By this point, the Volkswagen scandal is old news (we first blogged about it last October). Yet details about the case continue to emerge, most recently about board accountability. As of last week, a Volkswagen “internal probe into its emissions-cheating scandal found no evidence of wrongdoing by members of senior management…” In other words, VW’s Board didn’t know about the deception until it was too late.

This might appear to be a good thing, but actually VW is making its situation worse. Why? As we discussed in last week’s webinar, regulators now consider risk management negligence an offense equal to fraud. We also discussed this issue last November, when we blogged about how ignorance is no longer an excuse for poor board oversight.

The alternative to negligence (besides upping the ante and adopting a robust risk management program) is full disclosure of poor risk management. Thanks to the SEC’s 2010 disclosure rule, boards won’t be considered negligent if they publicize their company’s lack of risk management.

As I discussed at April’s Enterprise Risk Management Thought Leadership Summit at St. John’s University, up until 2010, board accountability for risk management extended only to actions executed at the executive level. Starting in 2010, a number of federal and state regulations extended liability for material risks to any level. The requirement for accurate disclosure of their effectiveness in managing risk also appeared. Boards suddenly found themselves accountable for much more than they had been.

The Volkswagen saga is far from the first example. Consider the following recent events:

• Nordion Inc., a global health science company, failed to adhere to its internal controls procedures, which is negligence. Even though the company self-reported to and cooperated with the SEC, it still paid $375,000 in penalties related to board accountability.
• Chipotle’s inadequate quality controls, which weren’t disclosed, led to a host of salmonella outbreaks linked to multiple locations. The company suffered regulatory penalties, a major hit in market value, and is being sued by its shareholders for risk management negligence.
• Dwolla, a small, private company, paid a civil penalty of $100,000 for risk management negligence, even though no incident occurred. This case is particularly illustrative of the importance of risk management (or disclosure of its inadequacy); it doesn’t take a data breach or bacterial outbreak for the ax to fall.
• Volkswagen reported the “innocence” (i.e. negligence) of its board regarding the emissions scandal. As a result, thousands of workers walked off numerous plants, asserting that “‘Responsibility for the diesel crisis lies with decision makers at headquarters and not with the workforce.’”

All of these events line up with what we’ve been anticipating. Boards that don’t perform their due diligence regarding risk management are now being held accountable.