The root cause analysis is performed for the regulatory breaches identified and reported by the compliance function or the internal audit team. Regulatory breaches may also be identified and reported by the regulator.
When significant regulatory breaches are identified, the compliance officer and the management must take appropriate steps to identify the root cause of the breaches. To perform the root cause analysis, the Compliance team and the management need to understand the relevant regulatory requirement that is breached and then identify the possible reasons for the breaches of the requirements.
Root Cause Analysis and Breaches
The possible causes of the breaches may be the lack of understanding of the regulatory requirements, lack of employee training, intentional noncompliance, or due to error. It is the responsibility of the compliance team to identify the true root cause of the regulatory noncompliance and the breaches. The compliance team investigates to identify the true root cause. Such investigation includes interviews with those involved where their knowledge of the regulatory requirements, intentions, and past experiences are tested and checked to relate to the actual root cause of the breaches.
It also checks whether the identified breaches are repeated over the period or the one-off instances. In case the breaches are found repetitive, there must be a lack of design or application of internal controls. Suppose the regulatory compliance controls are found weak or obsolete. In that case, the management must take immediate actions to design or develop the required compliance controls, to avoid the repetition of the breach in the future.
Compliance breaches may also be due to the non-application of the compliance controls. In such situations, the reason for the non-application of internal controls is checked. Disciplinary actions are taken against those who are found involved in intentional non compliances. In cases where the breaches are reported due to the lack of training, the compliance officer must ensure that compliance training programs are designed to address the areas where significant breaches are reported.
For example, suppose the breaches are in data loss or AML/CFT. In that case, the training programs must be developed to ensure that data protection-related or AML/CFT regulatory requirements are covered in the training programs and provided to the employees.
Ultimately, the management and the board are responsible for regulatory and corporate compliance. Therefore, they must know that without a robust corporate compliance culture, compliance program, independent compliance function, regular compliance reporting, monitoring, and supervision by the management compliance committee and the board compliance committee, the organization is exposed to significant compliance risks. The compliance risks are mitigated through strong compliance culture and implementation of the compliance program, management, and board oversight.
Final Thoughts
The technique of root cause analysis is used to identify the underlying key causes of review findings. Understanding the causes allows audit firms to take action to prevent negative outcomes from recurring and to promote positive outcomes from recurring.