Root Cause Analysis

Buried in COBIT 5 processes like Manage Quality (APO11) and Manage Risk (APO12), you will find a root cause analysis (RCA) as an output of the management practices.  The RCA output is used by numerous other processes.  Obviously, knowledge of root cause analysis methods and techniques is essential for Manage Service Requests and Incidents (DSS02) and Manage Problems (DSS03).  At times, COBIT uses the term imprecisely.  For instance, process Manage Programmes and Projects (BAI01) calls for you to “perform root cause analysis for deviations from the plan.”  My management accounting education tells me this is really a variance analysis, which is where you quantitatively investigate the difference between actual and planned behaviour.  Once you have quantified the variance and found the reason for it, you may need to dig for the root cause, but only when you perceive that there is a systemic reason for the deviation.  When it is just a one-off deviation, variance analysis is the way to go.  Any tradesman will attest that you have a toolkit and each tool has a particular purpose.  Yes, you could use a wrench to drive in a nail, but a hammer works better.  Are you confused yet?  Perhaps I need to step back and talk about what root cause analysis is.

In COBIT, you learn everything in your organization is a process or part of a process.  You can characterize every process by its average performance and variation from the average.  Processes are optimal when the result of the process is at the expected value, meaning there is minimal variation.  However, occasionally things go wrong.  In Six Sigma, they say “shift happens.”  This means the process is wobbling and drifting from average performance.  (We won’t even talk about entropy.)  ISO 13053-1, Clause 9.3.3 states: “Each particular problem is the product of an errant system (or process).  The frequency and magnitude of the problem should be monitored to determine whether it is constant or sporadic, increasing in magnitude or decreasing, etc.”
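To make the two ideas above concrete (a plan-versus-actual variance analysis, and monitoring the frequency and magnitude of a recurring problem to decide whether it is constant, sporadic, increasing or decreasing), here is a small added example in Python. It is not code from the article or from COBIT or ISO 13053; the control-chart limits follow the standard count ("c") chart rule of mean plus or minus three times the square root of the mean, the trend and sporadic thresholds are my own assumptions, and all the incident counts are constructed sample data.

```python
"""Added example: plan-vs-actual variance analysis and frequency/magnitude
monitoring of a recurring problem. Not part of the original article; the
thresholds are assumptions and all sample data is constructed."""
from statistics import fmean


def variance_analysis(planned, actual):
    """Quantify the plan-vs-actual difference for one measure.

    Returns (absolute_variance, percent_variance). A positive value means
    actual exceeded plan, which is unfavourable for cost or effort measures.
    """
    absolute = actual - planned
    percent = absolute / planned * 100.0 if planned else float("inf")
    return absolute, round(percent, 1)


def c_chart_limits(counts):
    """Control limits for a count-per-period ('c') chart.

    Centre line is the mean count; limits are mean +/- 3*sqrt(mean),
    with the lower limit floored at zero because counts cannot be negative.
    Returns (centre, lower, upper).
    """
    c_bar = fmean(counts)
    spread = 3.0 * c_bar ** 0.5
    return c_bar, max(0.0, c_bar - spread), c_bar + spread


def out_of_control(counts):
    """Indices of periods whose count exceeds the upper control limit.

    Such periods are the 'wobbles' that merit a variance explanation, even
    when the underlying process is otherwise stable.
    """
    _, _, upper = c_chart_limits(counts)
    return [i for i, c in enumerate(counts) if c > upper]


def classify_problem(counts, zero_fraction=0.5, trend_ratio=1.5):
    """Classify how a problem recurs over consecutive periods.

    'sporadic'   : at least zero_fraction of the periods have no occurrence
    'increasing' : second-half mean is at least trend_ratio x first-half mean
    'decreasing' : first-half mean is at least trend_ratio x second-half mean
    'constant'   : otherwise, i.e. a steady rate that points to a systemic
                   cause and is a candidate for root cause analysis
    The thresholds are assumptions chosen for illustration.
    """
    n = len(counts)
    if n < 4:
        raise ValueError("need at least four periods to judge a trend")
    zeros = sum(1 for c in counts if c == 0)
    if zeros / n >= zero_fraction:
        return "sporadic"
    half = n // 2
    first, second = fmean(counts[:half]), fmean(counts[half:])
    if second > first and second >= first * trend_ratio:
        return "increasing"
    if first > second and first >= second * trend_ratio:
        return "decreasing"
    return "constant"


if __name__ == "__main__":
    # Constructed sample data: planned vs actual effort for one project task.
    print("variance (hours, %):", variance_analysis(planned=40, actual=52))

    # Constructed weekly counts of the same incident type, four patterns.
    samples = {
        "stable":     [3, 2, 4, 3, 2, 3, 4, 3],
        "one spike":  [3, 2, 4, 3, 12, 3, 4, 3],
        "rising":     [1, 1, 2, 2, 4, 5, 6, 8],
        "sporadic":   [0, 0, 3, 0, 0, 0, 7, 0],
        "falling":    [9, 8, 7, 6, 3, 2, 2, 1],
    }
    for name, counts in samples.items():
        centre, lower, upper = c_chart_limits(counts)
        print(f"{name:10s} mean={centre:.2f} limits=({lower:.2f}, {upper:.2f}) "
              f"pattern={classify_problem(counts)} "
              f"out_of_control={out_of_control(counts)}")
```

The distinction the article draws falls out of the two functions: a single period flagged by `out_of_control` on an otherwise "constant" series is a deviation to explain with variance analysis, whereas a series classified "increasing" (or a high steady rate) is the errant system that warrants a root cause analysis.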

So we need to use a problem solving method like G8D, Kepner-Tregoe PSDM, Kaizen DMAIC, PDCA, RPR, SCORE, Six Sigma, ThinkX or TRIZ to figure out why.  Even the word PROBLEM gives us a simple method: Profile, Root cause, Options, Balance, Launch, Evaluate and Maintain.  Like PROBLEM, the methods usually call for root cause analysis.

Root cause analysis is an objective, thorough and disciplined methodology you employ to determine the most probable underlying causes of a problem or undesired event within your organization.  Its aim is to formulate and agree corrective actions that at least mitigate, if not eliminate, those causes, so as to produce significant long-term performance improvement.

But this raises the question: what is a root cause?  Well, a root cause is the most reasonably identified basic causal factor, or factors, which when corrected or removed will prevent (or significantly reduce) the recurrence of a situation, such as an error in performing a procedure.  It is also the earliest point at which you could have taken action that would have reduced the chance of the incident happening.  Notice the use of the word factors, as there is usually not one factor but many contributing.  Think of the root cause of world hunger.  We have enough food to feed everyone, so why are some people starving?  There are many contributing factors: environmental, political, social and economic.  And there are even more factors contributing to each of those high-level buckets.  But you can work on the problem by working on the contributing factors.  Remember, in COBIT you are looking for progress, not perfection.  Just chipping away at any contributing factor has a mitigating effect on the problem.

When looking for root causes, look beyond the obvious.  Usually what you first identify as the cause of a problem is a symptom of the root cause, not the cause itself.  A successful analysis is Complete, Credible and Comprehensive.  Oh, and don’t forget to document your analysis using the Five Cs: Criteria, Condition, Consequence/Effect, Cause, and Corrective Action/Recommendation.  This article was brought to you by the letter of the day: C.

By Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 28000 FC, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB, RESILIA FC is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 FC/LI/LA, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.

Category: COBIT
