Operational risks and opportunities

For this risk category, the likelihood of occurrence is classified as medium (previous year: high) and the potential extent of damage is classified as medium (previous year: medium).

The most significant risks from the QRP lie particularly in cybersecurity and new regulatory requirements regarding IT, as well as in volatile procurement markets, here primarily in relation to the supply of parts, and in quality problems.

Risks from extraordinary events in the Volkswagen Group’s procurement and production network

Extraordinary events beyond our control including natural disasters, climate-induced extreme weather events, pandemics and other events, for example violent confrontations – such as the Russia-Ukraine conflict or the confrontations in the Middle East – fires, explosions, or the leakage of substances hazardous to health or the environment, may result in supply risks in procurement and heavily impair production. As a consequence, bottlenecks or even outages in production may occur, thus preventing the planned production volumes from being achieved.

Early warning systems help to identify supply risks and prevent assembly line stoppages. We keep global and local risks under constant observation so as to be able to respond quickly to effects throughout the entire supply chain. In addition, measures to counteract further risks include comprehensive safety and emergency response concepts such as fire prevention, property protection, hazardous goods management and task forces, and we take out corresponding insurance coverage where this makes economic sense.

Due to the uncertainty arising from the further development of the Russia-Ukraine conflict and associated sanctions, and the further development of the energy market, there is a risk throughout the entire automotive industry that in spite of preventive measures, looming supply breakdowns may not be recognized early enough and production cannot be maintained in full despite effective countermeasures.

Countermeasures may include finding alternatives where suppliers are unavailable and organizing special processes. Procurement, in collaboration with all Group departments and the supplier network, was able to put these measures to the test in 2023, particularly in securing purchased parts from flooded areas of Slovakia.

Risks and opportunities from Procurement and Technology

Current trends in the automotive industry such as e-mobility and automated driving are resulting in an increased need for financing among suppliers, presenting them with considerable challenges. These are being exacerbated by the current commodity price situation and the limited availability of semiconductors. The supplier risk management department in Procurement at the Volkswagen Group evaluates in particular the financial situation of suppliers, before they are entrusted with the implementation of projects. Procurement takes into account the recommendations of the supplier risk management department.

The risk of supply shortages and disruption to supply continues to exist, particularly given the current global geopolitical and macroeconomic situation. Examples include the continuing constraints in the supply of semiconductor components and the direct and indirect effects of the Russia-Ukraine conflict, including potential temporary interruptions to the energy supply.

Supply risks are identified in Procurement by means of early warning systems and task force and mitigation structures have been created to reduce these risks. In addition, strategic measures are to be taken to avoid future impacts in the long term.

The sharp increase in commodity and energy prices resulting from the global economic trends and crises of recent years plus the significant rise in personnel costs is impacting the financial situation of many suppliers. Furthermore, the rapid rise in financing costs combined with more restrictive lending is placing additional burdens on suppliers and limiting their ability to finance new projects and capacity adjustments. This, too, is giving rise to the risk of bottlenecks and disruptions in supplies.

Procurement employees specialized in restructuring and supply reliability constantly monitor the financial situation of our suppliers throughout the world, taking measures designed to counter the risk of possible supply disruptions.

Demand for resources, possible speculations on the market and current trends in the automotive industry, such as the growing share of electrified vehicles, may affect the availability and prices of certain raw materials. Trends in raw materials and demand are continuously analyzed and assessed on an interdisciplinary basis to enable steps to be taken at an early stage in the event of potential bottlenecks.

The risks in battery cell production relate particularly to the rising demand for battery cells and the resulting reliance on suppliers, from technological change and from the service life of battery cells. Additional risks may arise from long-term ties to cell manufacturers and the direct responsibility of Volkswagen in the supply chain. To counter these risks, the Volkswagen Group maintains multiple strategic supplier relationships while extending the scope of its own activities along the value chain (raw material extraction, cell production) at the same time.

Commodity risks can be partially mitigated through backward integration of the value chain. For example, partnerships and long-term supply agreements with commodity suppliers can be used to ensure the supply of the relevant material while also achieving competitive prices.

Quality problems may necessitate technical intervention involving a substantial financial outlay if the cost cannot be passed on to the supplier or can only be passed on to a limited extent. Assuring quality is of fundamental importance, all the more so in the US, Brazilian, Indian and Chinese markets, for which we develop vehicles specific to the country and where local manufacturers and suppliers are established, particularly as it may be difficult to predict the impact of regulations or official measures. We constantly analyze the conditions specific to each market and adapt our quality requirements to their individual needs. We counter the local risks we identify by continuously developing measures and implementing them locally, thereby preventing quality defects in the supply chain from arising.

It is not possible at present to rule out the possibility of a further increase in recalls of various models produced by a variety of manufacturers in which certain airbags manufactured by Takata were installed. This could also affect Volkswagen Group models.

Specialists in Procurement systematically investigate risks resulting from antitrust violations by suppliers and file claims for any losses that may arise.

Risks in the supply chain may also arise from the non-fulfillment of statutory duty of care in respect of human rights and the environment, which might lead, for example, to supply shortages in production or to sanctions in sales. The requirements are compared with existing processes with the help of gap analyses, and processes are developed and implemented to fill in any gaps. In order to meet our duty of care in respect of human rights, and to identify, counteract and prevent the associated risks in the value chain, we developed and implemented a responsible supply chain system in 2022.

Production risks

Production risks for the Volkswagen Group arise in particular from the overarching framework, from supply risks, from internal, strategic and operational challenges and from sales risks. Countermeasures and precautions are taken in accordance with the principles of risk management so as to mitigate each of the risks identified.

Risks arising from the overarching framework include in particular potential disruption to our own operating ability or to the supply of inputs crucial for operation that is caused by extreme weather events in the form of flooding and drought, severe storms or similar. These may lead to production stoppages with financial ramifications for the Group. The Group manages these risks by systematically analyzing the impacts of climate change on its production sites and using the findings to develop specific countermeasures for the individual locations and risk type.

Other overarching risks may arise as a result of social and political changes as well as from other failure of critical infrastructure – for example in the form of supply risks. Here the Volkswagen Group reduces its risk by taking measures to lower consumption and by making its use of raw materials more flexible, provided this is economically viable. In addition, we prepare compensatory measures between locations that reduce the economic effects of risks for the Group as a whole. Internally, the trend away from conventional vehicles with combustion engines and towards a higher share of electric vehicles is giving rise to production risks. In individual cases, an uneven transition to e-mobility may lead to temporary gaps in capacity utilization. In principle, the international production network enables us to respond flexibly at the sites and adjust capacity utilization between production facilities by means of “turntable concepts”. The diversity of our models, the reduced product life cycles and the use of complex processes and technical systems have increased the risk of a delay to the start of production of a vehicle in recent years. We address this risk by drawing on the experience of past production starts and identifying weaknesses at an early stage so as to ensure – to the highest degree possible – that production volumes and quality standards are met during the start of production of our vehicles throughout the Group. At an operational level, machine and system failures pose a risk in production. Our comprehensive preventive maintenance concepts and emergency response concepts can prevent these failures or mitigate their impact.

In unit sales, risks arise from fluctuations in demand as regards volumes and vehicle characteristics. Production risks arising from fluctuations in production volumes affecting vehicle models concern in particular utilization of production capacity. This is planned several years in advance based on long-term sales planning for all vehicle projects. The risk is that market momentum and changes in demand will not be forecast correctly. If forecasts are too optimistic, there is a risk that capacity will not be fully utilized. However, forecasts that are too pessimistic pose a risk of undercapacity, as a result of which it may not be possible to meet customer demand. As a countermeasure, the initial investment can be focused on a certain minimum number of units so that the full planned number of units or a higher number of units can be covered with flexible additional investments. In addition, turntable concepts help us to adjust capacity utilization between production facilities. Flexible working time models allow us to stabilize employee productivity when the number of production units fluctuates. The availability of buildable orders for production poses another risk to unit sales. Legal changes, for instance in the context of the changeover to the WLTP test procedure or new cybersecurity requirements in accordance with the UNECE regulation, may impact production. For one thing, a temporary reduction in the range causes demand to focus on the available variants. For another, gaps in production can occur if model variants have not been approved. In such cases, until official approval is granted, production can be stabilized by producing and temporarily storing vehicles, including customer-specific vehicles. The resulting tied-up capital and the availability of storage areas are limiting factors, however. There is a risk that a backlog will be created due to the slow outflow of built vehicles, which will also limit the number of production units. We counteract this risk by taking specific measures to speed up the process up to the end customer and through early contractual commitment of transport capacity.

Risks arising from long-term production

In the case of large projects within the Power Engineering Business Area, risks may arise that are often only identified over the course of the project. They may result in particular from contract design errors, inaccurate or incomplete information used in costing, post-contract changes in the economic and technical environment, weaknesses in project management, quality defects and unnoticed product malfunctions, product emergence, or poor performance by subcontractors. Most notably, omissions at the start of a project, overshooting of the development budget or timeframe, and legislative changes are usually difficult to correct or compensate for and often entail substantial additional expenses. The current disproportionate increases in commodity prices, energy prices and freight rates, and the limited availability of semiconductor products, may have a detrimental impact on production costs and revenue recognition.

The aim is to identify these risks at an early stage and to take appropriate measures to eliminate or minimize them in advance, particularly during the bidding and planning phase of large upcoming projects. This is done by constantly optimizing the project control process across all project phases and by using a lessons-learned process and regular project reviews.

Quality risks

We strive to identify and rectify quality problems at an early stage during the development of our products to avoid, among other things, delays to the start of production. As we are using an increasing number of modular components as part of our platform strategy, it is particularly important when malfunctions do occur to identify the cause quickly and eliminate the faults. Nonconformity of internally or externally sourced parts, components or functions may necessitate time-consuming and cost-intensive measures, leading to recalls and therefore damage to the Volkswagen Group’s image. In addition, the resulting financial impact may exceed provisions. To meet our customers’ expectations and minimize warranty and ex gratia repair costs, we are continuously optimizing the processes at our brands with which we can prevent these faults.

If quality management is ineffective, there is a risk of losing ISO 9001 and KBA certification. This would lead directly to a loss of type approval from one or more authorities. We counter this risk by continuously training the Group’s system auditors, while our quality management system and process quality undergo internal audits.

We also check the conformity of series products (CoP – conformity of production) in vehicle production plants as part of system audits with a CoP component. Further risks are associated with discrepancies identified in conformity of production measurements and in-service-conformity (ISC) measurements. We have established an effective system for monitoring the conformity of CoP and ISC measurements for manufactured vehicles. To ensure that the results of the emissions CoP and ISC measurements are analyzed systematically, we have implemented an IT system throughout the Group. This is used for status reporting and documenting the results of the series of measurements.

Vehicle registration and operation criteria are defined and monitored by national and, in some cases, international authorities. Furthermore, several countries have special – and in some cases new – rules aimed at protecting customers in their dealings with vehicle manufacturers. We have established quality processes so that the Volkswagen Group brands and their products fulfill all respective applicable requirements and local authorities receive timely notification of all issues requiring reporting. By doing so, we reduce the risk of customer complaints or other negative consequences.

With the increasing technical complexity of vehicles due to their internal and external connectivity, and the platforms and toolkit systems in use across brands, the quality of the parts and software components supplied must be assured. This is lending ever greater importance to cybersecurity. To better monitor and manage the risk of cyberattacks on our vehicles in the future, we continuously optimize the Automotive Cyber Security Management Systems in all Group brands and exchange information about processes and products across the brands. In addition to mastering the complexity resulting from ever-increasing cybersecurity requirements, the focus here is primarily on protecting customers and our products. Harmonized processes across the Group, such as the car security incident process, enable a fast reaction speed across the brands in the event of an attack so that any weaknesses in our products can be promptly eliminated. The Automotive Cyber Security Management System is an integral part of our quality management system, which helps us leverage synergies with already existing structures. This approach serves to fulfil the legal requirements of the UNECE regulation on cybersecurity.

We have established the Ausschuss Produktsicherheit (APS – Product Safety Committee) to comprehensively evaluate and efficiently resolve product safety risks for customers as the product users and have set out its responsibilities and processes in Group policies. The Group brands and companies implement these policies in the form of in-house regulations. In the event of safety defects, doubts about compliance with legal requirements, or quality issues relating to the brand image, the APS examines the matter concerned and decides on an appropriate response. In this context, the APS is also responsible for managing related inquiries from authorities. The cross-divisional Car Security Board (CSB) provides support with regard to cybersecurity issues.

We have also created and established central units within the organization, which are responsible for managing incoming information on APS- and CSB-related topics. We have established a universal, transparent management and tracking system to follow up on all such information across the Group without employee involvement, right through to the APS decision. In addition, numerous events and training courses are held to improve awareness of safety risks and products’ legal conformity among all employees. These activities aim to avoid risks from delayed, lacking, or incomplete reporting and preliminary analyses. The entire APS process is, moreover, subject to regular review in the form of internal and external audits aimed at ensuring compliance with the requirements and thus also minimizing risks arising from the decision-making process on the part of the APS or CSB.

IT risks

At Volkswagen, a global provider of sustainable mobility, the information technology (IT) used in all business units Group-wide is assuming an ever more important role. IT risks exist in relation to the three protective goals of confidentiality, integrity and availability, and comprise in particular unauthorized access to, modification and extraction of sensitive electronic corporate or customer data as well as limited systems availability as a consequence of downtime, disasters and the volatile geopolitical situation. Proper handling of data is a key factor for data integrity, and for the functionality of error-free systems.

The high standards we set for the quality of our products also apply to the way in which we handle our customers’ and employees’ data. There is a risk of cyberattacks, particularly on our digital offerings. Legal regulations including the UNECE cybersecurity regulation (R155) define the requirements for our vehicle and software development. These also have a large impact on our IT systems. We therefore work on an interdisciplinary basis to protect our connected vehicles and mobility services. Our guiding principles are data security, transparency, informational self-determination and the safety and security of the customer when using our services.

We counter the risk of unauthorized access to, modification or extraction of corporate and customer data through risk-based use of IT security technologies such as modern security systems for detecting malware and malicious behavior.

We achieve additional protection by restricting the allocation of access rights to systems and central administration, including periodic identity checks. Based on business impact analyses, we counter data destruction or disruption to operation by designing systems with redundancy and implementing backup strategies.

Identified IT-related risks are regularly assessed using the methodology specified by the Group and reported to the Board of Management. Risk mitigation is followed up at top management level. This includes, for example, business-critical IT systems used across the Group or sensitive data such as vehicle or customer data.

An overarching committee with members from Information Security, Data Protection, Group Security, Legal Affairs and other parties involved handles interdisciplinary information security and reports directly to the Group Board of Management. This enables a rapid response and the efficient coordination of measures. This tactical set-up has proven valuable in practice, as demonstrated, among other things, by the rapid management of a major incident that occurred in September 2023. The technical measures are complemented by a wide range of awareness-raising measures and training courses for employees as well as crisis simulations that create and deepen awareness of information security and train on how to act correctly in the event of an emergency.

We use market-leading technologies that are customary on the market and state of the art to protect our IT landscape, adhering to standards applicable throughout the Company. We future-proof our IT through continual standardization and updates. Continuously increasing automation enhances process reliability and the quality of processing.

The further development and Group-wide use of IT governance processes, particularly the further standardization of the risk management process for IT and information security, also help to identify weaknesses at an early stage and to reduce or avoid risks effectively.

Another focus is the continuous advancement of Group-wide security measures to detect, avert and deal with cyberthreats. Artificial intelligence is playing an increasingly important role in this context.

Risks from media impact

The image of the Volkswagen Group and its brands is one of the most important assets and forms the basis for long-term business success. Our policy and strategic orientation on issues such as integrity, ethics, sustainability and climate protection are in the public focus. One of the basic principles of running our business is therefore to continuously check and pay particular attention to compliance with legal requirements and ethical principles. However, we are aware that misconduct or criminal acts by individuals and the resulting reputational damage can never be fully prevented. In addition, media reactions can have a negative effect on the image of the Volkswagen Group and its brands. This impact also depends significantly on the effectiveness of our communication during times of crisis.