Suppose your compliance plan does not identify who should be contacted if someone sees compliance violations? You might assume that violations should be reported to the compliance officer. However, suppose it's the compliance officer who appears to be causing the violations. In that case, who should be contacted? The answer seems to be simple enough. Every compliance plan should include information on handling complaints from different sources within and outside the organization, says attorney David Jose with Krieg DeVault in Indianapolis. "In larger organizations, there will be some protective mechanisms to make sure that the employee can report a concern anonymously, and there are laws that protect against retaliation for the reporting of compliance concerns." In addition, Jose says, "A compliance plan should have an option for reporting a concern to another party if the reporting individual is concerned that the compliance officer is implicated in the matter, or if the reporting individual fears some form of retaliation."