Conducting an Effective Root Cause Analysis in Africa

In summary

Enforcement authorities increasingly expect companies to conduct root cause analyses following investigations that identify misconduct. The root cause analysis is a valuable compliance tool that can be used to identify the underlying reasons for misconduct, prevent recurrence of similar misconduct and uncover broader compliance issues. Companies should consider adapting and implementing root cause analysis methodologies developed in other contexts to focus on compliance-specific questions and analysis. Companies operating in Africa are well advised to consider in their analyses how certain challenges of operating on the ground on the continent may serve as root causes for compliance failures.

Discussion points

• The importance of engaging in a root cause analysis
• Enforcement authority expectations and guidance on root cause analysis
• Applying methods from other contexts to conduct a root cause analysis
• Memorialising the results of a root cause analysis
• Developing and executing remedial action plans
• Special considerations for root cause analyses in Africa

Referenced in this article

• United States v Herbalife Nutrition Ltd
• United States v Beam Suntory Inc
• In the Matter of Kinross Gold Corporation
• In the Matter of The Goodyear Tire & Rubber Company
• In the Matter of Fresenius Medical Care AG & Co KGaA
• US Department of Justice’s Evaluation of Corporate Compliance Programs
• US Department of Justice’s FCPA Corporate Enforcement Policy
• A Resource Guide to the U.S. Foreign Corrupt Practices Act: Second Edition

Introduction

In a previous Europe, the Middle East and Africa Investigations Review, we discussed best practices for effective remediation following internal investigations that identify compliance issues.^[1] In this edition, we delve into the specifics of conducting an effective root cause analysis that seeks to analyse the underlying causes of the misconduct identified in the investigation.

While investigations are typically backward-looking and focused on the actors, transactions and control failures that immediately lead to misconduct, root cause analyses go beyond immediate proximate causes to explore deeper systemic and cultural issues that have allowed or encouraged the misconduct to occur. By identifying those root causes, a company can develop various interventions (not limited to typical post-investigation remedial steps, such as control enhancements and employee discipline) that can help to better detect and prevent similar misconduct in the future.

Although there may be a view that companies have long been performing root cause analysis exercises under the broader rubric of remediation (eg, conducting ‘lessons-learned’ exercises), it is useful for companies to consider whether they are asking all the right questions to effectively identify all causes of compliance failures rather than just the immediate symptoms of deeper problems.

Hypothetical scenario

To illustrate how root cause analysis can work in practice, consider the following hypothetical scenario.

Company Z is a US-listed and US-headquartered technology company with operations in various countries in Sub-Saharan Africa and an extensive public sector business in which it provides products and services to various state-owned entities and government agency customers.

Company Z is relatively new to Africa, having acquired the public sector business of Company S, a South African technology company, less than four years ago. After the acquisition, Company Z kept the management of Company S in place because of existing relationships with public sector customers and concerns that bringing in expatriate employees from Company Z would be too expensive and might cause issues under applicable local content regulations and government procurement guidelines. Company Z also kept Company S as a separate, wholly owned subsidiary rather than merging it into Company Z operations.

Last year, during an annual visit to South Africa by Company Z’s regional compliance director, who is based in London and covers the Europe, Middle East and Africa region, Company S’s director of human resources divulged a host of continuing procurement and accounting irregularities that she felt needed to be independently investigated. Those issues had previously been raised by a channel partner to Company S’s managing director, who personally oversaw an investigation conducted by a local accounting firm.

When the compliance director enquired the managing director about the investigation, she discovered that the allegations potentially implicated the managing director and other senior employees who reported to him, and that the accounting firm had not reviewed relevant documents from those employees or interviewed them, but had dismissed the allegations as not credible because they came from a disgruntled channel partner that had recently been terminated by Company S.

The compliance director immediately called Company Z’s regular outside counsel to investigate, and the investigation revealed a series of corrupt transactions going back almost a decade, carried out through elaborate kick-back schemes involving a network of local implementation partners with close ties to government procurement officials. The investigation revealed that two large government contracts, making up over 50 per cent of Company S’s annual revenue, were improperly awarded as sole source contracts in violation of applicable tender regulations.

The compliance director also learned that none of the local partners had been subject to Company Z’s integrity diligence process because they were legacy partners of Company S from before the acquisition and were approved suppliers in a special government programme focused on increasing the participation of small and medium-sized enterprises in the technology sector. Further, she learned that payments were still being made to local partners without formal invoices or statements of work. When she first raised the prospect of terminating those local partners, she was told that Company S would be sued by the local partners for breach of contracts, which were very favourable to the local partners, and that the local partners have significant leverage because of their relationships with the government customers.

In the wake of the investigation, Company Z terminated Company S’s managing director and severed ties with over a dozen local partners. It also hired a local compliance officer in Company S for the first time and undertook significant enhancements to the diligence programme and procurement controls in Company S.

Investigation versus root cause analysis

Company Z’s investigation is appropriately focused on the facts and individuals closest to the misconduct, such as the managing director and his direct reports, the local partners, the relevant government contracts and tender irregularities. Based on this investigation, Company Z can take remedial measures by disciplining or terminating the responsible employees and third parties, making improvements to its global controls and local controls at Company S and potentially reporting the misconduct to the US and South African authorities. However, those steps alone may not address all the underlying causes of the misconduct or prevent its recurrence.

This is where root cause analysis comes in. An effective root cause analysis will ask whether other factors further removed from the immediate misconduct may have played a role. In the above scenario, those factors may include the failure to timely integrate Company Z’s compliance programme in Company S, the lack of dedicated compliance resources on the ground for Company S and business pressures arising out of Company S’s reliance on a small number of key contracts for a significant portion of its revenue.

Enforcement authorities increasingly view root cause analyses as essential compliance tools and, in the context of an enforcement action, may require a company to demonstrate that it has engaged in such an exercise to earn credit for effective remediation. Deciding whether to conduct a root cause analysis is the easy part, but determining how a company should conduct one, and then executing the analysis and taking appropriate remedial actions, can be far more challenging.

Although there is no one-size-fits-all approach to conducting an effective root cause analysis, below we outline best practices in this area that a company should consider, with an eye towards special considerations for operating in Africa. Companies that engage in root cause analyses will ultimately be better positioned to prevent the reoccurrence of misconduct, address any underlying compliance issues that may present broader risks to their operations and meet regulator expectations.

Enforcement authority guidance

During the course of an investigation, companies are expected to swiftly engage in corrective action to remediate issues as they are identified. Such action can both limit losses or liability from the misconduct in question and reduce potential penalties from enforcement agencies.

However, separate and apart from investigations designed to identify misconduct and corresponding corrective action, enforcement authorities have come to expect companies to show evidence of a discrete root cause analysis exercise.

The US Department of Justice (DOJ) first discussed its expectation that companies undertake a root cause analysis in the Criminal Division’s February 2017 guidance ‘Evaluation of Corporate Compliance Programs’. It renewed and expanded upon its expectations regarding root cause analyses in its April 2019 and June 2020 updates to the guidance.

The updated guidance states: ‘[A] hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.’^[2] Under this guidance, prosecutors are specifically instructed to ‘consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.’^[3]

Conducting a thorough root cause analysis is particularly important in the context of investigations into conduct potentially subject to the US Foreign Corrupt Practices Act of 1977 (FCPA). Since November 2017, the DOJ’s FCPA Corporate Enforcement Policy has required companies to conduct a root cause analysis in the face of misconduct. The Policy dictates:

The following items will be required for a company to receive full credit for timely and appropriate remediation. . . . Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes.^[4]

Additionally, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act: Second Edition’, jointly published by the DOJ and the US Securities and Exchange Commission (SEC), specifically states:

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.^[5]

Although there is presently limited evidence of root cause analyses impacting DOJ charging decisions or enforcement outcomes, from the DOJ’s guidance and our experience in matters before the DOJ, it is becoming increasing clear that effective root cause analysis is required to earn full remediation credit in an enforcement action and may impact decisions on whether a company will be required to retain an independent compliance monitor.

The requirement that companies conduct a root cause analysis has now become a standard requirement in Attachment C of FCPA deferred prosecution agreements, which outlines the elements of an effective corporate compliance programme that companies must implement as a condition of settlement.^[6]

Although other enforcement authorities outside the United States have not overtly embraced root cause analysis in the same way that the DOJ has, they may not be far behind. For example, in its 2018 guidance issued pursuant to the Sapin II law, the French Anti-Corruption Agency referred to the need for root cause analysis in the context of guidance on anti-corruption audits of the implementation of anti-corruption compliance programmes.^[7]

Even where enforcement authorities have not issued specific guidance or requirements on root cause analysis, more general guidance or requirements for remediation and compliance programme enhancement may be broad and flexible enough to include an expectation that companies will perform root cause analyses. In any event, conducting a root cause analysis is likely to help the company meet other enforcement authority requirements and expectations for remediation and for the company’s compliance programme going forward.

Finally, other relevant stakeholders, such as external auditors and commercial partners (eg, international financial institutions), may expect companies to perform a root cause analysis in response to any significant compliance failures.

Performing an effective root cause analysis

How to conduct a root cause analysis

Despite making it clear that companies are expected to conduct a root cause analysis following investigations that identify misconduct, the DOJ has not provided detailed guidance on how to conduct one.

In the absence of specific guidance, it may be helpful for a company to look to its practices in other areas where root cause analyses are employed. For example, a company that has procedures associated with understanding the root causes of industrial accidents, safety failures or product defects may be able to leverage existing processes to develop a robust root cause analysis process for compliance matters.

Companies can also draw upon an extensive body of literature on root cause analysis methodology from other contexts.^[8] A few of the most commonly used root cause analysis methodologies are outlined below.

• Five whys method: first developed by Sakichi Toyoda for the Toyota Production System, the approach has the reviewer ask why five times whenever a problem is identified. The goal is to get to the problem’s essence. By asking why over and over again, it helps get to the core of an issue. Five is just a number: when undertaking this approach for a root cause analysis, why can be asked as many times as necessary.
• Ishikawa or fishbone diagram method: a fishbone diagram is a cause-and-effect model that can help visually identify possible causes of a problem by sorting them into categories. The problem is displayed at the head of the fish. The primary causes are listed as the fish’s bones, and sub-branches are used for the underlying root causes.
• Logic tree method: this method allows for the visual representation of the events that are associated with the problem and the cause-and-effect relationships that may have led to the misconduct. The structure of the logic tree is hierarchical so individuals can easily reference which event caused what effect. Each cause or effect is represented by a node, which represents a component of the root cause analysis.
• Fault tree analysis: this method is a top-down analysis that starts with the problem and lists the possible causes in a hierarchical format. When using this approach, the analyst asks why or how a problem occurred and identifies each cause. For each of those events, the individual asks why or how the event occurred until a ‘tree’ is developed with the various underlying root causes.

Regardless of the methodology used, the hallmarks of an effective root cause analysis include:

• conducting a root cause analysis as an exercise separate from an investigation or a proactive risk assessment; however, a company can and should gather facts during its investigation that it can use during its root cause analysis;
• developing a structured process that can be replicated following other investigations to allow for future consistency and efficiency;
• producing written work product, which helps ensure that a sufficiently detailed analysis is conducted and also creates a record that can be used in the event of any future scrutiny by an enforcement authority or other stakeholders, as well as in a company’s assessment of the effectiveness of its compliance programme;
• examining broader underlying causes of the misconduct, such as business pressures, misalignment of incentives, cultural issues or personnel issues; and
• determining whether the company’s compliance function is adequately staffed and has a sufficient understanding of the business operations at issue in order to spot and address both misconduct and root causes in the future.

Who should conduct a root cause analysis?

If possible, the team undertaking the root cause analysis should involve members of relevant business lines and control functions. This will help to ensure that the process is informed by relevant knowledge and experience relating to the business and controls processes at issue. It should also help engender stronger buy-in from business stakeholders on the ultimate solutions that may emerge from the root cause analysis.

Although compliance professionals are an essential part of the root cause analysis team, they need not be the leaders of this process. To this point, companies should be wary of the risk that if the process is ‘owned’ by the compliance function, and the underlying issues involve failures of compliance processes, the process may not be viewed as credible and independent. For the same reasons, the team should not include individuals directly implicated in the misconduct.

In composing the team to carry out the root cause analysis, a company should consider whether it intends to claim that its root cause analysis is subject to the protection of attorney–client privilege, work product doctrine or other similar doctrines. Claims for those protections will be highly dependent on the relevant facts and the specific context of the exercise (eg, whether it is being prepared in the context of an enforcement action where the company is seeking to earn mitigation credit and whether there is ongoing litigation in the background). Those issues are best considered at the outset of the exercise to allow the company to maximise the chances that it may claim those protections. If the company intends to claim privilege over the exercise, that claim will be stronger if the exercise is conducted under the direction of counsel.

A hypothetical root cause analysis

Returning to the case of Company Z, with all the above issues in mind, it decides that its root cause analysis team (the RCA team) will include the newly appointed Company S compliance officer, Company S’s head of internal audit, Company S’s director for channel partner relationships, Company Z’s regional director of public sector sales and Company Z’s regional head of human resources.

The RCA team decides that the five whys method is the appropriate approach in this situation, and begins by identifying the problems or creating a problem statement. Although there may be many ways to define the problems that Company Z faced – and numerous potential sub-problems – at its core, the issue is that Company S paid bribes through local partners to win government contracts.

Once the problem is defined, the team begins by asking a series of ‘why’ questions, such as the following, noting that there may be more than one answer to each question and that the answers will beget further questions.

Why did Company S pay bribes through the local partners?

• Company S was facing immense pressure in a competitive market to retain two government contracts that make up over 50 per cent of its annual revenue, and the renewal of those contracts is a major factor in the compensation determinations for Company S’s leadership. There is also a perception in Company S that Company S employees are not responsible for the conduct of local partners.
• Finally, there is a view that the local procurement regulations and framework leave Company S without viable alternatives to those local partners, and ‘this is just how business is done down here, and we have no alternative but to play by the local rules if we want to be competitive. This is Africa.’
• Further contributing to the improper payments is the fact that Company Z did not have adequate oversight of Company S’s due diligence, procurement and payment controls.

Why was there so much pressure on the business to retain the contracts?

Employees consulted by the RCA team give a variety of answers here, including that Company Z has not implemented strategic plans to help Company S diversify its sales portfolio and that Company Z does not understand the challenges of the local public sector business.

An employee in Company S tells the RCA team that Company Z has failed to complete the necessary integration procedures to make its business model work in Africa; the company dictates what the employees are supposed to do without a proper understanding of the local environment, and it has unrealistic expectations. The employee goes on to say that Company Z seems to think the employees can simply terminate the local partners at will when in reality, those partners are protected and have ironclad contracts that were signed before the acquisition.

There have also been a series of retrenchments arising from the failure to meet sales targets that have contributed to a ‘culture of fear’ and a ‘win at all costs’ mentality in Company S. One employee tells the RCA team that unless Company Z changes the sales team’s compensation structure and incentivises them for doing the right thing, no controls exist that can prevent the actions under investigation from happening again.

Why has Company Z not done more to integrate Company S?

The RCA team learns that personnel turnover and resource constraints at Company Z have led to a number of key integration activities not being completed even several years after the acquisition of Company S. Company S also contributes relatively little to Company Z’s global revenue, so it is ‘lower on the food chain’ in terms of getting resources and attention from the main headquarters.

Among other things, the RCA team learns that because there was no local compliance officer in place at Company S after the acquisition, no one conducted a post-acquisition risk assessment in the local market nor performed any review of the effectiveness of procurement controls. An employee comments that although Company Z personnel came to Company S and conducted FCPA training immediately after the merger, the training was not tailored to what the employees do and the corruption challenges they face because of local content and local empowerment requirements, which Company Z will never understand unless it spends more time in the market.

The employee further remarks that there was no follow-up, so the employees at Company S were left to figure things out alone, including how to run a business that complies with the FCPA while still meeting their sales targets.

Why does Company S face corruption challenges from local content requirements?

The RCA team is told by Company S employees that local content and procurement regulations require that Company S use a number of local suppliers, but that the suppliers in the local market do not have the qualifications or experience to perform the specialised type of work that Company S requires and that channel partners in other regions do. The team is also told that the government frequently ‘moves the goalposts’ on its local content and procurement requirements and never provides clear answers to what the employees are supposed to do.

This results in Company S retaining unqualified suppliers to ‘check the box’; however, the employees have to do all the work for those suppliers and, essentially, pay the local partners for their relationships with government.^[9] The team is also told that the local partner landscape is a ‘political patronage network’ and ‘everyone knows this, but people are afraid to the rock the boat because they fear for not only their jobs but their personal safety if they speak up.’

Why have Company S employees not spoken up about these issues?

The RCA team is told that Company S does not have a corporate culture that encourages reporting compliance violations to the company hotline or otherwise. They are also told that whistle-blowers can face threats to their own and their families’ safety and that employees believe that whistle-blowers will be fired under the pretence of poor work performance.

As such, traditional hotline reporting systems are less likely to be effective without enhanced efforts to foster a speak-up culture and active steps to protect whistle-blowers from retaliation. One employee says that although it’s all well and good to have access to the Company Z hotline, the company cannot guarantee the employees’ security from players outside the company, who have entrenched interests and who will hurt people who threaten those interests. The employee further remarks that because the job market is so poor, employees will do anything to keep their jobs.

Further questions

There are many more questions that Company Z must ask to complete its root cause analysis. As it proceeds through those questions, it is a helpful exercise to ask whether the same result would have occurred if a particular cause was eliminated. If the answer is ‘yes’, then further enquiry may be needed.

It is also helpful to develop a list of high-level factors to be explored in the root cause analysis, such as, among other things, culture, controls, training, integration, personnel, business environment and strategy, incentives and applicable regulations. The topics to be explored in the root cause analysis should be tailored to the issue and the geography.

What should be clear from this hypothetical case study is that there are a range of factors that contributed to Company Z’s compliance failures, some of which go much deeper and further back in time than the people and events closest to the misconduct. Although many investigations will address some of those factors (eg, compliance resources and post-acquisition integration) at some level, investigations are frequently not the optimal vehicle to conduct a more comprehensive analysis of questions, such as how a company’s corporate culture, risk appetite and resourcing decisions contributed to a particular case of misconduct.

Regardless of the method used to conduct the root cause analysis, it is important to adequately document the exercise. The documentation should include, at a minimum, identification of the team that conducted the exercise, a description of the methodology used and the process that was followed, the ultimate conclusions in respect of the root causes, and how the company is addressing those root causes through policies and controls or other interventions.

Enforcement authorities have not prescribed particular formats for such documentation, and companies should focus on documentation that is easy for the target audience to consume, recognising that the level of detail and background information that may be included in a document intended for management or a board committee that is familiar with the business may be different than what would be provided to enforcement authorities. If a company develops guidance on how to conduct a root cause analysis, it should consider developing a template reporting document.

Finally, the objective of a root cause analysis is to enable a company to take corrective actions to address root causes. Accordingly, companies should ensure that they have structured processes in place to develop and implement remediation plans based on the root cause analyses that are conducted.

Whereas a root cause analysis focuses on the underlying causes of misconduct, a remediation plan should focus on the concrete steps the company will take to correct those failures. As with a root cause analysis, there is no prescribed methodology that the DOJ or other enforcement authorities instruct companies to follow; however, it is important that the remediation plan be a stand-alone document including specific, prioritised, actionable steps to address the identified compliance issues.

The plan should designate individuals as action owners who are accountable for executing specific items, and it should contain specific deadlines for the completion of those action items. The deadlines should then be monitored and enforced to ensure that the action items do not fall by the wayside because of competing business demands or personnel changes.

Special considerations for root cause analyses in Africa

The hypothetical Company Z case study is intended to illustrate some of the factors on which companies operating in Africa should focus when conducting root cause analyses. Although a number of those factors are by no means unique to Africa and may be present to some degree in many emerging markets, they may manifest more acutely in Africa and in combinations that tend to compound compliance risks.

Below we discuss several of the factors that companies may find to be a useful reference point for root cause analyses in Africa. However, each exercise should be tailored to the unique facts and issues at hand.

Geographic and operational isolation

Companies such as Company S, which are subsidiaries of companies headquartered outside Africa, may face a host of compliance challenges based on their relative geographical and operational isolation from headquarters’ operations, especially when, as in the case of Company S, the contribution to global revenue is relatively small. This can manifest in logistical obstacles to regular visits by headquarters employees.

It can also manifest in more subtle ways, such as local management perceptions that headquarters’ employees do not understand the realities of working in Africa and the variety of operational and compliance challenges that come with it (eg, security risks, power outages, systemic corruption and skills gaps). This, in turn, can make it more difficult to achieve the buy-in of local management on compliance priorities, particularly if there is a view that headquarters is seeking to implement policies and procedures that are driven by foreign law requirements or that are unworkable in practice on the ground.

Headquarters employees should be mindful that working in challenging environments with systemic corruption can leave local employees with a sense of helplessness or resignation that corruption is inevitable and there is nothing that they can do about it, or worse, that it is simply a necessary part of doing business in Africa.

New market entry and integration issues

For Company Z, as with many international companies, expansion into Africa was accomplished via an investment transaction where it acquired an existing business already operating in Africa. In our experience, and as illustrated by several FCPA enforcement actions,^[10] inadequate preparation for market entry and failure to implement an effective compliance programme in acquired entities and new operations are common and persistent sources of compliance challenges for international companies investing in Africa. The risks of inadequate integration can be particularly acute where a company leaves an existing local management team fully intact post-acquisition without effective training or oversight.

Capacity and resourcing challenges

International businesses operating in Africa can face challenges in finding qualified and experienced personnel and suppliers in a number of areas that are key to either creating or mitigating compliance risks. In a number of African markets, experienced professionals qualified to serve in compliance and control functions in high-risk environments are in short supply, and on the supplier side, it may be the case that the pool of operationally qualified suppliers is thin and that dealing with politically exposed persons is unavoidable. Even where a company takes steps to terminate a problematic supplier, in many situations, alternative partners may raise the same, or more significant, compliance issues.

Security issues

Physical security risks are a fact of life for companies operating in many African countries and can create or exacerbate compliance risks in myriad ways. For example, companies may find it necessary to engage with police or government security forces to protect company property and personnel, which can raise a host of corruption risks.

As illustrated in the hypothetical Company Z case study, employees and suppliers may also be reluctant or unwilling to raise compliance concerns or cooperate in investigations because of concerns of violent reprisals. Those concerns can be particularly acute in isolated subsidiary operations where employee reporting lines do not extend beyond local management and where there is an ‘us and them’ dynamic between local management and headquarters.

Regulatory issues, local ownership, and local content

Corruption and other compliance risks can be driven by ambiguous, opaque or underdeveloped local regulation and a high degree of discretion vesting in government officials. Additionally, regulatory frameworks that require local shareholders, and local content regulations, can raise significant corruption risks.

Local shareholding requirements can serve as a vehicle for corruption, most commonly where a local interest is controlled by government or a parastatal official through a family member or associate, with illicit transfers of value carried out through dividend payments or related-party transactions with suppliers. Local content requirements can similarly create a number of compliance and fraud risks. These may create convenient opportunities to channel money or other things of value (eg, jobs) to government or parastatal officials and their associates or family members.

Notes