For many organizations, compliance is often treated as a proxy for preparedness. Policies are written, training is logged, exercises are documented, and audits are passed. On paper, the organization is “ready.”
Yet researchers at the Center for International Development at Harvard University, for example, noted in 2023 that compliance-focused evaluations often fail to capture whether programs and processes are fulfilling their intended objective, and that “if unanticipated problems arise in unanticipated ways in unanticipated places, or if innovative solutions are being deployed during implementation, it is unlikely (by definition) that these will be detected”. [1]
Hence, when real incidents occur, whether regional unrest, environmental threats, hostile intruders, a kidnapping or a cascading operational failure, the breakdowns are rarely caused by a lack of policy. They are caused by process failure: unclear decision authority, fractured communications, cultural hesitation, and misalignment between how work is imagined and how it is performed.
The Red Ball Drills® program (www.redballdrills.com) was originally designed as an active threat training program in the United States. The methodology treats participants like subject matter experts and facilitates discussion of process to derive meaningful policy and procedure improvements. What we discovered was that the methodology of discussing processes for any organizational challenge was far more effective than simply ticking the compliance box or providing solutions-based training that did not necessarily align with organizational culture.
For instance, compliance asks:
“Did we do what we were required to do?” or “Do we have what we are required to have?”
Yet, operational resilience asks:
“Can our people actually execute under pressure, within our real-world constraints?”
In many organizations, exercises are designed to validate the first question. They help confirm that:
- Policies exist
- Policies are accurate and up to date
- The correct people are aware
- The right actors are listed and primed
- Training boxes are checked
- Reports can be produced
- Evaluations are conducted
- Slaps on the back are conducted all round
What they do not test is whether those policies:
- Make sense in live operations
- Are understood by “boots on the ground” staff
- Can be executed without conflicting instructions
- Align with organizational culture
The European Banking Authority defines operational resilience “as the ability of an institution to deliver critical operations through disruption”. [2] With many organizations shaken by the weaknesses revealed during the COVID-19 pandemic, awareness is growing of the need to move away from a compliance routine towards building operational resilience. [3]
How Compliance Can Blur a Useful Process
1. Policy Substitution for Decision-Making
In compliance-driven exercises, participants are often coached, explicitly or implicitly, to “find the right policy.” The exercise rewards citation, not judgment. In a real incident, however:
- Time compresses
- Information is incomplete
- Multiple policies can be in effect at the same time or may conflict with each other
- Quick practical thinking under pressure evaporates
On-site process discussions deliberately remove the safety net of policy lookup and instead observe how decisions are made. This often reveals that policies exist without a clear decision owner, leaving frontline staff exposed and hesitant. Most risk managers would agree that the most critical part of managing any crisis is communications, yet organizations spend very little time developing their internal communications strategies outside of PR-related events.
2. Artificial Calm Masks Real Friction
Traditional exercises are often paused, explained, or corrected mid-stream to ensure the “right” answer is reached. This creates artificial calm and order. Discussions of processes that avoid theatrical stress and do not impact on daily operations create actionable policies and procedures. What emerges is not panic, but actionable outcomes:
- Who is allowed to act without permission?
- Where is communication lacking?
- How long does escalation take?
- Where can informal workarounds replace formal processes?
3. Documentation Over Learning
Compliance cultures tend to prioritize what can be documented:
- Attendance sheets
- After-action reports with pre-approved language
- Findings aligned with existing plans
However, process-focused training prioritizes what can be learned:
- Why do people hesitate?
- Why do instructions conflict?
- Why does communication fail despite existing tools?
- Why does informal authority trump formal titles?
Why Prioritizing Process Helps Prevent “Compliance Theatre”
Focusing on process does not mean being anti-compliance; it is complementary and a mutual must. In practice, it often strengthens compliance by making it executable in real conditions rather than in theory. What this approach rejects is compliance theatre: exercises designed to look good rather than work well, scenarios that confirm existing assumptions rather than challenge them, and findings that protect optics instead of people. When compliance becomes performative, it may satisfy audits while quietly increasing operational risk.
By prioritizing live process, organizations tend to surface issues that formal reviews miss. This includes compliance requirements that unintentionally create delays during real incidents, policies that assume resources or capacities that do not exist, and reporting chains that function on paper but collapse under pressure. Addressing these gaps does not weaken compliance. It grounds it in reality, where it is meant to operate.
A Case Study in Practice: Believing is Seeing
At a mining facility in Kenya, five years after the Westgate Mall attack, we ran a Red Ball Drill and discovered that the entire communications plan for the facility was based on cell phone communications. All personnel were instructed to call the security command centre in the event of a safety/security issue. Process discussions with several staff members revealed that while nearly 100% of staff had cell phones, over 75% of personnel on site had no minutes on their phones and could not call. While discussing communications, a young staff member suggested a toll-free number that would allow calls from any cell phone, regardless of minutes. Management implemented it immediately at negligible cost, fixing a critical communication gap.
Preparedness Is a Process Problem, Not a Policy Problem
Finally, the most resilient organizations understand a simple truth: compliance keeps you defensible, but process keeps you operational. When leaders shift their focus away from box-checking and toward observing behaviour, communication, and decision-making in real time, risk becomes visible in ways that policies alone cannot capture. When you value the information from personnel on the ground, you facilitate policy changes from the ground up, as opposed to top-down implementation. Process-driven discussions expose how work actually happens, giving leadership the insight needed to intervene early, close gaps, and reduce risk before it escalates.
Disclaimer: Statements expressed in this blog reflect the personal opinion of the author and do not represent the position or policy of GBPG or entities we are affiliated with. While we strive to ensure the accuracy of the information presented, we make no guarantees regarding its completeness, reliability, or accuracy.
Sources
[1] Rogers, Patricia J. and Michael Woolcock. 2023. “Process and Implementation Evaluations: A Primer.” Harvard Kennedy School – Center for International Development [Available] https://bpb-us-e1.wpmucdn.com/websites.harvard.edu/dist/c/104/files/2023/05/2023-05-cid-wp-433-process-and-implementation-evaluation.pdf
[2] European Banking Authority (2026) Operational Resilience [Available] https://www.eba.europa.eu/regulation-and-policy/operational-resilience
[3] Harvard Business Review (2020) Building organizational resilience [Available] https://hbr.org/2020/11/building-organizational-resilience