In this podcast, I visit Jonathan Marks, a partner at Marcum LLP on how to perform a root cause analysis and it uses in the remediation phase of a best practices compliance program. One new and different item was laid out in the Evaluation of Corporate Compliance Program, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement action.

Marks noted a root cause analysis is a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause not the proximate cause the root cause representing the source of the problem. He contrasted this definition with that of a risk assessment which he said is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.

We also consider how to use a risk assessment because under the Evaluation, the critical element is how did you use the information you developed in the root cause analysis. Literally every time when you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

We tie this requirement from the Evaluation of Corporate Compliance Programs together. You must not only perform the root cause analysis but use the information you obtain to inform your compliance program going forward. As much care as you put into performing your root cause analysis should be put into using the findings for remediation.