Lessons in Risk From "Jack and the Beanstalk"
In her session titled “Root Cause or Causal Factor: Why It Matters” at the 32nd Annual ACFE Global Fraud Conference, Susann Ng, CFE, illuminated the difference between causal factor and root cause analysis. Causal factor is more granular in nature. It’s always backward looking, and there’s usually more than one contributing element. Root cause, by contrast, is one key, underlying element of an event.
When fraud examiners understand both the causal factors and the root cause of an undesirable event, they can understand what and how something went wrong or what produced the unexpected outcome. They can then use those insights to design and implement control improvements.
Ng recommended mapping out an event using visualization techniques. “Visualization is helpful, in that, when conducting a fraud investigation, it provides clarity for yourself, the investigator and anyone you’re working with,” Ng shared with attendees. Visualization also:
Organizes events in a chronological order
Helps you to highlight the key risk points
Maps what should have happened versus what did happen
Clarifies which controls and processes were in place
Identifies interdependencies between controls and impact
Matches controls to a specific risk area as well as a specific outcome
Once you have worked through an event and have your visualizations in place, you will have a very strategic view when deciding on what type of corrective action to take.
To fully illuminate these big, complex ideas, Ng mapped out a simple, well-known fairytale by the Brothers Grimm, “Jack and the Beanstalk.”
“The rationale of using this story,” Ng told attendees, chuckling, “is that if we can apply this method to a fairy tale, it should work in most real-life cases.”
Determining the causal factors
To start off, she listed the critical chain of events:
Jack obtains beans.
Mother scatters beans.
Jack climbs up beanstalk.
Giant’s wife warns Jack and helps him hide.
Giant smells intruder but gives up pursuit when distracted by dinner.
Jack steals golden-egg-laying hen and escapes.
Guiding attendees through the story, Ng identified the key risk incident from the giant’s perspective: the loss of the golden-egg-laying hen.
Then she asked attendees to figure out three controls and how they failed. Here’s what they came up with.
Control 1: The castle’s location
It’s very high up in the sky, so it’s a secret location that requires extraordinary effort to reach. The barriers of knowledge and physical distance prevent an ordinary person from accessing it. It’s an effective control for the most part. However, an old lady did possess magic beans that would allow someone to reach the castle. “You could say she had the keys to unlock access to the castle, a little bit like a hacker in our modern world.”
Control 2: The giant’s wife, his partner in protecting the castle
She should be looking out for the giant and helping to protect the castle. In the real world, she’d be equivalent to a security guard. Again, this is an effective control, but it didn’t work to its full extent. She didn’t raise the alarm, and she provided privileged information to Jack on how to elude the giant.
Control 3: The giant’s ability to smell intruders
The giant’s sense of smell seems to be particularly suited to smelling exactly the kind of intruder he wants to keep out — an Englishman. Once again, this was an effective control because the giant did smell Jack and followed up on his suspicion. Where it failed is that the giant got distracted by dinner and trusted his wife’s reassurances that there was no one in the castle.
And finally, Ng and the attendees identified the causal factor for each failed control:
Magic beans: malice
Wife’s betrayal: culture
Giant’s distraction: incompetence
Pinpointing the root cause
To determine the root cause, identify the lapse with the greatest and most direct impact on the risk incident. In the case of “Jack and the Beanstalk,” what needs to happen differently to prevent the loss of the hen?
There are a wide variety of root causes that fit into these four general buckets:
People (misplaced trust, incompetency, etc.)
Process (inadequate policies, erroneous assessments, etc.)
System (faulty design, deficient testing, etc.)
External (advanced emerging technique, unknown threats, etc.)
Ng identified the two events with the greatest impact: the wife’s betrayal and the giant ignoring his instincts. Both of these events can be classified under the “people” factor. So to prevent the loss of his hen in the future, the giant should focus control improvement efforts on people — his wife and himself.
Ng walked attendees through a more real-world fraud scenario, but her main point remained the same. She ended with this advice and insight for fraud examiners. “When an investigation is over, we are keen to move on to the next one, but if we take a step back and look at it from an organization’s point of view, the value to management is when we can aggregate all these results — assuming the results are accurate — so that they can understand the risk and pinpoint the risk specific to the organization.”