The Governance Library curated by Matthew Doyle
Risk Room · Board Risk Oversight
Case study · Volkswagen Dieselgate
00:00
Risk Room · Practice · Board-level habits
Board Risk Oversight
The work the board does to see, probe, and act.
UK Corporate Governance Code · 2024
The apparatus. What it does not tell you is how to do it.
Principle F
The chair is responsible for the board's overall effectiveness.
Provision 28
Robust assessment of emerging and principal risks.
Provision 29
Monitor risk management and internal control. Report annually.
Practice is four things.
1
Composition
2
Information
3
Questions
4
Cadence
Habit 1
Composition
Is the right expertise at the table?
Does any director actually understand the technology, the regulator, the market you operate in?
Provision 10 · independence · material, personal, or financial relationships that could affect judgement
Habit 2
Information
The reports the board needs — or the ones management is willing to show?
Good information is not the absence of risk. It is the presence of early warning.
Habit 3
Questions
Who asks the uncomfortable one?
A board that never hears a dissenting view is not a board with consensus. It is a board without a dissenter.
Habit 4
Cadence
When something moves, does the board meet?
Or wait for the next scheduled cycle?
Composition. Information. Questions. Cadence.
None of them require a new framework.
All of them can be missing even when every framework is in place.
Case · Volkswagen supervisory board
One of the most expert-looking boards in European industry.
Former chief executives
State ministers
Engineers
Union representatives
On a balance-of-names test, a strong board.
Who actually decided
Voting rights were held by blocs, not by independent directors.
Piëch/Porsche 50%
IG Metall 20%
Qatar 17%
Lower Saxony 13%
Four blocs. Four agendas. Independent directors a small minority.
The four habits · Volkswagen
Each habit — missing.
Composition
Voting blocs dominant. No independent directors able to challenge the flagship diesel programme.
Missing
Information
Memos 2006–2014 flagged US emissions risk. One reached Winterkorn's desk in May 2014. The "I do not remember" defence is the lesson.
Missing
Questions
Audit committee met routinely. No one asked to see the emissions software. No one asked whether EA189 tests had been independently verified.
Missing
Cadence
WVU findings 2014: handled operationally, by the people whose programme was in question. Board dealt with it Sept 2015 — after the EPA Notice of Violation.
Missing
Contrast · Carillion · 2018
A UK unitary board. Different structure. Same four habits missing.
HC 769 · Joint BIS / Work & Pensions Committee · May 2018
Same metrics cycle after cycle. Ageing receivables not probed.
Aggressive contract revenue recognition not pressed.
Three profit warnings in five months — no out-of-cycle meeting.
CEO optimism not challenged.
Different country. Different board structure. Different sector. Same pattern.
What good looks like · Rolls-Royce · 2017+
A board doing the four habits — after being forced to.
£671m
SFO DPA settlement · Jan 2017
7
jurisdictions · bribery & corruption
2022
DPA closed early · on monitor's recommendation
Under chair Sir Ian Davis: rebuilt ethics and compliance from the ground up; removed the individual commission payments that drove the behaviour; established a standing board-level Ethics & Compliance Committee; published annual auditable compliance reports.
Composition strengthened. Information flow rewired. Questions asked for the record. Cadence tightened.
Structure can be built.
The four habits have to be practised.
If the chair doesn't protect the dissenting voice — there isn't one.
If audit doesn't ask for the uncomfortable attachment — it isn't produced.
If the board doesn't meet out of cycle — the signal fades.
Three things to carry forward.
A reading
US DoJ Statement of Facts · United States v. Volkswagen AG, January 2017. Paired with the SFO's Rolls-Royce DPA statement of facts from the same month — the reform arc, not the collapse.
A question
When did your board last change a decision because an uncomfortable risk report changed the picture?
The wider library
Oversight sits beside Three Lines — who produces the reports. And risk appetite — what those reports should be looking for.
Risk Room 03 · The Governance Library curated by Matthew Doyle · mæd partners
00:00 · 07:40