Guidance on Root Cause Analysis

The Public Company Accounting Oversight Board has published fresh guidance on how to perform a root cause analysis, for anyone out there who wants to understand the root of your problems. 

The guidance, published Tuesday, is geared toward audit firms rather than corporate businesses, so not all the advice in its nine pages will be directly relevant to internal audit or corporate compliance teams trying to hone your root cause analysis skills. (“RCA” the guidance calls it, because everything in our line of work needs an acronym.) Still, plenty of the advice is relevant to in-house teams when you look at it the right way.

For example, one running theme in the document was that audit firms should not take too linear an approach to root cause analysis, because that might lead you to misunderstand control failures that arise from multiple causes. As the PCAOB wrote in its bulletin, performing a root cause analysis “does not mean that only one factor is the cause of an issue or that there is a single solution. There may be multiple contributing causes that converge to cause negative quality events.” 

Also, golf clap for reframing mistakes and control failures as “negative quality events.” 

The PCAOB guidance also encourages organizations to take an open-ended approach to root cause analysis, so that you can consider more potential causes and arrive at the real truth rather than a final step in a fixed process. For example, be wary of using a risk-analysis tool that only lets you select potential causes from a pull-down menu or forces you to work through pre-populated fields. 

Such techniques are “too linear and limiting for complex problems, and these methods will not likely show the many intricate interrelationships between each cause and associated effect,” the PCAOB said. “The more thoughtful the analysis, the more likely a firm will identify the major causal factors.”

A Better Root Cause Analysis Approach

The trick for effective root cause analysis is how to balance that need for an open-minded approach with a disciplined process, so that all the root cause analyses you perform will achieve high standards of rigor and consistency. After all, that rigor and consistency is what you’ll want to demonstrate to regulators, should your company ever have a compliance failure and you’re trying to resolve the matter by building up an effective compliance program. 

The PCAOB had some advice on that front, too. 

First, create the right team. The PCAOB bulletin was primarily for audit firms, so it spoke about large audit firms often having a dedicated RCA team to investigate glitches in quality control. The equivalent in the corporate world would be an internal audit team, or (if your company doesn’t have an internal audit function) a designated task force that swings into action when a control failure happens. 

Regardless, the important question here is whether you have the right people on that team. As the PCAOB guidance noted, “A diverse RCA team promotes multiple perspectives and drives an in-depth understanding of causal factors.” So you might want to bring together compliance, internal audit, cybersecurity, or other functions in charge of risk management and control; and then loop in executives from the First Line of Defense as necessary.

Second, think about your data gathering processes and tools. Yes, tools can be useful for root cause analysis many times; but not all times, and certainly not as the only data gathering process you use. For example, consider how you’d conduct personal interviews: immediately after a control failure, while events are still fresh in memory; or after some period of time, to let participants gain a more objective perspective?

Compliance officers might be tempted to interject here, “Are you crazy? Of course you want to get to the bottom of things right away!” But that’s what you do during an investigation, which is not the same as a root cause analysis. A root cause analysis happens after the poop hits the fan, and even after all the poop is cleaned up. A root cause analysis is more about inspecting the walls and the plumbing to see how the poop ever backed up in the first place, so you won’t have that unpleasant experience again.

You’ll also need to think about the scope of your root cause analysis. For example, some audit firms perform an RCA on positive events, to understand what they did right. Then they compare that against audits with deficiencies, to help them understand what steps the firm could take for quality improvement.

That’s a great idea, one that internal audit teams should steal for their own purposes. Find some process or project that went exceptionally well, determine why it went so well, and then see whether you can replicate those underlying causes or conditions in other parts of the enterprise not going so well. 

Some Cheat Sheet Questions

The PCAOB guidance ended with numerous questions audit firms should ask themselves to assure that they develop the best RCA process possible. Not every one of those questions makes sense for other businesses, but with a tiny bit of imagination, several of them do.

  • Does the firm consider the objectivity and independence of the individuals performing the RCA?
  • Does the firm have enough experienced and skilled professionals trained in causal analysis techniques to perform RCA?
  • Does the RCA process include adequate causal analysis techniques that would yield an in-depth understanding of the wide range of potential contributing causal factors and their inter-relationships? 
  • Does the firm have well-defined guidance to allow for more robust and consistent analysis of deficiencies, to determine what went wrong and inform remedial efforts?
  • Does the firm monitor changes in causal factors for frequently occurring deficiencies, and consider how remedial actions should adapt to such changes? (I especially like this one.)

We should remember that root cause analysis isn’t just a nice-to-have item in the corporate compliance toolkit; it’s a must-have, per the Justice Department’s guidelines for effective compliance programs. Those guidelines specifically direct prosecutors to “consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.” (An effective root cause analysis even came up as a factor in helping SAP resolve its FCPA violations earlier this year.)

Root cause analysis is seldom easy to do, especially at scale and across a wide range of possible compliance and internal control failures. The more guidance we have about how to do it right, the better.
