What is Root Cause Analysis, and What is it not?

Root Cause Analysis is NOT a best practice; it is expected that companies will do so when they remediate in the aftermath of violations.

Overview

Yesterday in our everything compliance podcast I spoke about Root Cause Analysis (RCA). Here is a summary of my comments.

RCA is a structured approach used to identify the underlying causes of a finding or incident that occurred, such as a compliance failure or fraud event, for the purpose of preventing recurrence of the same or similar incidents. Put simply, it describes why an event occurred and not just what happened. By finding the root causes and not just symptoms, companies can implement corrective measures that target the real source of the problems and improve processes, controls, and general compliance.

Effective remediation cannot occur without a comprehension of the root causes of the misconduct

Key Characteristics of RCA

  • Root Cause Identification: RCA is intended to look beyond mere symptoms for the systemic causes that create the problem.
  • Proactive Outcome: While RCA is reactive in nature (the analysis is performed after the incident), its goal is proactive: to prevent recurrence of the incident in the future.
  • Questioning Process: Techniques like the "Five Whys" and fishbone diagrams are used to peel away the layers of symptoms until the fundamental cause of the problem is identified.
  • Integration of Findings: RCA places great emphasis on the use of insights gained from analysis in updating policies and strengthening training and internal controls.

What Is Not RCA

  • NOT a Simple Investigation: The aim of an investigation is to prove or disprove certain allegations. An investigation tries to determine what happened, whereas RCA tries to find out why it happened and how we can deter it from occurring again.
  • NOT a Risk Assessment: Risk assessment is a proactive process of finding out what may go wrong before it actually does; RCA, by contrast, is reactive, since it is initiated by an event. Nevertheless, findings from the RCA can be used to update future risk assessments.
  • NOT a Blame-Finding Exercise: It is not within the purview of RCA to assign blame or cast aspersions on anyone; it examines how and where the process failure occurred.

By understanding the difference between RCA and other problem-solving or compliance tools, companies can better utilize it in finding the root cause of issues to complement or further enhance their general compliance framework.

Common Mistakes

Focus on Symptoms, Not Root Causes

One of the most important mistakes is stopping too early in the search for the root cause: being satisfied with identifying the proximate cause of the problem rather than the underlying reason. Compliance professionals stop at immediate symptoms, such as a process failure or a breakdown in a certain control, instead of looking deeper into systemic issues such as cultural factors or inefficient training. Without identifying and addressing the underlying cause, violations are likely to happen again in the future. This is called recidivism.

Failing to Ask the Right Questions

Effective RCA demands the right questions to ensure that deeper issues come into view. Unfortunately, too many compliance professionals don't dig deep enough for what really occurred. "You need to peel back layers by continually asking why." I encourage using the oft-cited "Five Whys" technique. If a question is not asked correctly or is superficial, the conclusions will be incomplete.

Missing the Human Element

Many compliance professionals fall short by leaving out perhaps the most important ingredient in compliance failures: the people. As I have underscored, ineffective RCAs often fail to consider how people might make poor choices, work around (circumvent or override) controls, or fail to follow processes as a result of incentives, lack of understanding, managerial pressure, or because they can. Proper execution of an RCA requires consideration of human behavior, judgments, and workarounds. This is crucial!

Relying on Data with No Context

While data is key in understanding where compliance fails, the tendency to lean heavily on data without context forms another common mistake. Data can indicate that a control has failed, but not taking a deeper dive into why people did what they did, or why the control was bypassed, may lead compliance professionals to miss the broader systemic issues.

Failing to Integrate Findings

Even in those cases where the root cause is identified, compliance professionals don't take that critical next step of folding learned lessons into policies, training, and controls in an effort to deter recurrence. It is a lost opportunity for long-term betterment because systems, training, and policies are not updated to avoid recurrence of the issue at hand.

Regulators

The DOJ has underscored through policy updates and enforcement actions that root cause analysis is critically important. In 2024, the DOJ once more warned that any company facing compliance issues or misconduct investigations must conduct meaningful root cause analyses. It is not a best practice; it is expected that companies will do so when they remediate in the aftermath of violations like those under the FCPA. The understanding is that unless the root causes of systemic misconduct are understood, merely punishing individuals or updating policies will not suffice.

Recently, the DOJ has emphasized in speeches that effective remediation cannot occur without a comprehension of the root causes of the misconduct. It follows that prosecutors will be interested in whether the organisation has taken the time to investigate what went wrong with its compliance, as such an investigation is a prerequisite to any leniency in the enforcement action.

This is discussed most prominently in the revised DOJ ECCP guidance, which for the first time explicitly includes root cause analysis as one of the key criteria for assessing the effectiveness of corporate compliance programs.

For example, in the case of the Deere enforcement action, the DOJ commented that remediation without root cause analysis would not be complete and would thus perhaps leave the company vulnerable to future violations. So, the DOJ also wants a company to examine not just what went wrong but why, and to implement solutions that address the identified root causes so that it does not happen again. By emphasizing root cause analysis, the DOJ urges an organization's compliance program to improve continuously, changing course to find solutions to deep-seated problems rather than quick fixes.

Closing

By avoiding these common pitfalls and embracing instead a more holistic, inquisitive approach, the compliance professional will ensure that their RCA efforts result in more effective remediation and help to deter future failures.

Have a great day

Jonathan Marks

Disclaimer: The companies, individuals, or entities mentioned in this post are referenced for educational and illustrative purposes only. The information provided is not intended to criticize or call out any parties, but rather to serve as a tool for learning and discussion. The content is based on a range of purposes, including providing general information and insights. It should not be considered professional advice. Readers must consult with a qualified professional before making any decisions based on the content of this writing or any of my writings.

Ellen M. Hunt

Principal Consultant and Advisor

1 month

Love this!