Sadly, compliance programs (much like the people who run them) never achieve perfection. However, an effective program improves and evolves continuously (ideally, just as we humans do). And a program’s imperfections – the violations and near misses – offer some of the most valuable opportunities for growth (also true for humans). This is where root cause analysis (RCA) comes in. RCA identifies the underlying causes of compliance violations, enabling more effective remediation and program improvement. Without understanding root causes, remediation efforts risk addressing only symptoms, leaving organizations vulnerable to repeat failures. By shifting the focus from reactive fixes to proactively identifying and resolving systemic issues, RCA drives lasting improvement.
RCA is an area of significant opportunity for many organizations. While investigators and E&C teams have long considered remedial measures following violations, formal root cause analysis is not particularly common in the compliance world. This article explores the value of root cause analysis and how organizations might go about formalizing RCA processes.
I’ve also put together a two-page toolkit to illustrate key concepts from this article. You can find it HERE.
The Importance of RCA
Root Cause Analysis is the systematic process of identifying the underlying causes of incidents or issues. Its importance is well-recognized, including in the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (ECCP). The ECCP emphasizes that “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”[1] Prosecutors are instructed to evaluate the thoroughness of a company’s RCA process and the appropriateness of its remedial actions by asking, for example:
- What is the company’s root cause analysis of the misconduct?
- Were systemic issues identified?
- Who participated in the analysis?
- What controls failed?
- What changes were made and documented to reduce the risk of recurrence?
- How has the company addressed the root causes and missed opportunities?
RCA strengthens compliance programs by enabling meaningful remediation, driving systemic improvements, and fostering a culture of accountability and learning. RCA turns compliance violations into valuable opportunities for growth and improvement, transforming missteps into stepping stones for progress.
An Example
To illustrate the potential of a formal RCA process, consider this example: A procurement manager at your company failed to disclose an ownership interest in a supplier that was awarded a company contract.
Using the Five Whys technique, the violation could be analyzed as follows:
- Why did the procurement manager fail to disclose her ownership interest?
  → She didn’t believe it was necessary because she wasn’t the final decision-maker on the contract.
- Why did she believe disclosure was unnecessary?
  → She misunderstood the company’s conflict of interest policy and assumed it applied only to those with final decision-making authority.
- Why did she misunderstand the policy?
  → The conflicts of interest policy and training did not provide clear examples of indirect influence, such as recommending vendors.
- Why did the training lack clear examples?
  → The policy and training materials primarily focused on direct financial conflicts and overlooked scenarios involving indirect influence.
- Why were indirect conflicts not sufficiently addressed in policy and training?
  → The compliance program’s risk assessment failed to identify gaps in conflict-of-interest disclosures related to supplier relationships.
The root cause in this example is that the compliance program did not adequately address indirect conflicts of interest in its policies, training, and risk assessments, leading to a misunderstanding of disclosure obligations. By continuing to ask “why?” the analysis moves beyond the immediate issue of policy clarity to broader considerations, such as training effectiveness and risk assessment processes. Further probing could reveal deeper systemic issues, offering additional opportunities for strengthening compliance controls. (I also like to think of this method as Toddler Analysis. Anyone who’s spent time with a 3-year-old has experienced an impromptu RCA driven by an endless stream of “why?!”)
Formalizing RCA Processes
Organizations can strengthen RCA by embedding a structured framework for RCA into their compliance programs. A foundational step that can work well in this regard is establishing a dedicated RCA team or council composed of representatives from Ethics & Compliance (E&C), HR, Legal, Audit, Safety, and other relevant functions. It can also be very helpful to include the relevant investigator(s) in the RCA process, as they will likely have helpful information about the causes of the violation. This cross-functional approach assists in both ensuring thorough RCAs and facilitating buy-in with respect to the recommended remediation following the RCA. Ideally, significant recommendations flowing from the RCA process will be reported to senior leadership and the relevant oversight committee of the board of directors.
Potential Team Structures
There are two principal potential structures for an RCA council, each of which has benefits and disadvantages.
- Standing RCA Council: A standing council consists of the same members who meet regularly. A standing RCA council allows members to develop expertise in RCA, which can improve the quality of analysis over time. It can also be more efficient in that less time is spent coordinating and forming teams for each RCA. However, a standing RCA council may not always include the most relevant subject matter experts (SMEs) for specific issues (although a standing council can, of course, invite SMEs to participate in a particular review).
- Ad Hoc Teams: These teams are tailored to include SMEs relevant to a specific incident. While this ensures appropriate expertise, it may lead to coordination delays and limited RCA process familiarity among team members.
Developing an RCA Playbook
A playbook is important because it provides a standardized framework for conducting RCA, helping to ensure consistency and thoroughness. Key components include:
1. Framework for Determining Applicability
Clearly articulate a framework for which violations or near-misses will be subject to an RCA. Not all compliance violations will warrant an RCA, as the process requires an investment of time and resources, and – for some violations – the root cause may be apparent. Relevant criteria for determining when an RCA should be conducted include:
- Severity of the violation, including potential legal or regulatory consequences
- Frequency or pattern of occurrence
- Risk level
- Novelty or complexity of the issue
- Organizational learning opportunities
- Stakeholder expectations, such as those of the Board, leadership, or regulators.
By incorporating these criteria into a framework, companies can systematically determine when an RCA is appropriate, helping to ensure that only appropriate violations are assessed. Documenting these criteria will also help maintain consistency in decision-making.
2. Clearly Define the Issue Under Review
Clearly articulating the issue under review enables focused analysis and helps avoid overly restrictive or broad approaches. This clarity also strengthens the company’s ability to defend its remediation efforts.
3. Leverage Recognized Frameworks
To enhance credibility, it is preferable to apply a recognized RCA framework. Acceptable frameworks include the “Five Whys” technique and Ishikawa (fishbone) diagrams. The “Five Whys” technique uses iterative questioning to identify the root cause of a problem. A fishbone diagram is a visual tool that helps to identify potential causes of a problem. Both tools are simple techniques, but they are surprisingly effective at conducting RCA. In addition, the DOJ’s ECCP should be considered in developing the framework.
4. Highlight Positive Findings
Beyond identifying deficiencies, RCA can highlight effective program elements, helping to sustain critical controls.
5. Develop Actionable Findings
Effective RCA links root causes to specific remedial actions, emphasizing actionable and impactful solutions. This linkage is essential to demonstrate that the corrective action plan effectively encompasses significant root causes. Of course, it is then essential to document that the corrective action plan was actually fully implemented.
The Human Element
It can be helpful to recognize that people are often a contributing factor in compliance failures. An effective RCA will often analyze factors such as:
- Incentives and pressures.
- Inadequate training or lack of understanding.
- Managerial pressure or a culture discouraging reporting.
- Ability to circumvent or override controls.
- Lack of monitoring.
- Deficiencies in oversight.
Most RCAs should also assess the role of the relevant supervisor, specifically whether they failed to take reasonable steps to prevent or detect the violation—and, if so, what the root cause of that failure was. It is easy to overlook the Sentencing Guidelines’ directive that organizations must consistently enforce their compliance programs through “appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”[2]
As a rule, an RCA should avoid defaulting to “human error” as the root cause. Instead, it should delve deeper to uncover why individuals made certain choices and identify any systemic factors that may have contributed. Compliance failures often stem from a combination of issues, including deficiencies in policies, lack of awareness, inadequate oversight or monitoring, cultural issues, and external pressures.
Validation
Socializing RCA findings with key stakeholders, such as management and business leaders, ensures buy-in. Demonstrating the business benefits of corrective actions, like cost reductions or compliance risk mitigation, enhances support.
Ideally, company leadership and the board of directors will be briefed regularly on the RCA framework as well as findings and remediation for significant violations.
Documentation
RCA recommendations and their implementation should be documented in a case management system. Once you identify a weakness, it becomes crucial that the resolution is promptly implemented.
Leveraging Data Analytics
Data analytics can supplement RCA by identifying patterns and trends that are not immediately apparent. Useful metrics include:
- Sources of allegations and subject matter trends.
- Recurrence rates of similar incidents.
- Gaps in training participation or comprehension.
- Disciplinary actions by type, frequency, or region.
- Compliance hotline activity, such as spikes in reporting or inactivity in high-risk areas.
- Control failures correlated with specific business units, geographies, or processes.
- Audit findings linked to compliance violations.
Analytics also help prioritize incidents for RCA and provide data-driven insights to support conclusions.
Common RCA Pitfalls
To maximize the effectiveness of RCA, organizations should avoid:
- Focusing on symptoms: Addressing superficial issues instead of underlying causes.
- Poorly framed questions: Leading to incomplete conclusions.
- Ignoring culture: Overlooking the role of organizational culture in compliance failures.
- Over-reliance on data: Relying on data without context can be misleading. Understanding the context is crucial for drawing accurate conclusions.
- Inaction: Failing to translate findings into meaningful improvements and clearly document that this was done.
Conclusion
Root Cause Analysis is a powerful yet underutilized tool in compliance programs. By formalizing RCA processes, organizations can uncover systemic issues, enhance program effectiveness, and promote a culture of accountability and continuous improvement.
[1] Department of Justice, Evaluation of Corporate Compliance Programs (updated September 2024), available at https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl?inline=.
[2] Federal Sentencing Guidelines Manual § 8B2.1(b)(6) (emphasis added), available at: https://www.ussc.gov/guidelines/guidelines-archive/annotated-2021-chapter-8#8b21.