On this episode of the Tom Fox podcast, Tom visits with Jonathan T. Marks, CPA, CFE, on how to perform a root cause analysis and how to use it in the remediation phase of a best practices compliance program. One new and different item was laid out in the Evaluation of Corporate Compliance Programs, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance: the performance of a root cause analysis for any compliance violation which may have led to a self-disclosure or enforcement action.
One prong of the Evaluation of Corporate Compliance Programs (Evaluation) which was not present in the Ten Hallmarks of an Effective Compliance Program is root cause analysis. This addition was also carried forward as a requirement in the Department of Justice’s (DOJ’s) new FCPA Corporate Enforcement Policy (Policy).
Tom Fox discusses using the results of a root cause analysis in remediating a compliance program.
Under Prong 1, Analysis and Remediation of Underlying Misconduct, the Evaluation stated:
“Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis?” The Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”.
I begin with who should perform the remediation: should it be someone, or a team, that was or was not part of the root cause analysis? I put this question to well-known fraud expert Jonathan Marks, a partner at Marcum LLP, who believes the key is both “independence and objectivity”. It may be that an investigator is a subject matter expert (SME) and “therefore more qualified to get that particular recourse.” Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.
Marks also noted that if “the errors require some type of financial restatement the company may also have deficiencies in internal controls. More importantly the failure to remediate gaps in internal controls provides the opportunity for additional errors or misconduct to occur, and could damage the company’s credibility with regulators” and allow the same or similar conduct to recur. Finally, with both the Evaluation and the Policy, the DOJ has added its voice to prior Securities and Exchange Commission (SEC) statements that it “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”
Ben Locwin considered it from the ‘blame’ angle when he wrote, “Simply “cataloguing” and “assigning cause” to a defect or error is not compliance. Compliance presumes systems and processes are designed to adhere to regulatory pronouncements. Selecting “human error” from a dropdown list and assigning it as root cause means that user is accountable for having thoroughly investigated the causal factors of the error or defect, identifying and determining which root cause(s) are most likely, according to the preponderance of evidence, to have been associated with the defect.” This means not blaming some individuals and terminating them, but actually fixing the broken compliance systems which allowed the violation in the first place.
Locwin concludes by noting, “Stop blaming people for bad systems and processes. The people are the human capital that is actually doing the thinking and processing to generate profits for your company — unless there is data to suggest willful negligence or gross incompetence, then in that case address the talent development gap or termination. A nicely documented retraining of Alice or Bob isn’t going to improve successive outcomes on future iterations of the same work. Guaranteed. And I have plenty of data showing these sorts of human error interventions [retraining] are less than 5 percent effective at preventing recurrence of the problem.”
As required under the Evaluation, from the regulatory perspective the critical element is how you used the information you developed in the root cause analysis. Literally every time you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm done? Why or why not? Why did that system fail? Was it because the person doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions developed through a root cause analysis that you can bring real value and real solutions to your compliance program.
The key is that after you have identified the causes of problems, you consider the solutions that can be implemented by developing a logical approach, using data that already exists. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process, in which one step can confirm the results of another. Focusing on corrective measures for root causes is more effective than simply treating the symptoms of a problem or event, and will aid in having a much more robust solution in place. This is because solutions are more effective when reached through a systematic process with conclusions backed up by evidence.
When you step back and consider what the DOJ was trying to accomplish with its Evaluation, it becomes clearer what it expects from the compliance professional. Hui Chen, in an interview on the Radical Compliance podcast, made clear she wanted the Evaluation to cause Chief Compliance Officers (CCOs) and compliance practitioners to consider the structure of their compliance program and how it inter-relates with the company’s risk profile. When you have a compliance failure, you should use the root cause analysis to think about how each of the structural elements of your compliance program could affect how you manage and deal with that risk. Chen stated, “I would use the approach that I hope is consistently clear through the document is that the quest for thinking through what you want to accomplish, how you are gonna do it, who are you going to work with to accomplish those things, and how you measure the results, what data are you getting need to collect to inform your decisions along the way.”
You must not only perform the root cause analysis but use the information you obtain to inform your compliance program going forward. As much care as you put into performing your root cause analysis should be put into using the findings for remediation.
Marks also discussed that there may be more than one root cause, and that’s OK, right?
IIA PA 2320-2: Analysis and Evaluation – Root Cause Analysis notes: “The internal auditor may, in some cases, provide multiple conclusions of fact along with multiple scenarios for management to consider as the root cause of an issue. In these circumstances, value provided by internal audit is the independent and objective evaluation and presentation of various data and analyses from which management may draw a conclusion on the most probable root cause.”
Marks uses the three lines of defense (sometimes modified) as a tool for the audit committee and management when explaining the key causal factors, generic causes, and the root cause(s), and how they might be linked to the breakdown or fraud. Marks calls this “visual guilt.”
Marks also provided an example:
Let’s say that you find an error in a policy and procedure. Did that error cause a fraud to occur?
Of course, you would immediately fix the error, right? But would you ask: why was the error not picked up, and allowed to exist for the two years since the policy was released?
Wasn’t there a quality control process, or a policy on policies? Why didn’t the stakeholders who read and used the policy and procedure in the past report the error they spotted (assuming that this is the first time there was a fraud and the policy and procedure had been used before)?
You might find that there is an ineffective quality control process or the quality control process isn’t being performed. You might find that stakeholders had previously reported the problem but it had never been fixed. You might find that culture is so poor the stakeholders simply don’t care.
If you find there is a generic cause, you then have to think about all the other procedures that might have similar problems and how to best remediate.
So when a fraud occurs, there are probably multiple mistakes that were made (multiple causal factors), multiple root causes, some generic causes, and lots of corrective or remedial actions that could improve the control environment and deter or prevent future frauds.
That all being said, Marks still searches for that one domino that fell and started the chain!