Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 31 – Leveraging Root Cause Analysis for Effective Compliance

Welcome to a special podcast series on the Compliance Podcast Network, 31 Days to a More Effective Compliance Program. Over these 31 days of the series in January 2025, Tom Fox will post a key part of a best practices compliance program daily. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6–8 minutes, and will include three key takeaways you can implement at little or no cost to help update your compliance program. I hope you will join us each day in January for this exploration of best practices in compliance.

In this final episode of our 31-day series, we dive into the importance of using root cause analysis for remediation in compliance programs. As the ECCP and DOJ emphasize, an effective compliance program includes thorough root cause analysis to address misconduct and implement corrective actions. The process involves understanding who should perform the remediation, emphasizing independence and objectivity, integrating the information into solutions, and addressing deficiencies in internal controls. Key takeaways include using objective root cause analysis, effectively utilizing the information gathered, and implementing data-driven, repeatable solutions to prevent future issues. This episode provides valuable insights for compliance officers aiming to enhance their programs by focusing on root causes rather than just symptoms.

Key highlights:

  • Integrating Root Cause Analysis into Solutions
  • Regulatory Expectations and Internal Controls
  • Performing Effective Root Cause Analysis
  • Developing and Implementing Solutions

Categories
Blog

Unseen Threats and Deduction: Compliance Lessons from The Adventure of the Lion’s Mane

Sherlock Holmes, the master of deduction, seldom worked without Dr. Watson. Yet in The Adventure of the Lion’s Mane, Holmes takes center stage in a quiet coastal town, solving a case that presents no apparent suspects, no human culprit, and a mystery rooted in the natural world. For corporate compliance professionals, this unusual story offers rich lessons about vigilance, adaptability, and the importance of robust investigative techniques. The story is unusual for several reasons, including Holmes’s first-person narrative. Also, the case involves an antagonist from the natural world instead of the human world.

Equally interesting are the lessons the story can teach the 21st-century compliance professional. Today, I will examine five key compliance lessons from Holmes’s encounter with the lion’s mane jellyfish. For additional information on the story and commentary, check out the podcast Compliance Lessons from The Lion’s Mane on the Compliance Podcast Network.

Unraveling Unseen Threats: The Importance of Root Cause Analysis

In this story, the victim collapses after screaming the cryptic words “The lion’s mane!” while bearing strange, whip-like marks on his body. At first, suspicion falls on human suspects, but Holmes’s methodical approach reveals the true cause: a Cyanea capillata jellyfish, an elusive and deadly natural threat. The case highlights a critical point for compliance professionals: risks may not always appear obvious, and solutions often require digging beneath the surface.

In the compliance world, it is often tempting to stop at the first explanation for misconduct, such as blaming individual employees or focusing on the visible symptoms of an issue. However, failing to identify the root cause leaves your organization vulnerable to repeated compliance failures. Whether you are dealing with third-party bribery risks, internal fraud, or systemic policy gaps, the Department of Justice has made clear in the 2024 Update to the Evaluation of Corporate Compliance Programs that a root cause analysis is a cornerstone of effective compliance programs, re-emphasizing the need both for performing a root cause analysis and, equally importantly, for using it to remediate your compliance program. It stated, “A hallmark of a compliance program that works effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”

It stated what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and implementing measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.” The following questions were then posed:

Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?

Prior Weaknesses—What controls failed? If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?

Adaptability in Unfamiliar Environments

Holmes’s seaside investigation takes him far from his usual London setting. Without the bustle of Baker Street or Watson’s steady presence, Holmes must rely entirely on his deductive skills and adaptability. This scenario mirrors the modern compliance officer’s challenge of addressing new and unfamiliar risks.

For example, your organization may expand into a new market or pivot its business model, exposing it to unfamiliar regulatory requirements or operational risks. In these situations, compliance professionals must act as business partners, guiding the organization through uncharted waters while ensuring compliance remains a priority.

You should begin with the question of who should perform the remediation; should it be an investigator or an investigative team that was part of the root cause analysis? Jonathan Marks believes the key is both “independence and objectivity.” An investigator or investigative team may be a subject matter expert and “therefore more qualified to get that particular recourse.” Yet, to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

Accounting for External Risks

The lion’s mane jellyfish, a force of nature, represents the kind of external risk that organizations often overlook. External risks, whether from geopolitical shifts, third-party misconduct, or environmental factors, can devastate even the most robust compliance programs if not properly managed.

Consider the recent focus on supply chain risks. An organization may have strong internal controls, but a third-party supplier engaging in unethical practices can still expose it to liability. Therefore, due diligence and ongoing monitoring are essential to an effective compliance program. Some of the key actions you can take include the following:

  • Conduct comprehensive third-party due diligence before onboarding suppliers, agents, or contractors.
  • Regularly review external risks as part of your enterprise risk management (ERM) program.
  • Implement tools and technologies to monitor external developments in real time, such as sanctions lists or geopolitical instability.

The Power of Patience and Observation 

Holmes’s resolution hinges on his meticulous observation of minor details: marks on the victim’s body, the jellyfish’s natural habitat, and the timeline of events. He doesn’t rush to conclusions or allow others’ assumptions to sway him. Instead, he systematically gathers evidence and applies his knowledge to reach the correct conclusion. This approach underscores the importance of methodical, data-driven investigations for compliance professionals. Whether handling an internal whistleblower complaint or responding to a regulatory inquiry, rushing the process can lead to missed details or flawed conclusions.

You may also have deficiencies in internal controls. Failing to remediate gaps in internal controls “allows additional errors or misconduct to occur and thus could damage the company’s credibility with regulators” by allowing the same or similar conduct to reoccur. Finally, with both the 2024 ECCP and FCPA Corporate Enforcement Policy, the DOJ has added its voice to prior SEC statements that regulators “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”

Communication as a Compliance Superpower

One of Holmes’s strengths lies in his ability to explain complex phenomena in a way others can understand. In this story, he demystifies the jellyfish’s deadly nature for the local community, helping them grasp their danger and take appropriate precautions. For compliance professionals, communication is equally critical. Whether presenting findings to the board, conducting employee training, or preparing reports for regulators, you must convey complex information clearly and compellingly. The best compliance programs are not just comprehensive; they are understood and embraced by everyone in the organization.

For compliance professionals, there are several actions you can take. First, tailor your communication style to your audience, whether it’s frontline employees, senior leadership, or regulators. Next, use data visualization, case studies, and real-world examples to make your message relatable and memorable. Finally, foster a culture of transparency, ensuring employees feel empowered to ask questions and report concerns without fear of retaliation.

Final Thoughts 

The Adventure of the Lion’s Mane is a tale of hidden threats, careful investigation, and the power of critical thinking—qualities that resonate deeply with the compliance profession. Holmes’s success lies in adapting to unfamiliar circumstances, uncovering an unseen danger, and effectively communicating his findings. Compliance officers need these skills to navigate the complex and ever-changing corporate risk landscape.

As you reflect on Holmes’s seaside investigation, consider how his methods can inspire your compliance practices. Are you conducting root-cause analyses with the same rigor? Have you adapted your program to account for external risks? And most importantly, are you equipping your organization with the tools and knowledge to prevent compliance failures before they occur?

By channeling Sherlock Holmes’s spirit of deduction and vigilance, you can strengthen your compliance program and ensure it is prepared to face even the most unexpected challenges. When the next hidden risk emerges, you will be ready to solve the mystery with precision and confidence, just like Sherlock Holmes.

Categories
Everything Compliance

Everything Compliance: Episode 143, The North to South Episode

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows.

In this episode, we have the quartet of Matt Kelly, Jonathan Marks, and Karen Moore, with host Tom Fox wearing a double hat as a commentator as well. We take up Root Cause Analysis, DEI questions in the Boeing monitorship, failures at TD Bank, and a possible Caremark claim.

1. Matt Kelly takes a look into the commercial strategies that led to the compliance failures at TD Bank. He rants about the (now deleted) advertising campaign of Boston’s National Women’s Soccer League team, which announced the new team with the tagline ‘too many balls’.

2. Jonathan Marks explains the differences between a root cause analysis and an investigation. He shouts out the WNBA and the person who solved the Golden Owl puzzle.

3. Karen Moore takes a deep dive into the district court’s request for more information on the impact of DEI on the Boeing monitorship. She rants about non-civility in the parking lots of America’s supermarkets.

4. Tom Fox takes a look at the potential Caremark claim against TD Bank for both directors’ and officers’ failures in their duties. He shouts out to the GOP-dominated Texas Legislature for subpoenaing Robert Roberson for an appearance before the House one day before his scheduled execution, and to the Texas Supreme Court for staying his execution until he could appear.

The members of the Everything Compliance are:

The host, producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the award-winning Compliance Podcast Network.

Additional Resources:

1. Jonathan Marks on Root Cause Analysis on LinkedIn.

2. Matt Kelly on TD Bank’s Enforcement Action on Radical Compliance.

3. Tom Fox on the potential Caremark claims in the TD Bank case on the Compliance Podcast Network blog.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Lessons on Root Cause Analysis from John Deere

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Not only does the DOJ expect companies to perform a Root Cause Analysis during any investigation, but an RCA also helps to identify systemic issues for remediation.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Lesson from The John Deere FCPA Enforcement Action – Root Cause Analysis for Remediation

Today, we review why a root cause analysis is the first step you should take before you begin the remediation of your compliance program.

Categories
Sunday Book Review

Sunday Book Review: May 19, 2024 Books on Root Cause Analysis Edition

In the Sunday Book Review, Tom Fox considers books that would interest the compliance professional, the business executive, or anyone who might be curious.

It could be books about business, compliance, history, leadership, current events, or anything else that might interest me.

In today’s edition of the Sunday Book Review, we look at some of the top books on root cause analysis you should read.

  • The New Science of Fixing Things by David Hartshorne
  • The Root Cause Analysis Handbook by Max Ammerman
  • Root Cause Analysis: The Core of Problem Solving by Duke Okes
  • Root Cause Analysis: Improving Performance for the Bottom Line by Mark A. Latino, Robert J. Latino, and Kenneth C. Latino

Categories
31 Days to More Effective Compliance Programs

Day 31 | Using a root cause analysis for remediation


The 2020 Update re-emphasized the need both for performing a root cause analysis and, equally importantly, for using it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”

It went on to state what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.”

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process, in which one process can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event, and you will have a much more robust solution in place. This is because the solutions are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its 2020 Update, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

Three key takeaways:

  1. The key is objectivity and independence.
  2. The critical element is how you used the information you developed in the root cause analysis.
  3. The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.