Risk Assessment

Annex B


B. Root Cause Analysis

B.1 General

Root cause analysis (RCA) refers to multiple risk assessment techniques and approaches, at times applied as a series, which are designed to identify the underlying or initiating risk source(s) or driver(s). A significant number of the techniques were originally developed in the process engineering and safety fields. These techniques were intended to not only identify potential safety hazards and points of failure during the design of new engineering processes, but also to determine why risk events occurred following significant losses.

Root cause analysis has traditionally been viewed as an assessment method most appropriately used following a major risk event or loss. Increasingly though, organizations with more mature risk management programs are using the same techniques to support business and strategic planning as a means of proactively managing risks before they can affect planned objectives.

B.2 Applying Root Cause Techniques

The use of RCA historically has been associated with reactive, rearwards-looking review situations. Typically, a significant loss event will have occurred (such as a process failure leading to damage, loss or injury) or a planned activity will not have achieved its expected outcomes. In this type of application, various techniques will be used to try and identify what failure mode gave rise to the loss event, with this information used to support recovery or future preventative actions.

In more straightforward cases, one might simply use what is known as the five whys approach of RCA. A defined problem can be analyzed sequentially by asking "why" a factor contributed to the loss event until no further explanation can be found. In more complex cases, this approach may be nested inside a cause and effect analysis (sometimes called Ishikawa or fishbone) diagram. The use of cause and effect diagrams supports the analysis of more complex situations, particularly where there are multiple risk drivers present, each of which requires a more detailed analysis in order to develop a comprehensive picture of the situation.

These same techniques can also be used to identify the potential sources of risk during business or strategic planning processes. By developing a picture of the potential risks associated with a planned activity, initiative or objective, planners are able to better incorporate risk treatment activities right up front, rather than as an "add-on" after the fact.

When used proactively, the focus of the analysis shifts from the question of what caused a loss to happen to what could cause something to fail or, perhaps more importantly, what will cause something to succeed. This type of analysis can also include a range of other RCA techniques such as force field analysis (designed to identify driving and restraining forces in the environment) and influence diagramming, which is designed to pictorially show how the relative strengths of the risk or source inter-dependencies can impact each other. Force field analyses and influence diagrams allow the experienced user to align specific actions with specific risks (or people) as a means of leveraging (or overcoming) existing dependencies.

The proactive application of RCA techniques can be problematic in some situations, particularly where there is cultural skepticism about the value of future casting. One method of overcoming this skepticism is by conducting a solutions effect analysis following the use of other RCA techniques. This approach is similar to the cause and effect technique, but sees the proposed "answers" grouped thematically rather than the risks. These solutions are then analyzed again to reveal any unintended consequences - or untapped success drivers - resulting from the combination of proposed actions. By including the proposed solution or action owners in this process, they are often able to see where their ideas may need refinement, as well as giving them greater confidence that the process used to get to those answers was robust.

Other extensively used approaches to root cause analysis include concept fans, hazard and interoperability studies, solution effects analysis, life cycle value analysis and hazard identification/environmental identification, to name a few. While this list is not exhaustive, it provides a good starting point for a deeper understanding of initiating or underlying risk sources.

B.3 Ten Steps for Effective Root Cause Analysis

Following a disciplined approach to RCA will lead to greater success.

Figure 15: Define, Analyze and Solve


1) Define the problem or describe the occurrence factually.

2) Gather data and evidence that can, for example, be plotted along the incident timeline to the final failure or crisis or, for future focus, to the final desired outcome.


3) Use one or more techniques to analyze the evidence. For example, you may ask "why" repeatedly and identify the causes associated with each step in the sequence towards the defined problem or desired outcome.

4) Classify causes into causal factors that relate to an outcome in the sequence, and root causes, that if applied can be agreed to have interrupted that step of the sequence chain.

5) If there are multiple root causes, which is often the case, note those clearly for additional analysis.


6) Identify potential solutions that will with certainty prevent recurrence of the problem or event or, alternately, must be followed for greater odds of a successful outcome.

7) Identify solutions that prevent recurrence with reasonable certainty with consensus agreement of the group, are within your control, meet your goals and objectives and do not introduce other new, unforeseen problems.

8) Implement the recommended root cause correction(s).

9) Ensure effectiveness by observing, and possibly reporting on, whether the implemented recommendation solutions achieved the intended result.

10) Other methodologies for problem solving may be considered and incorporated as supplements to root cause analysis.

RCA (particularly steps 3, 4, and 5) forms the most critical part of developing successful solutions and corrective action plans, because it directs the corrective action at the true root cause of the problem or issue. The root cause analysis itself is secondary to achieving the intended goal. However, without identifying and understanding the root cause(s), effective solutions or corrective actions may not be identified or developed.

B.4 Summary of Root Cause Analysis

Root cause analysis, when done in a comprehensive and planned manner, provides organizations with the opportunity to not only fully understand the causes of their past losses, but also to proactively plan to prevent similar losses in the future. When used to identify the true cause of past losses, the use of RCA techniques enables organizations to identify, and then treat the "disease" rather than simply applying a temporary Band-Aid solution to the "symptoms". In doing so, most organizations will find that their total cost of risk is reduced, as they are no longer required to repeatedly address the same problem.

Equally, by applying RCA techniques to the analysis of proposed actions, initiatives and objectives while they are still in the planning phase, organizations are typically able to improve those solutions through the integration of effective risk controls from the outset. This tends to not only improve the effectiveness of the solutions themselves, but also helps to prevent the need (and cost) associated with adding additional layers of risk control after implementation. This helps to reduce costs further, as post implementation application is often less effective, and is sometimes too late to save a promising opportunity from failure.

Organizations can improve the odds of successful future outcomes by applying risk controls - and previously unrecognized success drivers - that most effectively deal with the initiating or underlying risk sources. In doing so, they reduce their overall cost of risk by reactively and proactively addressing the actual root causes of risk exposures.
