How clear is your compliance role as CIO?
Should CIOs be compliance cops? This is the headline of a post last week at Harvard Business Review by Michael Schrage, and it's a question I often wonder about but have never gotten a solid answer to. It seems that every CIO I talk to has a slightly different role and set of responsibilities than every other CIO when it comes to compliance. The wide range of models for compliance accountability often appears to leave the IT department in a difficult-to-navigate spot.
In the compliance battlefield, potential fire comes at the CIO from two separate fronts, and you may not be calling the shots in either direction. First, as Schrage, a research fellow at MIT Sloan School's Center for Digital Business, discusses in his post, you are called on by other senior executives--who are not necessarily in the chain of compliance command--to use the monitoring tools at your disposal in ways you may not be comfortable with and which may not even be legal. This puts you in the position not only of having to establish whether employee monitoring requests can be fulfilled legally, but also of having to play the bad cop in an increasingly Orwellian-feeling corporate culture.
Is it your job to acquiesce to senior managers who would inadvertently misuse technology to monitor employees, or is it your job to patrol those managers?
Then there is the question of the CIO's responsibility to proactively patrol employees in the name of compliance. Many enterprises, but not all, have chief compliance officers, who ostensibly are the ultimate compliance cops. Many enterprises, but not all, have chief privacy officers and chief security officers, who carry components of the compliance burden. Does the CIO job description include employee compliance patrol in addition to patrolling senior management to ensure they don't get carried away in their own surveillance efforts?
Last week I was talking with Larry Whiteside, CIO of the Visiting Nurse Service of New York, about data governance, and I asked him about the compliance chain of command at his organization. The Visiting Nurse Service, which is the largest not-for-profit home healthcare group in the country, employs a chief compliance officer, a chief privacy officer and an associate general counsel, who are all deeply involved in compliance. The organization not only is subject to the requirements of HIPAA and the HITECH Act, but it also submits to an annual financial audit that mirrors Sarbanes-Oxley requirements, he said.
I asked Whiteside where the buck stops when it comes to compliance with this multitude of regulatory obligations. His answer: "It depends." Requirements related to anything electronic are his bailiwick, but if an obligation relates to an information breach that does not involve anything electronic, it falls to the privacy officer. In both situations, the compliance officer and the general counsel are involved, he added.
This seems confusing and convoluted to me, but no more so than some other compliance hierarchy models I've heard about. It all reminds me of a managing editor job I once held, in which I was responsible for ensuring that nothing libelous ended up being published. As a journalist, I knew more about the intricacies of libel law than most others in the organization, but as a non-lawyer I wasn't positioned to stand up to those whose sole interest was having their voice heard, libelous or not.
More often than not, I had to go to the legal department to make a final determination, which endeared me to nobody. It always caused delay and frequently resentment, and when it was a manager who wanted something questionable published, it was particularly unpleasant.
It seems like there would be widespread benefit in developing more of a general consensus about compliance roles and responsibilities in the enterprise. But maybe not. Let me know what you think. - Caron