“If you don’t ask the right questions, you don’t get the right answers. A question asked in the right way often points to its own answer. Asking questions is the ABC of diagnosis. Only the inquiring mind solves problems.” – Edward Hodnett
When Edward Hodnett, author of The Art of Problem Solving, offered his thoughts on asking the right questions, he was, in effect, describing some of the fundamental principles of root cause analysis. Initially developed in the early 20th century by pioneering Japanese industrialist Sakichi Toyoda, root cause analysis today is one of the most widely practiced management and problem-solving techniques.
Yet despite its worldwide recognition, root cause analysis is often overlooked, short-circuited, ineffectively executed, or simply misunderstood in the context of fraud detection, deterrence, and remediation. Effective root cause analysis should be a critical component of every anti-fraud initiative, regardless of scope or area of focus.
DOJ Guidance Highlights Root Cause Analysis
Recent guidance from the U.S. Department of Justice (DOJ) has generated renewed attention to the importance of root cause analysis in the realm of fraud deterrence and ethics. In June 2020, the DOJ’s Criminal Division issued an updated version of its Evaluation of Corporate Compliance Programs guidance.[2]
The purpose of such guidance is to guide federal prosecutors in their decision-making. While it does not have the force of law, it provides a valuable road map that organizations can use to develop, update, and implement their anti-fraud and compliance programs. It also provides insights into what law enforcement and regulatory authorities regard as high priorities and risks.
An essential highlight of the 2020 guidance was the recommendation that investigators look for evidence that an organization is performing a root cause analysis for any compliance violation that could lead to a self-disclosure or enforcement action. It categorically declares that “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”[3]
One of the most often overlooked concepts of the root cause process, which the guidance highlights, is “appropriately addressing the root causes.” Too often there is unnecessary time and effort spent on trying to “eliminate” the root cause instead of “addressing” it. The goal of the root cause analysis is to not only identify the reason or reasons for a noted deviation in a process but to develop, implement, and execute an action to address the root cause and reduce the amount of risk.
It then instructs prosecutors to consider the answers to several probing questions in seven broad areas as they contemplate how to handle fraud or other noncompliance issues. Two of those categories and the questions prosecutors should raise relate directly to root cause analysis:
-
“Root Cause Analysis: – What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”
-
“Prior Indications – Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations [involving similar issues]? What is the company’s analysis of why such opportunities were missed?”
One month after that guidance was published, the DOJ and the Securities and Exchange Commission issued a major update to their joint publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, which incorporates the DOJ’s foundational guidance “Hallmarks of an Effective Compliance Program.”[4] In the section titled, “Investigation, Analysis, and Remediation of Misconduct,” that guidance states explicitly:
In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.[5]
Root cause analysis is a high priority among federal law enforcement and regulatory agencies, which means it should also be a top priority for those responsible for corporate compliance and ethics programs.
Root Cause Analysis: What It Is and Is Not
One leading online analytics and software company describes root cause analysis as a “collection of principles, techniques, and methodologies that can all be leveraged to identify the root causes of an event or trend.”[6] To put it another way, root cause analysis helps identify what and how an event occurred and why it happened. When we can determine why an event—such as a fraud incident or compliance failure—occurred, we can recommend workable corrective measures to deter similar events in the future.
It is essential to distinguish between root cause analysis, risk management, and anti-fraud tools, such as risk assessments and investigations. For example, root cause analysis is performed after an incident occurs, so in a sense, it could be considered to be a reactive activity, unlike a risk assessment, which is inherently proactive.
Yet, the distinction is not as simple as that. While root cause analysis does occur in reaction to a problem, its purpose is to detect or prevent future recurrences of the problem—a decidedly proactive objective. Also, it is worth noting that in many instances, root cause analysis may very well be addressing an issue that was previously identified through a risk assessment.
Root cause analysis is also distinct from a fraud or compliance investigation. The purpose of an investigation is to either prove or disprove a known allegation. For example, in a compliance investigation, investigators may be trying to prove or disprove that certain transactions could form the basis of a corrupt payment or bribe. They do this by gathering evidence to support or refute specific allegations, but the investigation itself does not assess blame.
That is the point where root cause analysis should follow to determine how the compliance failure occurred or was allowed to happen.
The most practical examples of root cause analysis generally take a research-based approach to identify the underlying source or reason for a problem or an issue—not just the proximate cause of the incident. For example, Thwink.org, a research organization focused on environmental and sustainability-related issues, offers an extensive online discussion of this concept. It explains its focus by noting: “The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.”[7]