Compliance Monitoring Manager (CMM)

The Compliance Monitoring Manager is the postholder who leads the Compliance Monitoring Function — the independent internal monitoring mechanism that EASA requires as one of the core elements of every approved organization's Management System. The legal basis is ORO.GEN.200(a)(6) under Commission Regulation (EU) No 965/2012 for Air Operator Certificate (AOC) holders, ORA.GEN.200(a)(6) under Commission Regulation (EU) No 1178/2011 for Approved Training Organizations (ATOs), and CAMO.A.200(a)(6) under Commission Regulation (EU) 2017/363 for Continuing Airworthiness Management Organizations (CAMOs). AMC1 to these articles defines the CMF as requiring an individual — the CMM — with the independence, authority, and direct access to the Accountable Manager necessary to discharge the function without interference from line management.

The CMM role emerged from the broader EASA shift from Quality Management (the terminology used in the earlier Joint Aviation Authorities framework, particularly JAR-OPS 1 Subpart D and JAR-145 Section 1) to Compliance Monitoring as defined in the current regulations. The substantive change, introduced progressively from 2012 onwards, was to reframe internal audit not as a quality assurance process owned by operations, but as an independent compliance verification process that monitors whether the organization continues to meet applicable requirements, approved procedures, and relevant AMC/GM. The legacy term 'Quality Manager' is still encountered in older manuals and in some national transposition documents, but EASA's current AMC/GM uses 'Compliance Monitoring Manager' exclusively. Organizations that retain the legacy title in their Exposition or Operations Manual without updating the functional description may receive a finding on manual content.

The CMM's core responsibilities include designing and maintaining the audit program (a multi-year rolling plan that ensures all areas subject to the organization's approval are audited at a frequency commensurate with risk, and at minimum every 24 months per AMC1 ORO.GEN.200(a)(6)(i)); conducting or overseeing the conduct of scheduled and unscheduled audits; classifying findings as Level 1 (significant non-compliance posing a safety risk — requires immediate response) or Level 2 (any other non-compliance — 90-day response timeline under AMC1 ORO.GEN.150); assigning corrective actions; tracking closure; and reporting compliance status to the Accountable Manager at defined intervals. The CMM must also monitor relevant regulatory and AMC/GM changes and update the audit program scope accordingly.

The independence requirement is the most operationally challenging aspect of the CMM role, particularly in small and medium-sized ATOs and CAMOs. AMC1 to ORA.GEN.200(a)(6) states that the person responsible for the CMF must not be part of the area being audited — they cannot audit their own work. In an organization where the CMM also serves as Head of Training or Chief Instructor, the areas they manage cannot be self-audited; an external auditor or another internal auditor without a reporting line into those areas must cover those elements. Larger organizations typically address this with an internal audit team; smaller organizations commonly use contracted external auditors for the elements where independence cannot be achieved internally.

Under FAA regulations, the closest functional parallel is the Safety Assurance component of an SMS under 14 CFR Part 5 (effective March 2018 for Part 121 air carriers), specifically § 5.71 (Safety performance monitoring and measurement) and § 5.73 (Safety performance assessment). For Part 145 repair stations, § 145.211 requires an inspection system that includes an audit function; the 'quality control inspector' role under § 145.211(c) carries some CMM-like characteristics but lacks the independent postholder structure and direct AM reporting line that EASA mandates. FAA Order 8900.1, Volume 3, Chapter 18 describes the internal evaluation program expected of certificate holders in lieu of a formal CMM requirement.

The CMM sits at the intersection of three lines of defence: operational management (first line, preventing non-compliance), the CMF itself (second line, detecting non-compliance independently), and the Competent Authority's own oversight (third line, external verification). When the CMF is functioning correctly, the NAA's oversight findings should be rare, because the CMM's program will have already identified and closed issues. When the NAA finds significant compliance failures during an oversight inspection that the CMM's program did not find, the CMM function itself becomes a finding — the audit program either did not cover the area, was not conducted on schedule, or was conducted superficially (auditing documentation rather than actual practice). This meta-finding — a failed CMF — is more serious than the underlying non-compliance, because it calls into question the integrity of the entire Management System.

The most common CMM-related failure modes identified in EASA Competent Authority standardization inspections (ESSI and EASA standardization reports are publicly available and consistent on this point) are: the CMM lacking genuine independence from line management; the audit program existing on paper but audits running months or years behind schedule; audits that review records and manuals but do not include interviews, observations, or verification of actual practice; and findings being raised, acknowledged, and then left open indefinitely because the corrective action owner is not held to account. In each case, the CMF provides the appearance of compliance monitoring without the substance, which is specifically what the EASA Management System requirements are designed to prevent.

Aviatize's compliance and auditing module is built around the CMM's operational workflow. The audit program is managed as a structured schedule — broken down by approval area, regulatory reference, and assigned auditor — with automated alerts when audits are approaching their due date or have passed it without being recorded as completed. Each audit is documented through a structured checklist that references the applicable regulatory requirement, generating a finding record with automatic classification prompts (Level 1 / Level 2 / Observation), assigned corrective action owner, target closure date, and evidence attachment capability. The CMM has a live view of program completion rate, open findings by age, and overdue corrective actions — the exact metrics that demonstrate to the Accountable Manager and the NAA that the CMF is functioning.

Independence documentation is handled through the auditor assignment workflow: the system enforces the rule that no auditor can be assigned to audit an area they manage, and flags attempted assignments that would breach this. For organizations using external auditors to cover areas where internal independence cannot be achieved, Aviatize tracks external auditor qualifications, contracts, and findings in the same system as internal audits, producing a single consolidated compliance picture rather than a split between internal records and external audit PDFs. The KPI reporting and dashboards module allows the CMM to configure regular compliance health reports to the Accountable Manager — scheduled or on-demand — providing the documented AM engagement trail that Competent Authority oversight inspections routinely check.