This week I have been exploring how you can work to operationalize your compliance programs in ways you perhaps had not considered previously. Today I want you to consider Prong 1 of the Evaluation of Corporate Compliance Programs (Evaluation) and the root cause analysis as a way to more fully burn compliance into the DNA of your organization.

Prong 1 of the Evaluation states:

Analysis and Remediation of Underlying Misconduct. Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?

A root cause analysis is a method to learn more about your business process and review what went wrong so that systems and the process itself can be remediated. The process is going to deliver whatever it delivers, whether that be right, wrong, or indifferent and until you change the process and systems, you can expect a repeatable output. Finding blame does not necessarily help and you need to get deeper into those root causes. The reason it is monikered “root cause analysis”, is to emphasize the need to drill down below the superficial pieces of the framework to correct the areas that are actually driving the outcomes and the behaviors.

Mike Volkov, in a 2017 article, entitled Under the Dark of Night, DOJ Moves the Compliance Ball (Part I of IV)”, noted, “The first question is relevant in those circumstances when the company is responding to misconduct that results in a government investigation. However, I think the questions asked provide important insights when a company suffers misconduct that does not result in a government investigation. Companies often face situations where they discover misconduct, impose discipline and remediate the problems discovered and then move on. This happens more often than misconduct resulting in a government disclosure or a government investigation. In either case, the questions are certainly relevant. The questions appear to be fairly basic but depending on the circumstances can be deadly accurate in pointing out compliance deficiencies. A “root cause” can implicate not only employee misconduct or failure to exercise proper oversight but can extend to such issues as a company’s culture, tone-at-the-top and other issues with significant implications for the company’s operations. It is too easy to blame a rogue employee, a concept that has neither relevance nor significance to legal and compliance practitioners who understand how compliance programs work.”

When root cause analysis is done correctly and utilized as a part of your remediation strategy going forward, it is primarily there to develop preventive actions. A preventive action is something to prevent recurrence of the problem. You can adjust with a corrective action, but the ultimate goal is to engineer out or fix the system and processes, so you do not have the opportunity for that flaw to occur again.

Another way to consider it, as stated by Ben Locwin, is “We have a problem. Let’s not run away from it. Let’s embrace it.” What you are really doing is looking at your program from the inside out. Locwin advocates beginning with such questions as “What can we do better? What can we do next?” He explains “you’re looking for examination from an external and not an internal prospective. Internal perspectives tend to follow along the quotas. If you always do what you always did, then you’ll always get what you always got.” He notes, “continuous improvement approaches benefit most from” its “frequent exposures to radical change.”

It is the willingness of a company to look at itself that is the key to continuous improvement. Locwin said, “typically these things come from external pressures and not from internal, incremental changes. If you take a step back, or maybe several steps back to say, what are we actually trying to do, and are we reaping the value that we’re intending to get out of what we have. If we’re not, then we should look for this really systemic overhaul of things, and not just try to tweak a little thing here and a little thing there.”

Locwin provides the example of a root cause analysis, which is typically used after an incident to determine what happened to assess blame, can be used to strengthen the prevention prong of your best practices compliance program. He said that a company must “allow themselves that freedom to appraise things that have gone wrong and then address them rather than just saying, “Well, you know we had someone who made a mistake, let’s fix the person or get rid of the person.” But really, it’s about, let’s understand what’s actually happening here because, for the most part, people are not willfully ignorant and they try to do the right things, so it could just be that there were some clarity issues with how they understood their role or their work for otherwise.”

Locwin notes a root cause analysis should not be used just simply to determine fault but, “It really should be a way to learn more about the process and what’s going wrong so that the systems and process itself can be changed because there is a thinking in the field which basically centers around the theme of, unless you have changed the process, then you’re going to keep getting similar or the same results.”

As Locwin further explained, “Until you change the process and the systems, you can basically expect that you’re going to have some sort of output that is going to repeat itself over and over again. That’s where finding blame doesn’t necessarily help and really you want to get deeper into those root causes. That’s, frankly, why it’s called root cause analysis, so that you can drill down below the superficial pieces of the framework to fix, and into the things that are actually driving the outcomes and the behaviors.” In the healthcare arena, the practice is called Corrective Action and Preventive Action (CAPA). If you take that some framework into anti-corruption compliance you should be in good stead.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018