[Owasp-board] Role of the Compliance Officer

Tobias tobias.gondrom at owasp.org
Thu Feb 27 17:18:58 UTC 2014

Hi Josh,

my understanding is the following:
1. the main purpose of compliance officer is to allow people to "blow
the whistle" without exposing themselves (if they fear retaliation) I.e.
someone can send an email to him in confidence via compliance at owasp.org
<mailto:compliance at owasp.org> without exposing oneself. Note: I am not
sure a google form would add anything beyond the email we already have,
in fact one might feel that it rather is more risky of loosing
confidentiality with the form than a simple email. So am not sure what
the form would add.

This is mainly for purposes if there are issues with staff or financial
or accounting issues. E.g. a staff member would find a accounting
irregularity or potentially fraudulent behaviour and wants to report the
issue and the evidence in confidence to avoid retaliation from the
suspected person (that is if that person is in a position to exercise
such retaliation).

2. Second, based on the written document, my understanding is that the
compliance officer is investigator and advisor, but not judge. In
several places, the policy states clearly that the compliance officer
works on behalf of the board and provides the report to the board for
One edge case might be if the compliance officer finds proof that the
board itself would act in a fraudulent way, in which case, I would
expect the Compliance officer to report this to the community and the
police - along with the found evidence.

3. The end result from the compliance officer is his report to the
board, preferably with a recommendation.
(note again: the key feature is that the compliance officer may leave
out the identity of the reporting person in his report - not the
evidence itself uncovered in his investigation - to protect that person
from retaliation.)

This is basically the standard compliance officer / whistle blower
scenario for organisations. If you and Martin feel that the current
policy is not clear enough on the purpose and scope of the role or
ambiguous, the board should indeed clarify it.

Best regards, Tobias

On 27/02/14 14:54, Josh Sokol wrote:
> Board,
> I have been speaking with Martin in private in an attempt to clarify
> my understanding of the role of the compliance officer and the
> processes involved.  It sounds like, to some extent, we are expecting
> him to develop the process, instead of regulate and enforce it, and
> this doesn't seem fair or correct as the act of creating the process
> could actually create accusations of bias.  As such, I think that it
> is reasonable for the Board to discuss what this process should look
> like beginning with intake, inclusive of investigation, and ending
> with the resolution.  Some important questions:
> 1) How is the complaint initiated?
> I think that we should strongly discourage allegations on the pubic
> mailing lists as accusations will lead to conflict which leads to
> chaos.  Yoda said that, right?  In any case, Martin had an excellent
> idea to create a form requesting specific information from the
> accuser.  If the form is not completed properly, then I think it is
> fair for the Compliance Officer to either request additional
> information if the source is known or discard it if the source is not
> known.  My suggestion was to have this form go to compliance at owasp.org
> <mailto:compliance at owasp.org> which would be the new mailing list (I'm
> not sure I like "ombud").  This way the Board and others could stay in
> the loop on the public facing side, which includes the original
> allegation, but will continue to allow the compliance officer to
> perform the investigation from there.
> 2) The reporting procedure
> (https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure)
> says that people are required to report their complaints to the
> Compliance Officer who then has the responsibility to investigate all
> reported complaints.  Is the Compliance officer required to notify
> anyone at the time of complaint or at any point during the process?
> My personal feeling is that, as with any system, there should be
> checks and balances, so I feel like this activity should not be run
> completely in a vacuum.  I believe that the Compliance Officer should
> be required to report the complaint to the Board (not necessarily the
> person who reported it unless relevant) and should be required to
> maintain evidence of the investigation for review by the Board.  I'm
> fine with the investigation itself being a relative black box, but
> evidence, along with the recommendation, should be provided to the
> Board as the end result.
> 3) What is the end result of the Compliance Officers investigation?
> The way this whistleblower policy current reads "appropriate
> corrective action will be taken if warranted by the investigation" and
> "the Compliance Officer will complete a final report noting the actors
> involved, allegations, remediation actions, and rationale for the
> determination".  So, to be clear, the policy today not only has the
> Compliance Officer receiving the complaint, but performing the
> investigation, and doling out the punishment.  In effect, we have made
> the Compliance Officer judge, jury, and executioner.  Our unbiased
> Compliance Officer can no longer maintain his objectivity in future
> investigations if he is responsible for all three of these roles.  In
> my opinion, the Compliance Officer should , in the end, provide a
> report to the Board with a recommendation and rationale for the
> determination as well as supporting evidence that they considered to
> make that decision.  This report should be made public, on the
> compliance mailing list.  Then, the Board should vote (if necessary)
> on the result. 
> Am I way off base here or does this make sense?  Please discuss.
> ~josh
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140227/26462ef2/attachment.html>

More information about the Owasp-board mailing list