The Volkswagen case has been in the news for the past couple of days. According to the company, it installed software that falsified emissions tests in 11 million diesel cars, meaning that its vehicles actually spewed more pollutants than allowed.

The company’s market cap dropped by almost 40%. The CEO had to resign. The provisions in the books were raised to 6.5 billion euros.

A flood of class action suits is about to start, and in all likelihood some directors will end up behind bars. The Volkswagen case is just one example in the world of miscalculated integrity risks.

Every day, we see a steady flow of news regarding suspected fraud, corruption, human rights abuses and falsification of accounts. How can companies avoid becoming part of this kind of news flow? Is there something the management or the board could do better despite their existing compliance programs and global control frameworks? The answer is … absolutely!

Let’s look at the three fundamental factors determining whether a company’s reputation risk management is efficient or not: reputation-reality gap, changing expectations and unity.

Mind the Gap

Volkswagen has always had a good public reputation topped off with high integrity. The Volkswagen brand has almost become a synonym for reliability. Why did this perception collapse overnight?

Volkswagen has a global compliance program and organisation in place, so in this regard everything should have been under control. Contrary to the public perception, is it possible that the company didn’t in reality have the means to exercise its integrity risk management properly? Despite express obligations of integrity in their code of conduct, for some reason the implementation failed.

Tools in Place but not Maintained?

The second explanation could be that the company did not challenge and monitor its existing risk management system. Did Volkswagen regularly acid test the functioning of its whistle-blower communications channels? Did the compliance organisation have direct and independent access to the board, or was it subject to the interests of the operative management?

Had the workability of the existing system and the independence of compliance administration been secured, the problem might never have occurred. At least it would have come to the attention of the board much earlier, allowing sufficient time to take corrective measures before it was too late.

Maybe communications channels existed, but the fear of disclosing the problem and retaliation kept mouths shut?

Walk the Talk?

The third explanation could be that the company was ultimately unable to jointly ‘walk the talk’. Was this due to a fragmented organisation, siloed decision making, fear or sub-optimisation resulting from eccentric incentivisation? Based on the latest allegations in the news, some directors were warned, but the problem was quickly glossed over and ignored. In any case, the existence of flawless internal communications and internal trust can be questioned.

Reputation Risk Management 2.0

Failures in compliance always occur when a complex company structure is managed without effective risk management tools. Compliance management is not a stand-alone exercise. Instead it should be integrated into every company’s global risk management processes.

Despite existing codes of conduct, internal instructions and policies, companies should understand the essence of taking their compliance systems to the next level. Otherwise, their businesses can easily fall into ostrich management principles, i.e. putting their heads in the sand and hoping that their problems go away.

To switch back to my original bird metaphor, compliance 2.0 is absolutely crucial if you want to keep your pelicans out of the turbine.