Stop Solving Problems by Adding Processes
Many SRE and operations teams predominantly address operational risks through “additional approval processes” — whether for database schema changes, service deployments, client releases, etc.
In theory, such operations should be planned, scheduled, and reviewed by the designated project owner. However, organizations often impose redundant layers requiring approvals from the owner’s direct leader, or even higher-level leadership. The justification typically cites leadership’s “accountability,” implying they consequently deserve oversight rights.
Yet practitioners understand this approval mechanism often degenerates into performative bureaucracy. Leaders cannot reasonably comprehend technical specifics across multiple projects — if a leader truly masters a project’s details, they should inherently be the project owner.
Key arguments:
- Increased process cost ≠ Improved risk control quality
Using approval layers as risk “gates” constitutes an indirect and inefficient control mechanism. It indiscriminately delays critical emergency changes and incentivizes workarounds, while failing to enhance substantive risk assessment capabilities. - Effective risk mitigation requires:
- Clear risk evaluation criteria and tooling for owners
- Enhanced automated validation and proactive alerting systems
- Mandatory justification protocols for high-risk operations during critical periods
These fundamental measures prove more impactful than adding perfunctory approval layers that often succumb to information asymmetry or leadership bandwidth constraints.