One of the things I often find myself doing during presentations is chiding the participants (in a caring and loving manner) for not understanding what the International Standards for the Professional Practice of Internal Auditing do and do not require. I like to point out the number of things we do because we think they are required by the Standards when, in fact, we do those things because they are required by the department (or, often more likely, we do those things because those things have always been done that way.)
Well, for all my chiding, I recently found that I have been living my own fantasy about what the Standards require. (Hey, give me some credit for admitting I was wrong. Puts me a step ahead of some famous leaders I could name.) And it all has to do with the recent discussion of root cause.
This whole root cause discussion started a while ago when I posted about an excellent example of root cause analysis from the book The Power of Habit: Why We Do What We Do in Life and Business by Charles Duhigg. I followed this up with a discussion about the five whys, its role in root cause analysis, and how internal auditors may not be using the approach to its best advantage. The most recent post on the subject talked about how, in order to better identify true root causes — ones that lead to more broad-based and value-adding solutions — we might use COSO's Internal Control–Integrated Framework to make sure we are really getting to the bottom of things.
In response to that post, Mike Benke, commenting on LinkedIn, brought up some interesting points about the focus internal auditors bring to root cause analysis as they attempt to find the one thing that caused the breakdown. He discussed the obvious but often overlooked concept that organizations are complex systems where the majority of actions and results are not necessarily deterministic. (If X … then Y.) Therefore, when internal auditors try to come up with a single cause of an outcome, it ignores the reality that the situation may have been caused by a number of jointly sufficient causes.
(Mike, if I've misstated what you had to say, feel free to correct me.)
In the most recent post, I told the story of writing a report with a cause that indicated (correctly) that the department did not have sufficient resources. After the fact, we also realized that the department had not used risk assessment to determine which processes should have been dropped because of the resource shortages. My conclusion was that we had not gotten to the real root cause — the lack of risk assessment.
Now, with Mr. Benke's words ringing in my ears, I look back at the story and realize my conclusion was wrong. (See, I told you I was going to admit I was wrong.) Both were perfectly legitimate causes — dare I say root causes. The lack of resources meant they couldn't get all their work done. The lack of knowledge regarding risk and risk assessment meant they could not make an informed decision on what work should be eliminated. Perhaps, both should have been reported
All well and good. But isn't it holy writ that there shall be but one cause for any identified issue?
Looks like I was wrong again. (You don't know how much this hurts.)
If worse comes to worse, go back to the Standards. Here's what I found when I looked for references about a single root cause. It ain't there. It's not in the Standards, it's not in the implementation guidance, it's not in the practice guides. Yes, there's a lot of stuff about root causes and finding how to correct that cause. But a requirement for a single root cause (or even a suggestion that identifying a single root cause is best practice)? Nada.
Ultimately, the Standards speak to finding solutions to the cause that led to a discrepancy between condition and criteria. In fact, the implementation guidance for the related standard (Standard 2320: Analysis and Evaluation) notes, "In some cases, internal auditors may provide a variety of possible root causes for management to consider, based on an independent and objective evaluation of various scenarios as the root cause of an issue."
I guess I knew all along that it wasn't a requirement. But danged if I didn't believe it was best practice. But tell me I'm the only one making that mistake — the assumption that a single root cause is specifically or implied to be required. Because all our training, all our literature, all our instructions, all our procedures are geared to the idea that we should be finding one root cause. Take another look at the Standards and you will note that, in discussing root cause, the plural is never (and I'll stand by never) used. It should not be surprising that so many of us (again, I'm guessing there's a whole lot of us) inferred that a single root cause is what we want.
And that may be leading us to simplistic answers that provide only partial solutions for the organization.
Yes, there will be situations where a single root cause may be the answer. But we have to recognize that those situations may be fewer and farther between than we first thought. As noted from what Mr. Benke commented, when internal auditors try to come up with a single cause of an outcome, it ignores the reality that the situation may have been caused by a number of jointly sufficient causes.
Which raises some interesting (and possibly disturbing) questions.
Is it time for us to fundamentally rethink the way we analyze and report on root causes? And is it time to fundamentally rethink the way we train ourselves and others on critical thinking and root cause analysis? Is it time to revisit and possibly redefine the five Cs — condition, criteria, cause, consequence, and corrective action? Does the way those are described and used unwittingly force people to the "one right answer" approach to root cause analysis? Is it time to redefine what we mean by cause, and what we mean by corrective action? Is it time to place additional responsibilities on all audit departments to do more than come up with one solution? And is it, ultimately, a time for significant change in the way we work — our understanding of processes, our concepts of business systems, our analysis, and our reporting?
As happens far too often, I may be completely off base here. I may be the only one who is living with this "one root cause" constraint. And if so, then feel free to chide me as I have chided others. But based on the training, presentations, and discussions in which I've been involved, I have a feeling I'm not the only one out there. And if that is the case, it is definitely time to make a change.