Rethinking Central Control Functions: Moving from Rituals to Real Accountability
In large enterprises, centralized control functions like legal counsel, ethics, cybersecurity, and compliance departments are created with a clear purpose: to support the business in achieving its objectives while ensuring adherence to regulations and internal policies.
As these teams form and develop over time they present what we will call collective behavioural patterns. If we are not aware of them, they can lead to suboptimal interactions with the broader collective: the organization the team needs to be embedded in, or form part of. Note that this is not normally done consciously. Group think and other forces are naturally at play, on top of simple human nature and the basic need for self-preservation.
These behaviours harden into rituals, processes, and even belief systems that prioritize an inward-looking view over business outcomes or common higher-order goals, leading to the kind of imitation-driven dynamics that René Girard's mimetic theory describes. Luca Dellanna has a good summary of the consequences in his blog post on the topic.
Another force at play is Conway's Law, which posits that organizations design systems that mirror their internal communication structures. Applied to central control functions, this means that as teams grow, they naturally create work that reflects their internal goals rather than the needs of the business. These teams start generating activities that, while justifying their existence, do not necessarily align with or advance the company's broader objectives. More importantly, their natural centre of gravity becomes themselves rather than the business they are supporting, and they progressively lose context as time goes by.
You can start to see how these concepts and forces converge to create a collective behaviour, unintended to the greatest degree I would like to believe, yet one that impacts the large organization they form part of.
The Pitfalls of Inward Focus and Team Self-Justification
Central control functions, whether cybersecurity, compliance, privacy or legal, are designed to help manage risk and ensure accountability. However, as these teams expand, they can become more focused on creating work that at first sight looks justified. The mere non-embedded nature of their teams, tools and processes has them focus on their own internal challenges of scale, rather than collaborating with their stakeholders and driving value for the business.
In the absence of clear feedback loops, centralized teams can start developing processes that serve their own internal needs rather than solving the challenges faced by the business. This is Conway's Law in action: the structure and communication patterns of these teams shape the systems and processes they create. Rather than being built to streamline operations or mitigate real risks, many processes become rituals that reinforce the internal hierarchy and justify the team's continued growth. Let's face it, these areas carry big sticks 🏑 and can always pull the "this is the law" card, even when a more accurate statement would be "this is how we interpret the law". Who are we to tell a Cyber Expert that there is more context to consider and that a situation might be nuanced? The non-believers who point this out can even be subject to an inquisition for their heresy, as Phil Venables points out in his blog post Ceremonial Security and Cargo Cults.
For example, a compliance department might develop increasingly complex procedures that ensure every box is ticked, regardless of whether this actually improves the organization's compliance posture or business outcomes. In such environments, attempts to improve or simplify these processes are often met with resistance. Criticism of existing practices is seen as a threat to the team's role, and those questioning the processes are viewed as challenging the very existence of the department. So it is not really safe to critique them: they sit on a control plane in the organization that gives them the power to simply get people to do things without justifying themselves, by alluding to competency in their domain.
The Influence of Conway’s Law on Control Functions
Conway’s Law suggests that organizations will produce designs and processes that reflect their internal structures. In the case of central control functions, this can lead to the creation of work that serves the team’s need to maintain relevance and justify its size, rather than benefiting the business.
As teams grow, they generate more internal work—developing new processes, requiring more approvals, and creating more oversight mechanisms. This expansion often reflects the team’s internal communication structures rather than the actual needs of the business. What was once a lean, supportive function can balloon into a cumbersome bureaucracy that demands more and more resources while contributing less to the organization’s strategic goals.
For example, cybersecurity teams may introduce more and more layers of process to mitigate risk. However, these additional layers often slow down product development and innovation without significantly improving the organization's security posture. This work is generated not because the business needs it, but because the team needs to demonstrate its importance. The result is a feedback loop where the team's size and complexity grow in response to the very systems it has created. This is basically inspecting quality in after the fact, rather than building it into the process. As Jonathan Smart puts it in his book Sooner Safer Happier: Antipatterns and Patterns for Business Agility, quality is built in rather than inspected in later. It is this "inspected in later" piece we have to get right!
Trust, Decentralization, and Encouraging the Right Behaviours
To counteract the self-perpetuating work generated by centralized teams, it’s essential to design tools and processes that promote the right behaviours and outcomes. This involves moving away from an inward focus and trusting decentralized teams to make decisions within well-defined parameters.
As Matthew Barzun explores in "The Power of Giving Away Power," centralized functions must be willing to trust decentralized teams, allowing them to take ownership of their areas while operating within clear guidelines. This approach requires shifting from a command-and-control model to a participatory governance structure, where decentralized teams help shape the goals and systems they will be held accountable for. By involving these teams in the decision-making process, central functions can focus on enabling success, rather than creating unnecessary work.
When centralized teams give decentralized teams more autonomy, they reduce the need for complex, self-justifying processes. Instead, teams can focus on embedding compliance and governance into everyday operations, ensuring that accountability is achieved without creating unnecessary overhead. See my blog series that starts with Rethinking the Three Lines of Defence: Putting Customers at the Core of Compliance on how to shift everything left and move it into the flow of work that supports the business value stream. You move to the work, not the work to you. This applies to any support function. Test it. We will look more at this in the following section.
Embedding Accountability into the Flow of Work
A critical way to break the cycle of self-generated work is by embedding accountability directly into the flow of work, ensuring that systems and processes align with real business needs. Instead of creating compliance systems that function independently of daily operations, businesses can integrate these systems into existing workflows.
For example, Governance, Risk, and Compliance (GRC) functions need oversight tools, but those tools should complement the work of decentralized teams, rather than adding unnecessary complexity. By embedding compliance into everyday processes, organizations can minimize the need for additional reviews and approvals, ensuring that compliance is managed efficiently at the source. Get controls right in the first line.
When compliance systems are integrated into the flow of work, central functions can avoid creating work that exists purely to sustain their own operations. Instead, they focus on facilitating real outcomes for the business, ensuring that accountability is built into the business itself.
VERY important: this is not binary. The right level of centralization needs to be found, and this goldilocks space is not static. For example, when creating a new function you might need to over-scale the central accountability while the federated teams are trained, provided with the right tools, and given guidance that is clear and explicit. As Luca Dellanna puts it, be super-clear: not just clear enough that you can be understood, but clear enough that you cannot be misunderstood.
Example: Privacy by Design
As an example, the concept of Privacy by Design demonstrates how central control functions can shift from generating internal work to enabling decentralized accountability. Rather than treating privacy as an after-the-fact compliance exercise, it should be an integral part of how the business operates, with tools embedded directly into customer-facing systems.
"By design" means embedding it so that it just happens as business as usual. This is not easy and needs the support of experts in these compliance domains, NOT to take on the accountability of those who need to do the work to keep customer data safe, but to fix and enhance those processes so that the central function's everyday oversight can be reduced. This is the OKR!
You can get a deeper dive on how this subject influences privacy by design, as an example, in this blog post.
The key thing to remember is that this is always the same pattern: we need to distinguish two groups of personas, "X for X" versus "X for the business or operations", or products for central functions versus products for the business. For example, GRC for GRC and GRC for the business are very different, yet related. More in the following section.
Internal vs. Business-Embedded Tools: Striking the Right Balance
To avoid these pitfalls it is important to differentiate between internal oversight tools and business-embedded features. Internal tools are necessary for governance, but they should operate in the background, supporting rather than complicating business processes.
Business-embedded tools, on the other hand, should be integrated directly into the day-to-day processes of the organization. Features like automated data minimization or real-time compliance checks should operate within customer-facing systems, ensuring that compliance is managed where it matters most. This reduces the need for ongoing intervention by centralized teams and ensures that compliance is handled effectively without generating additional layers of work.
By balancing these two approaches, organizations can create systems that support the business without falling into the trap of generating unnecessary work to sustain centralized functions.
Participatory Governance: Involving Decentralized Teams in the Process
One way to ensure that central control functions avoid generating unnecessary work is to adopt a participatory governance model. This approach involves decentralized teams in the design and implementation of governance frameworks, ensuring that the processes reflect the real challenges they face in their day-to-day work. See more on this in the Deciding How to Decide blog post.
By involving the people who understand the realities on the ground, central teams can create more practical and effective solutions. This helps prevent the creation of work that exists purely to serve internal needs, and instead ensures that governance frameworks align with the business’s goals. It also fosters greater trust between centralized and decentralized teams, allowing for smoother operations and more efficient compliance.
Shifting Toward Real Accountability and Reducing Rituals
Improving the efficiency of central control functions requires moving away from the internal focus driven by Conway’s Law and focusing on real accountability. By trusting decentralized teams to operate within well-defined parameters, and by embedding accountability into the flow of work, organizations can reduce the tendency for centralized functions to create unnecessary work.
When centralized teams work to support the business rather than create work to justify their existence (which, again, they rarely do consciously), they can foster a more efficient and effective organization. By adopting a participatory governance model and trusting decentralized teams to handle compliance, organizations can achieve their goals while minimizing the overhead associated with large, process-heavy teams.
Conclusion: Empowering Teams for Better Outcomes
The challenge for many organizations is ensuring that central control functions are embedded, via people, process or technology, to support the business. By embedding compliance into daily operations, decentralizing decision-making, and adopting a participatory governance model, organizations can shift from performing rituals to achieving real progress.
Ultimately, by distributing control and trusting decentralized teams, organizations can reduce inefficiencies, improve accountability, and ensure that their control functions drive meaningful outcomes rather than justifying their existence.
The future is decentralized. Central teams need to delegate and create products that are able to work at the edge!