Root cause analysis – part 2

Ahead of the new course I will be running in 2015, here are some more reflections about the power of Root Cause Analysis (RCA).

In my first blog I gave a simple example of how easy it is to think that when you have arrived at a solution to an issue you have arrived at the Root Cause, when in fact the real reasons for the problem lurk below the surface.

Let's consider another example that arose during a session with a client who was looking to improve the impact of audit reports, in this instance in relation to an IS/IT audit.

Issue: IT security weaknesses
1st Reason: Configuration settings not updated for new systems
2nd Reason: IT security staff not notified of the new system

Again the solution seems simple – Audit should agree an action in which new system owners should notify the IT security staff of new systems.

However, if we dig further, sticking to the 5 whys approach (i.e. continuing to ask why whether or not we have found some preliminary solutions), we find the following:

Issue: IT security weaknesses
1st Reason: Configuration settings not updated for new systems
2nd Reason: IT security staff not notified of the new system
3rd Reason: Process for system “go live” does not include a step to notify the IT security staff
4th Reason: There is a preference to focus on business issues
5th Reason: Sign off before go live is not a full risk assessment

Here we see a deeper cultural and process issue about the way in which systems are signed off before go live. This is not just about a specific IT security sign off – it's about a broader process of assessing key risks before going live with a system and also a mindset of considering a range of risks. It also raises questions about the IT function's ability to assert its authority.

In practical terms the solution may still be simple – the development of a process for signing off system readiness before go live – but underlying this, audit can be “on notice” that there are other cultural issues to pay attention to.

Further information about the Root Cause analysis course is provided on the Training and events section of the website.

Also see my ‘thought piece’: Culture: Surveys vs. Root Cause Analysis (PDF)
