Differentiating a Root-Cause Analysis from a Risk Assessment & Internal Investigation

One new item in the Evaluation of Corporate Compliance Programs, supplementing the 10 Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance, was the performance of a root-cause analysis for any compliance violation that may lead to a self-disclosure or enforcement action. Under Prong 1, Analysis and Remediation of Underlying Misconduct, the Evaluation asked:

  • Root Cause Analysis What is the company’s root-cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?
  • Prior Indications Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed? 

The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root-cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root-cause analysis) and, where appropriate, remediation to address the root causes.”

Simply put, a root-cause analysis is now required if you have a reportable compliance failure.

What Is a Root-Cause Analysis?

Initially you need to understand the difference between a root-cause analysis and a risk assessment. A root-cause analysis is performed after an incident occurs, so to that extent it is a reactive action rather than a proactive one.

As well-known fraud investigator Jonathan Marks has noted, a root-cause analysis “is a research-based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause, representing the source of the problem.” He contrasted this definition with that of a risk assessment, which he says “is something performed on a proactive basis based on various facts. A root-cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.”

Marks also contrasted a root-cause analysis with an investigation. He notes, “in an investigation, we are trying to either prove or disprove an allegation.” This means that in a compliance investigation you may be trying to prove or disprove that certain transactions could form the basis of a corrupt payment or bribe, by garnering evidence to either support or refute specific allegations. A root-cause analysis, by contrast, does not assign blame; that is its defining point. It is not about who did it, but why the compliance failure was allowed to occur.

Performing a Root-Cause Analysis

There are a number of different methods to perform a root-cause analysis. Two of the most common in the corporate setting are the Six Sigma “Five Whys” and the “Fishbone” (Ishikawa) diagram. The Five Whys instructs you to ask a series of “Whys,” ideally at least five. The reasoning is that the cause of one problem will often lead you to another question of why. Asking repeatedly will eventually bring you to the underlying problem, which is your root cause.

The Fishbone diagram positions the problem statement as the “head” of the fish and uses each of the “bones” to highlight one of several causal-factor categories. For instance, one bone could describe the processes in place, another the people, and another the environment. Viewed holistically, this diagram can surface connections that more linear thinking may overlook.

The bottom line is that there are multiple ways to perform a root-cause analysis. However, it is not simply a matter of sitting down and asking a multitude of questions. You need an operational understanding of how the business functions and how it has developed its customer base. Overlay on that an understanding of what makes an effective compliance program, together with the skepticism an auditor brings, so that you do not simply accept the answer you are given, as you might in an internal investigation. Marks notes, “a root-cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they're doing.”


Tom Fox is the author of sixteen books, including “The Complete Compliance Handbook,” in which you can learn more about the 10 Hallmarks of an Effective Compliance Program and the DOJ’s Evaluation of Corporate Compliance Programs.
