Just as risk assessment is the bedrock for an effective compliance program, root cause analysis (“RCA”) similarly underpins successful remediation of compliance violations. The DOJ’s March 2023 Evaluation of Corporate Compliance Programs (“ECCP”) describes RCAs as a “hallmark” of an effective compliance program. Similarly, the DOJ Corporate Enforcement Policy requires root cause analysis and remediation to address the root causes to receive full credit for timely and appropriate remediation.
However, neither the government nor professional literature prescribes a method for conducting RCA of compliance violations. We suggest the practical steps below.
- Develop a Playbook. President Kennedy once said, “[T}he time to repair the roof is when the sun is shining.” And so it is with remediation and root cause analysis. A crisis is not the opportune time to develop a remediation and root cause policy. Recognizing that large companies are always remediating something, many mature compliance programs create a remediation playbook, including a root cause analysis process; some have appointed Chief Remediation Officers and established Remediation Offices to coordinate root cause analysis, corrective action plan development, and testing effectiveness.
- Form an Independent, Cross-Disciplinary Team. Remediation requires a cross-disciplinary team with company-specific and industry knowledge and expertise in developing and testing remediation and compliance programs. Some companies engage the same firm and team to conduct both the investigation and the remediation. A single team could prove more efficient if qualified to both investigate and remediate.
But beware of the pitfalls. Investigative expertise does not necessarily translate into remediation expertise, just as firefighting does not always make firefighters experts in fire safety. Single teams invariably delay remediation because investigators tend to want to complete the investigation before turning to remediation.
Using the same team also creates credibility issues. The root-cause analysis team should not include advocates or individuals reviewing their work. Nor should the team include anybody involved in the underlying misconduct (e.g., supervisors or coworkers who failed to report the misconduct). If maintaining attorney-client privilege is an issue, consider forming two attorney-led work streams: investigation and remediation, enabling counsel to waive the privilege to report on remediation while protecting the privilege for the investigation.
- Define the Issue(s). Many organizations fail to specify the RCA’s objectives. Detailing the issues, preferably written, safeguards against overly restrictive or broad scopes in the analysis. Spelling out the RCA objections also serves as a proactive measure for the company to defend its remediation in case of future compliance violations.
- Leverage Established Frameworks. To be credible, the team should apply a recognized process. Acceptable frameworks include the COSO Internal Control—Integrated Framework, COSO Fraud Risk Management Guide, Donald Cressey’s Fraud Triangle, Sakichi Toyoda’s Five Whys Technique, and Ishikawa Diagrams (also called fishbone diagrams). Companies subject to DOJ inquiries should consider the DOJ’s Evaluation of the Corporate Compliance Program and Corporate Enforcement Policy. Although these frameworks have their differences, they consider many of the same issues: corporate culture, motive, rationalization, entity and transaction-level control deficiencies, risk assessment, and internal audit and monitoring.
- Take Credit for Positive Findings. While the primary objective is identifying ethics and compliance problems, RCAs uncover positive facets that help companies defend the compliance program in effect during compliance violations and develop a corrective action plan.
- Draft Actionable Findings. Because the RCA findings inform the corrective action plan, the team must draft them in a way that establishes a direct connection between the remedial steps and root causes. This linkage is essential to demonstrate that the corrective action plan effectively encompasses all significant root causes.
- Risk Assess the Findings. Corrective action plans must remediate significant root causes, just as compliance programs must mitigate significant compliance risks. And the processes are nearly identical. Begin by identifying potential risks and scenarios arising from the root cause finding. Then, assess inherent risk based on likelihood and impact. Determine residual risk if inherent risk falls outside the risk appetite; finally, memorialize the risk response (e.g., determine the pervasiveness of violations, reduce risk through a corrective action plan, accept risk as is).
- Validation. Socializing the root cause analysis with key stakeholders is essential. Besides sharing the findings, offering management and affected business leaders a comprehensive overview of the process and the recommended corrective action plan is vital. And to gain buy-in, the remediation team must explain the business benefits of the remedial action (e.g., cutting costs, reducing revenue leakage, accepting)
Moving Ahead: Stay tuned for the next piece in this series, considering “Read Across,” which follows RCA in the remediation process. Read Across generally includes whether others in the organization engaged in similar behavior and if the perpetrators engaged in other misconduct. You can also find more information in our guide, “Meeting DOJ and SEC Post-Settlement Obligations: A Practical Guide.”
 DOJ, Criminal Division, Evaluation of Corporate Compliance Programs (2023)
DOJ, Criminal Division, Corporate Enforcement and Voluntary Self-Disclosure Policy (2023)
 John F. Kennedy, Annual Message to the Congress on the State of the Union. The American Presidency Project (1962)
 For an in-depth discussion of these frameworks, see J. Frank, Remediation, Litigation Services Handbook: The Role of The Financial Expert 5th Edition, Chapter 13a (2015)
 See, StoneTurn, Meeting DOJ and SEC Post-Settlement Obligations: A Practical Guide (2023)