The Justice Department announced its new FCPA Corporate Enforcement Policy at the end of November. And yes, the major themes of that policy look much the same as the department’s prior approach to FCPA enforcement: voluntary disclosure of violations, cooperation with the authorities, and remediation.
One part of the policy, however, is new: a greater emphasis on root cause analysis.
You can find it roughly halfway through the five-page policy statement. To win full credit for timely and appropriate remediation, a company must demonstrate a “thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes.”
Expecting companies to perform a root cause analysis isn’t unreasonable, but it should give compliance officers pause - because that’s not a task compliance officers naturally know how to do.
Yes, compliance officers can (and often do) investigate allegations of misconduct to identify facts and assign blame. But an investigation determines what happened. That’s not the same as a root cause analysis, trying to determine how something was able to happen.
What should companies try to answer with a root cause analysis? We can start with the Justice Department’s guidelines on evaluating the effectiveness of compliance programs, published in February 2017. Some possible questions include:
- What systemic issues were identified?
- Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues?
- What is the company’s analysis of why such opportunities were missed?
- Who in the company was involved in making the analysis?
Those questions aren’t about finding facts. They are about finding the circumstances in a company’s operations that allowed the facts of a specific FCPA violation to happen.
To answer them well, organizations need a disciplined way of examining business processes to find weak spots: the sloppy record-keeping because employees are overworked; the access controls that aren’t tested and kept current; the deficiencies identified but not corrected in a timely fashion; the anti-bribery training entrusted to local managers, whose motives might not be as ethically pure as a compliance officer would like.
An audit function, either internal or outsourced, will often be the best group to ask and answer questions like those. (Assessing business processes is what auditors do, after all.) Absent that, compliance officers could conduct the analysis themselves, if you know what questions to ask. The Internet is full of methods and techniques an organization could use.
From Root Cause to Executive Commitment
A larger point for compliance officers isn’t just how they conduct a root cause analysis; it’s that a thorough root cause analysis happens in the first place. As we noted before, the explicit, written emphasis on root cause analysis is new, only appearing within the last year. The Justice Department is pushing the importance of this analysis up your list of priorities.
That won’t happen - or more accurately, it won’t happen well - unless a company’s senior leadership will put the required effort into a root cause analysis.
Yes, the U.S. Sentencing Guidelines state that an “effective” compliance program periodically reviews and measures its effectiveness. That’s similar to a root cause analysis, but not the the same. Effectiveness reviews should (ideally) happen on fixed cycles, irrespective of any specific FCPA allegations.
Root cause analyses try to understand how one specific allegation was allowed to happen. A company needs to demonstrate self-awareness of how its policies, procedures, and internal controls work in the real world - including those occasions when they still allow an FCPA violation to happen.
That’s OK; failures happen, and the Justice Department knows that. What it wants above all, however, is evidence that a company takes anti-bribery compliance seriously. Strong policies, third-party oversight, and whistleblower protection are all part of that. So is a willingness, and an ability, to understand why violations happen anyway.
And as we can see in the FCPA Enforcement Policy, the Justice Department wants to see that your organization takes that root cause analysis seriously, too.