Categories
Survive and Thrive

How to Perform A Root Cause Analysis


Scenario: After an ongoing investigation closes on a typical day in a CCO’s life, you wonder if there is anything else to do. After reading Tom Fox’s The Compliance Handbook – 2nd Edition, you learn that a root cause analysis is now one of the hallmarks of an effective compliance program.
What steps do you take, and how do you perform a root cause analysis (RCA)?
Key points discussed in the episode:
✔️ Investigations are often the trigger for a root cause analysis, but they’re not the same thing. In an investigation, you’re trying to prove or disprove an allegation. If you uncover wrongdoing, it is crucial to continue to seek the root of the problem.
✔️ Root cause analysis lets us figure out and find the source of the problem instead of only looking at the symptoms. Think of it like going to the doctor if you’re sick. You tell the doctor all of your symptoms, they ask questions and run tests and then, hopefully, find the source of why you’re sick, and then attack that. The same principle applies to compliance.
✔️ When looking at the root cause, look for circumstances that contribute to the compliance issue – and ask these questions! 

  • What led to this issue?
  • What conditions allowed this to happen?
  • What needs to happen to keep this from happening again?

✔️ Find the problem and fix the problem. Remediate and document your changes per the DOJ Guidance. 

  • We’re constantly growing and building our compliance programs, but addressing the root cause includes developing a measure of success – how will we know if the remediations we put into place worked? How will we measure progress?
  • Use the results of your RCA to remediate any issues you’ve found.
  • Carry the RCA findings forward in any related risk assessments – monitor that your remediations are working/and adjust if they aren’t
  • Update programs and processes to reflect the remediations – and don’t forget to TRAIN on anything new (including the context for the changes – tell employees WHY they should care, not that they should “just care.”
  • Once fully remediated (if possible), document the remediation and how that connects to improved processes moving forward.

✔️ Root cause analysis is fundamental. Since we know the DOJ wants compliance programs to be proactive instead of reactive, root cause analysis is one of the ways we can do that. If we know people are doing things they shouldn’t do – we need to know why? Is it a problem with our hiring? A lack of controls? Not enough training? Or do we have a culture issue? We need to look under the proverbial rug to find out why things are happening, not just how they happened.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.