Root Cause Analysis Presentation - The Institute of Internal Auditors

advertisement
Root Cause Analysis
to Deliver Value
Added Results
January 2014
Speaker Profile
Steven R. Melletz CPA, CIA, CGMA
•
•
•
•
•
Senior Vice President in charge of directing the Financial Audit function at First
Commonwealth Financial Corporation
Member of the Board of Trustees of the Institute of Internal Auditors – Pittsburgh Chapter
Former Chief Audit Executive of K-Sea Transportation, a publicly traded Transportation
Company (defunct by acquisition).
Former Manager at PwC and a BDO Seidman affiliate
Former FDIC Accounting Technician who audited failed banks for transition to the assuming
banks.
Disclaimer
Anything that I say during this presentation is
my opinion and not necessarily the opinion of
First Commonwealth Financial Corporation, First
Commonwealth Bank, or any of its subsidiaries.
Some of the situations that I mention may or
may not be true and the identities of any parties
involved have been disguised.
What is This?
AA
FE
PNC
FII
DKS
BK
MYL
UBSI
SOME
FCF
A Brief History Behind Root Cause
Analysis (RCA)
• Developed by Sakichi Toyoda who later founded
Toyota Motor Company.
• RCA was first used during the development of
Toyota’s manufacturing processes in 1958.
Relation to the IIA Standards
• Standard 2320: Analysis and Evaluation
– Internal auditors must base conclusions and engagement
results on appropriate analyses and evaluations.
•
•
•
•
Practice Advisory 2320-1: Analytical Procedures
Practice Advisory 2320-2: Root Cause Analysis
Practice Advisory 2320-3: Audit Sampling
Practice Advisory 2320-4: Continuous Assurance
Relation to the IIA Standards
continued
• Standard 2410: Criteria for Communicating
– Communications must include the engagement’s
objectives and scope as well as applicable conclusions,
recommendations, and action plans.
• Practice Advisory 2410-1 Communication Criteria
• Standard 2420: Quality of Communications
– Communications must be accurate, objective, clear,
concise, constructive, complete, and timely.
• Practice Advisory 2420-1
What is Root Cause Analysis?
• Root cause analysis (RCA) is defined as the
identification of why an issue occurred vs. only
identifying or reporting the issue itself.
• In this context, an issue is defined as a problem, error,
instance of noncompliance, or missed opportunity.
What is Root Cause Analysis?
continued
• Auditors whose reporting only recommends that management
fix the issue and not the underlying reason that caused the issue
are failing to add insights that improve the longer-term
effectiveness and efficiency of business processes and thus, the
overall governance, risk, and control environment.
• A core competency necessary for delivering insights is the ability
to identify the need for root cause analysis and as appropriate,
actually facilitate, review, and/or conduct a root cause(s)
analysis.
What is Root Cause Analysis?
continued
• Internal Audit can be the ideal group to analyze issues and
identify root causes given their independence and objectivity.
This perspective helps ensure biases are minimized,
assumptions are challenged, and evidence is fully evaluated.
• Internal Auditors by working across various reporting chains and
departments of an organization may have developed a broad
and deep understanding of the underlying issues that may
exceed that of any single member of management which makes
them best positioned to analyze an issue. In circumstances
where the root cause of an issue is a result of actions or inaction
by management, it is critical to use an objective party such as
Internal Audit to investigate and report back to Senior
Management.
What is Root Cause Analysis?
continued
• Root cause analysis benefits the organization by
identifying the underlying cause(s) of an issue. This
approach provides a long-term perspective for the
improvement of business processes. Without the
performance of an effective root cause analysis and
the appropriate remdiation activities, an issue may
have a higher probability to reoccur. Root cause
analysis helps prevent additional rework and
proactively addresses future recurrences of the
issues.
RCA Situations
• RCA may be considered in any number of situations,
such as those:
–
–
–
–
–
–
–
Involving a surprise risk event
Process failure
Asset damage or loss
Production stoppage
Safety incident
Quality degradation
Or Customer dissatisfaction.
RCA – 5 Why’s
• RCA may be as simple as asking “five whys”:
–
–
–
–
–
The worker fell. Why?
Oil on the floor. Why?
Broken part. Why?
The parts keep failing. Why?
Changes in procurement practices. Why?
5 Whys Continued
• By the fifth why, the auditor should have identified
or be close to identifying the root cause. More
complex issues may require a greater investment of
resources and more rigorous analysis.
• Prior to commencing RCA for more complex issues,
auditors should consider:
– Time
– Skill sets
Potential RCA Barriers
• Prior to performing RCA, internal auditors should
anticipate the following potential barriers:
– Management may be reluctant to support internal audit’s
role in RCA. You may need your CAE to explain roles to
Management.
– Management may resist due to time and resource
commitments.
– RCA may be difficult and subjective
– RCA that leads to specific concrete observations and
recommendations could be perceived to be placing the
auditor in the role of Management.
Environmental Factors
• Most root causes can be traced back to decisions,
actions, or inactions by one or more employees.
• Some of these could be:
–
–
–
–
–
–
–
Competence of personnel
Hiring qualified personnel
Lack of or insufficient training
Adequacy of technology or tools
Appropriateness of organization or departmental culture
Health of the organization or departmental morale
Level or number of resources (budget/personnel)
Environmental Factors Continued
– Process circumstances and other influencing items that led
the person or persons to make the decisions
– Decision-making authority of the person or persons
involved.
Techniques
• Five Whys
• Failure mode and effects analysis
• SIPOC (Suppliers, inputs, processes, outputs,
customers diagram.
• Flowcharting of the process flow, system flow, and
data flow.
• Fishbone diagrams
• Critical to quality metrics
• Pareto chart
• Statistical Correlation
RCA – 5 Why’s
1. Write down the specific problem - The worker fell. Why?
2. Write down answer; Oil on the floor. Ask 2nd Why?
3. Continue until what you consider is the true root cause is
defined.
4. Don’t allow an early believable answer keep you from
continuing to ask why. Broken part. Why?
5. The parts keep failing. Why?
6. Changes in procurement practices. Why?
RCA – Failure, Modes, and Effect
Analysis
• This is a step-by-step approach identifying all
possible failures in a design, a manufacturing or
assembly process, or a product or service.
–
–
–
–
–
–
–
–
What is process step?
What is key process input?
In what ways can the key inputs go wrong?
What is the impact on the outputs?
How severe is the effect to the customer?
What causes the potential failure?
How often does the failure occur?
What existing controls can prevent the failure?
RCA – Failure, Modes, and Effect
Analysis continued:
– How well can the failure be detected?
– Multiply the severity, occurrence, and detection.
– What actions can reduce the occurrence or
improve detection?
SIPOC
• High level process map showing Suppliers,
Inputs, Process steps, Outputs, and Customers
• We see how the pieces fit together:
Suppliers
Supplier 1
Inputs
Input 1
Processes
Process
Step 1
Input 2
Outputs
Output 1
Customers
Customer 1
Output 2
Process
Step 2
Supplier 2
Input 3
Process 3
Output 3
Output 4
Customer 2
Fishbone Diagram
Pareto Chart
•
•
A bar graph that categorizes the frequency of a certain type of event.
Could be used for customer or Hotline complaint types.
Five Cs
•
•
•
•
•
Criteria
Condition
Consequence/Effect
Cause
Corrective Action/Recommendation
Five Cs
• Criteria
– The law, regulation, contractual obligation, policy,
procedure, or best practice that is expected to be followed
• Condition
– The factual analysis of the process as it exists
• Consequence/Effect
– Why the issue is important and noteworthy from a
compliance, financial, or operational standpoint.
Five Cs
• Cause
– The root cause which allowed the condition to not emulate
the criteria.
• Corrective Action/Recommendation
– Change that will address the root cause, allow the current
condition to mirror best practice or other criteria and does
not cost more in relation to its effect.
Situation 1 - Wire
• Facts
– Wire was released for $2,828,282,828.28
– Why was it released? Use 5 why’s
Situation 2 – Time Theft
• Facts
– Two workers decided to switch schedules.
– Normally this would be OK if permission was asked, but
that is not what happened in this situation.
Situation 3 – Compensation
• Facts
– Employees paid commission
– Falsified records
Adding Value - Opportunities
• RCA can be used in consulting opportunities
requested by Management, the Audit Committee, by
circumstances resulting from an audit, from many
situations.
• I have received these opportunities from:
–
–
–
–
–
Hotline calls
H.R. requests
Legal requests
Line of Business requests
Audit Committee requests
Adding Value - How
• Do we create analysis that management does not
currently have available?
• Recommendations that Management has not
considered.
• Advising Senior Management, Audit Committee,
Board of Directors of business risks and issues that
they may not be aware.
• Issues that they may want independently assessed.
Adding Value - How
• Do we create analysis that management does not
currently have available? Maybe it is available, but
they want it to be independently verified.
• Recommendations that Management has not
considered.
• Advising Senior Management, Audit Committee,
Board of Directors of business risks and issues that
they may not be aware.
• Issues that they may want independently assessed.
Adding Value - How
• Ask Management and the Audit Committee if there
are any services you can provide.
• Persuade them that you have the ability to provide
value added services. If you can audit and perform
fraud investigations, you can provide value-added
services.
• Make sure that you are ‘in the know’ of the
Organization’s strategy, objectives, and goals.
• Don’t settle with ‘no’. Go back and inquire
periodically.
Sources
• Institute of Internal Auditors Professional Standards
and Guidance IPPF
Any Questions?
My Contact Information
Steven R. Melletz CPA, CIA, CGMA
•
•
SVP, Internal Audit
First Commonwealth Financial Corporation
•
Email: SMelletz@fcbanking.com
•
Phone: 724.463.4707
•
Please feel free to email me with any questions.
Download