Last week, the Department of Justice (DOJ) premiered a new policy regarding Foreign Corrupt Practices Act (FCPA) enforcement. Deputy Attorney General Rod Rosenstein, in a speech, called it the FCPA Corporate Enforcement Policy and stated that it is now “incorporated into the United States Attorneys’ Manual.” The new Policy has four sections: 9-47.100 Introduction; 9-47.110 Policy Concerning Criminal Investigations and Prosecutions of the Foreign Corrupt Practices Act; 9-47.120 FCPA Corporate Enforcement Policy and 9-47.130 Civil Injunctive Actions. Today I want to consider in some depth what this new policy means for a best practices compliance program, particularly the importance of the root cause analysis.

There are several different points to note about compliance programs under the new Corporate Enforcement Policy. The first is the incorporation of the 10 Hallmarks of an Effective Compliance Program through reference to the 2012 FCPA Resource Guide. Second is the language that makes clear that credit for a best practices compliance program is available for programs which are beyond simply the bare minimum under the US Sentencing Guidelines. Finally, is that language and concepts in this new Policy come from a variety of sources, including the DOJ’s 2016 FCPA Pilot Program and the 2017 Evaluation of Corporate Compliance Programs (Evaluation). This builds upon the 10 Hallmarks of an Effective Compliance Program incorporated through reference into the new Enforcement Policy.

In the new Enforcement Policy, it states “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes”. The language around root cause analysis was first articled in the Evaluation. Bill Steinman, writing in the FCPA Blog, said, “Of all the changes in the new policy, this is perhaps my favorite. As any ethics professional worth her or his salt will tell you, perhaps the most fundamental part of recovering from a lapse in appropriate conduct is figuring out how it happened in the first place. You can’t really move forward toward fixing a problem unless you’ve asked and until you’ve clearly answered questions like “why did this happen here?” or “what about our company made our people think this was ok?””

Mike Volkov, writing in his blog, said, “The “root cause” analysis has taken on greater significance through the years, and is an important inquiry needed to understand why financial and compliance controls were not able to detect and prevent the illegal conduct. It is a more intensive review and analysis than a risk and compliance program assessment, and is targeted to the specific facts underlying the violations.” In another blog post, he stated, “A root cause can implicate not only employee misconduct or failure to exercise proper oversight, but can extend to such issues as a company’s culture, tone-at-the-top and other issues with significant implications for the company’s operations.”

I agree with both assessments. A root cause analysis is a method to learn more about your business process and what occurred so that the controls, systems and process can be remediated. A root cause analysis allows you to determine the true cause of an incident, not one that simply hypothesizes a bad actor within a company going rogue. If you just fire someone, without changing the process, you are going to keep getting similar or the same results. Assessing blame does not help, as you want to get deeper into those root causes. The reason the entire process is named ‘root cause analysis’, is to emphasize the need to drill down below the superficial pieces of the framework to fix, and into the things that are driving the outcomes and the behaviors.

When root cause analysis is done correctly and utilized as a part of your remediation strategy going forward, it is principally there in order to develop preventive actions. A preventive action is something to prevent recurrence of the problem. You can correct with a corrective action, but the ultimate goal is to engineer out or fix the system and process so you do not have the opportunity for that flaw to occur again.

A root cause analysis can be used to strengthen the prevention prong of your best practices compliance program. Thinking of the proper manner to use a root cause analysis, to find facts and not assess blame will take your compliance program to an entirely higher level of proficiency. If the DOJ ever comes knocking you can demonstrate your adherence to new FCPA Corporate Enforcement Policy in a documented manner.

Once again for the compliance professional, the new FCPA Corporate Enforcement Policy makes the importance of a best practices compliance program even more critical. By having the first point speak to root cause analysis, it emphasizes not only the importance of the specific exercise but also the data driven approach to a best practices compliance program. It is more than simply learning from your mistakes; it is taking the information from your root cause analysis and incorporating it back into your compliance program. A compliance program is dynamic and not static. This final fact is what separates the type of analysis the DOJ puts forward from those who want a paper program to constitute a full and complete compliance defense.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017