From the DOJ Evaluation of Corporate Compliance Programs

Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?

A root cause analysis should be a method to learn more about your business process and what went wrong so that the systems and process itself can be changed because there is a thinking in the field which basically centers around the theme of, unless you have changed the process, then you’re going to keep getting similar or the same results. The process is going to deliver whatever it delivers, whether that be right, wrong, or indifferent. Until you change the process and the systems, you can basically expect that you’re going to have some sort of output that is going to repeat itself over and over again. Finding blame does not necessarily help and really you want to get deeper into those root causes. The reason it is monikered “root cause analysis”, is to emphasize the need to drill down below the superficial pieces of the framework to fix, and into the things that are actually driving the outcomes and the behaviors.

As Mike Volkov has noted, “The first question is relevant in those circumstances when the company is responding to misconduct that results in a government investigation. However, I think the questions asked provide important insights when a company suffers misconduct that does not result in a government investigation. Companies often face situations where they discover misconduct, impose discipline and remediate the problems discovered and then move on. This happens more often than misconduct resulting in a government disclosure or a government investigation. In either case, the questions are certainly relevant. The questions appear to be fairly basic but depending on the circumstances can be deadly accurate in pointing out compliance deficiencies. A “root cause” can implicate not only employee misconduct or failure to exercise proper oversight, but can extend to such issues as a company’s culture, tone-at-the-top and other issues with significant implications for the company’s operations. It is too easy to blame a rogue employee, a concept that has neither relevance nor significance to legal and compliance practitioners who understand how compliance programs work.”

When root cause analysis is done correctly and utilized as a part of your remediation strategy going forward, it principally is there in order to develop preventive actions. A preventive action is something to prevent recurrence of the problem. You can correct with a corrective action, but the ultimate goal is to engineer out or fix the system and processes so you do not have the opportunity for that flaw to occur again.

Another way to consider it, as stated by Ben Locwin is “We have a problem. Let’s not run away from it. Let’s embrace it.” What you are really doing is looking at your program from the inside out. Locwin advocates beginning with such questions as “What can we do better? What can we do next?” He went on to explain “you’re looking for examination from an external and not an internal prospective. Internal perspectives tend to follow along the quotas. If you always do what you always did, then you’ll always get what you always got.” He went on to say “continuous improvement approaches benefit most from” its “frequent exposures to radical change.”

It is the willingness of a company to look at itself that is the key to continuous improvement. Locwin said that while “typically these things come from external pressures and not from internal, incremental changes. If yo