Compliance Root Cause Analysis

DOJ Guidelines encourage seeking independent evidence of root cause identification and remediation.

The Department of Justice (DOJ) has indicated that rather than merely reacting after compliance violations occur, organizations should prevent potential violations by identifying and correcting the root causes of misconduct. The DOJ’s position on utilizing root cause analysis is articulated in multiple guidance documents, including the FCPA Corporate Enforcement Policy and 2020 Evaluation of Corporate Compliance Programs. The latter discusses root cause analysis (RCA) in the context of analyzing compliance program effectiveness, and it indicates that prosecutors should consider questions such as the following when evaluating an organization’s responses to misconduct.

• Has the company undertaken an adequate and honest RCA to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future?
• Have the company’s investigations been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory managers and senior executives?
• To what extent is the company able to conduct a thoughtful RCA of misconduct and implement appropriate and timely remediation measure to address the root causes?
• What is the company’s RCA of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?
• What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis?

Compliance officers should consider the degree to which they could provide independent evidence of an effective RCA program to the DOJ. Although an RCA and general compliance investigation are different in their objectives, the processes are similar in that they both seek answers to the basic questions of who, what, when, where, why, and how. Rather than focusing on the incident and who was responsible, RCA involves identifying, defining, and understanding the fundamental cause of non-compliance that gave rise to a problem and applying corrective action to prevent reoccurrence. RCA can identify what happened, why it happened, and what improvements or changes are needed.

For more information on conducting RCA, contact Richard Kusserow at [email protected].

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.