In my last post, I began considering the Prong of the Evaluation of Corporate Compliance Programs (Evaluation) that was not present in the Ten Hallmarks of an Effective Compliance Program: the root cause analysis. This addition was also carried forward as a requirement in the Department of Justice’s (DOJ’s) new FCPA Corporate Enforcement Policy (Policy). Today, I want to consider using the results of a root cause analysis in remediating a compliance program.

Under Prong 1, Analysis and Remediation of Underlying Misconduct, the Evaluation stated:

“Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis?”

The Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”.

I begin with who should perform the remediation: should it be a person or team that was part of the root cause analysis, or one that was not? I put this question to well-known fraud expert Jonathan Marks, a partner at Marcum LLP, who believes the key is both “independence and objectivity”. It may be that an investigator is a subject matter expert (SME) and “therefore more qualified to get that particular recourse.” Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

Marks also noted if “the errors require some type of financial restatement the company may also have deficiencies in internal controls. More importantly the failure to remediate gaps in internal controls provides the opportunity for additional errors or misconduct to occur, and could damage the company’s credibility with regulators” and allow the same or similar conduct to reoccur. Finally, with both the Evaluation and Policy, the DOJ has added its voice to prior Securities and Exchange Commission (SEC) statements that it “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”

Ben Locwin considered it from the ‘blame’ angle, when he wrote, “Simply ‘cataloguing’ and ‘assigning cause’ to a defect or error is not compliance. Compliance presumes systems and processes are designed to adhere to regulatory pronouncements. Selecting ‘human error’ from a dropdown list and assigning it as root cause means that user is accountable for having thoroughly investigated the causal factors of the error or defect, identifying and determining which root cause(s) are most likely, according to the preponderance of evidence, to have been associated with the defect.” This means not blaming some individuals and terminating them but actually fixing the broken compliance systems which allowed the violation in the first place.

Locwin concludes by noting, “Stop blaming people for bad systems and processes. The people are the human capital that is actually doing the thinking and processing to generate profits for your company — unless there is data to suggest willful negligence or gross incompetence, then in that case address the talent development gap or termination. A nicely documented retraining of Alice or Bob isn’t going to improve successive outcomes on future iterations of the same work. Guaranteed. And I have plenty of data showing these sorts of human error interventions [retraining] are less than 5 percent effective at preventing recurrence of the problem.”

As required under the Evaluation, from the regulatory perspective, the critical element is how you used the information you developed in the root cause analysis. Literally every time you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions, developed through a root cause analysis, that you can bring real value and real solutions to your compliance program.

The key is that after you have identified the causes of problems, you consider the solutions that can be implemented by developing a logical approach, using data that already exists. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process, in which one process can confirm the results of another. Focusing on corrective measures for root causes is more effective than simply treating the symptoms of a problem or event, and will aid in having a much more robust solution in place. This is because solutions are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its Evaluation, it becomes clearer what they expect from the compliance professional. Hui Chen, in an interview on the Radical Compliance podcast, made clear she desired that the Evaluation would cause Chief Compliance Officers (CCOs) and compliance practitioners to consider the structure of their compliance program and how it inter-relates to the company’s risk profile. When you have a compliance failure, you should use the root cause analysis to think about how each of the structural elements of your compliance program could impact on how you manage and deal with that risk. Chen stated, “I would use the approach that I hope is consistently clear through the document is that the quest for thinking through what you want to accomplish, how you are gonna do it, who are you going to work with to accomplish those things, and how you measure the results, what data are you getting need to collect to inform your decisions along the way.”

We began with the Evaluation of Corporate Compliance Programs and that is an appropriate place to end these two blog posts on root cause analysis. You must not only perform the root cause analysis but use the information you obtain to inform your compliance program going forward. As much care as you put into performing your root cause analysis should be put into using the findings for remediation.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018