
3.4.1 Roles and Responsibility of Governance Bodies

In the scope of our analysis, we consider obligations which have to be met by the organisation as a whole and where the responsibility for fulfilling these obligations rests with the board members and executive managers, with some part of it being reflected down to the employees. In this context, being responsible often goes beyond civil responsibility (liability to be called upon to respond to an action at law for an injury caused by a dereliction of duty or a crime) as laws often assign penal sanctions for not meeting obligations and not performing due diligence.

The governance bodies are the owners of the strategic dimension of accountability. In order to fulfil this mission, the board and executive management must:

  • Understand relevant obligations in breadth and in depth.
  • Understand the consequences of not fulfilling the obligations.
  • Accept responsibility for fulfilling these obligations in an accountable and responsible manner. This applies not only to the governance body as a whole, but must be an integral part of the mission of each member of the governance body, who must embrace the obligations, ensure support from each (relevant) functional area, and act as a champion in the organisation.
  • Define the internal criteria for the organisation, taking into account internal and external stakeholders' ideas of what norms and behaviour one should account for.
  • Understand the risks associated with the operation of the business in regard to the obligations. Define a risk appetite to be used as guidance for operational decisions, taking into account the nature of the obligations (ethical, social or industry norm, contractual, regulatory, legal, etc.). The level of risk acceptance delegated to the various levels of the organisation will typically increase with the management level in the organisation.
  • Appoint an executive-level owner who will oversee and be accountable for the fulfilment of the obligations. For example, this is typically the Chief Privacy Officer or the Chief Security Officer for (respectively) the data protection domain or the security domain.
  • Ensure the proper integration of all responsibilities and actions across the whole organisation. Avoid operating the program as a silo or an afterthought.
  • Ensure a proactive attitude towards the accountability domain (e.g. data protection) across the organisation.
  • Drive the adoption of an accountability-driven mindset. Ensure that this becomes part of the culture, and is integrated with the core values of the organisation (e.g. code of conduct, ethical guidelines, list of values).
  • Ensure accountability is properly integrated in all relevant processes (e.g. business management, risk management, compliance management, reporting).
  • Ensure that employees are properly trained to understand the concept of Accountability and their own obligations.
  • Ensure that employees are provided with appropriate tools and processes to fulfil their own part of the accountability obligations.
  • Ensure the organisation is ready to respond to discontinuities in compliance with obligations (incident response).
  • Ensure the organisation has the adequate processes and attitude to seek, receive and collect stakeholder comments, and to respond in a proactive and transparent manner.
  • Regularly review the status of the organisation with regard to compliance with the obligations.

In order to fulfil this mission, depending on the scope, the organisation's high-level management will typically create a Program Office to provide the operational support for the enactment of the governance decisions and, more generally, to support the governance body in meeting its responsibilities. The Program Office will typically report to the executive-level owner. In relation to this Program Office, the governance body will:

  • Define the mission and charter of the Program Office.
  • Define the level of authority of the Program Office.
  • Ensure the Program Office is provided with the necessary means, in terms of resources, personnel, funding and authority so it can fulfil its mission.
  • Support and champion the various policies, programs, processes and other actions identified by the Program Office as necessary to meet the obligations.
  • Regularly review the work performed by the Program Office. Use external audits to get an external view on the performance of the Program Office.