Root cause analysis

Resolving recurring problems, giving a clear understanding of how to improve risk and control culture, enabling internal auditors to add further value to the business, are just a few of the areas where it can offer support.

However, we must first establish what caused the incident, issue or control gap. Effective RCA distinguishes between three different types of cause: 

  • immediate cause – the thing that obviously led to the problem (eg the iceberg that struck the Titanic) 
  • the contributing causes – what led the problem to occur (the route taken by the Titanic, the speed of the ship and commercial imperatives that encouraged a northerly route at that time of year) 
  • the root cause(s) –  the factors that caused, or could cause, numerous issues to arise, not just the individual problem that occurred on this occasion (insufficient lifeboats, flaws in the bulkhead design, an overestimation of the ship’s resilience).

The people caught up in a problem should not be regarded as a root cause (eg the captain of the Titanic). Even if a person carries out a fraud (making them an immediate cause), proper RCA will invariably reveal problems in the processes and controls that allowed the fraud to be perpetrated in the first place. 

More than one cause

There will almost always be more than one root cause for a problem. There is likely to be at least one concerning ‘preventative’ controls and one regarding ‘detective’.

A useful tool to analyse potential causal factors or control gap is the ‘five-whys’ method. In order to set out the immediate and contributing causes for both preventing and detecting the issue, the internal auditor will need to collect the detailed facts and circumstances of what happened and why. 

Fishbone (Ishikawa) technique 

For some situations, the ‘five whys’ approach might be too simplistic; other RCA techniques include the logic tree, the fault tree and failure mode and effects analysis (FMEA). 

In an auditing context, slightly simpler techniques are popular, especially the fishbone (Ishikawa) technique. There are many types of fishbone diagram with different categories to prompt analysis, but importantly they all recognise that there can be multiple root causes for problems. 

The human factor

Some of the types of cause are relatively easy to understand – for example, unclear roles and responsibilities, poor information and communication, and a lack of resources or poor prioritisation. Other types of cause may be less familiar, especially in relation to ‘human factors’. 

Often people in business refer to ‘the control environment’, ‘the risk culture’ or ‘the tone from the top’ as causes for problems. But it’s important to drill down into specific human behaviour that might generate risks. 

This way of thinking about the behavioural and cultural causes of issues is well established in the nuclear, rail and aviation, and medical sectors. It focuses on the idea that human factors are not a cause in themselves – after all, people make mistakes, some people are corrupt, some people forget their training, etc. 

The human factor approach asks us to consider why the organisation didn’t consider the human factor properly when designing processes, training staff and implementing checks (such as segregation of duties and conflict of interests). 

Fully integrated

Obviously if there is a major loss or incident, an RCA will take place after the event. However, progressive RCA can be folded into day-to-day audit activities. This way, if you establish a control weakness or loss in an audit, you are well on the way to knowing its causes. 

It’s important that auditors don’t think they should just ‘audit as usual’ and ‘then think about root causes.’ This mindset means lots of opportunities to prepare the ground for an RCA will be missed as you carry out an audit. It also means that the audit process will be less efficient. 

Rather, consider root cause elements as you do an audit by folding in RCA questions and evidence gathering into work programmes. Some work programmes do this already, but some need adjusting so that they zoom in properly at the ‘cracks’ that may be the cause of control weaknesses. Contrary to what many may think, addressing root causes during an audit assignment will very often speed the assignments up. 

A step-change

RCA can help deliver a step-change in the insight that audit can bring, not simply because of the tools and techniques that it has to offer, but also because of the mindset shift it can encourage in the audit team. 

Use of a recognised RCA as part of the audit process can add value that others can see – for example in writing shorter more impactful reports (that combine causes) and offering greater clarity around audit themes (reasons why), so that remediation actions are more robust and repeat issues are less likely to occur. 

It is important that RCA insights are shared with managers and colleagues in risk, compliance, finance, IT and operations etc, as RCA can be an invaluable business tool to prevent things going wrong in the first place. 

James C Paterson is the director of Risk & Assurance Insights Ltd. He is the author of Lean Auditing and Beyond the Five Whys: Root cause analysis and systems thinking