When a financial institution discovers a compliance violation, everyone always wonders what went wrong. Is this a stand-alone issue related to a specific product, service or business line, or is it a symptom of a larger, systemic problem?
The only way to find out is a root cause analysis.
A root cause analysis is a problem-solving exercise that helps financial institutions to identify and address the underlying causes of a compliance problem – not just address its symptoms. The goal of a root cause analysis is to identify areas where a bank, credit union, mortgage company or fintech can improve its processes and systems and develop and implement effective remediation plans to prevent future compliance issues.
By identifying the root causes of compliance failures, financial institutions can take proactive measures to reduce their risk exposure and ensure they are in compliance with relevant laws, regulations, and industry standards.
Root cause analysis is also a regulatory expectation. Examiners will consider the root cause of violations when assessing an institution’s compliance management system (CMS). They also weigh root cause, severity, duration, and pervasiveness when evaluating relevant violations of law and any resulting consumer harm.
Examiners take a particularly hard stance when the root cause of consumer compliance violations stems from critical CMS deficiencies or a lack of management oversight.
A root cause analysis requires six steps:
The first step in conducting a root cause analysis is to clearly define the problem. This includes describing the problem, its symptoms, and its impact on the organization. This step is important because it helps to ensure that everyone involved in the analysis has a clear understanding of what is being analyzed.
The next step is to gather data related to the problem. This may include reviewing documents (including complaint data), interviewing stakeholders, and conducting surveys or observations. The goal of this step is to gather information that will help to identify the root cause of the problem.
With the data collected, the next step is to identify potential causes of the problem. Analyze the data to identify patterns, trends, and relationships. Were policies and procedures followed? Are policies or procedures flawed? Are controls not working as expected? Is there an issue with a third-party vendor? Was there adequate management oversight?
After potential causes have been identified, the next step is to evaluate each one to determine which is the most likely root cause. It’s a good idea to reevaluate relevant compliance controls. It may turn out that a control isn’t very effective but still isn’t a significant factor, because the control didn’t have a large impact anyway.
The root cause of a violation isn’t always limited to one factor. It can be the result of several weaknesses within the CMS.
With the most likely root cause determined, the next step is to confirm it through additional analysis and testing. This may include reviewing documentation or interviewing stakeholders.
Once the root cause has been confirmed, the final step is to develop a solution that addresses the root cause. Should existing controls be enhanced or are new controls needed? This may involve implementing new processes, updating policies and procedures, or investing in new technologies.
Any solution should be designed to prevent the problem from occurring in the future.
The final step in conducting a root cause analysis is to implement the solution in a timely and appropriate manner and monitor its effectiveness. This may involve conducting regular reviews, testing, and monitoring to ensure that the solution is working as intended. You can’t just assume the solution is effective. You need to follow up to know for sure.
Conducting a root cause analysis can be a complex and time-consuming process, but it is necessary for understanding what’s causing compliance issues at your financial institution. Knowing the root of the problem is the only way to develop an effective and sustainable solution that addresses the underlying issues.