When compliance kills momentum, risk management stops working
Over the past three decades, I was fortunate to work alongside some brilliant minds on complex, high-stakes bids and business-critical programs. I learned a great deal about governance, risk, and what it takes to build trust in large organisations. I’m genuinely grateful for the opportunities those companies gave me and the people I worked with. I still think of them with a great deal of respect and wish them continued success.
But since leaving my role in 2023, I’ve had the rare freedom to take a step back and reimagine how governance and risk management could work—if we weren’t so bound by the structures and habits that large organisations tend to accumulate over time.
What started as a few ideas on paper has grown into a broader framework—one that asks a simple question: what if we treated risk in bidding not just as something to record in a risk log, but as something we could use for competitive advantage? What if the people closest to the work had more freedom to adapt, because they understood and supported policy, and were incentivised so that they never compromised on what really mattered?
This article reflects some of that thinking, grounded in real-world experience. It’s about why policies often fail to scale, and what we can do to fix that—whether you’re working in a single department, across multiple business units, or supporting a global portfolio.
Let’s Define It Properly
Policy is the what and the why. It sets direction, boundaries, and non-negotiable outcomes.
Process is the how. It lays out steps to follow, artefacts to produce, and roles involved.
Methodology is the approach used inside the process—especially for more complex or subjective tasks like estimating, assessing risk, or making trade-offs.
A good policy tells you where you need to land. A good process helps you get there efficiently. And a good methodology ensures consistency in judgement.
Where I’ve seen things go wrong—repeatedly—is when a policy is written as if everyone will follow the same process, with the same resources and the same tools. That assumption doesn’t hold, whether you’re comparing regions, business units, or even teams sitting two floors apart.
The Problem with One-Size-Fits-All
The most common failure point I’ve seen in policy rollouts is this: they’re written from the centre, and assume the centre’s environment applies everywhere. But it doesn’t.
A central team might have a dedicated risk lead, automated tools, and time to follow a 12-step sign-off process.
A regional team might have one person trying to keep the lights on while handling five bids at once.
This disconnect isn’t unique to governance. I’ve seen the same “one size fits all” problem with enterprise tools. CRM systems, for instance, are often rolled out with global ambition but little understanding of how different sales teams actually work. In one case, I watched a well-meaning tool get shelved by almost every regional team because it took longer to enter data than to run the meeting. The policy said “use the tool”; the process was never designed with frontline sales in mind.
Similarly, reporting requirements designed for large, stable projects often get forced onto short-term engagements that don’t have the time or scale to make those templates meaningful. People end up faking data or backfilling documents just to tick the boxes.
Treating everyone as if they operate under the same conditions creates its own risks: delayed decisions, silent non-compliance, and growing resentment. I’ve seen frontline teams forced to choose between doing the work or doing the process. That’s not good governance; that’s institutional design failure.
A Better Approach: Design for Variability
Here’s what I’ve found works in practice:
1. Write Policy as Intent Plus Outcome
Make the purpose of the policy crystal clear. Don’t bury it in assumptions. State the why in plain terms, followed by the minimum outcomes that must be delivered. This is your non-negotiable core.
For example:
"To protect the company from unacceptable commercial exposure, all high-value proposals must be reviewed for delivery, legal, and reputational risk before submission."
That tells you the intent. Now clarify what must exist—e.g. a documented risk review, an approved position on critical exposures, and a clear escalation path if red flags are unresolved.
But here's the catch: terms like “high-value”, “complex”, or “strategic” often mean different things to different teams. Should high-value mean $2 million in revenue? Or anything above the average deal size in that region? Should it include reputational exposure, regulatory risk, or critical customer relationships?
This is where flexibility and local adaptation matter. The policy should set the principle and require that thresholds be clearly defined. The process, tailored to each region or business unit, can then set meaningful and context-specific triggers—based on deal size, market risk, customer tier, or delivery complexity.
Without that calibration, either everything gets escalated or nothing does—which defeats the purpose entirely.
2. Decouple the Process from the Policy
Create separate process tracks that achieve the same outcome at different levels of resourcing or scale. Large bids with dedicated teams can follow the full governance model. Smaller or faster-turnaround work can use a lightweight version—still compliant, still reviewed, but without unnecessary overhead.
Each process should be clear about:
What’s mandatory
What’s optional
When you need to escalate or seek an exemption
This gives teams a framework to work within, rather than a straitjacket to wiggle out of.
3. Show Your Working: The Case for Exposing Intent
One option I’ve seen work—and one worth building into future policy design—is to explicitly explain the reason behind each section of a policy. If a process step exists to prevent last-minute financial surprises, say that. If a document is required so the executive team can sign off confidently, spell it out.
Why? Because when people understand why they’re doing something, they’re more likely to do it properly—even if they have to adapt the process. It also helps risk managers and leaders defend necessary workarounds without looking like they’re cutting corners.
When It Works, It Scales
Some of the best outcomes I’ve seen didn’t come from pushing back on policy—they came from helping the corporate team understand why the process didn’t work in a given environment. By walking through the cultural or operational barriers, and proposing alternatives that still delivered the policy’s intent, we were able to get buy-in for variations.
And in a few cases, those adapted approaches were so effective that they were adopted globally. That’s when governance starts to mature: when it listens and evolves, rather than just cascading rules.
Final Thought
The best risk managers aren’t enforcers; they’re translators. They understand the policy’s intent and know how to make it achievable under real conditions. They don’t ignore risk—they adapt the response to fit the context.
If we want policies that actually work, we need to stop writing them like instruction manuals. State the intent. Define the required outcomes. Offer pathways for how to get there, depending on what teams have to work with.
Governance doesn’t have to mean friction. Done right, it becomes something far more useful: a system that protects the business and respects the people doing the work.
That’s the kind of system I’m working to build. If this resonates with you, or if your team is facing challenges where policy and process feel misaligned, I’d be happy to connect.