One important role for a senior response team is to help guide required and desired communications. Regarding required communications, there may actually be obligations to tell state, local, federal, or international authorities about incidents where there has been non-compliance. This is regulation-specific, and it often requires legal counsel to determine where the reporting requirements apply. Some regulatory bodies require reporting of even small instances of non-compliance, and even for these they look for signs that the company has handled the incident responsibly and imposed appropriate corrective action. I find, usually, that this is scalable. Regulatory agencies expect less for the less impactful incidents, but expect quite a lot for high-impact incidents. For example, they may expect a detailed write-up of what occurred, and of what the company's investigation and remediation plan look like. They may want to see details about changed processes, systems, personnel, or more. My advice is to take regulatory reporting very seriously. A company is usually far better off for having gone through the pain of non-compliance and what follows it: the investigation, the remediation, the root cause analysis, reporting, and more. The culture of compliance is usually strengthened, and senior-level engagement may be fortified as well. A regulatory agency that doesn't view a company as taking compliance and non-compliance seriously may view that company as a desirable target for enforcement action. Indeed, it may be right. Being better on compliance, and showing a regulatory agency how one is better on compliance, has all the right advantages. Most importantly, it strengthens internal controls and hopefully leads to fewer regulatory investigations.

Aside from the regulatory agency, there may be reasons to communicate to the public. Regulations might require this. For example, under HIPAA, if there is a breach of over 500 patient records, a HIPAA-covered entity is required to inform the media in the area where the victims reside. Obviously, if media notice is required, it should be done. But even if it's not required, information about sizable incidents may already have seeped into the public domain. In that case, the messaging might become confused, negative, and harmful to the company. To help ensure that messages are accurate, and that the public trust is not eroded, a company may choose to get in front of the message and help tell its own story. Who else has to be informed about non-compliance, other than regulatory agencies and sometimes the media? Well, never forget about your board of directors: anything sizable should be shared with your board. Like the senior response team, they may have insights to help you in your handling of the incident. They also may have a legal obligation to know about the events and to advise. Lastly, reporting to all of these entities is going to help inspire discipline in you, your program, and your organization by ensuring that the story told is true, that the incident is thoroughly handled, and that changes have been imposed to make the control environment even stronger.