Root Cause Analysis to Deliver Value Added Results January 2014 Speaker Profile Steven R. Melletz CPA, CIA, CGMA • • • • • Senior Vice President in charge of directing the Financial Audit function at First Commonwealth Financial Corporation Member of the Board of Trustees of the Institute of Internal Auditors – Pittsburgh Chapter Former Chief Audit Executive of K-Sea Transportation, a publicly traded Transportation Company (defunct by acquisition). Former Manager at PwC and a BDO Seidman affiliate Former FDIC Accounting Technician who audited failed banks for transition to the assuming banks. Disclaimer Anything that I say during this presentation is my opinion and not necessarily the opinion of First Commonwealth Financial Corporation, First Commonwealth Bank, or any of its subsidiaries. Some of the situations that I mention may or may not be true and the identities of any parties involved have been disguised. What is This? AA FE PNC FII DKS BK MYL UBSI SOME FCF A Brief History Behind Root Cause Analysis (RCA) • Developed by Sakichi Toyoda who later founded Toyota Motor Company. • RCA was first used during the development of Toyota’s manufacturing processes in 1958. Relation to the IIA Standards • Standard 2320: Analysis and Evaluation – Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations. • • • • Practice Advisory 2320-1: Analytical Procedures Practice Advisory 2320-2: Root Cause Analysis Practice Advisory 2320-3: Audit Sampling Practice Advisory 2320-4: Continuous Assurance Relation to the IIA Standards continued • Standard 2410: Criteria for Communicating – Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans. • Practice Advisory 2410-1 Communication Criteria • Standard 2420: Quality of Communications – Communications must be accurate, objective, clear, concise, constructive, complete, and timely. • Practice Advisory 2420-1 What is Root Cause Analysis? • Root cause analysis (RCA) is defined as the identification of why an issue occurred vs. only identifying or reporting the issue itself. • In this context, an issue is defined as a problem, error, instance of noncompliance, or missed opportunity. What is Root Cause Analysis? continued • Auditors whose reporting only recommends that management fix the issue and not the underlying reason that caused the issue are failing to add insights that improve the longer-term effectiveness and efficiency of business processes and thus, the overall governance, risk, and control environment. • A core competency necessary for delivering insights is the ability to identify the need for root cause analysis and as appropriate, actually facilitate, review, and/or conduct a root cause(s) analysis. What is Root Cause Analysis? continued • Internal Audit can be the ideal group to analyze issues and identify root causes given their independence and objectivity. This perspective helps ensure biases are minimized, assumptions are challenged, and evidence is fully evaluated. • Internal Auditors by working across various reporting chains and departments of an organization may have developed a broad and deep understanding of the underlying issues that may exceed that of any single member of management which makes them best positioned to analyze an issue. In circumstances where the root cause of an issue is a result of actions or inaction by management, it is critical to use an objective party such as Internal Audit to investigate and report back to Senior Management. What is Root Cause Analysis? continued • Root cause analysis benefits the organization by identifying the underlying cause(s) of an issue. This approach provides a long-term perspective for the improvement of business processes. Without the performance of an effective root cause analysis and the appropriate remdiation activities, an issue may have a higher probability to reoccur. Root cause analysis helps prevent additional rework and proactively addresses future recurrences of the issues. RCA Situations • RCA may be considered in any number of situations, such as those: – – – – – – – Involving a surprise risk event Process failure Asset damage or loss Production stoppage Safety incident Quality degradation Or Customer dissatisfaction. RCA – 5 Why’s • RCA may be as simple as asking “five whys”: – – – – – The worker fell. Why? Oil on the floor. Why? Broken part. Why? The parts keep failing. Why? Changes in procurement practices. Why? 5 Whys Continued • By the fifth why, the auditor should have identified or be close to identifying the root cause. More complex issues may require a greater investment of resources and more rigorous analysis. • Prior to commencing RCA for more complex issues, auditors should consider: – Time – Skill sets Potential RCA Barriers • Prior to performing RCA, internal auditors should anticipate the following potential barriers: – Management may be reluctant to support internal audit’s role in RCA. You may need your CAE to explain roles to Management. – Management may resist due to time and resource commitments. – RCA may be difficult and subjective – RCA that leads to specific concrete observations and recommendations could be perceived to be placing the auditor in the role of Management. Environmental Factors • Most root causes can be traced back to decisions, actions, or inactions by one or more employees. • Some of these could be: – – – – – – – Competence of personnel Hiring qualified personnel Lack of or insufficient training Adequacy of technology or tools Appropriateness of organization or departmental culture Health of the organization or departmental morale Level or number of resources (budget/personnel) Environmental Factors Continued – Process circumstances and other influencing items that led the person or persons to make the decisions – Decision-making authority of the person or persons involved. Techniques • Five Whys • Failure mode and effects analysis • SIPOC (Suppliers, inputs, processes, outputs, customers diagram. • Flowcharting of the process flow, system flow, and data flow. • Fishbone diagrams • Critical to quality metrics • Pareto chart • Statistical Correlation RCA – 5 Why’s 1. Write down the specific problem - The worker fell. Why? 2. Write down answer; Oil on the floor. Ask 2nd Why? 3. Continue until what you consider is the true root cause is defined. 4. Don’t allow an early believable answer keep you from continuing to ask why. Broken part. Why? 5. The parts keep failing. Why? 6. Changes in procurement practices. Why? RCA – Failure, Modes, and Effect Analysis • This is a step-by-step approach identifying all possible failures in a design, a manufacturing or assembly process, or a product or service. – – – – – – – – What is process step? What is key process input? In what ways can the key inputs go wrong? What is the impact on the outputs? How severe is the effect to the customer? What causes the potential failure? How often does the failure occur? What existing controls can prevent the failure? RCA – Failure, Modes, and Effect Analysis continued: – How well can the failure be detected? – Multiply the severity, occurrence, and detection. – What actions can reduce the occurrence or improve detection? SIPOC • High level process map showing Suppliers, Inputs, Process steps, Outputs, and Customers • We see how the pieces fit together: Suppliers Supplier 1 Inputs Input 1 Processes Process Step 1 Input 2 Outputs Output 1 Customers Customer 1 Output 2 Process Step 2 Supplier 2 Input 3 Process 3 Output 3 Output 4 Customer 2 Fishbone Diagram Pareto Chart • • A bar graph that categorizes the frequency of a certain type of event. Could be used for customer or Hotline complaint types. Five Cs • • • • • Criteria Condition Consequence/Effect Cause Corrective Action/Recommendation Five Cs • Criteria – The law, regulation, contractual obligation, policy, procedure, or best practice that is expected to be followed • Condition – The factual analysis of the process as it exists • Consequence/Effect – Why the issue is important and noteworthy from a compliance, financial, or operational standpoint. Five Cs • Cause – The root cause which allowed the condition to not emulate the criteria. • Corrective Action/Recommendation – Change that will address the root cause, allow the current condition to mirror best practice or other criteria and does not cost more in relation to its effect. Situation 1 - Wire • Facts – Wire was released for $2,828,282,828.28 – Why was it released? Use 5 why’s Situation 2 – Time Theft • Facts – Two workers decided to switch schedules. – Normally this would be OK if permission was asked, but that is not what happened in this situation. Situation 3 – Compensation • Facts – Employees paid commission – Falsified records Adding Value - Opportunities • RCA can be used in consulting opportunities requested by Management, the Audit Committee, by circumstances resulting from an audit, from many situations. • I have received these opportunities from: – – – – – Hotline calls H.R. requests Legal requests Line of Business requests Audit Committee requests Adding Value - How • Do we create analysis that management does not currently have available? • Recommendations that Management has not considered. • Advising Senior Management, Audit Committee, Board of Directors of business risks and issues that they may not be aware. • Issues that they may want independently assessed. Adding Value - How • Do we create analysis that management does not currently have available? Maybe it is available, but they want it to be independently verified. • Recommendations that Management has not considered. • Advising Senior Management, Audit Committee, Board of Directors of business risks and issues that they may not be aware. • Issues that they may want independently assessed. Adding Value - How • Ask Management and the Audit Committee if there are any services you can provide. • Persuade them that you have the ability to provide value added services. If you can audit and perform fraud investigations, you can provide value-added services. • Make sure that you are ‘in the know’ of the Organization’s strategy, objectives, and goals. • Don’t settle with ‘no’. Go back and inquire periodically. Sources • Institute of Internal Auditors Professional Standards and Guidance IPPF Any Questions? My Contact Information Steven R. Melletz CPA, CIA, CGMA • • SVP, Internal Audit First Commonwealth Financial Corporation • Email: SMelletz@fcbanking.com • Phone: 724.463.4707 • Please feel free to email me with any questions.