One new and different item laid out in the 2017 Evaluation, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance, was the performance of a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement action.
The FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes.” The 2019 Guidance also raised the following questions under “Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?
Well known fraud investigator Jonathan Marks, defined a root cause analysis as “a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note a, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”
Marks also contrasted a root cause analysis with an investigation. He noted, “in an investigation we are try to either prove or disprove an allegation.” This means that in a compliance investigation you may be trying to prove or disprove that certain transactions could form the basis of a corrupt payment or bribe by garnering evidence to either support or refute specific allegations. You do not assess blame and that is the point where a root cause should follow to determine how the compliance failure occurred or was allowed to occur.
There is no one formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process which includes:
Step 1: Identify possible causal factors. Using the incident(s) to identify causal factors – things that cause or contribute to the compliance failure. It includes asking such questions as:
- What sequence of events leads to the problem?
- What conditions allow the problem to occur?
- What problems co-exist with the central problem and might contribute to it?
- Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves and stakeholders “why” or “so what” questions to identify causal factors.
Step 2: Identify the root cause. To find root causes – the primary sources of the compliance violation – start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.
Step 3: Identify communication challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.
Step 4: Prioritize compliance challenges. If root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider
- The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.
- How difficult it will be to reach the audience associated with the compliance failure.
- The mandate attached to the funding.
- If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.
Another approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com believe this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “Five Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”
To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which assists you to formulate the issue or problem. Then begin asking, “Why?” Ask why the compliance failure occurred write the answer down below the problem. But do not stop there if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five whys.”
Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”
Three key takeaways:
- A root cause analysis is now required if you have a reportable compliance failure.
- There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
- To properly perform a root cause analysis, you need trained professionals who really understand what they’re doing.