From the DOJ Evaluation of Corporate Compliance Programs
- Analysis and Remediation of Underlying Misconduct
Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?
A root cause analysis should be a method to learn more about your business process and what went wrong so that the systems and process itself can be changed because there is a thinking in the field which basically centers around the theme of, unless you have changed the process, then you’re going to keep getting similar or the same results. The process is going to deliver whatever it delivers, whether that be right, wrong, or indifferent. Until you change the process and the systems, you can basically expect that you’re going to have some sort of output that is going to repeat itself over and over again. Finding blame does not necessarily help and really you want to get deeper into those root causes. The reason it is monikered “root cause analysis”, is to emphasize the need to drill down below the superficial pieces of the framework to fix, and into the things that are actually driving the outcomes and the behaviors.
As Mike Volkov has noted, “The first question is relevant in those circumstances when the company is responding to misconduct that results in a government investigation. However, I think the questions asked provide important insights when a company suffers misconduct that does not result in a government investigation. Companies often face situations where they discover misconduct, impose discipline and remediate the problems discovered and then move on. This happens more often than misconduct resulting in a government disclosure or a government investigation. In either case, the questions are certainly relevant. The questions appear to be fairly basic but depending on the circumstances can be deadly accurate in pointing out compliance deficiencies. A “root cause” can implicate not only employee misconduct or failure to exercise proper oversight, but can extend to such issues as a company’s culture, tone-at-the-top and other issues with significant implications for the company’s operations. It is too easy to blame a rogue employee, a concept that has neither relevance nor significance to legal and compliance practitioners who understand how compliance programs work.”
When root cause analysis is done correctly and utilized as a part of your remediation strategy going forward, it principally is there in order to develop preventive actions. A preventive action is something to prevent recurrence of the problem. You can correct with a corrective action, but the ultimate goal is to engineer out or fix the system and processes so you do not have the opportunity for that flaw to occur again.
Another way to consider it, as stated by Ben Locwin is “We have a problem. Let’s not run away from it. Let’s embrace it.” What you are really doing is looking at your program from the inside out. Locwin advocates beginning with such questions as “What can we do better? What can we do next?” He went on to explain “you’re looking for examination from an external and not an internal prospective. Internal perspectives tend to follow along the quotas. If you always do what you always did, then you’ll always get what you always got.” He went on to say “continuous improvement approaches benefit most from” its “frequent exposures to radical change.”
It is the willingness of a company to look at itself that is the key to continuous improvement. Locwin said that while “typically these things come from external pressures and not from internal, incremental changes. If you take a step back, or maybe several steps back to say, what are we actually trying to do, and are we reaping the value that we’re intending to get out of what we have. If we’re not, then we should look for this really systemic overhaul of things, and not just try to tweak a little thing here and a little thing there.”
Locwin provided the example of a root cause analysis, which is typically used after an incident to determine what happened to assess blame, can actually be used to strengthen the prevention prong of your best practices compliance program. He said that a company must “allow themselves that freedom to appraise things that have gone wrong and then address them rather than just saying, “Well, you know we had someone who made a mistake, let’s fix the person or get rid of the person. But really it’s about, let’s understand what’s actually happening here because, for the most part, people are not willfully ignorant and they try to do the right things, so it could just be that there were some clarity issues with how they understood their role or their work for otherwise.”
A root cause analysis should not be used just simply to determine fault but, “It really should be a way to learn more about the process and what’s going wrong so that the systems and process itself can be changed because there is a thinking in the field which basically centers around the theme of, unless you have changed the process, then you’re going to keep getting similar or the same results.”
As Locwin further explained, “Until you change the process and the systems, you can basically expect that you’re going to have some sort of output that is going to repeat itself over and over again. That’s where finding blame doesn’t necessarily help and really you want to get deeper into those root causes. That’s, frankly, why it’s caused root cause analysis, so that you can drill down below the superficial pieces of the framework to fix, and into the things that are actually driving the outcomes and the behaviors.” In the healthcare arena, the practice is called Corrective Action and Preventive Action (CAPA).
A root cause analysis allows you to operational your compliance program by using this preventative action approach.Click to tweet
Three Key Takeaways
- The DOJ Evaluation mandates a root cause analysis.
- You cannot have a culture of blame for a root cause analysis to be effective.
- Always remember CAPA.
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.