Every control an organisation imposes is a wager. The bet is that the decision quality the control adds will exceed the delay it imposes. Most organisations never settle the wager. They add gates after incidents, retire them never, and accumulate a sediment of ceremony that nobody can defend on the merits. The Governance-to-Value Ratio is a lens for settling it: for any given control, weigh the value it adds against the delay it costs, and act on the answer. This continues a spine we keep returning to — architecture is decision quality, not documentation — and applies it to governance itself. A gate is, after all, a decision about decisions. It deserves the same scrutiny as any other.
The cornerstone evidence that a control can cost everything and add nothing comes from Forsgren, Humble and Kim. Analysing the State of DevOps data behind Accelerate, they found that external change approvals — a manager's sign-off or a Change Advisory Board — were negatively correlated with lead time, deployment frequency and restore time, and had no correlation with change fail rate at all. Their conclusion was blunt: approval by an external body 'simply doesn't work to increase the stability of production systems.' That is a Governance-to-Value Ratio of roughly zero, measured rather than asserted. The same body of research, drawing on 23,000-plus responses, found that high performance is achievable with any system 'provided that systems — and the teams that build and maintain them — are loosely coupled' and empowered. Structure drives speed and stability; approval gates drive neither.
The model: five parts
The ratio is simple to state and disciplined to apply. It has five parts, and you assess them per control, not per organisation.
- Value added — the decision quality the control improves. Does it measurably reduce rework, prevent an irreversible mistake, or surface a trade-off that would otherwise be missed? If you cannot name the bad decision it prevents, the numerator is zero.
- Delay imposed — the flow cost the control levies: the queue, the wait, the context-switch, the meeting. Don Reinertsen's Cost of Delay lets you price this in money rather than wave at it, which means the denominator is real, not rhetorical.
- Risk tier — the consequence class of the decision under control. Borrowing McKinsey's risk-tiered approvals matrix, a low-risk, reversible decision warrants light control; a high-stakes, irreversible one warrants more. Proportion the control to the stakes, never uniformly.
- Enforcement — whether the control actually binds. CrowdStrike's framing is exact: 'a policy that can't be enforced becomes an artifact — useful for signaling intent but unreliable as a risk management mechanism.' An unenforceable gate adds delay (people route around it) and no value (it changes nothing).
- Position — where in the flow the control sits. A standard applied at design time (a guardrail) is cheaper than a sign-off applied at release time (a gate). SS&C put it plainly: the firms that scale fastest 'use guardrails and not gates,' and embedding governance early often makes delivery faster, not slower.
Read across the five and a control sorts into one of three verdicts. High value, proportional delay: keep it. High value but mis-positioned or unenforceable: fix the position or the enforcement, do not scrap the intent. Low value at any delay: it is theatre, and it should go.
How to detect theatre
The failure mode the ratio is built to catch has a name. Bruce Schneier coined 'security theatre' for controls that 'provide the feeling of improved security while doing little or nothing to achieve it.' The mechanism is that organisations 'reward measurable compliance activity over effective compliance outcomes' and optimise for 'what looks good on paper instead of what reduces risk.' A CAB is theatre in exactly this sense: it produces an auditable artefact and the comforting sensation of oversight, while the evidence says it moves no quality needle. The ratio's job is to make this visible by forcing the question every theatrical control cannot survive — which specific bad decision did you prevent, and at what priced delay?
Governance does not slow innovation; it enables it. Velocity without governance is not progress — it is risk moving faster. The test is not whether a control exists, but whether it earns the delay it costs.
How to measure it
The numerator needs an instrument or it stays a debate. The 2024 DORA report supplies one: it reclassified change failure rate as a proxy for rework and introduced a Rework Rate metric — the proportion of unplanned deployments fixing user-visible issues. Pair a control with its rework figure before and after, and you have evidence rather than faith. The denominator is Cost of Delay, expressed in money. A control that drops rework by a quantum worth more than the delay it priced in is earning its keep; one that does not is subtracted from the system. The 2024 DORA finding on internal developer platforms sharpens the point: platforms improve performance but 'can also lead to decreased change stability and throughput, requiring careful implementation focused on developer independence.' A control earns its ratio only when people do not have to wait on the enabling team — self-service guardrails over blocking gates.
Why this matters now
The 2025 DORA report found roughly 90 per cent of developers using AI tools while 'most organizations have not extended DevOps controls to AI-generated code,' and more than 60 per cent discovering AI-related errors only after deployment. The reflex will be to bolt on a heavy review gate. The ratio warns against it: a uniform gate over abundant machine output is the CAB mistake at a new scale. The right move is Gartner's boundary-based posture under AI TRiSM — define where AI may and may not act, set the standard at design time, enforce it automatically, and reserve human review for the irreversible doors. Govern for safety and speed, in McKinsey's phrase, by tiering the control to the consequence.
Governance tax and governance yield
Run the ratio across every control and two portfolio numbers fall out. Sum the delay your controls impose and you have the governance tax — the standing cost the organisation pays in queue, wait and context-switch, whether or not anyone notices. Sum the bad decisions they actually prevent and you have the governance yield. Most organisations can quote neither, which is exactly why the tax compounds invisibly while the yield is simply assumed. The discipline is to make both legible per control, then manage the portfolio — retire the theatre to fund the few controls that genuinely pay.
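The measurement described under "How to measure it" and the tax and yield sums above, as an added example that is not part of the original article: it prices a control's delay as Cost of Delay and counts rework prevented only when the rework rates with and without the control are statistically distinguishable. The two-proportion z-test, the 0.05 threshold, the names `Cohort`, `p_value` and `assess`, and all figures are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Cohort:
    deployments: int  # all deployments in the cohort
    rework: int       # unplanned deployments fixing user-visible issues

    @property
    def rework_rate(self) -> float:
        return self.rework / self.deployments

def p_value(a: Cohort, b: Cohort) -> float:
    """Two-sided pooled two-proportion z-test: are the rework rates distinguishable?"""
    pooled = (a.rework + b.rework) / (a.deployments + b.deployments)
    se = math.sqrt(pooled * (1 - pooled) * (1 / a.deployments + 1 / b.deployments))
    if se == 0:
        return 1.0  # identical all-or-nothing cohorts: no evidence of a difference
    z = (a.rework_rate - b.rework_rate) / se
    return math.erfc(abs(z) / math.sqrt(2))

def assess(without: Cohort, with_ctl: Cohort, wait_days: float,
           delay_cost_per_day: float, cost_per_rework: float, alpha: float = 0.05) -> dict:
    # Governance tax: every change under the control pays the wait, priced as Cost of Delay.
    tax = with_ctl.deployments * wait_days * delay_cost_per_day
    # Governance yield: rework prevented, counted only if the drop is statistically real.
    p = p_value(without, with_ctl)
    prevented = (without.rework_rate - with_ctl.rework_rate) * with_ctl.deployments
    yield_ = prevented * cost_per_rework if p < alpha and prevented > 0 else 0.0
    return {"tax": tax, "yield": yield_, "p": p,
            "ratio": yield_ / tax if tax else None, "earns_keep": yield_ > tax}

# Constructed sample figures for one quarter (not real data).
BASELINE = Cohort(deployments=400, rework=48)          # changes that bypassed any control
RELEASE_BOARD = Cohort(deployments=400, rework=46)     # weekly sign-off, 3-day average wait
DESIGN_GUARDRAIL = Cohort(deployments=400, rework=20)  # automated check, minutes of wait

board = assess(BASELINE, RELEASE_BOARD, wait_days=3,
               delay_cost_per_day=500, cost_per_rework=4000)
guardrail = assess(BASELINE, DESIGN_GUARDRAIL, wait_days=0.01,
                   delay_cost_per_day=500, cost_per_rework=4000)

if __name__ == "__main__":
    for name, r in (("release board", board), ("design-time guardrail", guardrail)):
        print(f"{name}: tax={r['tax']:.0f} yield={r['yield']:.0f} "
              f"ratio={r['ratio']:.2f} p={r['p']:.3f} earns_keep={r['earns_keep']}")
```

With these constructed figures the release board pays a large tax for a rework difference that is indistinguishable from noise, while the design-time guardrail's yield exceeds its tax many times over.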
A maturity model: from gate sediment to earned control
- Level 1 — Gate sediment. Controls accumulate after incidents and are never retired; no one can say what each one prevents.
- Level 2 — Inventoried. Controls are listed and owned, but justified by precedent rather than value.
- Level 3 — Tiered. Controls are proportioned to risk and reversibility: one-way doors get more scrutiny, two-way doors get less.
- Level 4 — Repositioned. Gates become guardrails — standards enforced at design time, not sign-offs queued at release time.
- Level 5 — Measured. Each control carries a value (rework prevented) and a delay (cost of delay), and the portfolio is actively managed.
Diagnose your governance portfolio
- For each gate, can you name the specific bad decision it prevents?
- Do your one-way-door decisions get more scrutiny than reversible ones — or does everything face the same monthly board?
- Are your controls guardrails applied at design time, or sign-offs applied at release time?
- Can a team proceed on a reversible change without waiting on a central body?
- What is your rework rate, and which control is supposed to be holding it down?
Illustrative — a composite, not a specific client: a release board that met weekly to approve every production change. Measured across a quarter it rejected nothing and delayed everything, and the change-failure rate was indistinguishable between the changes it "reviewed" and the hotfixes that bypassed it. A Governance-to-Value Ratio of roughly zero — kept because it felt responsible, not because it worked.
From insight to action
We treat governance as a portfolio to be managed, not a posture to be defended. The work is unglamorous: inventory the controls, price the delay, name the decision each one prevents, retire the theatre, and reposition the rest as guardrails. AI makes it urgent because the reflex — a heavy review gate over abundant machine output — is the Change Advisory Board mistake at a new scale. We bring the delivery-governance experience honestly; the AI-specific patterns are convictions we are testing in the open, not a finished playbook. Our Governance-to-Value Assessment turns the questions above into a score you can act on.
If this lens is useful, the place to apply it next is Architecture Governance Without Bureaucracy, which works the same ratio through decision records, an advice process, and review tiered by consequence rather than hierarchy — the operating mechanics for keeping the audit trail while removing the queue.