Over the past 15 years working in the internal audit arena I have seen a growing interest in the topic of Root Cause Analysis (RCA). My involvement in the topic has evolved from using it as part and parcel of a “lean auditing” approach, to running RCA workshops and consulting advice across Europe. I was also responsible for helping the IIA UK to up-grade its guidance on Root Cause Analysis (published in 2015). Over the past 12 months I have delivered open and in-house courses in the UK, France, Norway, Switzerland and even Mauritius!
This post provides a refresher on this important topic with some key pointers to help you benchmark your current approach.
What is RCA?
RCA is about identifying why an issue occurred compared to simply reporting the issue, or its immediate, or contributing, causes. RCA techniques largely originate from lean disciplines and good techniques include the 5 whys, the Ishikawa/Fishbone diagram, the logic tree and Pareto analysis.
What role should Internal Audit have in RCA?
The IIA has a useful practice advisory (2320-2) on this topic:
“Auditors whose reporting only recommends that management fix an issue and not the underlying reason that caused the issue are failing to add insights that improve the longer-term effectiveness and efficiency of business processes and thus the overall GRC environment”.
It goes on to say:
“A core competency necessary for delivering insights is the ability to identify the need for RCA and, as appropriate, actually facilitate, review and/or conduct a root cause(s) analysis”.
Why effective RCA is not as straightforward as you might think
Consider an IT system implementation that was delayed and over budget: it can be tempting to:
- Blame External factors (“the IT contractor made things too complicated, adding time and cost”), or
- Find a politically acceptable reason for the problem (“the IT department didn’t manage the project so well”) or
- Adopt a fatalistic approach: “projects are always over budget and a bit late, it’s just one of those things”
In each case there is unlikely to be any real organizational learning because the underlying aim of such explanations is often to avoid being held accountable for what went wrong, and to close down any serious debate about what went wrong (which might not be popular in the organization).
When it comes to proper root cause analysis key challenges are:
- Assuming that the 5 whys technique is simple, when it can actually just lead down one pathway, when others factors may also have led to the issue;
- Having a proper understanding of how to combine the 5 whys technique with the other techniques, such as the fishbone and logic tree, which will help to reveal the broader roots of the issue;
- Assuming that when you have a concrete action to recommend that you have discovered the root cause, when you may be in fact only addressing immediate, rather than underlying causes; for example, simply stating that training needs to be provided ignores why the training did not happen in the past (and how to ensure it will take place in the future);
- Recognizing there will always be two root causes for any issue, not one:
- Why the issue arose and
- Why the issue was not detected
- Assuming that root cause analysis will slow down assignment delivery when in fact it can actually speed it up.
Why RCA is gaining an interest in audit
Apart from the fact that it is good practice to carry out robust RCA, once there is a proper understanding of how to carry out a root cause analysis, the approach will:
- Speed up assignment delivery (as part of a lean audit approach), since potential root causes will be more clearly under consideration from the start of an audit assignment
- Strengthen the insightfulness of what Internal Audit is finding, to genuinely improve processes and improve delivery
- Lead to shorter audit reports (because specific issues can be combined)
- Reduce the likelihood of repeat audit findings (since by definition the underlying issues that caused a problem to arise will have been addressed)
- Looking at the types of root causes and key trends concerning these will also help the audit team get a clearer appreciation of the culture of the organization and the key barriers / levers to making progress.
Some practical steps audit teams can take
My advice would be for audit teams to consider the following:
- How often do issues repeat themselves (e.g. are there common themes uncovered by audit, or through any management incident reporting?);
- What does the current IA methodology say about the difference between immediate, contributing and root causes?:
- What guidance and training is provided to IA team members in relation to Root Cause Analysis – e.g. 5 Whys, The Ishikawa diagram, Logic Trees, Pareto analysis? (Note a combination of techniques is much more powerful than just one).
- What Root cause categories are currently being used by the audit team and do they expect more than one root cause
If there is room for improvement in any of these areas, auditors should certainly read the IIA guidance and also consider attending one of my workshops in 2017 (listed on the training pages of the RiskAI website). I hope to see you there!