Our Africa Anti-Corruption Practice has previously outlined key considerations for handling internal investigations and remediation of compliance issues in Africa. Here, we take a closer look at a particular aspect of remediation, the root cause analysis. After the dust settles on an investigation identifying misconduct, a root cause analysis can serve as the most effective tool to determine why the misconduct occurred and what can be done to prevent it in the future. Drawing on a longer article we recently published in Global Investigations Review’s 2021 Europe, Middle East, and Africa Investigations Review, we describe below strategies and methodologies for conducting root cause analyses, focusing on specific considerations for companies operating in Africa.
Key Takeaways:
- Companies should promptly conduct root cause analyses following investigations that identify misconduct, in order to meet enforcement authority expectations and pinpoint all the underlying causes of misconduct.
- There is no “one size fits all” approach to conducting a root cause analysis, and companies should consider adapting root cause analysis methodologies developed in other contexts.
- Building on their risk assessments, companies investigating misconduct in Africa should consider whether specific challenges of operating on the continent may serve as the root causes underlying compliance issues.
***
Done properly, a root cause analysis is distinct from an investigation, which is focused on identifying misconduct and its immediate causes, or the resultant remedial actions (e.g., employee discipline), which seek to address and correct the control failures and employee actions identified through an investigation. Rather, a root cause analysis is designed to explore deeper systemic and cultural issues that have allowed or encouraged the misconduct to occur in the first place. By identifying those root causes, a company can develop strategies to prevent the reoccurrence of misconduct and address any underlying compliance issues and control failures that may present broader risks.
In the last five years, United States enforcement agencies, particularly the U.S. Department of Justice (“DOJ”), have made clear their expectation that companies conduct root cause analyses in the face of misconduct. In fact, DOJ has noted that the ability to “conduct a thoughtful root cause analysis of misconduct” is a hallmark of an effective compliance program.[1] Further evidencing this expectation, in the context of U.S. Foreign Corrupt Practices Act enforcement actions, DOJ may require a company to demonstrate that it has conducted a root cause analysis in order to earn credit for appropriate remediation, and is increasingly including a root cause analysis requirement in deferred prosecution agreements.[2] This trend extends beyond the United States — for example, in 2018 the Agence Francaise Anticorruption referred to root cause analyses in the context of guidance on auditing anti-corruption compliance programs.[3]
While enforcement agencies increasingly expect companies to perform root cause analyses, they have offered limited guidance on how to conduct such exercises. Thus, when considering methodologies for conducting an effective root cause analysis, companies may be well-served by drawing on existing processes and methodologies that have been developed in other contexts, including in response to safety failures, security incidents, or product defects. Some of the most commonly used root cause analysis methodologies include:
- Five Whys Method: After a problem is identified, ask “why” five or more times in order to get at the core of an issue.
- Ishikawa or Fishbone Method: Create a visual cause-and-effect model with the problem as the head of a fish, the primary causes as the bones of the fish, and the underlying root causes as sub-branches supporting each bone.
- Logic Tree Method: Visually set out the events in a hierarchical structure leading to the problem. For each event, include a node noting the cause and/or effect of that event.
- Fault Tree Analysis: Start with the problem and list the possible causes in a hierarchical format. For each cause, continue to identify the underlying events or issues until a “tree” is developed with various root causes.
Regardless of the methodology used, it is critical that a root case analysis consider broader underlying causes of the misconduct, including business pressures, misalignment of incentives, cultural issues, personnel issues, and/or the capacity of the compliance function to address misconduct and root cases. An effective root cause analysis should also develop a structured, replicable process and produce written work product.
At the outset of a root cause analysis, a company should consider the appropriate team for the exercise. As discussed further in our article, a multifunctional team, including individuals from compliance and other control functions along with members of relevant business lines, can be particularly effective. Companies should also consider whether to involve counsel in the exercise and whether they intend to claim the protection of the attorney-client privilege or work product doctrine over the exercise.
Companies operating in Africa may have an important set of cultural, regulatory, and capacity factors that they should consider when conducting root cause analyses. While these factors are by no means unique to Africa, and may be present to some degree in many emerging markets, they may present more acutely in Africa and in combinations that tend to compound compliance risks. For example:
- Geographic and operational isolation: In our experience, geographic and cultural distance between subsidiary operations in Africa and headquarters in the U.S. or Europe can pose a range of challenges. These can include the pure logistical challenges of headquarters personnel visiting the subsidiary, as well as challenges achieving local management buy-in to compliance policies that are perceived as unworkable on the ground and not tailored to the challenges of operating in Africa.
- New market entry and integration issues: In cases where expansion was accomplished via acquisition of a business already operating in Africa, inadequate integration and failure to implement and train employees on a compliance program can result in significant compliance and controls challenges.
- Security issues: Physical security risks may result in necessary engagement with police or government security forces, which can raise corruption and compliance risks.
- Regulatory issues, local ownership, and local content: Underdeveloped local regulations coupled with individual discretion can result in systemic corruption. Further, local shareholder and content regulations can create compliance risks, as they allow for channeling money, business, or other things of value to government officials or their affiliates.
This article was prepared by Covington attorneys qualified to practice law in the United States. It does not constitute legal advice. If you have further questions about your compliance programs, how to conduct due diligence on a local partner, or Covington’s anti-corruption work in Africa, please contact Ben Haley at bhaley@cov.com, Jennifer Saperstein at jsaperstein@cov.com, Noam Kutler at NKutler@cov.com, or Ishita Kala at ikala@cov.com
***
[1] U.S. Dep’t of Justice, “Evaluation of a Corporate Compliance Program,” June 2020, 17, https://www.justice.gov/criminal-fraud/page/file/937501/download; U.S. Dep’t of Justice and U.S. Sec. and Exchange Comm., “A Resource Guide to the U.S. Foreign Corrupt Practices Act: Second Edition,” July 2020, 67, https://www.justice.gov/criminal-fraud/file/1292051/download.
[2] U.S. Dep’t of Justice, “FCPA Corporate Enforcement Policy,” March 2019, 3, https://www.justice.gov/criminal-fraud/file/838416/download; see, e.g., United States v. Herbalife Nutrition Ltd., Deferred Prosecution Agreement, C-9 (August 28, 2020), https://www.justice.gov/usao-sdny/press-release/file/1312196/download; United States v. Beam Suntory Inc., Deferred Prosecution Agreement, C-9 (October 23, 2020), https://www.justice.gov/opa/press-release/file/1331666/download.
[3] Agence Francaise Anticorruption, Guidelines to help private and public sector entities prevent and detect corruption, influence peddling, extortion by public officials, unlawful taking of interest, misappropriation of public funds and favouritism (2018), https://www.agence-francaise-anticorruption.gouv.fr/files/2018-10/French_Anticorruption_Agency_Guidelines.pdf.
This post can also be found on CovAfrica, the firm’s blog on legal, regulatory, political and economic developments in Africa.