A crash course in the key points concerning RCA for internal audit teams.
Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.
I’ve been running courses on root cause analysis (RCA) for over five years for the IIA across Europe as well as on an in-house basis. While this article provides a crash course in the key points concerning RCA for internal audit teams, it may also be of interest for those in risk, compliance and other functions.
The reasons for the growing interest in RCA are multiple:
- the 2017 IIA IPPF requirement that internal audit should be insightful, proactive and future focused
- an IIA practice advisory note that states that IA teams are failing to add value if they simply ask management to fix problems without addressing the underlying reasons that caused the problems to arise
- an increasing sense within audit (and risk and compliance) teams that they are seeing the same, or similar, issues over and over again (Groundhog Day)
- a growing interest in risk culture and a realisation that effective root cause analysis is an important ‘gateway’ into this area.
After a career in finance, my first serious interest in RCA came when I worked in HR, helping to make change programmes more successful. Later, when I was global head of internal audit for AstraZeneca, we became interested in lean/agile ways of working, which incorporate two key root cause techniques: the five whys and the Ishikawa (fishbone) diagram.
These techniques yielded a number of important benefits, the first being a clearer basis for writing shorter audit reports. For example, a dozen issues found might be due to just five root causes; if the findings are written in this way, action plans will be more impactful and address key issues, and internal audit will be able to write a shorter audit report.
Needless to say, this requires the audit team to be able to ‘take a step back’ in relation to what they have found and to learn how to combine issues, but I am seeing this become an increasingly common practice within audit teams.
First, we must be disciplined when we talk about what caused an incident, issue or gap; and robust RCA distinguishes between three different types of cause:
- the immediate cause – the thing that obviously led to the problem (i.e. the iceberg that struck the Titanic)
- the contributing causes – that ‘set the stage’ for the problem to occur (i.e. the northerly route taken by the Titanic, close to an icepack, the speed of the ship, the inadequate look-out arrangements and commercial imperatives that encouraged a northerly route in April, rather than, say, June or July) and then
- the root cause(s) – which are the causal factors that caused, or could cause, numerous issues to arise, not just the individual problem that occurred on this occasion (in the case of the Titanic, there were multiple root causes, including insufficient lifeboats, flaws in the bulkhead design and an underestimate of the risks that the ship faced (‘the ship will be unsinkable’)).
Second, individual persons who are involved in a problem should not be regarded as a root cause (as happened in the case of the Titanic, when the captain and look-out were blamed). Even if a person made a mistake, a proper root cause analysis will invariably reveal problems with the training, coaching and monitoring of the person who made the mistake. The ‘just culture’ framework (set out in the table immediately below) makes it clear how to think about individual errors, or frauds. Being too quick to blame people is symptomatic of a ‘scapegoating’ culture that will inhibit the ability to find real root causes.
Third, there will always be, at a minimum, more than one root cause for a problem in an organisation. In other words, the description ‘root cause analysis’ is slightly misleading; it should be root causes analysis! As a minimum, the root cause types will usually include two key ones: flaws with preventative controls and a problem with detective controls. In terms of the five whys technique, a good approach is the five whys, two legs method, illustrated in the attached diagram. Other techniques exist, including the three-way five whys approach, which seeks to look for the organisational/governance/systemic factors that led to an issue or governance, risk and compliance (GRC) gap.
Other root cause analysis techniques
Despite the use of the five whys as an RCA technique, the true ‘gold star’ approaches for root cause analysis are more sophisticated: the logic tree, the bow-tie approach and FMEA (Failure Mode Effect (Cause) Analysis).
They are good techniques to apply to critical risks/issues and investigations, but can be rather involved to work through. These techniques must still be complemented by the ‘why, why, why’ philosophy of the five whys technique, but they offer greater structure and often reveal the multiple ‘hairline cracks’, and how they are overlooked, prior to an incident arising (see James Reason’s ‘Swiss cheese model of risk failure’).
The fishbone (Ishikawa) technique
From a practical perspective, the fishbone (Ishikawa) technique is a useful compromise between the various five whys techniques and the ‘gold star’ approaches listed above. As with all robust RCA techniques, it explicitly recognises that there can be multiple root causes for problems. There are many types of fishbone diagram with different categories to prompt analysis. Classic categories include ‘people, process and equipment’, which originate from the early lean techniques used on production lines. However, I find that something more refined is better as an audit tool.
Over the years I have seen some using the McKinsey 7S framework or the COSO framework, but neither obviously ‘speaks’ to the common root causes found in audit assignments. Better ones, in my experience, are the Burke-Litwin model or a very good framework for the ‘causes of non-compliance’ from the US Department of Energy. Based on these, I have developed a fishbone framework with several clients, summarised in the diagram immediately below.
Note that whilst these root cause categories are generic, whether or not they actually apply to a specific incident, issue or gap will always depend on the specific, detailed facts and circumstances of that situation. You cannot assume these cause types will apply to every problem; rather, these are cause types that may often be found.
To illustrate this point with a specific issue I have seen on a number of occasions: if internal audit wants to say that a lack of resources is one of the root causes that led to an issue arising, it will be vitally important to have the detailed facts to back that up. In my experience, it is not unusual to see that a lack of resources is an important root cause of problems.
However, if you look at the detail of what happened you may find that it’s not a lack of resources, per se, but about poor prioritisation in the context of limited resources and/or not being open about resource challenges/prioritisation dilemmas to more senior managers. In all circumstances, getting clear evidence will be key to doing effective RCA and getting any conclusions accepted by management.
An important tool for speeding up assignment delivery
Note that, contrary to what many may think, carrying out a root cause analysis during an audit assignment should not slow things down. Indeed, it will very often speed things up, which was a welcome surprise when we adopted the lean auditing techniques in AstraZeneca. The reasons for this are multiple, but include:
- effective use of RCA techniques can prompt the audit team to ask different questions than might be planned in a standard work programme. It will often encourage the audit team to uncover potential root cause drivers as an audit assignment progresses, rather than leaving these until the end of the assignment. The overall result, when issues are uncovered in an audit, will be a clearer sense of what might be the immediate, contributing and root causes
- a root cause mindset can encourage the use of a ‘working hypothesis’ as audit assignments are planned and executed. A working hypothesis tries to leverage intelligence gathered and use this to prioritise the areas of focus during the assignment. Many audit teams do this to some extent (e.g. when checking for transactions just below a critical financial authority level, or at particular times), but a root cause mindset allows auditors to think of, and look for, key weaknesses early on. This technique is discussed in greater detail in the ‘Lean Auditing’ book and actually mirrors a McKinsey consulting technique: ‘always have an initial hypothesis’.
It should be clear that RCA can help deliver a step change in the insight that internal audit can bring, not simply because of the tools and techniques that it has to offer, but also because of the mindset shift it can encourage in the audit team. The most popular RCA technique with the audit teams I have worked with is the five whys, two legs approach.
However, the fishbone technique has many advocates and allows for the development of appropriate categories so that:
- audit can write shorter, more impactful reports and
- audit themes can be reported to the board and senior management.
A few final remarks:
- note that commonly used phrases such as ‘poor tone at the top’ and ‘weak risk culture’ are not really true root causes when using one of the key RCA techniques, rather they are abbreviated terms to discuss a collection of other more specific root causes
- using RCA techniques, it is possible to better describe, in detail, specific factors and patterns that may be leading to repeated issues. Therefore, RCA is an invaluable tool for those internal audit functions that want to look at risk culture, sub-cultures and behaviour. (A requirement for IA functions in financial services in the UK.)
- some of the issues that RCA may uncover can be rather sensitive to senior managers (e.g. challenges with resources and priorities, or unclear roles and accountabilities) and therefore care has to be taken in the timing and manner of sharing root causes to avoid a cultural backlash, as audit brings up ‘no go’ topics
- in addition (and outside the scope of this article), effective root cause analysis will force IA teams to revisit their traditional action recommendations and realise these need to be changed and strengthened; this includes paying greater attention to progress in implementing actions (with milestones along the way) and thinking about the evidence/metrics that will demonstrate actions have been properly implemented (aside from any audit follow-up checks).
In summary, I hope you can appreciate why this is an area that is growing in importance and will be encouraged to learn more about these techniques and implement them to good effect.
As one of my clients said to me recently – having implemented these techniques two years ago – ‘I know I’m onto something with this root cause analysis approach, because I’m bringing up some important top table issues, and starting to out-manoeuvre, but also irritate, some of the more old-fashioned managers who have been set in their ways for years!’
James C Paterson, CIA, is the director of Risk & Assurance Insights Ltd.
He is the former chief internal auditor for AstraZeneca PLC, was head of global leadership development programmes, and head of group financial reporting. He has been training and consulting since 2010 and does open training for 12 of the Institutes of Internal Audit in Europe as well as in-house training and consulting. He has been a speaker at three international internal audit conferences and was chair of the EU Internal Audit Service conference in 2017 and 2018. He is also the author of the book Lean Auditing, published by J Wiley in 2015.