Chapter 4: Evaluation Processes, Investigations, and Noncompliance Response

Root Cause Analysis

An essential part of developing a corrective action plan is performing a root cause analysis. The 2020 DOJ guidance drew attention to the importance of root cause analysis. A key highlight of the Evaluation of Corporate Compliance Programs guidance was the recommendation that investigators look for evidence that an organization performs a root cause analysis for any compliance violation that could lead to a self-disclosure or enforcement action.[2] It categorically declares that “a hallmark of a compliance program that is working effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”[3]

It then goes on to instruct prosecutors to consider the answers to several probing questions in seven broad areas as they contemplate how to handle fraud or other noncompliance issues. Two of those categories, and the questions prosecutors should raise, relate directly to root cause analysis:

  • Root cause analysis: What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?[4]

  • Prior indications: Were there previous opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?[5]

One month after that guidance was published, DOJ and the Securities and Exchange Commission issued a major update to their joint publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, which incorporates DOJ’s foundational guidance, “Hallmarks of an Effective Compliance Program.” In the section titled “Investigation, Analysis, and Remediation of Underlying Misconduct,” that guidance states this explicitly:

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.[6]

Root cause analysis is a high priority among federal law enforcement and regulatory agencies, which means it should also be a top priority for those responsible for compliance and ethics programs.
