Root Cause Analysis

Do you believe that unwanted situations within an organizations are about 95% related to process problems and only 5% related to personnel problems? In my views, they are 100% related to personnel problems. :) We always assume that everyone in the organization doing their best to do the right things, but everything ends up screwed up. Actually, the root cause of these situations is local optimization with no global thought involved. When we are working 'in' the process we are not working 'on' it. The person managing or owning the business process should have reasonable knowledge of the process he owns, the technology and the people involved therein.

The Plant Manager walked into the plant and found oil on the floor. He called the foreman over and instructed him to have maintenance clean up the oil. On the next day he again found oil on the floor in the same area of the plant. He thought it must be a process problem. To find the root cause of the problem, he asked the foreman why there was oil on the floor. The foreman indicated that it was due to a leaky gasket in the pipe joint above. The Plant Manager then asked when the gasket had been replaced and the foreman replied that maintenance had installed three gaskets over the past few weeks and all were seemed to leak.

The Plant Manager immediately approached the Maintenance and understood from them that they were all bad and Purchasing had already been informed about the faulty gaskets. The Plant Manager then went to talk with Purchasing about the situation with the gaskets. The Purchasing Manager indicated that they had in fact received a bad batch of gaskets from the supplier. The Purchasing Manager also informed that they had been trying continuously for past two months to get the supplier make good on the last order of gaskets that were all seemed to be bad.

The Plant Manager then asked the Purchasing Manager why they were purchasing from this supplier when they were so disreputable. The Purchasing Manager said because they were the lowest bidder when quotes were received from various suppliers and as a process they always purchase from the lowest bidder. The Plant Manager then asked the Purchasing Manager why they are continuing with this lowest bidder and he indicated that he had received the direction from the VP Finance.

The Plant Manager then went to talk to the VP Finance about the situation. When the Plant Manager asked the VP Finance why Purchasing had been directed to always purchase from the lowest bidder, the VP Finance said, "Because you indicated that we had to be as cost conscious as possible!" and purchasing from the lowest bidder saves us lots of money. The Plant Manger was horrified to find that he was held the reason there was oil on the plant floor.

One may find this scenario somewhat funny, and laugh at the situation but it is often all so true in numerous variations when you reach the last Why? doing Root Cause Analysis.

Enron all over again

Post-Enron era was supposed to be different but just six years after the disaster it feels as though somebody hit rewind.

I read above lines searching for ''Fannie Mae'' this morning. Actually today morning, I was going through my website's tracker report and found that somebody from ''Fannie Mae'' was surfing my website doing an organic search using the keywords ''Risk Consulting Mumbai''.

Fannie Mae explained to its nervous investors about the change in the way it discloses its bad loans and whether the change is masking the mounting losses. However, the chief financial officer and other executives failed to answer some important questions about loan losses and left the investors in doubt about the Company's financial footing.

Fannie Mae changed the method for calculating its credit-loss ratio, an indicator of its bad loan losses as a percentage of its overall loans. Investors have been using the credit ratio to assess the credit quality of Fannie Mae's mortgages. Fannie Mae had announced recently an annualized credit-loss ratio of four basis points for the first nine months of the year that was well within the company forecast but If it had not changed the method, it would have had a credit loss ratio almost twice the four basis points, high enough to start making the investors nervous.

Essentially, the company was able to lower the ratio by excluding a certain type of loss known as SOP 03-3 loss.

Here is how SOP 03-3 losses work: Fannie Mae guarantees mortgages, which have been packaged and sold to investors as bonds. If a house-owner falls significantly behind on his payments, Fannie Mae has to buy back the loan from the bondholder. If the mortgage has an outstanding amount of, say, $100,000 and unpaid interest of $5,000, Fannie Mae would have to pay $105,000, its full value, to make the bondholders whole.

However, the $105,000 loan may actually be worth less on the market. It is Fannie Mae's job to estimate the market value, or fair market value, of the loan and to record that price on its books. So if the fair market value is $80,000, Fannie Mae takes a loss of $25,000 (the difference between $105,000 and $80,000). This loss is considered an SOP 03-3 loss.

Until recently, Fannie Mae included SOP 03-3 losses as part of its credit-loss ratio. But here's the trick: Fannie insists that, based on past trends, it can recover a large part of that $25,000 loss by, for example, helping the borrower renew payments. So it simply decided to stop including SOP 03-3 losses in calculating its credit-loss ratio.

Fannie Mae executives failed to provide numbers showing what proportion of SOP 03-3 losses are recovered, but promised to disclose them in the future. One possible reason why Fannie Mae doesn't want to provide information on recoveries is because it might be using assumptions that are too optimistic, potentially underestimating SOP 03-3 losses.

Now, question remains why somebody at Fannie Mae was looking for Risk Consulting in Mumbai at this time.

Ethics Gospel

Once upon a time, in India, there was a big hermitage of a sage in the valley of Himalayas. There were lots of cows, by milk of which alone the expenses of the hermitage were met. The milk was also consumed by the resident of the hermitage. One day a disciple came to the sage, the headman and his Guru to make a complaint. He expressed his doubt that somebody is mixing water in the milk of the hermitage regularly. How to curb the ill practice? asked the Guru. The disciple suggested that one person be employed who will monitor the milk to control the adulteration. Thus, one person was employed for the purpose.

After few days, the disciple came again to his Guru and said that since they have employed a person to keep a watch over the milk, there has been more mixing up of water than before. The Guru casually said to keep one more person to watch over the first. A few days later, there was a big blunder and many disciples came to the Guru to complain heavy adulteration in the milk. Moreover, along with water someone had also found a fish in the milk.

The Guru said that if you employ more and more people to monitor, the adulteration is bound to increase. Initially there were lesser number of people who had their share in the milk and therefore there was lesser water in the milk. When you had increased a person for monitoring, his share was also added which in turn increased the stress on the existing resources. When you employed the second person, the adulteration increased to such an extent that you have now a fish in the milk instead of cream.

The disciples humbly asked the Guru for a correct solution. The Guru said it was his mistake that he never made his disciples mindful enough to educate and rightfully guide their subordinate disciples. By making a few people mindful does not make the society free of ills but all should understand their duties. We have to change ourselves first to bring the changes in the society. Mahatma Gandhi once said that we should become the change we want to see.

The Guru said we should have capabilities to change the mind set of the people in the hermitage. We preferred the easy way of making a complaint instead of selecting hard way of making our subordinates mindful of ills of adulteration and benefits of caring cows to produce more milk.

The Management Accounting says no one should be made liable for inefficiencies of others. The Internal Auditor is made liable for inefficiencies of the Control Owners. Cost of Internal Audit is connected to extent of its testing and monitoring. When controls designed and exercised by the management are ineffective and IA places lesser reliance on it and increases the extent of testing and monitoring which inturn increases the cost. When IA over rely on effectiveness of controls it faces risk of not exercising due care and diligence for preventing control failures.

Self Control Assessment (SCA) technique in its current format too is not effective as Control Owners are made ready to the skills of monitoring instead the objective and the ethics. There are newer ways of reducing cost of monitoring but need is to go beyond the prevailing dominant designs in the industry. We must first find out how to balance our monitoring programme which does not involve duplication of efforts allocating the valuable resources incorrectly and thus increasing our cost of monitoring. Secondly, we should become more and more objective oriented to find out newer ways of creating deterrence at a lesser cost. What you think about Ethics Gospel like this?

Your application of Indian philosophy is better only when you draw correct analogy. Remember it's a rocket science and you need the escaping velocity to mitigate the effect of dominant forces of existing systems and mind sets. The problem is difficulty in drawing a correct analogy because adulteration is on and purity is gone. Now, draw an analogy to be able to better understand the presented case study and change your execution style hereon.

Business needs a scorecard

Mr. Vidyarthi an innovative consultant had recently visited one of the biggest business conglomerates with his new idea to increase returns on the risk monitoring activities of the corporation. He had envisaged that even the smartest people in the profession will find it difficult to digest the idea due to effect of the dominant designs on their mindsets. So the meeting was more of an experiment for Mr. Vidyarthi. He wanted to test the minds of the business leaders at the meeting. One cannot think out of the box until he or she comes out of his or her comfort zones. In another words, you cannot escape the power of the dominant designs. Only the rocket science can make you pass the gravity.

Mr. Vidyarthi during his presentation to the business leaders of the business conglomerate revealed how faulty is the existing risk analysis process used in the industry whereby the monitoring activities to be carried out are prioritized on the basis of the net risk.

A risk perceived is given a risk score on the basis of various risk criteria which is then adjusted with the comfort level achieved due to perceived effectiveness of the mitigating controls. The net risk is indeed the inherent limitations of the controls. Therefore the net risk score is an incorrect criterion to priorities the monitoring activities that are mainly to test existence of the controls. Secondly, effectiveness of controls is not tested and challenged scientifically; hence the net risk so calculated is also questionable.

The business leaders were not ready to get their mind challenged and it was apparent soon. Mr. Participator, one of the business leaders present at the meeting, who first accepted a premise when asked, denied the acceptance when a flaw was shown in it subsequently.

A sharp question was then raised by Mr. Encourager, another business leader while looking at the diagram depicting gross risk, control effectiveness and net risk in the presentation of Mr. Vidyarthi. Can you define the Gross Risk? If you could come out with a method to measure the gross risk then it would be a great idea. The question was clearly out of the context. Mr. Vidyarthi was now clear that the question was from a preconceived mind than an open mind.

The point was when nobody can define a gross risk, then how anyone can be sure of effectiveness of the processes and controls? It depends on ones professional judgment and previous experiences about those risks and controls. You know more about a risk and its mitigating controls when you consider different view points which perceive risks differently. So risk assessment cannot be a static process but has to be a dynamic one. Each assertion needs to be tested again and again. Each assertion needs to be subdivided further into smaller assertions.

When Mr. Vidyarthi started talking about a new score keeping method which could reduce the monitoring cost i.e. the cost associated with monitoring the non-compliance of the established controls and procedures, Mr. Participator said that if the auditor perform sampling and finds out non-compliance issues then instead of checking all the risk sources he may just tell the risk owner to look at all of them and make the corrections. This creates required deterrence. Thus we are just using a different variant of your idea.

Mr. Vidyarthi was now very clear that Mr. Participator's mind set had been that of the fault finder but regular conflicts with his auditees in past have made him now a person just focusing on effectiveness of processes and controls and a little negligent to emphasize on finding the existence of the controls or the non-compliance. However, monitoring non-compliance has always been on the top of the list of the items that consumed his budget. He was of the view that any kind of scorecard connected with KPI of the auditees is not an effective method as it creates lot of negativity among the auditees. Therefore ensuring effective processes and control is better than finding non-compliance and scoring the non-compliant risk owners on that basis. There was an obvious flaw in the argument as effectiveness assertion is not connected with existence assertion. Which controls do you check for its existence, the less effective ones or more effective ones?

Balance sheet, P&L or NASDAQ or BSE sensex all are kinds of scorecard. Scorecard is way of life. Education systems, government legislation, businesses, economics all use some or other kind of scorecards. Risk scoring is also a scorecard. Performance appraisal using a balanced scorecard is very common. Scorecard is a scientific method to evaluate people, businesses and economy of a country. If we don' t use scorecards then we are just using our instincts and intuition to make our decisions. Mr. Participator's logic was full of flaws. The item was definitely debatable but again was out of the context. It was like putting the fingers in the ears to reject the idea outright.

Mr. Vidyarthi was actually talking about an innovative score keeping method which makes the risk owners or auditees to remain compliant proactively. So, corrective measures are taken even before the audit is carried out to detect any non-compliance. The method discussed was about leveraging the risk taking and decision making ability of the risk owners to foster compliance. The method was about reducing the cost of monitoring while keeping the deterrence at the same level.

Mr. Vidyarthi realized that the business leaders present at the meeting were all well mannered but lacked the ability to zero down from their previous knowledge, perceptions and As Is position. One has to empty up ones' fully occupied mind and stomach before something new can go inside it. The new idea was a big risk for them to invest in. It was soon the end of the meeting with a positive promise to further brainstorm the idea internally by the business leaders.

However, Mr. Vidyarthi was grateful for the valuable time provided by the business leaders for his experimentation.