← Home

Companion to the RCA Field Guide

Methods
Handbook

How to actually run each of the ten techniques: step-by-step procedure, a worked example, a copy-ready worksheet, the errors to avoid, and where each hands off to the next. The Field Guide tells you which method and why; this tells you how.

Read the worksheet in each section as a template to copy — the blank tables and skeletons are meant to be reproduced in a ticket, doc, or whiteboard and filled in. All worked examples are illustrative, not real incidents.

METHOD 01

5 Whys

Drill a single causal thread from a confirmed fact down to a systemic, fixable root.

Reasoning · abductive, tested deductivelyBest for · a clear single threadAvoid for · interacting / parallel causes

Procedure

  1. Start from a confirmed symptom or proximate cause — never a guess.
  2. Ask why it happened; answer from evidence. If you can't evidence the answer, tag it suspected and verify before continuing.
  3. Make the next "why" interrogate the previous answer.
  4. Branch whenever a "why" has more than one valid answer — pursue each line.
  5. Stop when the cause is systemic, within your control, and fixing it would prevent recurrence.
  6. Validate by reading the chain back forward with "therefore." If a step doesn't follow, the chain is broken — repair it before you accept the root.
Worked example (illustrative)

Data accessed by unauthorized party → why? valid employee login used → why? credential phished, no second factor → why? MFA not enforced on the portal → why? no policy required MFA on internet-facing services, and no control checked for it. Root: the missing policy + control — not "the user clicked." Read back: no policy → MFA unenforced → a phished credential was sufficient → attacker logged in. Logic holds.

Worksheet — copy & fill
Problem (confirmed fact): ____________________________ Why 1: __________________________ evidence: __________ Why 2: __________________________ evidence: __________ Why 3: __________________________ evidence: __________ ├─ branch a: ________________ evidence: __________ └─ branch b: ________________ evidence: __________ Why 4: __________________________ evidence: __________ ROOT (systemic + within control): ____________________ Read-back check ("therefore" reads cleanly): ☐ pass

Common errors

Hand-off: often fed by a Fishbone candidate; its confirmed root feeds CAPA.

↑ method 01
METHOD 02

Fishbone (Ishikawa)

Surface candidate causes across categories so you don't tunnel on the first idea.

Reasoning · abductive (breadth)Best for · cause unclear, need optionsOutput · hypotheses, not conclusions

Procedure

  1. Write the effect (your problem statement) at the head of the spine.
  2. Draw one branch per category. IT/security set: People · Process · Technology · Configuration · Data · External.
  3. Brainstorm candidate causes onto each branch; add sub-bones by asking "why" within a branch.
  4. Tag each candidate evidenced or speculative.
  5. Test every surviving candidate against the timeline/evidence and discard what the facts don't support. "On the diagram" ≠ "is a cause."
  6. Take the survivors into 5 Whys or Fault Tree Analysis to drill to origin.
effect People Process Technology Configuration Data External
Blank skeleton — reproduce it, write the effect at the head, hang candidates on the bones.
Candidate-tracking worksheet
Candidate causeCategoryEvidence?Keep / Drop
confirmed / suspected / none

Common errors

Hand-off: feeds 5 Whys (single threads) or Fault Tree (combining conditions).

↑ method 02
METHOD 03

Fault Tree Analysis

Model a failure that required several conditions to coincide, making AND/OR logic explicit.

Reasoning · deductive (top-down)Best for · multi-condition failuresReveals · highest-leverage fix

Gate reference

OR gate — any one input alone causes the event above it. AND gate — all inputs must occur together. Breaking any single input of an AND gate stops the event above; an OR gate requires breaking every input.

Procedure

  1. Write the undesired outcome (the top event) precisely at the top.
  2. Identify the immediate events/conditions that could produce it.
  3. Connect them with OR or AND gates — be deliberate about which.
  4. Decompose each intermediate event until you reach basic events you can't or needn't break down further (your candidate roots).
  5. Derive the minimal cut sets — the smallest sets of basic events that together cause the top event.
  6. Prioritize: a single basic event that alone causes the top event (a one-element cut set) is a single point of failure — fix first.
TOP EVENT gate basic event basic event basic event
Skeleton — name the top event, choose the gate, decompose to basic events.
Cut-set worksheet
Cut setBasic events in itSingle point of failure?Fix / barrier
1yes / no
2

Common errors

Hand-off: often built from Fishbone survivors; cut sets feed CAPA prioritization.

↑ method 03
METHOD 04

Pareto Analysis

Across many incidents, find the few causes responsible for most of them — so you fix those first.

Reasoning · inductiveBest for · many recurring incidentsCaveat · prioritizes, doesn't diagnose

Procedure

  1. Fix a dataset and timeframe (e.g., last quarter's incidents).
  2. Categorize each incident by its cause. Use consistent, mutually exclusive categories.
  3. Count occurrences — or weight by impact if a rare cause does most of the damage.
  4. Sort categories descending by count/weight.
  5. Compute the cumulative percentage down the list.
  6. Identify the small set of causes that reaches roughly 80% of the total — start there.
  7. Run a 5 Whys on each top category to find what the cause actually is.
Worked example (illustrative)

40 incidents categorized: no-MFA 16, unpatched 9, misconfig 6, phishing 5, insider 2, other 2. Sorted, the first two causes (no-MFA + unpatched = 25/40 ≈ 63%) and the third (misconfig, cumulative ≈ 78%) account for the bulk — fix MFA enforcement and patching before anything else.

Tally worksheet
Cause categoryCount (or weighted)% of totalCumulative %

Common errors

Hand-off: the top categories feed individual 5 Whys / Fault Tree analyses.

↑ method 04
METHOD 05

Change Analysis

When something worked before and fails now, the cause is usually a change — find it by comparison.

Reasoning · comparative / deductiveBest for · "worked yesterday, broke today"Pairs with · Timeline

Procedure

  1. Define the failed state and a known-good baseline (same system when it worked, or a working peer).
  2. List every difference: deployments, config edits, patches, new/changed accounts, network/firewall changes, data volume, certificates, upstream dependencies, time/scheduled jobs.
  3. For each difference, ask: could this plausibly cause the observed failure?
  4. Rank suspects by plausibility and by timing alignment with onset.
  5. Test the top suspect — revert it, or compare against the baseline directly.
  6. Confirm the change is the cause (the removal test), then trace why that change was harmful.
Worked example (illustrative)

WEB-03 began returning 503s at 14:10. Diff vs the 13:00 baseline: a 14:00 deploy, a TLS cert rotation, and a traffic spike. Timing points at the deploy; reverting it restores service → the deploy is the change. Then drill why the deploy broke it.

Difference worksheet
DimensionKnown-good baselineFailed stateDifferenceSuspect?
Code / deploy
Config
Accounts / access
Network
Data / load

Common errors

Hand-off: the identified change becomes the starting fact for a 5 Whys.

↑ method 05
METHOD 06

Barrier Analysis

Identify which defenses between the threat and the asset were missing, bypassed, or failed.

Reasoning · deductive vs a control modelBest for · "which control should have stopped this?"Pairs with · Swiss Cheese, Bowtie

Procedure

  1. Name the hazard/threat and the target/asset it reached.
  2. List the barriers that should sit between them — preventive, detective, and corrective. Include barriers that ought to exist but don't.
  3. For each barrier, record its status: held / failed / bypassed / absent.
  4. The failed and absent barriers are your candidate root causes.
  5. The barriers that held are your honest statement of remaining defense — and the basis for residual-risk language (never "secure").
  6. Add or strengthen the failed/absent barriers as preventive actions, each tied to the threat it addresses.
Worked example (illustrative)

Threat: external actor → Asset: customer DB. Barriers: email filter (failed — phish delivered), MFA (absent), EDR (held — flagged the session), egress monitoring (absent — exfil unnoticed). Candidate roots: missing MFA and missing egress monitoring; EDR is residual defense that worked.

Barrier worksheet
BarrierTypeStatusWhy it didn't stop itAction
preventive / detective / correctiveheld / failed / bypassed / absent

Common errors

Hand-off: failed/absent barriers feed CAPA; the layered picture feeds Bowtie.

↑ method 06
METHOD 07

Timeline / Event Sequencing

Reconstruct what happened in order, and mark the control gap at each step. The default lens for incidents.

Reasoning · inductive + deductiveBest for · any incidentDo this · first

Procedure

  1. Gather timestamped evidence: logs, alerts, change/access records, metrics. Note source clocks (watch for skew).
  2. Place events in chronological order.
  3. Tag each entry confirmed or suspected; for suspected, note what would confirm it.
  4. At each event, record two things: what caused it, and which control should have caught it.
  5. Mark the gaps — each control that should have broken the chain and didn't.
  6. Trace to the earliest point where a working control would have stopped everything downstream.
Timeline worksheet
TimeEventEvidence (conf./susp.)Control that should have caught itGap?

Common errors

Hand-off: the control gaps feed Barrier Analysis; the sequence feeds Fault Tree and 5 Whys.

↑ method 07
METHOD 08

KT IS / IS-NOT

Bound the problem precisely by stating what it is and, crucially, what it is not — the contrast exposes the distinguishing factor.

Reasoning · deductive (contrast)Best for · fuzzy scope, Phase 1Feeds · Change Analysis

Procedure

  1. For each dimension — What, Where, When, Extent — state what the problem IS.
  2. State a plausible IS-NOT: something it reasonably could be affecting but isn't.
  3. Ask what distinguishes the IS from the IS-NOT for that dimension.
  4. The distinguishing factor points at the cause or the change responsible.
  5. Carry the distinctions into hypothesis generation (Fishbone / Change Analysis).
Worked example (illustrative)
DimensionISIS-NOTPoints to
What503s on WEB-03WEB-01 / WEB-02specific to WEB-03
WhereEU regionUS regionregion-scoped change
Whensince 14:10, 2 Junbefore the 14:00 deploythe deploy
Extent~2,000 sessionsnot all trafficpartial / conditional cause
Worksheet — copy & fill
DimensionISIS-NOT (plausible)Distinction → suspect
What
Where
When
Extent

Common errors

Hand-off: sharpens the problem statement; the distinctions feed Change Analysis.

↑ method 08
METHOD 09

Bowtie Analysis

Map, for one hazard, both how it can occur and how its impact is contained — and which control sits where.

Reasoning · structural (fault + event tree)Best for · communicating control coverageBuilds on · Fault Tree + Barrier

Procedure

  1. Define the central top event — the loss-of-control moment (e.g., "data breach").
  2. Left side: list the threats (causes) that could lead to it.
  3. Place the preventive controls between each threat and the event.
  4. Right side: list the consequences that follow the event.
  5. Place the mitigative / recovery controls between the event and each consequence.
  6. Assess each barrier: present? effective? Note escalation factors — conditions that degrade a barrier.
Worked example (illustrative)

Top event: data breach. Threats → preventive controls: phishing → email filter + MFA; exploit → patching + WAF; stolen credential → MFA + anomaly detection. Event → mitigative controls → consequences: egress monitoring + DLP limit "data loss"; IR plan + comms limit "regulatory fine."

Bowtie worksheet
SideThreat / ConsequenceBarrier (control)Status
Prevent (left)present / effective?
Prevent (left)
Mitigate (right)
Mitigate (right)

Common errors

Hand-off: the left side is a Fault Tree; barrier statuses feed Barrier Analysis and CAPA.

↑ method 09
METHOD 10

FMEA — Failure Mode & Effects Analysis

Proactively enumerate how a system could fail and rank the modes, so you fix the worst before they happen.

Reasoning · predictive / deductiveBest for · design & hardeningNot for · post-incident (use RCA)

Procedure

  1. Pick the system/process and break it into components or functions.
  2. For each, list potential failure modes (how it could fail).
  3. For each mode, describe the effect and rate Severity (S).
  4. Identify causes and rate Occurrence (O).
  5. Note current controls and rate Detectability (D) — how likely you are to catch it before impact.
  6. Compute a priority figure (traditionally RPN = S × O × D), sort descending.
  7. Act on the top items — reduce Severity or Occurrence, or improve Detection — then re-score.
Worked example (illustrative, 1–10 scales)
FunctionFailure modeEffectSODRPN
LoginCredential stuffing succeedsaccount takeover965270
LoginSession token not expiredreplay access736126

Credential stuffing (RPN 270) outranks the token issue (126) → address it first, e.g., add MFA (lowers O) and rate-limit + alert (improves D).

FMEA worksheet
FunctionFailure modeEffectSCauseOControlsDRPNAction
Scoring caveats — read before using RPN

The 1–10 scales are relative and team-defined; an RPN is a prioritization heuristic, not an absolute risk value, and it shouldn't be compared across different FMEAs. Multiplying ordinal scores is statistically weak — very different S/O/D combinations can produce the same RPN, so always inspect Severity directly (a high-severity mode deserves attention even at a modest RPN), and never lower a Severity score because detection is good. Newer AIAG-VDA FMEA guidance replaces RPN with an Action Priority (AP) table for this reason. If your organization follows a specific FMEA standard, verify its current revision and use that scheme rather than these defaults.

Common errors

Hand-off: high-priority modes feed the hardening backlog; after a real failure, switch to RCA.

↑ method 10

All methods here (5 Whys, Ishikawa/fishbone, Fault Tree Analysis, Pareto, Change Analysis, Barrier Analysis, timeline/event sequencing, Kepner-Tregoe IS/IS-NOT, Bowtie, FMEA) are established, widely documented techniques; procedures are synthesized from standard practice and the source notes. Worked examples, scores, and counts are illustrative, not real incidents or measured data. Scoring scales and any framework- or standard-specific scheme (e.g. FMEA RPN vs AIAG-VDA Action Priority) should be verified against your organization's currently adopted revision before use.