by yet-another-guy 877 days ago
Let's make a concrete example: the business dev org wants to automate some manual process to cut some cost. This will come at a controlled risk, with a business case looking like "X $ saved at Y% decrease in output quality". The problem would be much easier if Y could be easily translated to money, but for compliance-heavy domains where things like reputational damage or regulatory fines are at stake it isn't. You could model this, but then you have the same problem, just one level down: who signs off that the model is good enough?

The decision is essentially a negotiation of what X and Y are acceptable. This negotiation is always stonewalled by some compliance function that wants Y to be zero. They never own the costs (nor the X benefit), so why care, right? The payoff matrix then looks like this:

We do what Dev says, Dev is right (Y% decrease in quality isn't significant): we saved $X, Dev gets promotions, good job.

We do what Dev says, Dev is wrong: regulatory fines, reputational damage, big panic, some head gets cut.

We do what Compliance says, Compliance is right (hard to actually verify since, well, you just don't do anything): saved the day from incompetence and greedy risk appetite.

We do what Compliance says, Compliance is wrong: cost benefit not realized, a bunch of man hours wasted down the drain, not Dev's fault though (they tried). Compliance is ok because, well, better safe than sorry, right?

All of these decisions are tracked in meeting minutes, but even in retrospect: how do you verify that a decision was good? You've simply never taken it and maintained the status quo.

This is a rather simplified version, but the core still holds: people who own the costs and who own the risks are put in a cage fight to negotiate with the only escalation path being to higher level decision forums that at some point can't be bothered because the Xs and Ys are too small/irrelevant for them.

The only way out I've seen is falling back on Big4/MBB consultants, where suddenly a double standard becomes super evident. Now compliance suddenly presents a much lower bar to jump: who cares if they fuck it up, it will be their fault. The idea is that potential regulatory/reputational damage can and will be deflected onto them. After all, it's part of their job and they have large enough shoulders (political connections) to see it coming, mitigate, etc.