
Conduct & Ethics

Root Cause Analysis in Internal Investigations: Getting to the Heart of the Problem

The process can be difficult, and prescriptive guidance is lacking, but the right analytical and remediation approaches can influence “tone from the top” and improve culture.

Friday, November 1, 2024

By Joanne Taylor


A well-executed internal investigation adds value to an organization by identifying weaknesses in the organization’s control environment and culture. Through effective root cause analysis and remediation, organizations can avoid repeat occurrences of similar issues – minimizing future risks, costs and reputational damage. As such, root cause analysis is an essential part of an investigator’s toolkit.

Although root cause analysis may sound easy, the process can be challenging, especially where corporate culture comes into play. Successful organizations tell stories – about their vision, their history and how they fix their problems. However, a simple “bad egg” narrative is a missed opportunity for valuable improvements. Furthermore, such a narrative will not pass muster with regulators in situations where the organization must prove it has “reasonable procedures” to prevent wrongdoing such as bribery, corruption and fraud.

So, how should organizations sail these choppy waters without boiling the ocean?

The key is to get the basics right and navigate the corporate cultural complexities.

Nail the Basics

There is a lack of prescriptive guidance on how to conduct root cause analysis in internal investigations.

The international standard for conducting internal investigations (ISO/TS 37008) refers generically to the use of root cause analysis methods to arrive at the most appropriate remedial measures and improvements to ensure that the root causes are being appropriately, sufficiently and effectively addressed.

Internal investigators can employ classic root cause analysis methodologies, including:

  • “Five whys” approach: Ask “Why?” to receive more detailed information until the real problem becomes clear. Most root causes can be identified after five of these, but sometimes the problem reveals itself after two or 20 “whys”.
  • Fault tree analysis: Identify the primary failure and construct a flow chart beneath it of first- and second-level contributors to the problem. Work out the smallest combination of events that together would still cause the primary failure.
  • Cause and effect analysis (fishbone/Ishikawa diagram): Visually identify root causes by writing a problem in the middle of a diagram and drawing branches of possible categories and sub-categories of causes to identify relevant ones.
  • Process analysis: Look in detail at every component of an internal process, taking into account how they work individually and how they interact with one another, using visual aids and data.
  • Stacking: Applying several of the above methodologies to the same issue for a more holistic understanding.

There may be one or more root causes, and each should be backed up with definitive, factual evidence.

The three main categories of root causes are physical, organizational and human:

  • Physical causes – failure of a tangible material item 
  • Organizational causes – e.g., arising from an organization’s policies, procedures and controls 
  • Human causes – a deliberate action or inadvertent error, e.g., due to lack of knowledge, skills or misapplication of a rule

K2 Integrity’s Joanne Taylor: Causes, controls, and culture.

Even in straightforward root cause analysis, there will be an interplay between human error and controls effectiveness.

Take “fat finger error,” when a trader makes an inputting error in an order management system. He intends to place an order to buy 50 crude oil futures, but erroneously submits an order for 500,000. The primary cause of the incident is human error – a slip, since a frequently performed physical action has gone wrong. Root cause analysis identifies whether the organization’s controls – such as blocks, warnings and monitoring – were designed effectively to mitigate the risk of human error and, if so, whether they operated effectively in practice.

Embed the Protocol

Root cause analysis can go awry on sensitive matters, for example, when the investigation is into a senior executive, or where there is regulatory scrutiny. It is at this sharp end that root cause analysis is most valuable, but also most at risk of being railroaded, for example, due to stakeholder bias or a disinclination to tackle fundamental issues regarding corporate culture.

This can result in remediation steps which appear to be using a sledgehammer to crack a nut, whilst still not addressing the cultural root causes.

An example of a complicated scenario is BP – an investigation into a second round of allegations against the company’s CEO, Bernard Looney.

BP Case Study

In December 2023, BP dismissed CEO Looney over “serious misconduct” relating to his past relationships with colleagues. After an investigation, BP concluded Looney knowingly misled his fellow directors in 2022 when they sought assurances regarding his disclosure of past personal relationships with company colleagues and his future behavior.

BP said it had received and reviewed allegations from an anonymous source relating to Looney’s personal relationships with colleagues in May 2022. At the time, BP said Looney disclosed a small number of “historical relationships” with colleagues prior to becoming CEO, and BP found no breach of company conduct.

Further allegations subsequently came to light, and BP began a further investigation into the new claims with external legal assistance, according to the company. In response, Looney told the board that he “was not fully transparent in his previous disclosures,” leading to his termination.

BP has not published its investigation findings. However, the company announced in June 2024 that, following a review which included peer benchmarking, all 90,000 employees will have to disclose intimate relationships with colleagues or risk losing their jobs. Previously, employees had to disclose relationships only if they thought there was a potential conflict of interest. Further, the top 4,500 managers have three months to report all the intimate relationships they have had in the past three years.

In high-stakes investigations, a policy design change can seem an easier and more impactful fix than ensuring operating effectiveness of an existing policy, particularly where the existing policy involves an element of subjectivity. Yet most companies’ codes of conduct rely on employees exercising good judgment – doing the “right thing” – assisted by examples or case studies.

Further, a policy change still needs to be operationally embedded, for example, through training and monitoring. In this kind of scenario, a robust root cause analysis will determine whether the policy design was effective and whether there were other contributory factors resulting in the initial investigation findings; for example, was there a well-designed protocol for handling allegations against senior management, and was it followed? Was there a cultural perception that policies might not apply to senior management in the same way as other employees?

The Culture Challenge

Poor organizational culture is at the heart of many incidents which have landed organizations in hot water. Arguably, poor organizational culture is not a root cause in its own right. Cultural issues are caused by a range of organizational and behavioral factors. Norms – unwritten rules of behavior – often develop over time. Where culture is under the microscope, root cause analysis can facilitate higher-impact remediation outcomes which improve the overall corporate environment.

To conclude: The costs and effort of internal investigations can be offset by the value added to organizations through effective root cause analysis. This is particularly impactful – and necessary – where organizations are experiencing repeat types of conduct issues, or recurring incidents in a particular line of business or region; there is an expectation from regulators that organizations can “join the dots” across multiple investigations.

Ultimately, effective root cause analysis can influence the “tone from the top” by helping the board understand how the organization’s embedded culture may negatively affect behaviors, and provide an impetus for meaningful change. 

 

Joanne Taylor, a senior managing director at K2 Integrity, has 20 years of legal, investigations and financial crime compliance experience. This includes fraud risk management, anti-bribery and corruption, regulatory enforcement and fraud investigations experience working within the financial and legal services industries. Before K2 Integrity, she was at Deutsche Bank as managing director, global deputy head of anti-fraud, bribery and corruption (ABC), responsible for global ABC strategy, programs and framework efforts, which included governance, policy, remediation, training and awareness, risk assessment, reporting, and whistleblowing, as well as fraud detection and monitoring strategy. She regularly engaged with board members and senior management, regulators, regulatory monitors, and internal and external audit teams.

Laura Christopher contributed additional research. 





© 2024 Global Association of Risk Professionals