Tag: root cause analysis

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Lessons on Root Cause Analysis from John Deere

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Not only does the DOJ expect companies to perform a Root Cause Analysis during any investigation, but a RCA helps to identify systemic issues for remediation.

Categories
Blog

Deere’s FCPA Enforcement Action: Performing a Root Cause Analysis to Inform Remediation

We recently had a Foreign Corrupt Practices Act (FCPA) enforcement action that reminded me that everything old is new again in anti-corruption compliance. The Securities and Exchange Commission (SEC) FCPA enforcement action involving Deere and Company (Deere) has bribery schemes torn literally from the first decade of the 21st century as they involved gifts, travel, and entertainment. In other words, it was about a low set of hanging fruit that any compliance officer would see. Today, I want to take a multipart look at the case and see what lessons the enforcement action can provide to the 2024 compliance professional.

Compliance Professionals all know the pressure to act swiftly when misconduct is discovered. It is often tempting to jump straight into remediation to address the problem, protect the company, and appease regulators. However, the case of Deere’s recent FCPA enforcement action reminds us that acting without first understanding the root cause of the misconduct can lead to superficial fixes that fail to prevent future violations.

In the Deere enforcement action, the company faced significant penalties due to bribes paid by subsidiaries of Wirtgen Group, which Deere acquired in 2017. Between 2011 and 2017, Wirtgen subsidiaries engaged in corrupt practices, paying bribes to government officials in several countries, including China and India. While Deere eventually addressed the misconduct post-acquisition, its failure to perform robust due diligence and root cause analysis before remediation exposed it to regulatory and reputational damage.

This case highlights the critical need for companies to conduct a thorough root cause analysis before embarking on remediation efforts. In this blog post, we will detail why a root cause analysis should always precede remediation, what the process entails, and how it can protect your company from future enforcement actions and compliance failures.

Understanding the True Nature of the Problem

The first and most obvious reason to conduct a root cause analysis before remediation is to ensure you address the correct problem. In the Deere case, the misconduct stemmed from bribery by Wirtgen subsidiaries, but the real issue wasn’t just the bribery itself—it was the company’s failure to identify and prevent this behavior in the first place. Simply punishing the employees involved or updating internal policies would have been insufficient without understanding why these bribes were paid.

Before designing an effective remediation plan, you must understand why the misconduct occurred. Was it due to weak internal controls? A culture that tolerated unethical behavior? Inadequate training? A failure to perform due diligence on third parties? Each of these potential causes requires a different remediation strategy. If you do not identify the true cause of the problem, your remediation efforts will be superficial and may not prevent future violations. Root cause analysis allows compliance officers to uncover the underlying reasons for misconduct, enabling them to design targeted solutions that address the actual problem—not just the symptoms.

Root Cause Analysis Helps Identify Systemic Issues

One of the biggest risks when dealing with FCPA violations or corporate misconduct is that the issue may not be isolated to one event or individual. Corruption or compliance failures are often systemic, indicating deeper issues within the company’s culture, policies, or risk management framework. If Deere had conducted a more thorough root cause analysis post-acquisition, it could have uncovered broader issues in Wirtgen’s compliance program and taken proactive steps to address those weaknesses company-wide.

Root cause analysis forces you to ask tough questions about your company’s broader compliance infrastructure. Are certain business units, regions, or third-party relationships more misconduct-prone? Are there patterns of behavior that suggest systemic problems? You can implement more effective, company-wide remediation efforts by identifying these systemic issues beyond addressing a single incident.

Regulators Expect a Root Cause Analysis

Regulators, including the DOJ and the Securities and Exchange Commission (SEC), expect companies to conduct thorough root-cause analyses when investigating FCPA violations. The DOJ’s 2024 ECCP explicitly states that prosecutors will consider whether a company has adequately identified and remediated the root causes of misconduct when determining penalties. Additionally, this was specifically called out in the SAP Deferred Prosecution Agreement (DPA) earlier this year, where the DOJ stated, “5. Conducted a root cause analysis of the underlying conduct then remediating those root causes through enhancement of its compliance program;”.

In the Deere enforcement action, part of the company’s challenge was showing regulators that it had addressed the bribes themselves and the underlying reasons that allowed the misconduct to occur. Companies that skip the root cause analysis and rush into remediation without clearly understanding what went wrong will likely face harsher penalties.

Performing a root cause analysis is more than good practice; it has moved to a regulatory expectation. The more comprehensive your analysis, the more likely regulators (DOJ and SEC) are to view your remediation efforts as credible. A company that can demonstrate it understands the root cause of its compliance failures—and has taken meaningful steps to address those causes—is more likely to receive leniency during enforcement actions.

Preventing Recurrence: Moving Beyond Quick Fixes

One of the major pitfalls of jumping into remediation without a root cause analysis is the risk of implementing quick fixes that don’t address the root problem. For example, in the Deere case, if the company had updated its anti-corruption policy without addressing the broader cultural or systemic issues, it would have left the door open for future violations.

Root cause analysis ensures that your remediation efforts are comprehensive and designed to prevent future violations. Instead of focusing solely on policies or individuals, you’re addressing the broader systems and processes that allowed the misconduct to occur. This might involve rethinking your company’s approach to third-party due diligence, improving internal reporting mechanisms, or enhancing employee training programs to emphasize ethical behavior. A quick fix might resolve the immediate problem, but a comprehensive root cause analysis will prevent recurrence and protect your company long-term.

Improving Your Compliance Program Over Time

Root cause analysis is not a reactive tool; it is a mechanism to continuously improve your company’s compliance program. By regularly performing root cause analyses in response to compliance failures or near misses, you can identify trends, weaknesses, and gaps in your existing program. This allows you to make proactive adjustments and improvements, ensuring that your compliance program evolves to meet new risks and challenges.

Compliance is an ongoing process, and root cause analysis is key. By taking the time to understand why compliance failures happen, you can strengthen and improve your program over time. Don’t wait for a major enforcement action to identify weaknesses in your compliance program—use root cause analysis as a tool for continuous improvement.

Building a Culture of Accountability

Finally, one of the most important benefits of conducting a root cause analysis before remediation is that it fosters a culture of accountability. When employees see that the company is taking a thoughtful, thorough approach to addressing misconduct, they’re more likely to trust the compliance function and adhere to ethical standards.

In the Deere case, the company’s failure to identify and address the root causes of Wirtgen’s corrupt practices could have contributed to a culture where employees felt that bribery was tolerated or encouraged. By contrast, companies emphasizing accountability and transparency in their root cause analyses send a clear message: misconduct will be thoroughly investigated, and systemic issues will be addressed.

Building a strong culture of compliance starts with holding people—and processes—accountable. Root cause analysis helps you identify the individuals responsible for misconduct and the broader systems and structures that allowed it to happen. This accountability, in turn, strengthens your compliance culture and reinforces your company’s commitment to ethical behavior.

The Deere FCPA enforcement action powerfully reminds us of the importance of conducting a root cause analysis before proceeding with remediation. Companies need to understand why misconduct occurred before implementing superficial fixes. By taking the time to perform a thorough root cause analysis, compliance professionals can ensure that their remediation efforts are comprehensive, effective, and designed to prevent future violations.

Remember, root cause analysis isn’t just a best practice, as the DOJ has now noted several times in several places and through several different media; it is a regulatory expectation. It’s also a critical tool for improving your compliance program, building a culture of accountability, and protecting your company from future compliance failures. This means that before you rush to fix the problem, ensure you understand it first. Only then can you design a remediation plan that addresses the cause of misconduct and sets your company up for long-term success.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Lesson from The John Deere FCPA Enforcement Action – Root Cause Analysis for Remediation

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we review why a root cause analysis is the first step you should take before you begin the remediation of your compliance program.

Categories
Blog

Root Cause Analysis Lessons from Star Trek: The Corbomite Maneuver

Last month, I wrote a blog post on the tone at the top, exemplified in Star Trek’s Original Series episode, Devil in the Dark. Based on the response, some passionate Star Trek fans are out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance program set out in the FCPA Resources Guide, 2nd edition. Today, I conclude my two-week series, looking at the Hallmarks of an Effective Compliance Program laid out by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the FCPA Resources Guide, 2nd edition.

Today, we look at lessons learned about performing and using root cause analysis. When it comes to compliance, organizations often find themselves in situations where they need to identify the root cause of a problem and implement corrective actions. In the world of Star Trek, we see many parallels that reflect these real-world challenges. One episode that stands out as a case study for root cause analysis (RCA) is The Corbomite Maneuver. This episode highlights the importance of RCA in high-pressure situations and illustrates how creative problem-solving can avert disaster.

In this episode, Balok, a mysterious and potent alien ship, comes into contact with the USS Enterprise. After ignoring warnings to leave the area, Balok holds the Enterprise captive and declares that he will destroy the ship. With this dire situation, Captain Kirk concocts a bluff, claiming that the Enterprise has a fictitious device called “Corbomite,” which would destroy any attacker who dares to fire upon it. The bluff works, and the crew discovers Balok is testing their reactions to evaluate their character. “The Corbomite Maneuver” narrative can be seen as a metaphor for conducting a root cause analysis in compliance. Here’s how the process unfolds:

Lesson 1. Problem Identification

The episode’s main issue is clear: an unknown alien force threatens to destroy the Enterprise. Problem identification is the RCA’s first and most critical step for compliance professionals. It involves recognizing and clearly defining the issue at hand. In a business context, this might be a regulatory violation, a product defect, or a failure in operational procedures. Here, the crew initially interprets Balok’s actions as hostile, similar to how one might react to symptoms without understanding underlying causes.

Lesson  2. Data Collection and Analysis

Kirk and his crew collect as much information as possible about the situation. They analyze Balok’s actions, study the alien ship, and assess their capabilities. Data collection in RCA involves gathering all relevant information related to the problem. This can include process logs, employee testimonies, incident reports, and more. Captain Kirk employs a methodical approach, gathering information about Balok and the alien ship, reflecting the critical root cause analysis stage.

Lesson 3. Cause Identification

Kirk realizes that Balok’s apparent hostility and the lack of communication and understanding between the two parties are the root causes of the threat. He deduces that Balok might be testing the crew rather than genuinely intending to destroy them. In RCA, identifying the root cause involves digging deeper than the immediate symptoms of the problem to uncover the underlying issues.

The Enterprise crew gathers as much information as possible about Balok and the alien ship before taking action. They analyze the alien’s behavior, the ship’s capabilities, and the possible motivations behind the encounter. This data collection and analysis helps them form a clearer picture of the true nature of the threat. Effective root cause identification requires gathering all relevant data and thoroughly analyzing it. This includes understanding the context, collecting facts from different sources, and piecing together a comprehensive view of the situation.

 Lesson 4. Solution Development

In the episode, Kirk’s solution is to bluff, creating the illusion of the Corbomite device. This solution is based on his understanding of the situation and the likely behavior of the opponent. Similarly, once the root cause is identified in RCA, the next step is to develop and implement a solution that addresses the cause directly. Kirk’s bluff is a calculated risk, and he monitors the situation closely to see how Balok will react. In RCA, implementing a solution is not the final step; it must be followed by monitoring to ensure that the problem is truly resolved and that no new issues arise.

Lesson 5. Continuous Improvement

At the end of “The Corbomite Maneuver,” the Enterprise crew learns that Balok is testing them, and they use this experience to understand better how to handle similar situations in the future. RCA should always conclude with a review of the process to identify what was learned and how similar issues can be prevented in the future. After the episode, the crew reflects on their encounter with Balok and the lessons learned from the experience. This reflection is essential in compliance as well.

Continuous improvement relies on regular review and reflection on past actions. Post-incident reviews, audits, and assessments should be conducted to identify what went well and what didn’t and how the organization can improve its compliance posture in the future. Learning from successes and failures is key to building a robust and effective compliance program.

The Corbomite Maneuver also highlights the importance of creativity and leadership in the RCA process. Kirk’s decision to bluff with the Corbomite device is not a conventional solution. Still, it reflects his deep understanding of human (and alien) psychology and his ability to remain calm under pressure. In compliance, leaders must often think outside the box to effectively identify and address root causes. This might involve bringing in cross-functional teams, using new analytical tools, or rethinking established procedures.

Moreover, leadership is crucial in ensuring the RCA process is thorough and the solutions are implemented effectively. Just as Kirk takes personal responsibility for the safety of his crew, compliance leaders must ensure that RCA findings lead to fundamental, actionable changes within their organizations.

This episode provides a powerful narrative that can be applied to root cause analysis in compliance. Organizations can navigate the complex challenges they face by following the steps of problem identification, data collection, cause identification, solution development, implementation, and continuous improvement. The episode also reminds us of the importance of creativity, leadership, and calmness in the face of adversity—essential for any compliance professional aiming to protect their organization from risks and ensure long-term success.

In the end, the lesson from Star Trek is clear. Whether navigating the vast reaches of space or the complex world of corporate compliance, understanding the root cause of a problem is the key to finding lasting solutions and boldly going where no one has gone before.

Categories
FCPA Survival Guide

FCPA Survival Guide: Step 4 – Root Cause Analysis

How can you survive an FCPA enforcement action? In this special podcast series, Tom Fox and Nick Gallo outline the Top 10 things you can do to reduce your overall fine and penalty, perhaps down to a complete declination. All of the actions you can take come from recent DOJ prosecutions under the FCPA and speeches from DOJ representatives. This podcast, sponsored by Ethico, is the companion series to the book The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action. Today, we discuss the DOJ requirement that your remediation begins with a root cause analysis.

In this episode, host Tom Fox and co-host Nick Gallo discuss the importance of conducting a root cause analysis in compliance programs, particularly in light of the recent FCPA enforcement actions highlighting its significance. They use SAP’s approach to root cause analysis as a prime example of effectively identifying and remedying the underlying causes of compliance failures rather than merely addressing symptoms. They relate the human tendency to stop at superficial answers and the importance of discipline in continually asking ‘why’ to uncover true or ‘root’ causes. This approach satisfies regulatory expectations and builds a robust compliance program to prevent future violations. They underline the importance of storytelling in compliance, framing the root cause analysis and subsequent remediation efforts in a narrative that resonates with internal and external audiences, including regulators.

Key Highlights and Issues:

  • The Importance of Root Cause Analysis in Compliance
  • Human Nature and the Challenge of Deep Analysis
  • DOJ’s Expectations
  • The Art of Storytelling in Compliance

 Resources:

Nick Gallo on LinkedIn

Ethico

The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Sunday Book Review

Sunday Book Review: May 19, 2024 Books on Root Cause Analysis Edition

In the Sunday Book Review, Tom Fox considers books that would interest the compliance professional, the business executive, or anyone who might be curious.

It could be books about business, compliance, history, leadership, current events, or anything else that might interest me.

In today’s edition of the Sunday Book Review, we look at some of the top books on root cause analysis you should read.

  • The New Science of Fixing Things by David Hartshorne
  • The Root Cause Analysis Handbook by Max Ammerman
  • Root Cause Analysis: The Core of Problem Solving by Duke Okes
  • Root Cause Analysis: Improving Performance for the Bottom Line  by By Mark A. Latino, Robert J. Latino, and Kenneth C. Latino

For more information on Ethico and a free White Paper on ROI for your compliance program, click here.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 4, Start with a Root Cause Analysis

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 4, Root Cause, Risk Assessment, and Gap Analysis. Your remediation should begin with a root cause analysis. From there, move on to a risk assessment and gap analysis, and then you are ready to start your complete remediation.

SAP

The SAP Deferred Prosecution Agreement (DPA) laid out the best example of how this works in practice. The DPA reported extensive remediation by SAP, and the information provided in the DPA is instructive for every compliance professional. SAP engaged in a wide range of remedial actions. It all started with a root cause analysis. Root Cause analysis was enshrined in the FCPA Resource Guide, 2nd edition, as one of the Hallmarks of an Effective Compliance Program. It stated, “The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigation’s structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”

This means a company should respond to the specific incident of misconduct that led to the FCPA violation. This means your organization “should also integrate lessons learned from misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.” The SAP DPA noted that SAP engaged in the following steps based on these factors:

1. Conducted a root cause analysis of the underlying conduct, then remediated those root causes through enhancement of its compliance program;
2. Conducted a gap analysis of internal controls, remediating those found lacking;
3. Undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process”;
4. SAP documented using “comprehensive operational and compliance data” in its risk assessments.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct and remediate those causes promptly and appropriately to prevent future compliance breaches. This SAP did it during its remediation phase.

Albemarle

Albemarle also received credit “because it engaged in extensive and timely remedial measures.” This remedial action began based on the company’s root cause analysis of its FCPA violations.
This root cause analysis led to a risk assessment, which led to remediation. All of these steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it.

ABB

ABB also did an excellent job in its remedial efforts. According to the ABB Plea, ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and following a root-cause analysis of the conduct,” which led to the FCPA enforcement action. More on the ABB remediation later.

Each entity worked diligently to rebuild its compliance programs from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company builds out a program based on its own risk, there is quite a bit of guidance you can draw from if your company finds itself in this position.

Here, the DOJ communicates that your remedial measures should start with a root cause analysis of the FCPA violation. From there, move to a risk assessment and internal control gap analysis to create a clear risk management strategy.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 31 – Using a Root Cause Analysis for Remediation

The 2023 ECCP re-emphasized the need for both performing a root cause analysis but equally importantly using it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.” It went on to state, what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.”

When you step back and consider what the DOJ was trying to accomplish with its 2023 ECCP, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

 Three key takeaways:

1. The key to using a root cause analysis is objectivity and independence.

2. The critical element is how did you use the information you developed in the root cause analysis?

3. The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.

Categories
Blog

Using a Root Cause Analysis for Remediation

The 2023 ECCP re-emphasized the need for both performing a root cause analysis but equally importantly using it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”

It went on to state, what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk”).” The following questions were then posed:

Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?

Prior Weaknesses—What controls failed? If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?

You should begin with the question of who should perform the remediation; should it be an investigator or an investigative team which were a part of the root cause analysis? Jonathan Marks, believes the key is both “independence and objectivity.” It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse”. Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

Marks further noted that the company may also have deficiencies in internal controls. More importantly, the failure to remediate gaps in internal controls “provides the opportunity for additional errors or misconduct to occur, and thus could damage the company’s credibility with regulators” by allowing the same or similar conduct to reoccur. Finally, with both the 2023 ECCP and FCPA Corporate Enforcement Policy, the DOJ has added its voice to prior SEC statements that regulators “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”

As required under the 2023 ECCP, from the regulatory perspective, the critical element is how did you use the information you developed in the root cause analysis? Every time you see a problem as a CCO, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step processes, in which one process can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its 2023 ECCP, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

Categories
Blog

What is a Root Cause Analysis?

One of the biggest changes in the 2020 FCPA Resource Guide, 2nd edition, is the addition of a new Hallmark, entitled, Investigation, Analysis, and Remediation of Misconduct, which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

There are many interesting aspects to this Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response,”. Now beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged, your investigation protocol should kick in with a detailed and effective investigation that is completed in a reasonable time and provide a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis. This builds upon several sources.

The 2023 ECCP also raised the following questions under “Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”

Well known fraud investigator Jonathan Marks, partner at BDO, defined a root cause analysis as “research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”

However, there is no one formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process which includes:

Step 1: Identify possible causal factors. Using the incident(s) to identify causal factors—things that cause or contribute to the compliance failure. It includes asking such questions as:

• What sequence of events leads to the problem?

• What conditions allow the problem to occur? [e.g., traditional values and practices]

• What problems co-exist with the central problem and might contribute to it? [e.g., lack of health facilities]

• Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the root cause. To find root causes—the primary sources of the compliance violation—start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify communication challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.

Step 4: Prioritize compliance challenges. If root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider:

• The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.

• How difficult it will be to reach the audience associated with the compliance failure.

• The mandate attached to the funding.

• If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com believe this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “Five Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which assists you to formulate the issue or problem. Then begin asking, “Why?” Ask why the compliance failure occurred write the answer down below the problem. But do not stop there if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five whys.”

Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”