Information Readiness in the Wake of VW and the Yates Memo

I’m not much of a gambler, so I steered clear of the tables and slots at SCCE’s Annual Compliance and Ethics Institute in Vegas last week. That said, I really think if I’d have made a dollar for every time I heard the words “Volkswagen” or “Yates,” I could have come out of that trip ahead of when I left. The emissions cheating scandal at the German automaker and the memo recently issued by the DOJ Deputy Attorney General both took center stage—quite literally—at SCCE’s 2015 event. 

It’s hardly surprising: the events are the stuff compliance executives’ nightmares are made of.  


On one hand, you have Volkswagen. Prior to the crisis, the brand loyalty it had cultivated as a global car manufacturer was surpassed only by three other manufacturers (Audi, Mercedes Benz and Alfa Romeo). The company was a mainstay on Forbes’ Most Valuable Brands list, recent research showed that 41% percent of Volkswagen drivers have owned a car of the same brand in the past 5 years and 28% of VW owners cited brand as the most important factor in their decision to buy their VW in the first place.

Then on September 18, the EPA ordered the recall of nearly a half-million Volkswagen cars, saying VW illegally installed software in its diesel-power cars designed to evade state emissions tests and standards. Crisis management and PR experts are comparing the level of consumer deception felt to Arthur Andersen and Enron. It’s not inconceivable that the long-term damage to VW’s reputation in the form of losses of consumer trust, confidence, and loyalty could be a force multiplier to the billions they’ll pay in fines, settlements, fees and recall costs to clean this up. 

As pressure mounts for VW to uncover—and share—exactly who did what, anecdotes of unrealistically aggressive sales goals and a culture based on fear and authoritarianism are coming to light. In compliance terms, that’s the operational equivalent of a match and lighter fluid. And while the investigation (and speculation) continues, the market value of the company has tanked by 43%. If you’re counting, that’s $33 billion lost in less than a month. 


On the other hand, you have the most recently issued policy memo out of the U.S. Department of Justice. Just a few days before the VW news broke, Deputy Attorney General Sally Yates released this memo on “Individual Accountability for Corporate Wrongdoing.” 

“Effective immediately,” Yates said during related remarks at the New York University School of Law, “If a company wants any credit for cooperation—any credit at all—it must identify all individuals involved in the wrongdoing, regardless of their position, status or seniority in the company, and provide all relevant facts about their misconduct.”

Reactions to the Yates memo vary greatly. Some insist it’s simply a reiteration of previous statements around individual prosecutions, while others hold it as a game-changer that merits a focused discussion with leadership and the board. 

Whatever side of the argument you find yourself, the Yates memo at a minimum serves as a reminder that knowing, and disclosing, facts around the individuals involved in an investigation can be a huge help to a company dealing with a catastrophic compliance breakdown. 


If there’s a common takeaway from these two big developments, it’s the need for information access and readiness within the compliance department. After all, key among the factors considered in awarding cooperation credit is the “timeliness of the cooperation.”

In short: reduced fines and penalties are more likely if companies can name the parties and types of misconduct involved in an incident, and quickly. Readily available answers and information when the regulators come knocking may earn you cooperation credit and provide some much-needed assurance to internal and external stakeholders that you’re getting things under control. 

Of course, cooperation isn’t just being willing to provide facts quickly, but able. As we see with Volkswagen, delays in providing this information (because you don’t have it) won’t just start you off on the wrong foot with enforcement officials: shareholders jump ship, customer loyalty wanes and market value nosedives while everyone is left to speculate where things went wrong. 

Beyond reviewing investigation protocol and procedures, companies should ensure they’re actually able to quickly identify what individuals, behaviors and environments culminated in a breach when one occurs. Any good case management system, particularly one that works in tandem with other compliance systems (e.g., policy manager or LMS) and company data (e.g., HRMS), should at any given moment arm you with the information you need. A quick check of your case management system and its analytics capabilities should help you quickly and easily find: 

  1. Involved parties: The names and roles of all parties involved in the incident, including the subjects, witnesses, reporter (if available) and affected parties. 
  2. Type of issue: All of the various types of misconduct at play. Because catastrophic compliance events rarely are limited to one type of issue, it’s important to document, understand and address the various categories of issues that occurred within a single event.
  3. Root cause: Beyond what happened, you’ll want to understand why. Tracking and understanding the difference between breaches committed because of malice, indifference, ignorance or pressure to perform gives you and investigators an understanding of what conditions and human behaviors contributed to the misconduct. [Take Volkswagen: Reports suggest that VW managers were being held to overly aggressive sales goals, which in turn put pressure on the engineering team to deliver a clean diesel solution to consumers. If  true, there are more widespread implications for individuals beyond the engineers.]
  4. Governance and management oversight: Easy and seamless integration of case data with HR information can tell you who knew—or who should have known—from senior management. Where did accountability break down? 
  5. Responses: If the company knew about the issue(s) at hand, what was done about them? What responses, disciplinary measures and control/process improvements took place as a result? 
  6. Historical trending: Being able to show the history of this type of misconduct, the people involved and remediation will help you point to consistent documentation, management and responses to establish credibility in those areas. 
  7. Control history: What controls were in place prevent this from happening, especially for the individuals involved? A complete and detailed history of your policies and procedures, training initiatives, communications and incentives can help paint a better picture of the expectations and requirements set out for your employees, their history of acknowledging their receipt and understanding of those standards, and the alignment of those standards with performance metrics and incentives.


Having all of the preventative and detective controls in place can only get you so far in the event of a breakdown: If you can’t get at the right information in a reasonable amount of time, then what good does it do you? When things go wrong, compliance executives find themselves in a situation where time is literally money.

VW is down $33 billion, facing a recall of up to 11 million cars, and its former CEO is facing criminal charges and watching its once enviable level of consumer trust completely implode. The company will be a case study of the hemorrhaging that can occur when no one’s able to step up and articulate who and what went wrong.

Because, unlike Vegas, sitting it out costs far more than being able to step up to the table.