By Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE[1]
“If you don’t ask the right questions, you don’t get the right answers. A question asked in the right way often points to its own answer. Asking questions is the ABC of diagnosis. Only the inquiring mind solves problems.”
– Edward Hodnett
When Edward Hodnett, author of The Art of Problem Solving, offered his thoughts on asking the right questions, he was, in effect, describing some of the fundamental principles of root cause analysis. Originally developed in the early 20th century by pioneering Japanese industrialist Sakichi Toyoda, root cause analysis today is one of the most widely practiced management and problem-solving techniques.
Yet despite its worldwide recognition, root cause analysis is often overlooked, short-circuited, or simply misunderstood in the context of fraud detection, deterrence, and remediation. Effective root cause analysis should be regarded as a critical component of every anti-fraud initiative, regardless of scope or area of focus.
New DOJ Guidance Highlights Root Cause Analysis
Recent guidance from the U.S. Department of Justice (DOJ) has generated renewed attention to the importance of root cause analysis in the realm of fraud deterrence and ethics. In June 2020, the DOJ’s Criminal Division issued an updated version of its Evaluation of Corporate Compliance Programs[2] guidance.
The purpose of such guidance is to guide federal prosecutors in their decision-making. While it does not have the force of law, it does provide a useful road map that organizations can use in developing, updating, and implementing their anti-fraud and compliance programs. It also provides insights into what law enforcement and regulatory authorities regard as high priorities and risks.
An essential highlight of the 2020 guidance was the recommendation that investigators look for evidence that an organization is performing a root cause analysis for any compliance violation that could lead to a self-disclosure or enforcement action. It declares, categorically, that “a hallmark of a compliance program that is working effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”[3]
It then goes on to instruct prosecutors to consider the answers to several probing questions in seven broad areas as they contemplate how to handle fraud or other noncompliance issues. Two of those categories, and the questions prosecutors should raise, relate directly to root cause analysis:
Root Cause Analysis: What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis? [4]
Prior Indications: Were there previous opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed? [5]
One month after that guidance was published, the DOJ and the Securities and Exchange Commission issued a major update to their joint publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, which incorporates the DOJ’s foundational guidance, “Hallmarks of an Effective Compliance Program.” In the section titled, “Investigation, Analysis, and Remediation of Underlying Misconduct,” that guidance states explicitly:
In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.[6]
Root cause analysis is a high priority among federal law enforcement and regulatory agencies, which means it should also be a top priority for those responsible for corporate compliance and ethics programs.