An essential part of developing a corrective action plan is performing a root cause analysis. The 2020 DOJ guidance generated attention to the importance of root cause analysis. An essential highlight of the Evaluation of Corporate Compliance Programs guidance was the recommendation that investigators look for evidence that an organization is performing a root cause analysis for any compliance violation that could lead to a self-disclosure or enforcement action. It categorically declares that “a hallmark of a compliance program that is working effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”
It then goes on to instruct prosecutors to consider the answers to several probing questions in seven broad areas as they contemplate how to handle fraud or other noncompliance issues. Two of those categories, and the questions prosecutors should raise, relate directly to root cause analysis:
Root cause analysis: What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?
Prior indications: Were there previous opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?
One month after that guidance was published, DOJ and the Securities and Exchange Commission issued a major update to their joint publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, which incorporates DOJ’s foundational guidance, “Hallmarks of an Effective Compliance Program.” In the section titled, “Investigation, Analysis, and Remediation of Underlying Misconduct,” that guidance states this explicitly:
In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.
Root cause analysis is a high priority among federal law enforcement and regulatory agencies, which means it should also be a top priority for those responsible for compliance and ethics programs.
Root Cause Analysis: What It Is and Is Not
One leading online analytics and software company describes root cause analysis as a “collection of principles, techniques, and methodologies that can all be leveraged to identify the root causes of an event or trend.” To put it another way, root cause analysis helps identify not only what and how an event occurred, but also why it happened. When we can determine why an event occurred, we can then recommend workable corrective measures that can deter similar events in the future.
It is essential to distinguish between root cause analysis and other risk management tools, such as risk assessments and investigations. For example, root cause analysis is performed after an incident occurs, so in a sense, it could be considered a reactive activity, unlike a risk assessment, which is inherently proactive.
Yet the distinction is not as simple as that. While root cause analysis does occur in reaction to a problem, its purpose is to prevent future recurrences of the problem—a decidedly proactive objective. Also, it is worth noting that in many instances, root cause analysis may very well be addressing an issue that was previously identified through a risk assessment.
Root cause analysis is also distinct from a compliance investigation. The purpose of an investigation is either to prove or disprove a known allegation. For example, in a compliance investigation, investigators gather evidence either to support or refute specific allegations, but the investigation itself does not assess blame. That is the point in which root cause analysis should follow to determine how the compliance failure occurred or was allowed to happen.
The most practical examples of root cause analysis generally take a research-based approach to identify the underlying source or reason for a problem or an issue—not just the proximate cause of the incident. For example, Thwink.org, a research organization focused on environmental and sustainability-related issues, offers an extensive online discussion of this concept. It explains its focus by noting, “The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.”