Tag: compliance

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Taming Complexity

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this episode, we consider how to not simply tame complexity but embrace it as technology continues to innovate. Compliance must keep up with the business units it serves.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
FCPA Compliance Report

FCPA Compliance Report – Dr. Karen Jacobson on Bridging Cultural Divides for International Success

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, I visited Dr. Karen Jacobson, a renowned expert in organizational leadership and communication. She provides guidance for compliance professionals around leadership.

Dr. Karen Jacobson is a seasoned professional with a rich background in healthcare, public speaking, and business consulting. Her perspective on effective leadership and communication in diverse workplaces is shaped by her experiences in war, the military, healthcare, and even her time as a competitive amateur ballroom dancer. Jacobson believes that effective leadership requires understanding and adapting to the needs of different audiences, tailoring communication to resonate with them, and being culturally aware. She emphasizes the importance of leaders adapting their language and communication style based on the audience’s behavior style, emotions, and level of understanding and learning about the customs, language, and etiquette of the cultures they interact with.

Join Tom Fox and Karen Jacobson on this episode of the FCPA Compliance Report to delve deeper into this insightful perspective.

Key Highlights:

  • The Power of Active Listening in Leadership
  • The Art of Navigating Generational Communication
  • Bridging Cultural Divides for International Success
  • Developing Middle Managers through Targeted Training
  • Understanding Generational Values and Communication Styles

Resources:

Karen Jacobson

Website

LinkedIn

Facebook

Twitter

YouTube

Instagram

Tom Fox

Instagram

Facebook

YouTube

Twitter

Categories
Blog

Promoting Neurodiversity and Gender Equality in the Workplace: A Path to Inclusion and Success

In a recent Great Women in Compliance episode, hosts Ellen Hunt and Sarah Hadden were joined by guests Asha Palmer and Jason Meyer. They took a deep dive into the important topic of promoting neurodiversity and gender equality in the workplace. The episode shed light on the challenges faced by neurodivergent individuals, such as those with ADHD, autism, and dyslexia. It emphasized the need for understanding, inclusivity, and accommodation in the corporate world.

Asha Palmer is the Senior Vice President of Compliance Solutions at Skillsoft, overseeing the development and strategy of compliance learning solutions. With a passion for advancing the ethics and compliance community, Asha has dedicated her career to developing effective ethics and compliance programs for numerous companies worldwide. She is known for her program development, training, engagement, and risk assessment expertise. Asha’s commitment to promoting neurodiversity and gender equality in the workplace is evident through her contributions to the Great Women in Compliance podcast, where she discusses the challenges compliance professionals face in handling neurodivergent employees. She emphasizes the importance of risk assessment, awareness, and legal accommodations to create an inclusive and supportive work environment.

Jason Meyer is a prominent figure in promoting neurodiversity and gender equality in the workplace. He is the founder and President of Lead Good Education. Meyer has a wealth of experience supporting organizations in creating inclusive work environments. In 2023, he took a significant step towards this goal by launching the NeuROInclusion Initiative, a joint effort by his companies to embrace and include neurodivergent individuals in the workforce. With his expertise in producing custom education and engagement support for compliance teams and enhancing higher education compliance programs, Meyer actively promotes neurodiversity and inclusive practices through workshops, best practices, and expert counsel.

Neurodivergent individuals often process information differently, which can both benefit and challenge them in various work situations. Some individuals may even mask their neurodivergent traits, making it difficult for others to recognize their unique needs. However, creating a neuro-inclusive culture ensures everyone feels safe and empowered to express their needs and contribute to the organization’s success.

One of the key takeaways is the importance of compliance and ethics professionals in raising awareness about the risks associated with neurodivergence. By increasing awareness among teams, these professionals can help create a supportive environment that caters to the needs of neurodivergent individuals. This includes providing varied and digestible compliance training options accommodating different learning styles.

They also touched upon the issue of gender equality in the workplace, specifically highlighting the “pink tax” that women often face. The “pink tax” refers to the additional costs women may incur for products and services marketed towards them. This disparity not only affects women’s financial well-being but also perpetuates gender stereotypes and expectations.

To address these challenges, it is crucial to challenge gender expectations and create a culture of psychological safety. It is essential to encourage a culture where individuals feel comfortable speaking up and advocating for their needs. Compliance professionals, in particular, play a vital role in fostering this culture by promoting open communication and ensuring that policies and practices are fair and inclusive.

One of the key messages is the need to recognize and embrace neurodiversity as a natural part of the human experience. As Palmer stated, “We are a neurodiverse species.” By acknowledging and celebrating our differences, we can create a workplace that is good for all and critical for some. This means adopting approaches and practices that benefit everyone while also addressing the specific needs of neurodivergent individuals.

However, promoting neurodiversity and gender equality in the workplace comes with its own set of challenges. One of the main challenges discussed is the identification and inclusion conundrum. Neurodivergent individuals may not always disclose their condition due to fears of stigma, discrimination, or unrealistic expectations. Therefore, it is not possible to identify all neurodivergent employees, making it ineffective to impose separate training or burdens on them. Instead, the focus should be on creating a neuro-inclusive culture that benefits everyone.

Another challenge is the need for compliance and ethics professionals to consider the risks associated with neurodivergence. This includes understanding how neurodivergent employees interact with management, HR, and each other and ensuring that appropriate accommodations are provided when necessary. It is a nuanced challenge that requires a thoughtful and individualized approach.

In conclusion, promoting neurodiversity and gender equality in the workplace is a matter of fairness and inclusivity and a path to success. By embracing neurodiversity and challenging gender expectations, organizations can tap into all their employees’ unique strengths and perspectives. Compliance and ethics professionals are crucial in raising awareness, fostering a neuro-inclusive culture, and ensuring that policies and practices are fair and inclusive. As Sarah Hadden aptly stated, “Small steps, but big impact.” Through these small steps, we can create a workplace where everyone feels seen, valued, and empowered to reach their full potential.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Compliance Ecosystem

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this episode, we ask you to think about compliance as an ecosystem and how that can facilitate greater operationalization of your compliance program.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
From the Editor's Desk

From The Editor’s Desk – January and February 2024 in Compliance Week

Welcome to From the Editor’s Desk, a podcast where co-hosts Tom Fox and Kyle Brasseur, EIC at Compliance Week, unpack some of the top stories that have appeared in Compliance Week over the past month, look at the top compliance stories upcoming for the next month, talk about some sports and generally try to solve the world’s problems.

Tom Fox and Kyle Brasseur are back. In this episode, they look at the Department of Justice’s role in shaping corporate compliance practices through its enforcement actions, setting the tone for companies to voluntarily self-disclose and cooperate. Tom believes that the DOJ is making a concerted effort to highlight what companies are doing right in enforcement actions, particularly in relation to remedial efforts and cooperation. He sees the DOJ’s settlement documents as a clear communication of what they expect from companies going forward. Kyle emphasizes the importance of focusing on the positive aspects of enforcement actions and learning from what companies are doing right to prevent similar situations in the future. He mentions the use of data analytics and the retention of off-channel communications as examples of new expectations from the DOJ. Join Tom Fox and Kyle Brasseur on this episode of From the Editor’s Desk as they delve deeper into the topic of DOJ enforcement actions and corporate compliance practices.

Highlights Include:

  • SAP Enforcement Action
  • CNIL and Amazon’s Excessive Employee Surveillance Violation
  • Exploring Best Practices in Know Your Customer and Anti-Money Laundering Compliance
  • Highlighting Compliance Success in Financial Services
  • Insights from DOJ Enforcement Actions Roundtable
  • Bill Belichick
  • NFL Playoffs
Categories
Compliance Tip of the Day

Compliance Tip of the Day: Introduction to New Podcast Series

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this episode, we look down the road to 2030 and beyond to see the changes coming to compliance that were wrought beginning with the pandemic and moving forward. How can you prepare for them and what should your compliance program focus on?

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Operationalizing Compliance Through Payroll

One of the areas articulated in the 2023 ECCP was around payments and payroll. The compliance professional and the corporate payroll function have a significant role to play in operationalizing a corporate compliance program. The 2023 ECCP was replete with references to payment and its critical nature to any best practices compliance program. This includes references to foreign officials, payments to third parties, and hiding bribes in distributor payments.

The 2023 ECCP begins with a warning to stop wasting time on low-hanging fruit when there are much higher risks in your business operations. It states:

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than to more modest and routine hospitality and entertainment?

It then drills down into the payment and payroll systems, stating:

Appropriate Controls—How does the company ensure a proper business rationale for using third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Payment Systems—How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

These questions may not seem new, innovative, or even different from what payroll currently does for an organization. However, the 2023 ECCP demonstrates the role of payroll in compliance. The 2023 ECCP requires that payroll not only form a part of any best practices compliance program, but when it comes to the specific subject matter expertise, payroll is on the front lines of any attempts to prevent, detect, and remediate anti-corruption compliance violations.

The FCPA prohibits “anything of value” from being provided to foreign government officials or employees of state-owned enterprises to obtain or retain business. This “anything of value” is almost always money, and that money must come from somewhere inside the company. While the Watergate intonation to “follow the money” remains valid in any compliance issue, the 2023 ECCP speaks much more depth about payroll’s responsibility in a corporate compliance program. There must be verifiable controls that not only detect fraudulent payments but also work to prevent any such payments.

Yet when the inquiries are read together, they paint a broader picture than simply tasking payroll with the responsibility to prevent fraudulent leakage of money that could be used to fund bribes. The questions around the approval and certification process should be a standard part of any payroll system. This has the effect of operationalizing the responsibility up and down the management chain, from the individual employee up through their manager(s) and eventually to the highest level of management involved in the process. This level of operationalization is designed not only to put a set of brakes in place but also to work to put a second set of eyes on the entire payroll process.

Finally, payment systems have a role in the remediation phase of any best practices compliance program. If a payroll control failure led to or even allowed a compliance violation, what was done to fix the control issue? Here, payroll should work to perform a root cause analysis of what led to the control failure and then enhance or upgrade the control to provide a solution going forward. Of course, there should be a fully documented audit trail for this work to provide to the government should they ever come knocking, or even to your corporate auditors.

This means that not only can payroll be one of the compliance function’s strongest corporate allies, but that the role of payroll, by its nature, works to operationalize compliance. This is because to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA and know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.

This is particularly true around offshore payments, generally defined as payments made to a location other than the home domicile of the payee or the area where the services were delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people on the payroll on this issue, they may well pick up the phone and notify compliance when they see a request for payment in a geographic location separate from one of the two standard payment venues. Those are the types of communications, when properly documented, that demonstrate your compliance program is operationalized into the fabric of the organization.

Another way to view it is if there is a payroll control for such a scenario that notes the exception and requires the clearance of a red flag through additional investigation, elevation for approval, and documentation of the entire process; it operates as both a financial control and a compliance control as well. It strengthens the company’s internal controls to both prevent and detect compliance risks going forward.

There are several specific internal payroll controls that will facilitate a company operationalizing its compliance program, as required under the 2023 ECCP. These controls help keep an eye on the money trail, as the money to pay a bribe is usually hidden in some company expenditures. The four general areas of payroll control should include: 1) segregation of duties; 2) accountability, authorization, and approval; 3) security of assets; and 4) review and reconciliation.

To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:

Audit. Have either internal or external auditors conducted an annual audit of payroll accuracy?

Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a senior manager.

• Change the tracking log. If you are processing payroll in-house with a computerized payroll module, have secure change tracking to provide an audit trail.

Expense trend lines. This is your data, and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.

Issue payment reports to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.

Restrict access to records. Prevent unauthorized access to payroll records.

Segregation of duties. You should never allow one person to prepare the payroll, authorize it, and create payments.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Categories
Blog

Using a Root Cause Analysis for Remediation

The 2023 ECCP re-emphasized the need for both performing a root cause analysis but equally importantly using it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”

It went on to state, what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk”).” The following questions were then posed:

Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?

Prior Weaknesses—What controls failed? If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?

You should begin with the question of who should perform the remediation; should it be an investigator or an investigative team which were a part of the root cause analysis? Jonathan Marks, believes the key is both “independence and objectivity.” It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse”. Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

Marks further noted that the company may also have deficiencies in internal controls. More importantly, the failure to remediate gaps in internal controls “provides the opportunity for additional errors or misconduct to occur, and thus could damage the company’s credibility with regulators” by allowing the same or similar conduct to reoccur. Finally, with both the 2023 ECCP and FCPA Corporate Enforcement Policy, the DOJ has added its voice to prior SEC statements that regulators “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”

As required under the 2023 ECCP, from the regulatory perspective, the critical element is how did you use the information you developed in the root cause analysis? Every time you see a problem as a CCO, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step processes, in which one process can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its 2023 ECCP, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

Categories
Innovation in Compliance

Innovation in Compliance – Dr. Karen Jacobson on Uncovering The Impact of Behavior

Innovation comes in many forms, and compliance professionals need to not only be ready for it but also embrace it. Today, I visited Dr. Karen Jacobson, a renowned expert in organizational leadership and communication.

Dr. Jacobson brings a unique perspective to her work, shaped by her diverse experiences ranging from serving in the military in Israel to running chiropractic offices in New York and Arizona. Dr. Jacobson’s holistic approach to organizational leadership and communication is rooted in her belief that work positioning, repetitive movements, and physical challenges are all interconnected and can impact the overall functioning of an organization. Drawing from her experiences in war, military, healthcare, and even competitive amateur ballroom dancing, she emphasizes the importance of core human connection skills such as conflict reduction, effective communication, and motivation. Her background as a chiropractor also gives her insights into understanding people and their behavior, including habits that affect posture and confidence. Join Tom Fox and Dr. Karen Jacobson on this episode of Innovation in Compliance.

Key Highlights:

  • Understanding behavioral styles is crucial for effective communication in the workplace.
  • Adapting communication for different generations and cultural differences is essential for effective workplace communication.
  • Effective leadership outside the United States requires understanding and respecting different cultures and customs.
  • Understanding personal strengths and leading with them can lead to more effective leadership.

Resources:

Karen Jacobson

Website

LinkedIn

Facebook

Twitter

YouTube

Instagram

 

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

What is a Root Cause Analysis?

One of the biggest changes in the 2020 FCPA Resource Guide, 2nd edition, is the addition of a new Hallmark, entitled, Investigation, Analysis, and Remediation of Misconduct, which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

There are many interesting aspects to this Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response,”. Now beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged, your investigation protocol should kick in with a detailed and effective investigation that is completed in a reasonable time and provide a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis. This builds upon several sources.

The 2023 ECCP also raised the following questions under “Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”

Well known fraud investigator Jonathan Marks, partner at BDO, defined a root cause analysis as “research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”

However, there is no one formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process which includes:

Step 1: Identify possible causal factors. Using the incident(s) to identify causal factors—things that cause or contribute to the compliance failure. It includes asking such questions as:

• What sequence of events leads to the problem?

• What conditions allow the problem to occur? [e.g., traditional values and practices]

• What problems co-exist with the central problem and might contribute to it? [e.g., lack of health facilities]

• Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the root cause. To find root causes—the primary sources of the compliance violation—start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify communication challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.

Step 4: Prioritize compliance challenges. If root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider:

• The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.

• How difficult it will be to reach the audience associated with the compliance failure.

• The mandate attached to the funding.

• If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com believe this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “Five Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which assists you to formulate the issue or problem. Then begin asking, “Why?” Ask why the compliance failure occurred write the answer down below the problem. But do not stop there if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five whys.”

Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”