Fundamentals of Investigations - Lessons Learned from Root Cause Analysis

It’s Monday morning and you’re late for work.  You comb hair, brush teeth, and then you see it – a growing puddle of water on the floor.  In a rush, you throw a towel on it, grab your jacket and head out the door—thinking only of the report your leader expects today. When you return home, the towel is soaked and water is now running across the floor.  Frustrated, you consider simply throwing another towel onto the growing pile. 

You do a bit of sleuthing and find a small hole in the wall where the steady trickle seems to originate. For a moment, you consider patching it—which would fix the problem for a short time, but could result in moldy drywall, an unhappy downstairs neighbor, and costly repairs by next week.

It’s time to call the landlord. She sends a plumber, who fixes a  faulty pipe in the shower.  No more towels on the floor. A happy downstairs neighbor. The problem is truly addressed.

You just experienced root cause analysis, the process of identifying and addressing the underlying cause of the problem—in this case a leaking pipe.  This analysis also led to corrective action—plumbing and drywall repair.

 

In a recent edition of Compliance and Ethics: Ideas and Answers, Rebecca Walker submitted an excellent article entitled, “Root Cause Analysis:  Driving Continuous Improvement.”   A particular quote resonates:  “While investigators and E&C teams have long considered remedial measures following violations, formal root cause analysis is not particularly common in the compliance world.”  No truer words were spoken.

We had the privilege last year of publishing for the Society of Corporate Compliance and Ethics a book entitled, “Fundamentals of Investigations, A Practical Guide.”    Joe Murphy, Editor of Compliance and Ethics: Ideas and Answers, suggested we take our fictional case study a step further, into the realm of Root Cause Analysis (RCA).

As a brief synopsis of the book, we focused on the report of employee Harris Smith, who contacted our ethics resource account.  He wrote, “In the last few months, my manager has started to harass me.  He micro-manages my daily activities, and it feels like I am the only person being singled out.  I believe this may be ongoing retaliation from an incident I reported last year.  Two months after that case ended, I received a poor performance evaluation.  It didn’t stop there.  Now, I feel I am being set up to fail.” 

We interviewed Harris and learned that he reported an issue last year in which a colleague was engaged in record falsification.  Investigation substantiated his concern and found that the employee’s leader, Joe Doe, knew about the record issue but failed to take action.  The employee was terminated and Joe Doe received a written reprimand and a one-week suspension. 

Harris believed that Joe, still stinging from the investigation and discipline last year, began retaliating against him.  Harris provided specific examples, including exclusion from critical customer meetings, denial of routine requests to attend conferences and other training opportunities, and demeaning comments about him to colleagues.  Investigation substantiated Harris’ retaliation and leadership concerns involving Joe Doe.               

Notwithstanding the outcome of the discipline process (led by Human Resources), what can the Ethics and Compliance organization do post-investigation? Does your organization have an established RCA process?  

After the discipline hearing, the Ethics & Compliance Officer might be inclined to simply close the case, announcing, “My work here is done!”  Yet there are important questions that remain unanswered at this stage.  Just because Joe Doe received discipline, there may be lingering issues at play in the work environment that present on-going risk for the organization.

We should ask these important questions as the investigation concludes:

  • Who were the stakeholders in the initial matter regarding records falsification and are they the same stakeholders in this subsequent report from Harris about retaliation? Have appropriate stakeholders been contacted?  What information did they share? What actions were taken after the initial investigation to ensure there were no systemic issues involved?  
  • Were any policies or standard operating procedures impacted by either investigation? Is existing policy clear on expectations and process?  Did the employee and/or Joe ignore policy or protocols?  Did the “falsification of records” result from an overt attempt to deceive or was it the result of poorly-crafted, miscommunicated, or misunderstood process or policy?   If the latter, what corrective action should be taken? 
  • Did Joe Doe act alone or was he supported (or even encouraged by) higher-level leadership involving the initial records falsification matter and the subsequent retaliation allegation? Was the falsification of records issue singular to Joe Doe (incidental issue) or was it part of a larger, systemic issue within the organization?  
  • Do the issues identified represent operational or cultural gaps? (Often, we find it is a combination.) Is a climate assessment of the work environment needed?  Should we review protocols for task or process gaps?
  • Was there an audit that resulted from the initial records falsification matter? If so, what were the results? If not, should there be an audit of process or policies?
  • Were any internal controls involved in the misconduct? If so, did they fail or were they bypassed or circumvented?  Did Joe use his access, authority or knowledge to work around any internal controls? If internal controls were lacking, we should address this as a root cause, with remediation action.
  • Were any changes made to process or policy, e.g. to prevent further record falsification? Perhaps a verification process requiring two approvers would safeguard against a repeat performance, in which the employee was able to falsify records that Joe Doe knowingly or carelessly approved. If changes were made, where are those changes documented and how are they being monitored?

Once you ask some of these questions and engage in the appropriate follow-up, you might prevent future issues from emerging which could result in disclosure, financial loss, and a loss of reputation and trust.

As we conclude, here are a few best practices regarding RCA and corrective action. 

  • During the course of an investigation, specific root causes and potential corrective actions might be identified; however, when it comes time to prepare your investigative report, use caution including these observations or recommendations in the same report that addressed the allegations against Joe Doe, and whether or not they were substantiated.

Why shouldn’t the RCA efforts and recommended corrective action be included in the report?  Glad you asked.  Should the matter be reviewed – externally or internally – this could raise questions or cast doubt on the investigation and the report summarizing it.  Imagine–in the rare but possible event of litigation–a defense attorney asks, “Georgina, it sounds as if the accountability for the violation didn’t rest solely on my client. Even your report notes systemic issues that contributed to this problem.”  Or they might ask, “Wendy, can you explain why this recommended corrective action was never taken?”  They might focus not on the issue at hand with Joe Doe and his own accountability for misconduct, but on issues ancillary to the findings that are best included under separate cover or process. 

  • Root Cause Analysis and any corrective action coming from RCA should be well- documented in your case management system—ideally within the original case record. This is distinct from including it in your stand-alone report of investigation which summarizes the allegations, investigative steps taken, and conclusion reached. 

Your case record should be a diary of all the issues and actions related to a case, whether or not they all make it into the report of investigation.  RCA should be well documented, perhaps in a log entry entitled, “Root Cause Analysis” or “Post-Investigative Action.”  In this way, you can document outcomes from the investigation that unfold after a case has concluded. 

With the report of investigation, you have identified and addressed the instant risk (Harris’ report about Joe), but with RCA you are also addressing all the contributing factors, to mitigate (and ideally prevent) future risk to your organization.

In your investigative toolkit, be sure to include Root Cause Analysis.  You’ll find this holistic approach mitigates and addresses current issues, can help prevent future (more significant) issues, and can lead to improvements in your compliance and ethics program.

Recent posts you may be interested in

Search the site

Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors

ECEI in Berlin

From ethical leadership to the growing impact of AI, the Berlin conference highlighted how rapidly the compliance field is evolving. Beyond the sessions, the real value was in the exchange

Read More »

Super Me?

I always wanted to be a superhero—someone who could stop harm before it happened and protect others from evil. I never imagined that working in compliance could make that dream

Read More »

Discover more from Compliance and Ethics: Ideas & Answers

Subscribe now to keep reading and get access to the full archive.

Continue reading