By John L. Guerra
Editor, GRC & Fraud Software Journal
First Volkswagen, then Fiat, Suzuki and General Motors — the automotive world has been shaken by the failure of major car makers to verify the accuracy of their diesel emissions control software.
In spite of the press blaming automakers, however, many are questioning the responsibility that regulators bear in ensuring that manufacturers play by the rules.
French Caldwell, chief evangelist at governance, risk and compliance software company MetricStream, sees a failure on the part of regulators to properly educate manufacturers on the do’s and don’ts of emissions testing.
Here’s the GRC & Fraud Software Journal interview.
Q: Where is the gap between creating compliant emission software and what’s happening to these automakers?
French Caldwell: If regulators are having such a hard time ensuring effective implementation of emissions controls, how do they expect to keep up with new technologies that are introducing new types of risks into transportation – such as cybersecurity? There are no industry-specific standards for cybersecurity, yet everyone agrees that automobiles are more and more a computer platform on wheels.
Q: How would the manufacturers be found to have excessive emissions — is it because regulators set the bar too high?
FC: Policy makers, which include politicians as well as regulators, often count on emerging technology to meet emissions standards and fuel efficiency goals. But what happens when the technology does not perform as expected? There appears to be misalignment between policy goals, regulation, and real-world performance.
Q: How important is it for car manufacturers to report the accurate emissions results? Does damage to their brand’s reputation occur?
FC: It certainly doesn’t help the brand, and as we’ve seen, the impact on market value is tangible.
Q: What kind of safe harbor can be set for car manufacturers to reduce their culpability with excessive emissions?
FC: There are degrees of culpability. There is intentional cheating versus sloppy testing, and C-suite involvement versus lower-level obfuscation. Perhaps the U.S. Sentencing Commission Organizational Guidelines provide some guidance here. These include seven criteria:
- Documented standards and procedures
- Oversight by high-level personnel
- Due care in delegating substantial discretionary authority
- Effective communication to all levels of employees
- Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal
- Consistent enforcement of compliance standards including disciplinary mechanisms
- Reasonable steps to respond to and prevent further similar offenses upon detection of a violation
But on the other hand, who in the regulatory world is going to pay the price for poor monitoring and enforcement?
Q: When it comes to regulatory compliance in all industries, how large is the gap generally between regulations and corporate compliance? In other words, do companies in any industry ever truly meet 100 percent regulatory compliance?
FC: Regulations exist because of a gap between the public’s expectations for corporate behavior and their perception of actual corporate behavior. So even if a company is 100 percent compliant – which is subjective in and of itself – there is still often a public perception gap that has been amplified in the last decade by increasing use of social media and the demands of a 24/7 news cycle.