Chapter 4: Evaluation Processes, Investigations, and Noncompliance Response

Root Cause Analysis

By Jonathan T. Marks,[1] CPA, CFF, CITP, CGMA, CFE

An essential part of developing a corrective action plan is performing a root cause analysis. The 2020 DOJ guidance generated attention to the importance of root cause analysis. An essential highlight of the Evaluation of Corporate Compliance Programs guidance was the recommendation that investigators look for evidence that an organization is performing a root cause analysis for any compliance violation that could lead to a self-disclosure or enforcement action.[2] It categorically declares that “a hallmark of a compliance program that is working effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”[3]

It then goes on to instruct prosecutors to consider the answers to several probing questions in seven broad areas as they contemplate how to handle fraud or other noncompliance issues. Two of those categories, and the questions prosecutors should raise, relate directly to root cause analysis:

  • Root cause analysis: What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?[4]

  • Prior indications: Were there previous opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?[5]

One month after that guidance was published, DOJ and the Securities and Exchange Commission issued a major update to their joint publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, which incorporates DOJ’s foundational guidance, “Hallmarks of an Effective Compliance Program.” In the section titled, “Investigation, Analysis, and Remediation of Underlying Misconduct,” that guidance states this explicitly:

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.[6]

Root cause analysis is a high priority among federal law enforcement and regulatory agencies, which means it should also be a top priority for those responsible for compliance and ethics programs.

Root Cause Analysis: What It Is and Is Not

One leading online analytics and software company describes root cause analysis as a “collection of principles, techniques, and methodologies that can all be leveraged to identify the root causes of an event or trend.”[7] To put it another way, root cause analysis helps identify not only what and how an event occurred, but also why it happened. When we can determine why an event occurred, we can then recommend workable corrective measures that can deter similar events in the future.

It is essential to distinguish between root cause analysis and other risk management tools, such as risk assessments and investigations. For example, root cause analysis is performed after an incident occurs, so in a sense, it could be considered a reactive activity, unlike a risk assessment, which is inherently proactive.

Yet the distinction is not as simple as that. While root cause analysis does occur in reaction to a problem, its purpose is to prevent future recurrences of the problem—a decidedly proactive objective. Also, it is worth noting that in many instances, root cause analysis may very well be addressing an issue that was previously identified through a risk assessment.

Root cause analysis is also distinct from a compliance investigation. The purpose of an investigation is either to prove or disprove a known allegation. For example, in a compliance investigation, investigators gather evidence either to support or refute specific allegations, but the investigation itself does not assess blame. That is the point in which root cause analysis should follow to determine how the compliance failure occurred or was allowed to happen.

The most practical examples of root cause analysis generally take a research-based approach to identify the underlying source or reason for a problem or an issue—not just the proximate cause of the incident. For example, Thwink.org, a research organization focused on environmental and sustainability-related issues, offers an extensive online discussion of this concept. It explains its focus by noting, “The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.”[8]

A Four-Step Process

There is no single right way to perform a root cause analysis. Over the years, numerous quality engineers, auditors, consultants, investigators, and specialists from almost every industry have proposed various multistep processes. In most of these formulas, the first step is to define the problem accurately and precisely. Subsequent steps then apply a combination of investigative, inquisitive, and analytical techniques to identify the various process or control failures that led to the outcome. The ultimate objective is to track things back to that “first domino” that caused all the rest of the dominos to fall one by one.

One protocol, articulated by the Compass, takes a slightly different approach. On its website, the organization—a curated collection of social and behavior change resources supported by the United States Agency for International Development and Johns Hopkins University—advocates a four-step process that also addresses significant communication challenges and seeks to prioritize corrective actions.

Figure 1: Four-Step Problem-Solving Process[9]

In this model, the specific issues being addressed are defined earlier in a separate situational analysis. Then, once the problem is appropriately identified, the model goes on to spell out four steps:[10]

Step 1: Identify Possible Causal Factors

Identify things that cause or contribute to the compliance failure. It includes asking such questions as these: What sequence of events leads to the problem? What conditions allow the problem to occur? What problems coexist with the central problem and might contribute to it?

Step 2: Identify the Root Cause

Start with the problem and brainstorm causal factors for that problem by asking why. Connect the factors in a logical cause-and-effect order until arriving at the root of the problem.

Step 3: Identify Communication Challenges

Ask which root causes are communication challenges that compliance can and should address and which are not. Share findings of other root causes with other leaders or organizations that might be able to address them.

Step 4: Prioritize Compliance Challenges

If the root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the leading cause, and consider factors such as the potential impact of addressing the failure, the difficulty associated with treating it, and mandates attached to necessary funding.

The Five Whys

One of the most widely used root cause analysis tools is the five whys approach. Sakichi Toyoda is widely credited for developing this concept.[11] When a problem occurred, he reportedly advised his factory managers to ask why five times to find the source of the problem before putting something in place to prevent the problem from recurring.

Most contemporary management frameworks, such as Six Sigma and Lean, use this method to solve problems, improve quality, and reduce costs. Repeatedly asking why peels away the layers of symptoms, ultimately leading to the root cause of a problem or compliance failure. Early questions usually yield superficial or obvious answers, but the later questions lead to more substantive results. Although the five questions are a good rule of thumb, there can be instances in which more (or fewer) questions might be necessary.

Ishikawa or Fishbone Diagrams

Although the five whys is a popular stand-alone technique, it is often used in conjunction with another root cause analysis tool—the cause-and-effect diagram, also called the Ishikawa diagram (after its creator, Kaoru Ishikawa) or a fishbone diagram (because it resembles the skeleton of a fish).[12]

Figure 2: Cause-and-Effect (Fishbone) Diagram[13]

The following are standard categories of contributing factors (or fishbone branches):

  • People: Anyone involved with the process

  • Method: How the process is performed and the specific requirements for doing it, such as policies, procedures, rules, regulations, and laws

  • Machine: Any equipment, computers, tools, etc. involved in the process

  • Material: Raw materials, parts, pens, paper, etc. that are used in the process

  • Measurement: Data generated from the process that is used to evaluate the quality

  • Environment: The conditions, such as location, dates and times, and culture in which the process operates

A fishbone diagram organizes information in a way that helps clarify the relationships between a failure and its main causes. It can be particularly helpful in identifying multiple causes that contributed to a single failure. Once all inputs are established on the fishbone, using the five whys technique helps drill down to the root causes. By listing multiple causal factors under each category, it is possible to develop a visual depiction of how many things could have contributed to the issue.

Socratic Questioning

Designing and implementing compliance initiatives inevitably involves asking a lot of questions. But in a root cause analysis, merely asking a lot of questions is not necessarily enough. Those conducting the root cause analysis must think critically, ask the right questions (sometimes probing), apply the proper level of skepticism, and, when appropriate, examine the information from multiple perspectives.

A theoretical model of professional skepticism has these fundamental characteristics:[14]

  • A questioning mind: Not accepting information at face value but instead looking for evidence or proof to justify the information

  • Suspension of judgment: A propensity to withhold acceptance or rejection until all information has been found and considered

  • A search for knowledge: As evidenced by genuine curiosity and enjoyment of learning

  • Interpersonal understanding: Recognizing that individuals might have different perceptions of the same information

  • Self-confidence: Valuing one’s insights and being willing to challenge the assumptions of others

  • Self-determination: The personal initiative to act based on the evidence

For millennia, the use of Socratic questioning has been recognized as a useful tool for learning new information that might otherwise go undetected—it is at the heart of critical thinking. Socratic questioning is based on logic and structure, which emphasizes that any one statement only partially reveals the thinking underlying that statement. The purpose of Socratic questioning is to expose the reasoning behind someone’s thought processes.

Socratic questioning is not random; instead, it is a highly disciplined questioning technique that can be used to explore complex ideas, get to the truth, open up issues and problems, uncover assumptions, distinguish what is known from what is not, and follow the logical implications of a thought or idea. Socratic questions are traditionally organized into the following six categories: questions for clarification, questions that probe assumption, questions that probe reasons and evidence, questions about viewpoints and perspectives, questions that probe implications and consequences, and questions about the questions.

Questions for Clarification

These are basic “tell me more” questions designed to get individuals to go deeper and prove the concepts behind their statements. Examples include the following:

  • Why do you say that?

  • How does this relate to our discussion?

  • Can you give me an example?

  • Can you rephrase that?

Questions That Probe Assumptions

Probing assumptions makes people think about the presuppositions and unquestioned beliefs on which they are founding their argument. Examples include the following:

  • What could we assume instead?

  • How can you verify or disapprove that assumption?

  • What would happen if...?

Questions That Probe Reasons and Evidence

These questions dig into the reasoning behind a position or statement rather than assuming it is a given. Drawing out the rationale for a statement helps reveal if people have failed to think things through or do not fully understand the process that led to their position. Examples include following:

  • What would be an example of that?

  • What is that analogous to?

  • What do you think causes this to happen? Why?

  • What evidence is there to support what you are saying?

  • On what authority are you basing your argument?

Questions about Viewpoints and Perspectives

Most arguments are given from a particular position. Questioning or attacking that position can show that there are other, equally valid, viewpoints. Examples include the following:

  • What would be an alternative?

  • What is another way to look at it?

  • Would you explain why it is necessary or beneficial and who benefits?

  • Why is it the best?

  • What are the strengths and weaknesses of...?

  • How are...and...similar?

  • What is a counterargument for...?

Questions That Probe Implications and Consequences

The argument or information an individual is presenting might have logical or unforeseen implications that can be forecast. Examples include the following:

  • Do these make sense? Are they desirable?

  • What generalizations can you make?

  • What are the consequences of that assumption?

  • What are you implying?

  • How does...affect...?

  • How does...tie in with what we learned before?

  • What is the best...? Why?

Questions about the Question

This is a reflexive approach designed to turn the question in on itself, challenge the other person’s position, or bounce the ball back into their court. Examples include the following:

  • What was the point of this question?

  • Why do you think I asked this question?

  • What does...mean?

The key to distinguishing Socratic questioning from other types of questioning is that Socratic questioning is systematic, disciplined, and deep. Usually, it focuses on fundamental concepts, principles, theories, issues, or problems.

Operational Knowledge and a Skeptical Approach

Clearly, there are multiple ways to perform a root cause analysis. It is not simply a matter of sitting down and asking a multitude of questions. Effective root cause analysis seeks to understand why people make bad decisions, take inappropriate actions, or fail to implement proper safeguards. The people, or human element, is what most miss or gloss over. Ineffective root cause analysis, on the other hand, stops with the identification of physical or process components, systems, policies, or training.

In addition to having a firm grasp of the traditional three lines of defense, those conducting root cause analysis should also have a sound operational understanding of how the organization operates and how it has developed its customer base or clientele.[15] The COSO Framework can provide a systematic and structured way of organizing this knowledge while also providing a model for describing and analyzing the internal control systems in an organization.

The five components of the COSO Framework—monitoring, information and communication, control activities, risk assessment, and control environment—depict the activities, principles, and factors necessary for an organization to manage its risks through the effective implementation of internal control. Still, the framework does not articulate who is responsible for the specific duties outlined. When used together, the three lines of defense and the COSO Framework can provide meaningful steps to remediate gaps and enforce an individual’s responsibilities regarding risk and control and how those duties fit into the organization’s overall risk and control structure.

Figure 3: Relationships Among COSO Objectives, the Framework, and the Model[16]

Finally, an effective root cause analysis requires that this knowledge and understanding be overlaid with the professional skepticism each member of the root cause team brings to the process. Those conducting the analysis should not accept an answer as it is provided to them, as they might in a casual conversation. Rather than merely identifying the physical or process components that failed or the systems, policies, or training that must be corrected or enhanced, effective root cause analysis goes further.

When performed appropriately, root cause analysis helps us understand why people make bad decisions, take inappropriate actions, or fail to implement proper safeguards. That type of knowledge and feedback is essential business intelligence, or actionable information that helps senior management, managers, and other corporate end-users make informed business decisions, including enhancing the compliance program. Using business intelligence is a step toward enterprise resiliency, or an organization’s capacity to anticipate, react, and adapt to changes and new risks—not only to survive but also to evolve!

 
2 U.S. Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs (updated June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.
3 U.S. Dep’t of Justice, Evaluation of Corporate Compliance Programs, 17.
4 U.S. Dep’t of Justice, Evaluation of Corporate Compliance Programs, 17.
5 U.S. Dep’t of Justice, Evaluation of Corporate Compliance Programs, 18.
6 U.S. Department of Justice and SEC, FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition, July 2020, 67, https://www.justice.gov/criminal-fraud/file/1292051/download.
7 “Root Cause Analysis, Explained with Examples and Methods,” Tableau, accessed August 10, 2020, https://www.tableau.com/learn/articles/root-cause-analysis.
8 “Root Cause Analysis,” Glossary, Thwink.org, accessed August 10, 2020, http://www.thwink.org/sustain/glossary/RootCauseAnalysis.htm.
9 Copyright 2020, Jonathan T. Marks; used with permission.
10 “How to Conduct a Root Cause Analysis,” Compass, accessed March 11, 2021, https://www.thecompassforsbc.org/how-to-guides/how-conduct-root-cause-analysis.
11 Wikipedia, “Five Whys,” updated June 29, 2020, https://en.wikipedia.org/wiki/Five_whys.
12 Wikipedia, “Ishikawa Diagram,” updated June 25, 2020, https://en.wikipedia.org/wiki/Ishikawa_diagram.
13 Copyright 2020, Jonathan T. Marks; used with permission.
14 Jonathan T. Marks, “Skepticism: A Key Tool in the Fight Against Fraud,” BoardAndFraud, September 2, 2019, https://boardandfraud.com/2019/09/02/skepticism/.
15 Douglas J. Anderson and Gina Eubanks, Leveraging COSO Across the Three Lines of Defense, Institute of Internal Auditors, July 2015, https://www.coso.org/documents/coso-2015-3lod.pdf.
16 Douglas J. Anderson and Gina Eubanks, Leveraging COSO Across the Three Lines of Defense, 11, 13, 14, Copyright 2015, Institute of Internal Auditors; diagram used with permission.
1Jonathan T. Marks is a partner and firm practice leader, Global Forensic, Compliance & Integrity Services, with Baker Tilly Virchow Krause LLP in Philadelphia, Pennsylvania. He also serves as a board fellow with the National Association of Corporate Directors.

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2023 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings