One new and different item laid out in the Evaluation of Corporate Compliance Program (Evaluation), supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance, was the performance of a root cause analysis for any compliance violation which may lead to a self-disclosure or enforcement action. Under Prong 1, Analysis and Remediation of Underlying Misconduct, the Evaluation stated:

Root Cause Analysis: What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?

Prior Indications: Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?

The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy (Policy) brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”.

Initially you need to understand the difference between a root cause analysis and a risk assessment. Obviously, you would perform a root cause analysis after an incident occurs, so to that extent it is reactive rather than proactive. The site has defined root cause analysis as “The purpose of root cause analysis is to strike at the root of a problem by finding and resolving its root causes. Root cause analysis is a class of problem solving methods aimed at identifying the root causes of problems or events. … The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.”

Well-known fraud investigator Jonathan Marks has noted that it is a research-based approach to identifying the bottom-line reason for a problem or an issue, with the root cause, not the proximate cause, representing the source of the problem. He contrasted his definition with that of a risk assessment, which is something performed on a proactive basis based on various facts and things of nature that you know. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.

Marks also contrasted a root cause analysis with an investigation. He noted, “in an investigation we are trying to either prove or disprove a known allegation.” This means that in a compliance investigation you may be trying to prove or disprove that certain transactions could form the basis of a corrupt payment or bribe by garnering evidence to either support or refute specific allegations. You do not assess blame, and that is the point where a root cause analysis should follow to determine how the compliance failure occurred or was allowed to occur.

There is no one formula for performing a root cause analysis. One protocol, articulated by, advocates a four-step process which includes:

Step 1: Identify Possible Causal Factors

Using the incident(s) to identify causal factors – things that cause or contribute to the compliance failure. It includes asking such questions as:

  • What sequence of events leads to the problem?
  • What conditions allow the problem to occur? [e.g. traditional values and practices]
  • What problems co-exist with the central problem and might contribute to it? [e.g. lack of health facilities]
  • Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the Root Cause

To find root causes – the primary sources of the compliance violation – start with the causal factors identified above and ask “why?”. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes.

One method for identifying root causes is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify Communication Challenges

Now ask which root causes are challenges that compliance can and should address – communication challenges – and which are not. They provide an example that identifies the communication challenges. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.

Step 4: Prioritize Compliance Challenges

If the root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider:

  • The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.
  • How difficult it will be to reach the audience associated with the compliance failure.
  • The mandate attached to the funding.
  • If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Whys approach. As he explained, “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the site believes this approach contemplates that “By repeatedly asking the question ‘Why’ (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called ‘5 Whys,’ you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, suggests the following protocol. Begin by writing down the specific problem, which assists you in formulating the issue or problem. Then begin asking ‘why’. Ask why the compliance failure occurred and write the answer down below the problem. But do not stop there; if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask Why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five Whys.”

Yet another approach was suggested by risk management expert Ben Locwin in an article entitled ““Human Error” Deviations: How You Can Stop Creating (Most Of) Them”. It is the “Fishbone Diagram”, so called because it looks like the skeleton of a fish, and also known as the “Ishikawa diagram” for its progenitor, Kaoru Ishikawa. Locwin noted, “You put the problem statement at the “head” of the fish, and the causal factor categories as the “ribs” (remember, fish have cartilage, not bone, so these categories can be adjusted to suit your needs). By having a working group list causal factors under each category, you begin to develop a visual of how many things could contribute to your main effect (the problem statement).”

The six fishbone categories include (1) People – anyone involved with the process; (2) Methods – how the process is performed and the specific requirements for doing it, such as policies, procedures, rules, regulations and laws; (3) Machines – any equipment, computers, tools, etc. required to accomplish the job; (4) Materials – raw materials, parts, pens, paper, etc. used to produce the final product; (5) Measurements – data generated from the process that are used to evaluate its quality; and (6) Environment – the conditions, such as location, time, temperature, and culture in which the process operates.

The bottom line is there are multiple ways to perform a root cause analysis. However, it is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how it has developed its customer base. Overlay the need to understand what makes an effective compliance program with the skepticism an auditor would bring, so that you do not simply accept an answer which is provided to you, as you might in an internal investigation. Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals that really understand what they’re doing.”

Tomorrow we will take up using the root cause analysis as the basis for remediation as stated under the Evaluation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.

© Thomas R. Fox, 2018