 50%.
In recent years, a standardized ICS to better protect against process risks has also been developed and put in place in significant companies. It continues to be introduced at further companies each year. The ICS thereby goes significantly beyond the requirements for the accounting-related ICS. In 25 catalogs of controls, the Group companies within its scope are presented with requirements in respect of the process risks and control objectives to be covered in order to protect the value chain in a standardized manner.
In addition to financial reporting issues, for example, they address process risks in development or production, as well as in the areas of compliance and sustainability. The catalogs of controls are checked at regular intervals to verify that they are up to date and are regularly expanded.
Key controls to cover process risks and control objectives are also tested for their effectiveness; any significant weaknesses identified are reported to the responsible bodies at Volkswagen AG and resolved in the departments.
Like the QRP, the standardized ICS is supported by the Risk Radar IT system.
We regularly optimize the RMS and ICS as part of our continuous monitoring and improvement processes. In the process, we give equal consideration to both internal and external requirements. As a component of the RMS, our Compliance Management System (CMS) is also subject to these control and adjustment mechanisms. External experts assist in the continuous enhancement of our RMS, CMS and ICS on a case-by-case basis.
Third line: Review by Group Internal Audit
Group Internal Audit helps the Board of Management to monitor the various divisions and corporate units within the Group. It regularly checks the risk early warning system and the structure and implementation of the RMS, ICS and compliance management system (CMS) as part of its independent audit procedures. The audit plan adopted by the Board of Management includes the first and second lines, i.e. the risk-mitigating functions in addition to the operational units.
RISK EARLY WARNING SYSTEM
The Company’s risk situation is ascertained, assessed and documented and therefore also complies with legal requirements. The requirements for a risk early warning system are met by means of the RMS and ICS elements described above (first and second line). Independently of this, the external auditors check both the processes and procedures implemented in this respect and the adequacy of the documentation on an annual basis. The plausibility and adequacy of the risk reports are examined via spot checks in detailed interviews with the divisions and companies concerned. The auditor examines the risk early warning system integrated in the Risk Management System with respect to its fundamental suitability for identifying, at an early stage, risks that might jeopardize the Company’s continued existence, and assesses the functionality of the risk early warning and monitoring system in accordance with section 317(4) of the HGB.
In addition, scheduled examinations as part of the audit of the annual financial statements are conducted at companies in the Financial Services Division. As a credit institution, Volkswagen Bank GmbH, including its subsidiaries, is subject to supervision by the European Central Bank, while Volkswagen Leasing GmbH as a financial services institution and Volkswagen Versicherung AG as an insurance company are subject to supervision by the relevant division of the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin – the German Federal Financial Supervisory Authority). As part of the scheduled supervisory process and unscheduled audits, the competent supervisory authority assesses whether the requirements, strategies, processes and mechanisms ensure solid risk management and solid risk cover. Furthermore, the Prüfungsverband deutscher Banken (Auditing Association of German Banks) audits Volkswagen Bank GmbH from time to time.
Volkswagen Financial Services AG operates a risk early warning and management system. Its aim is to ensure that the locally applicable regulatory requirements are adhered to and at the same time to enable appropriate and effective risk management at Group level. Important components of it are regularly reviewed as part of the audit of the annual financial statements.
Monitoring the effectiveness of the Risk Management System and the Internal Control System
Reporting to the Board of Management and Supervisory Board of Volkswagen AG includes the results of the continuous monitoring and improvement of the RMS and ICS along with the evaluation of the Company-wide risk situation based on the QRP and the presentation of the results of the internal control process based on the standardized ICS and downstream control systems at individual brands.
On this basis, an overall conclusion is reached once a year on the adequacy and effectiveness of our RMS, CMS and ICS at a Volkswagen AG Board of Management meeting. The Board of Management has received no information to indicate that our RMS or ICS as a whole were inadequate or ineffective in fiscal year 2022.
Nevertheless, there are inherent limits to the effectiveness of any risk management, compliance management and control system. Even a system judged to be adequate and effective cannot, for example, ensure that all actually materializing risks will be identified in advance or that any process disruptions will be ruled out under all circumstances.
THE RISK MANAGEMENT AND INTEGRATED INTERNAL CONTROL SYSTEM IN THE CONTEXT OF THE FINANCIAL REPORTING PROCESS
The accounting-related part of the RMS and ICS that is relevant for the financial statements of Volkswagen AG and the Volkswagen Group as well as its subsidiaries comprises measures intended to ensure that the information required for the preparation of the financial statements of Volkswagen AG, the consolidated financial statements and the combined management report of the Volkswagen Group and Volkswagen AG is complete, accurate and transmitted in a timely manner. These measures are designed to minimize the risk of material misstatement in the accounts and in external reporting.
Main features of the Risk Management and integrated Internal Control System in the context of the financial reporting process
The Volkswagen Group’s accounting is essentially organized along decentralized lines. For the most part, accounting duties are performed by the consolidated companies themselves or entrusted to the Group’s shared service centers. In principle, the financial statements of Volkswagen AG and its subsidiaries prepared in accordance with the IFRSs and the Volkswagen IFRS Accounting Manual are transmitted to the Group in encrypted form. A standard market product is used for encryption.
The Volkswagen IFRS Accounting Manual, which has been prepared in line with external expert opinions in certain cases, is intended to ensure the application and assessment of uniform accounting policies based on the requirements applicable to the parent. In particular, it includes more detailed guidance on the application of legal requirements and industry-specific issues. Components of the reporting packages that are required to be prepared by the Group companies are also set out in detail there, and requirements have been established for the presentation and settlement of intragroup transactions and the balance reconciliation process that is based on these.
Control activities at Group level include analyzing and, if necessary, adjusting the data reported in the financial statements presented by the subsidiaries, taking into account the reports submitted by the auditors and the outcome of the meetings on the financial statements with representatives of the individual companies. These discussions address both the plausibility of the single-entity financial statements and specific significant issues at the subsidiaries. Alongside plausibility checks, other control mechanisms applied during the preparation of the single-entity and consolidated financial statements of Volkswagen AG include the clear delineation of areas of responsibility and the application of the “four eyes” principle.
The effectiveness of the Internal Control System in the context of the accounting process is systematically assessed in significant companies as part of the standardized ICS. This begins with a risk analysis and definition of controls with the aim of identifying significant risks for the financial reporting process. Regular tests based on samples are performed to evaluate the effectiveness of the controls. These form the basis for a self-evaluation of whether the controls are appropriately designed and effective.
The combined management report of the Volkswagen Group and Volkswagen AG is prepared – in accordance with the applicable requirements and regulations – centrally but with the involvement of and in consultation with the Group units and companies.
In addition, the accounting-related Internal Control System is independently reviewed by Group Internal Audit in Germany and abroad.
Integrated consolidation and planning system
The Volkswagen consolidation and corporate management system (VoKUs) enables the Volkswagen Group to consolidate and analyze both Financial Reporting’s backward-looking data and Controlling’s forward-looking data. VoKUs offers centralized master data management, uniform reporting, an authorization concept and the required flexibility with regard to changes to the legal environment, providing a technical platform that benefits Group Financial Reporting and Group Controlling in equal measure. To verify data consistency, VoKUs has a multi-level validation system that primarily checks content plausibility between the balance sheet, the income statement and the notes.