Why, why, why? Analysing the root causes of fraud and corruption
In fighting fraud and corruption, it is very useful to have insights on a broad spectrum of elements to explain why it occurs in your organisation or is related, for example, to a specific programme. Root cause analysis (RCA), a technique applied to uncover the fundamental causes of problems such as fraud and corruption, can help. James C Paterson has been running courses on RCA for over five years for a number of the Institute of Internal Audit (IIA) organisations in Europe. He regularly presents his insights to public and private-sector organisations and has written about lean and agile auditing. So what, in his view, are the essential ingredients of an effective RCA? In this article, James provides a brief overview and applies RCA principles to fraud and corruption.
By James C Paterson, Director of Risk & Assurance Insights Ltd (RiskAI)
What is root cause analysis and how did it start?
Root cause analysis (RCA) is about analysing the underlying reasons why things have not gone as they should. The idea is that by fixing the fundamental causes of a problem, you will also address similar problems, not just the specific cause of the event in question.
Take the Titanic as an example…
RCA has varied origins, but two of the most famous RCA techniques — the ‘5 whys’ and the ‘Ishikawa’ (fishbone) diagram — stem from the growth of ‘lean’ ways of working, and particularly the associated need to get things done ‘right the first time’.
RCA requires us to be clearer about what caused a fraudulent act or other incident, or a process weakness. It distinguishes between three different types of cause:
- the immediate cause — the thing(s) that obviously led to the problem: e.g. the iceberg that struck the Titanic;
- the contributing causes — these “set the stage” for the problem to occur; in the case of the Titanic: the northerly route taken, close to the icepack, and the speed of the ship; and
- the root cause(s) — the underlying factors that caused the problem and might lead to similar problems in future — in the case of the Titanic, there were multiple root causes, including underestimating the risks the ship faced, insufficient lifeboats, and flaws in the bulkhead design.
I would strongly encourage any reader to start using these terms to discuss fraud, corruption and other incidents, to help their organisation be clearer about what type of cause has been identified.
Shifting the blame away from the individual
A rigorous approach to RCA means that, even if a single person carries out an act of fraud or corruption, the root cause will not just be that person. Instead, RCA will often reveal deeper problems in the relevant processes, systems, training or oversight that failed to identify and stop what happened.
A tendency to blame individuals for things that go wrong reflects a defensive culture, which will inhibit the ability to find root causes. Instead, one should think about the occurrence of problems in a way that is less likely to scapegoat individuals. The ‘Just culture’ framework, developed for ‘high reliability’ organisations and situations (see Table 1), can help.
Table 1: ‘Just culture’ — a stepped approach
There will always be more than one root cause for a problem in an organisation; as a minimum, there will normally be:
- flaws with preventative controls; and
- problems with detective controls.
5 whys/2 legs framework
This is nicely summarised in the ‘5 whys, 2 legs’ framework, illustrated below (see Figure 1):
Figure 1: 5 whys/2 legs
There are also more sophisticated approaches for effective root cause analysis, such as the logic tree (fault tree) and bow-tie (barrier) analysis, which we will not discuss in detail here. However, even these techniques must still be complemented by the ‘why, why, why’ approach of the 5 whys. Using these techniques will often reveal the multiple ‘hairline cracks’ that led to, or at least contributed to, a risk event. For example, in the BP Deepwater Horizon disaster (the largest ever marine oil spill, which happened in the Gulf of Mexico in 2010), around eight different processes failed simultaneously.
The fishbone (Ishikawa) technique
In practical terms, the fishbone (Ishikawa) technique is a useful ‘halfway house’ between the ‘5 whys, 2 legs’ approach and the more rigorous fault tree and barrier analysis methods. As with all RCA techniques, the fishbone technique explicitly recognises that problems will have multiple root causes, but it provides greater structure concerning the key areas to examine systematically. This technique is especially useful as a way of:
- cross-checking whether key lines of enquiry have been exhausted, and
- allowing causal categories to be analysed.
The traditional causal categories for the fishbone technique, originating from the early days of lean methods as used on production lines, include People, Process and Equipment. However, working with clients over the years, I have developed a modified fishbone approach that uses another set of root cause categories, illustrated in Figure 2.
Figure 2: Modified fishbone approach
Although the root cause categories chosen may point to the root causes of an issue in general terms, the actual root causes for a specific issue will be particular, depending on the detailed facts and circumstances of the situation. In other words, you cannot assume that every root cause category will apply to every problem that arises.
With all types of root cause analysis, care must be taken to:
- gather robust evidence,
- be clear about causality (rather than just correlation), and
- consider the impact of any weaknesses (e.g. by using the Pareto (80/20) method — 80% of the results will come from just 20% of the action) in order to remedy these as a matter of priority.
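The Pareto step in the list above can be made concrete. The following is an added example, not code from the article or its author: it takes a constructed incident log, tags each incident with one of the root cause factors the article discusses later (control activities, roles and accountabilities, human factors, management information), and ranks the categories by loss until the cumulative share reaches the 80% threshold. It also counts incidents and near misses (zero-loss entries) per category, since frequency and impact can point to different priorities. All incident records and loss figures are invented for illustration.

```python
from collections import defaultdict

# Constructed sample incident log: (incident id, root cause category, estimated loss).
# Category labels follow the article's section headings; ids and amounts are invented.
# A loss of 0 marks a near miss (caught before any loss was incurred).
INCIDENTS = [
    ("INC-01", "Control activities", 12000),
    ("INC-02", "Control activities", 8000),
    ("INC-03", "Control activities", 0),
    ("INC-04", "Roles and accountabilities", 15000),
    ("INC-05", "Roles and accountabilities", 0),
    ("INC-06", "Human factors", 3000),
    ("INC-07", "Human factors", 1000),
    ("INC-08", "Human factors", 0),
    ("INC-09", "Human factors", 0),
    ("INC-10", "Management information", 1000),
]


def loss_by_category(incidents):
    """Sum the estimated loss per root cause category."""
    totals = defaultdict(float)
    for _, category, loss in incidents:
        totals[category] += loss
    return dict(totals)


def incident_counts(incidents):
    """Per category, return (number of incidents, number of near misses)."""
    counts = defaultdict(lambda: [0, 0])
    for _, category, loss in incidents:
        counts[category][0] += 1
        if loss == 0:
            counts[category][1] += 1
    return {category: tuple(pair) for category, pair in counts.items()}


def pareto_priorities(incidents, threshold=0.8):
    """Rank categories by total loss (largest first) and return
    (category, loss, cumulative share) rows up to and including the first
    row at which the cumulative share reaches `threshold`.

    These are the categories to remedy first under the 80/20 rule."""
    totals = loss_by_category(incidents)
    grand_total = sum(totals.values())
    if grand_total <= 0:
        return []  # nothing to prioritise (no recorded losses)
    # Ties are broken alphabetically so the ranking is deterministic.
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    rows = []
    cumulative = 0.0
    for category, loss in ranked:
        cumulative += loss
        share = cumulative / grand_total
        rows.append((category, loss, round(share, 3)))
        if share >= threshold:
            break
    return rows


if __name__ == "__main__":
    print("Priority categories (80% of recorded loss):")
    for category, loss, share in pareto_priorities(INCIDENTS):
        print(f"  {category:<28} loss={loss:>8.0f}  cumulative={share:.1%}")
    print("Incident / near-miss counts per category:")
    for category, (total, near_misses) in incident_counts(INCIDENTS).items():
        print(f"  {category:<28} incidents={total}  near misses={near_misses}")
```

Note that the two lenses disagree on the constructed data: control activities and roles carry most of the loss, while human factors produce the most incidents and near misses. Both are worth reporting, because a category with many near misses is one where the article's ‘testing the system’ behaviour may already be under way.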
Fraud and corruption — taking a broader view
It is easy to think of fraud and corruption in a rather narrow, legalistic manner, rather than see it as part of a broader spectrum of deviant workplace behaviour (see Figure 3 below). This is because it allows us to think about fraud and corruption as something that wrong-doers do, that has nothing to do with ourselves. A wider interpretation, however, may raise questions about the overall context (or culture) in which fraud and corruption sit. In particular, a bad example set in one domain risks giving the impression that similar or other forms of deviant behaviour (such as fraud or corruption) are justifiable in some way.
Figure 3: Deviant workplace behaviours
Below are some of the most significant and common root cause factors relating to fraud and corruption issues:
Control activities, e.g. ABAC controls
Recently, many organisations have put a lot of effort into anti-bribery and anti-corruption (ABAC) programmes, due to increasing penalties for failure to have such programmes in place. However, it is easy for these to simply become a ‘tick-box’ exercise (to comply with laws and regulations), where the letter, but not the spirit, of the rules is followed, and so seen as separate from other organisational processes. In a nutshell, we must be very vigilant to the risk of governance, risk and compliance (GRC) ‘theatre’.
In addition, the time and effort devoted to compliance programmes can easily divert attention away from — for example — anti-fraud activities or efforts to reduce financial waste (which may also be important and in fact contribute to potential corruption risks). Ask yourself: when was the last time fraud risk-assessment workshops were carried out with key finance, procurement and operational staff, and how rigorous are efforts to work on efficiency and effectiveness-related issues?
Understanding and managing roles and accountabilities
Although everyone has a responsibility to call out potential instances of fraud and corruption, there is a risk that making it ‘everyone’s job’ will in practice make it ‘no one’s job’! In my experience, large organisations need to become much better at understanding and managing the complexities of roles and accountabilities for anti-fraud and anti-corruption issues (as well as many other areas). This can be done with tools such as a modified McKinsey RASCI framework, set out in Figure 4 below. This allows the organisation to be more precise and joined up when considering who does what, and who oversees this.
Figure 4: Modified McKinsey RASCI framework
For example, when was the last time a line manager or procurement team member received guidance about the sort of fraudulent or corrupt acts that might be going on ‘under their noses’, and precisely what their role was? When was the last time a senior manager (not a member of finance) talked about this issue to their staff? Anti-fraud and anti-corruption efforts will only really have an impact when they are seen to be a specific part of everyone’s job; not in just a generic way, but rather with specific tasks and behaviours required of different roles.
Other important issues to consider relate to accountability for governance, and the quality of oversight and of anti-fraud and anti-corruption activities, which invariably need to encompass finance, legal, compliance, risk management, executive management and any oversight board.
Allowing for human error and other human factors
How can our processes, procedures and systems allow for human error and human failings as ‘a fact of life’ that therefore needs to be proactively thought about and managed? As discussed, ‘high reliability’ organisations that are intent on driving down the number of issues, incidents and near misses use the ‘Just culture’ framework (see Table 1). They pay close attention to both the breadth and depth of training needed.
Rather than simply rolling out e-learning as a blanket exercise for all, some organisations deploy specific e-learning tests with pass marks (even 100% in some organisations, with only one chance to re-sit the test!); others use face-to-face training and workshops for higher-risk areas (i.e. they believe e-learning is not good enough for some roles). They may also use other simulation activities in the workplace to check that people are applying what they learn in practice (as you may have seen with test phishing attacks in relation to IM/IT security, but applied to fraud and corruption-related risk areas).
‘Human factors’ is also the arena where the existence of deviant workplace behaviour (e.g. senior managers who appear to be overly rewarded with benefits; or seem to ignore poor performance by staff; or show favouritism) may lead some staff to become disgruntled and/or demotivated. Some members of staff may cite ‘deviant activities’ (but not corrupt or fraudulent ones, according to the letter of the law) as justification for their own deviant activities, which may include fraud or corruption (i.e. ‘If they are getting away with X, why shouldn’t I be entitled to Y?’).
Ask yourself: what deviant behaviour does your organisation tolerate that might be encouraging employees (or contractors) to become demotivated, or disgruntled? Ask yourself: when was the last time this risk was explored with staff on an anonymous basis?
Note that disgruntled staff may ‘test’ control activities in small ways, to see what they can get away with, before moving on to more serious fraud, etc.
Management information, resource questions and other dilemmas: Cost/Trust vs. Control
I understand why some managers feel they have and should have a ‘zero tolerance’ approach to fraud and corruption, and particularly their insistence that anyone found committing an act of fraud or corruption would need to leave the organisation. However, when I ask them how much effort and what resources they plan to invest to calculate all losses resulting from fraud, and to recover missing funds (perhaps involving the police), they typically explain that they need to be ‘realistic and practical’.
Ask yourself: how often does your organisation publicise the removal of wrong-doers? All too often, fraud and corruption issues are kept low-key for fear of embarrassment and, consequently, reputation risks. I appreciate that there are sensitivities here, but the counter-argument to keeping things quiet is that, even when acts of fraud or corruption are discovered and staff are removed, there is no visible deterrent to others who might be contemplating such acts.
When you look at the resourcing for anti-fraud and ABAC programmes, it is clear that potential action (e.g. more extensive training and awareness in higher-risk areas) is limited by budget and resource constraints. So, managers may say they have ‘zero tolerance’ to fraud and corruption after it has occurred, but — in practice — they do not make a ‘100% effort, no expense spared’ to identify, manage and stop fraud and corruption in advance! This reflects a broader dilemma facing all organisations. We want to be trusting and empowering, lean and agile, and to be sensible and proportionate in how we manage resources; but if we are too trusting and empowering, without enough checks and balances, this can be seriously abused by some of the people who (all too often) most seem to deserve our trust! The cost, and reputational damage, of a single act of fraud or corruption can still far outweigh the costs of even the most extensive control and monitoring activities.
Whilst it is always important to talk about whistleblowing initiatives, the effective management of fraud and corruption risk requires us to think beyond whistleblowing to other ‘weak-signal’ information sources that may provide an early warning system to a bigger event. As a minimum (and in addition to robust whistleblowing mechanisms), organisations should collect loss and incident information and not be content if nothing is reported!
Best practice would suggest that organisations should encourage the reporting of near misses (not just actual losses/incidents) and of gaps in expected control activities, as well as carrying out in-depth ‘spot’ checks — in real time, or as close as possible — on the activities of senior managers and finance/procurement managers. The mere presence of these spot checks at all levels will drastically deter staff and managers from trying to test the system and its processes. Finally, the most progressive organisations are starting to collect and use cultural and behavioural information (e.g. staff motivation, attitudes and engagement) as a leading indicator of potential fraud and corruption risks.
To address contextual and systemic causes, you need to be able to see them
Whilst the specific causes of a fraud or corrupt act will always be particular, root cause analysis, with the aid of the ‘5 whys, 2 legs’ framework or the fishbone tool, can allow us to ‘see’ contextual and systemic causes of potential frauds and corrupt acts. This can help us be more mindful of changes that need to be made to reduce the frequency or impact of such events.
Finally, organisations that are serious about managing the risk of fraud and corruption need to significantly upskill their training, and ways of working, in relation to effective root cause analysis, so they can get deeper insights into the real reasons why problems regarding fraud and corruption are occurring.
This article was first published in the 2/2019 issue of the ECA Journal. The contents of the interviews and the articles are the sole responsibility of the interviewees and authors and do not necessarily reflect the opinion of the European Court of Auditors.