The Power of “Why?”: Five Levels of Inquiry for Your Tech Vendor
Published on: Sun Mar 10 2024 by Ivar Strand
In discussions with technology vendors or internal IT teams, it is common to receive answers that are correct but incomplete. These superficial explanations can mask deeper issues, leaving significant risks unexamined. To conduct effective due diligence, managers need a tool to move past proximate causes and uncover the root of a system’s behavior.
The “5 Whys” is a classic root cause analysis technique developed within the Toyota Production System. Its application extends far beyond manufacturing. For technology assurance, it is a simple but powerful framework for structuring inquiry and ensuring a comprehensive understanding of system logic.
The Principle: Moving from Proximate to Root Cause
The core idea of the 5 Whys is that by repeatedly asking “Why?” in response to an answer, one can peel back layers of symptoms to arrive at the fundamental cause of a problem. It is a method that forces a conversation to move from a specific technical observation to a discussion of the foundational processes, business rules, or resource constraints that underpin it.
This is not an aggressive interrogation tactic. It is a collaborative discipline for achieving clarity. When used correctly, it helps both the inquirer and the respondent to think more deeply about the issue at hand.
Applying the “5 Whys” to a System Control
The value of this technique is best illustrated with a practical example. Consider a scenario where an auditor observes that the financial system allows an expense claim to be processed without a scanned receipt attached.
1. Why does the system permit a claim without a receipt?
- Vendor’s Answer: “Because the ‘receipt attached’ field is not configured as a mandatory field for the form to be submitted.”
This is a correct, but superficial, answer.
2. Why is that field not configured as mandatory?
- Vendor’s Answer: “Because during the initial design phase, the project team required a way to process emergency field payments where a physical receipt might not be immediately available.”
The inquiry has now uncovered a specific business rule.
3. Why was the solution to make the field non-mandatory for all transactions, rather than creating a separate workflow for exceptions?
- Vendor’s Answer: “Because the standard version of the software does not support conditional mandatory fields based on user roles or payment types. This was the simplest configuration to meet the requirement.”
This reveals a limitation in the off-the-shelf technology.
4. Why was the simplest configuration accepted instead of requesting a customization for a more secure workflow?
- Vendor’s Answer: “A customization to build that specific logic was identified, but it was estimated to add significant cost and would have delayed the go-live date for the project.”
This exposes a project management trade-off.
5. Why were the budget and timeline prioritized over implementing this more robust fiduciary control?
- Vendor’s Answer: “The initial project risk assessment did not categorize the risk of unverified emergency payments as a high-priority item requiring a custom solution.”
The inquiry, which began with a simple field setting, has arrived at the true root cause: a foundational decision made in the project’s risk and budget planning phase.
The Insight Gained from Deeper Inquiry
This methodical process transforms the conversation. The issue is no longer a simple technical setting but a substantive question of risk appetite and resource allocation. The potential solution is now much clearer: it may involve revising the risk assessment and implementing a compensating manual control for emergency payments, rather than a system change that could disrupt existing processes.
The “5 Whys” is a discipline of critical thinking. It allows managers to ensure that they are addressing root causes, not just symptoms. This level of deep inquiry is fundamental to effective, independent monitoring and is essential for building systems that are robust, understood, and demonstrably trustworthy.