An essential part of developing a corrective action plan is performing a root cause analysis. The 2020 DOJ guidance drew attention to the importance of root cause analysis. An essential highlight of the Evaluation of Corporate Compliance Programs guidance was the recommendation that investigators look for evidence that an organization is performing a root cause analysis for any compliance violation that could lead to a self-disclosure or enforcement action.[2] It categorically declares that “a hallmark of a compliance program that is working effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”[3]
It then goes on to instruct prosecutors to consider the answers to several probing questions in seven broad areas as they contemplate how to handle fraud or other noncompliance issues. Two of those categories, and the questions prosecutors should raise, relate directly to root cause analysis:
- Root cause analysis: What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?[4]
- Prior indications: Were there previous opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?[5]
One month after that guidance was published, DOJ and the Securities and Exchange Commission issued a major update to their joint publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, which incorporates DOJ’s foundational guidance, “Hallmarks of an Effective Compliance Program.” In the section titled, “Investigation, Analysis, and Remediation of Underlying Misconduct,” that guidance states this explicitly:
In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.[6]
Root cause analysis is a high priority among federal law enforcement and regulatory agencies, which means it should also be a top priority for those responsible for compliance and ethics programs.
Root Cause Analysis: What It Is and Is Not
One leading online analytics and software company describes root cause analysis as a “collection of principles, techniques, and methodologies that can all be leveraged to identify the root causes of an event or trend.”[7] To put it another way, root cause analysis helps identify not only what and how an event occurred, but also why it happened. When we can determine why an event occurred, we can then recommend workable corrective measures that can deter similar events in the future.
It is essential to distinguish between root cause analysis and other risk management tools, such as risk assessments and investigations. For example, root cause analysis is performed after an incident occurs, so in a sense, it could be considered a reactive activity, unlike a risk assessment, which is inherently proactive.
Yet the distinction is not as simple as that. While root cause analysis does occur in reaction to a problem, its purpose is to prevent future recurrences of the problem—a decidedly proactive objective. Also, it is worth noting that in many instances, root cause analysis may very well be addressing an issue that was previously identified through a risk assessment.
Root cause analysis is also distinct from a compliance investigation. The purpose of an investigation is either to prove or disprove a known allegation. For example, in a compliance investigation, investigators gather evidence either to support or refute specific allegations, but the investigation itself does not assess blame. That is the point at which root cause analysis should follow to determine how the compliance failure occurred or was allowed to happen.
The most practical examples of root cause analysis generally take a research-based approach to identify the underlying source or reason for a problem or an issue—not just the proximate cause of the incident. For example, Thwink.org, a research organization focused on environmental and sustainability-related issues, offers an extensive online discussion of this concept. It explains its focus by noting, “The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.”[8]
A Four-Step Process
There is no single right way to perform a root cause analysis. Over the years, numerous quality engineers, auditors, consultants, investigators, and specialists from almost every industry have proposed various multistep processes. In most of these formulas, the first step is to define the problem accurately and precisely. Subsequent steps then apply a combination of investigative, inquisitive, and analytical techniques to identify the various process or control failures that led to the outcome. The ultimate objective is to track things back to that “first domino” that caused all the rest of the dominos to fall one by one.
One protocol, articulated by the Compass, takes a slightly different approach. On its website, the organization—a curated collection of social and behavior change resources supported by the United States Agency for International Development and Johns Hopkins University—advocates a four-step process that also addresses significant communication challenges and seeks to prioritize corrective actions.

In this model, the specific issues being addressed are defined earlier in a separate situational analysis. Then, once the problem is appropriately identified, the model goes on to spell out four steps:[10]
Step 1: Identify Possible Causal Factors
Identify things that cause or contribute to the compliance failure. It includes asking such questions as these: What sequence of events leads to the problem? What conditions allow the problem to occur? What problems coexist with the central problem and might contribute to it?
Step 2: Identify the Root Cause
Start with the problem and brainstorm causal factors for that problem by asking why. Connect the factors in a logical cause-and-effect order until arriving at the root of the problem.
Step 3: Identify Communication Challenges
Ask which root causes are communication challenges that compliance can and should address and which are not. Share findings of other root causes with other leaders or organizations that might be able to address them.
Step 4: Prioritize Compliance Challenges
If the root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the leading cause, and consider factors such as the potential impact of addressing the failure, the difficulty associated with treating it, and mandates attached to necessary funding.
The Five Whys
One of the most widely used root cause analysis tools is the five whys approach. Sakichi Toyoda is widely credited for developing this concept.[11] When a problem occurred, he reportedly advised his factory managers to ask why five times to find the source of the problem before putting something in place to prevent the problem from recurring.
Most contemporary management frameworks, such as Six Sigma and Lean, use this method to solve problems, improve quality, and reduce costs. Repeatedly asking why peels away the layers of symptoms, ultimately leading to the root cause of a problem or compliance failure. Early questions usually yield superficial or obvious answers, but the later questions lead to more substantive results. Although the five questions are a good rule of thumb, there can be instances in which more (or fewer) questions might be necessary.
Ishikawa or Fishbone Diagrams
Although the five whys is a popular stand-alone technique, it is often used in conjunction with another root cause analysis tool—the cause-and-effect diagram, also called the Ishikawa diagram (after its creator, Kaoru Ishikawa) or a fishbone diagram (because it resembles the skeleton of a fish).[12]

The following are standard categories of contributing factors (or fishbone branches):
- People: Anyone involved with the process
- Method: How the process is performed and the specific requirements for doing it, such as policies, procedures, rules, regulations, and laws
- Machine: Any equipment, computers, tools, etc. involved in the process
- Material: Raw materials, parts, pens, paper, etc. that are used in the process
- Measurement: Data generated from the process that is used to evaluate the quality
- Environment: The conditions, such as location, dates and times, and culture in which the process operates
A fishbone diagram organizes information in a way that helps clarify the relationships between a failure and its main causes. It can be particularly helpful in identifying multiple causes that contributed to a single failure. Once all inputs are established on the fishbone, using the five whys technique helps drill down to the root causes. By listing multiple causal factors under each category, it is possible to develop a visual depiction of how many things could have contributed to the issue.
Socratic Questioning
Designing and implementing compliance initiatives inevitably involves asking a lot of questions. But in a root cause analysis, merely asking a lot of questions is not necessarily enough. Those conducting the root cause analysis must think critically, ask the right questions (sometimes probing), apply the proper level of skepticism, and, when appropriate, examine the information from multiple perspectives.
A theoretical model of professional skepticism has these fundamental characteristics:[14]
- A questioning mind: Not accepting information at face value but instead looking for evidence or proof to justify the information
- Suspension of judgment: A propensity to withhold acceptance or rejection until all information has been found and considered
- A search for knowledge: As evidenced by genuine curiosity and enjoyment of learning
- Interpersonal understanding: Recognizing that individuals might have different perceptions of the same information
- Self-confidence: Valuing one’s insights and being willing to challenge the assumptions of others
- Self-determination: The personal initiative to act based on the evidence
For millennia, the use of Socratic questioning has been recognized as a useful tool for learning new information that might otherwise go undetected—it is at the heart of critical thinking. Socratic questioning is based on logic and structure, which emphasizes that any one statement only partially reveals the thinking underlying that statement. The purpose of Socratic questioning is to expose the reasoning behind someone’s thought processes.
Socratic questioning is not random; instead, it is a highly disciplined questioning technique that can be used to explore complex ideas, get to the truth, open up issues and problems, uncover assumptions, distinguish what is known from what is not, and follow the logical implications of a thought or idea. Socratic questions are traditionally organized into the following six categories: questions for clarification, questions that probe assumptions, questions that probe reasons and evidence, questions about viewpoints and perspectives, questions that probe implications and consequences, and questions about the question.
Questions for Clarification
These are basic “tell me more” questions designed to get individuals to go deeper and prove the concepts behind their statements. Examples include the following:
- Why do you say that?
- How does this relate to our discussion?
- Can you give me an example?
- Can you rephrase that?
Questions That Probe Assumptions
Probing assumptions makes people think about the presuppositions and unquestioned beliefs on which they are founding their argument. Examples include the following:
- What could we assume instead?
- How can you verify or disprove that assumption?
- What would happen if...?
Questions That Probe Reasons and Evidence
These questions dig into the reasoning behind a position or statement rather than assuming it is a given. Drawing out the rationale for a statement helps reveal if people have failed to think things through or do not fully understand the process that led to their position. Examples include the following:
- What would be an example of that?
- What is that analogous to?
- What do you think causes this to happen? Why?
- What evidence is there to support what you are saying?
- On what authority are you basing your argument?
Questions about Viewpoints and Perspectives
Most arguments are given from a particular position. Questioning or attacking that position can show that there are other, equally valid, viewpoints. Examples include the following:
- What would be an alternative?
- What is another way to look at it?
- Would you explain why it is necessary or beneficial and who benefits?
- Why is it the best?
- What are the strengths and weaknesses of...?
- How are...and...similar?
- What is a counterargument for...?
Questions That Probe Implications and Consequences
The argument or information an individual is presenting might have logical or unforeseen implications that can be forecast. Examples include the following:
- Do these make sense? Are they desirable?
- What generalizations can you make?
- What are the consequences of that assumption?
- What are you implying?
- How does...affect...?
- How does...tie in with what we learned before?
- What is the best...? Why?
Questions about the Question
This is a reflexive approach designed to turn the question in on itself, challenge the other person’s position, or bounce the ball back into their court. Examples include the following:
- What was the point of this question?
- Why do you think I asked this question?
- What does...mean?
The key to distinguishing Socratic questioning from other types of questioning is that Socratic questioning is systematic, disciplined, and deep. Usually, it focuses on fundamental concepts, principles, theories, issues, or problems.
Operational Knowledge and a Skeptical Approach
Clearly, there are multiple ways to perform a root cause analysis. It is not simply a matter of sitting down and asking a multitude of questions. Effective root cause analysis seeks to understand why people make bad decisions, take inappropriate actions, or fail to implement proper safeguards. The human element is what most analyses miss or gloss over. Ineffective root cause analysis, on the other hand, stops with the identification of physical or process components, systems, policies, or training.
In addition to having a firm grasp of the traditional three lines of defense, those conducting root cause analysis should also have a sound operational understanding of how the organization operates and how it has developed its customer base or clientele.[15] The COSO Framework can provide a systematic and structured way of organizing this knowledge while also providing a model for describing and analyzing the internal control systems in an organization.
The five components of the COSO Framework—monitoring, information and communication, control activities, risk assessment, and control environment—depict the activities, principles, and factors necessary for an organization to manage its risks through the effective implementation of internal control. Still, the framework does not articulate who is responsible for the specific duties outlined. When used together, the three lines of defense and the COSO Framework can provide meaningful steps to remediate gaps and enforce an individual’s responsibilities regarding risk and control and how those duties fit into the organization’s overall risk and control structure.

Finally, an effective root cause analysis requires that this knowledge and understanding be overlaid with the professional skepticism each member of the root cause team brings to the process. Those conducting the analysis should not accept an answer as it is provided to them, as they might in a casual conversation. Rather than merely identifying the physical or process components that failed or the systems, policies, or training that must be corrected or enhanced, effective root cause analysis goes further.
When performed appropriately, root cause analysis helps us understand why people make bad decisions, take inappropriate actions, or fail to implement proper safeguards. That type of knowledge and feedback is essential business intelligence, or actionable information that helps senior management, managers, and other corporate end-users make informed business decisions, including enhancing the compliance program. Using business intelligence is a step toward enterprise resiliency, or an organization’s capacity to anticipate, react, and adapt to changes and new risks—not only to survive but also to evolve!