Why Are You Always Surprised When Things Go Wrong?
David Nichols – Co-Founder and Executive Director of the DVMS Institute
Leaders keep getting blindsided, not because they lack tools or talent, but because the governance systems they rely on were designed to document intent, not confirm outcomes.
Most organizations have invested heavily in oversight infrastructure. Frameworks are in place. Dashboards report. Audits run on schedule. Risk registers are maintained. Controls are documented, reviewed, and signed off. Yet incidents keep occurring, surprises keep arriving, and post-incident reviews keep yielding the same uncomfortable question: how did we not see this coming?
The honest answer is structural. Most enterprises’ governance systems are built to record what was planned, not to determine whether it is actually working in real-world conditions. That distinction matters because those are not the same thing.
Compliance Is Not Assurance
A checked box is not a functioning control. A completed audit is not evidence of resilience. These are not the same claims, but most governance reporting treats them as equivalent. The result is a widening gap between what the organization reports and what is actually true about its capacity to perform under stress.
This gap does not appear suddenly. It accumulates through the normal operation of governance systems designed for a slower, more predictable operating environment. Those systems reward documentation of processes. They measure adherence to the plan. They are not designed to detect the difference between a control that exists and one that works.
The surprise you keep experiencing is not a failure of execution. It is a consequence of measuring the wrong things and calling the result governance.
The Problem Starts at the Top
Organizations that fail at this level are rarely led by incompetent people. They are led by capable leaders who operate with an incomplete picture of reality. The incompleteness is structural, and the structure was approved at the top.
Siloed decision-making produces siloed visibility. Accountability structures designed for a hierarchy create accountability gaps at the boundaries between functions. Systems that were integrated on paper remain operationally fragmented. Each function optimizes for its own measures, and the behavior of the system as a whole remains visible to no one.
When something goes wrong in this environment, the instinct is to identify who failed, who missed the signal, and who did not escalate. That instinct is understandable, but it is also part of the problem because it focuses attention on individuals rather than on the system that produced the outcome. It assigns blame rather than building accountability. And it leaves the underlying architecture intact.
The architecture will produce the next surprise on schedule.
Complexity Is the Condition, Not the Problem
The reflex under pressure is to simplify. Reduce the vendor count. Consolidate the platforms. Tighten the controls. These actions have genuine value. But they do not resolve the underlying condition, because the complexity that creates governance risk is not primarily a function of vendor count or platform sprawl.
It is a function of interdependency. Modern digital operations depend on supply chains, shared infrastructure, third-party services, and regulatory requirements that no organization fully controls. That interdependency does not simplify. It deepens. And the governance model that treats it as a temporary problem to be managed until things settle down will keep generating surprises, because things will not settle down.
The question worth asking is not how to eliminate complexity. It is how to govern confidently in its presence. That requires something different from what most governance systems provide: not documentation of intent, but continuous evidence of capability. Not a record of which controls exist, but a reliable picture of whether they are working, how the system is actually behaving, and where the gaps between planned and actual performance are emerging.
Organizations that develop this capacity do not stop encountering disruption. They encounter it from a position of operational clarity rather than institutional surprise.
The Conversation That Has to Happen
There is a conversation most organizations need to have, yet very few are having it. It does not start in the technology or risk functions. It starts at the top, because the governance architecture that produces recurring surprises was designed and approved there.
The conversation is straightforward. The way we govern was designed for a world that no longer exists. We measure what we have done and call it assurance. We know who to blame when things go wrong, but we have not built clear accountability to prevent them. We have sophisticated systems for documenting our intent and limited capacity to evidence our reality. That gap is the risk.
That is not a technology conversation. It is not a compliance conversation. It is a leadership conversation about whether the governance model is adequate for the environment in which the organization is actually operating. And it can only be started by someone willing to ask the question honestly.
Regulators and boards are beginning to demand answers. In jurisdictions and sectors where personal liability for digital resilience failures is now a live issue, the difference between documented governance and evidenced governance is no longer academic. It is the difference between being able to stand behind a claim and hoping no one looks closely.
The First Step
The hardest move in this situation is not adopting a new platform or redesigning a governance architecture. It is standing before the people you report to and stating what is true: the current model was built for a different environment, and the evidence that it is working is thinner than the reporting suggests.
That is not a failure. It is not a crisis. It is an honest answer to an honest question that most governance systems are not designed to ask.
Is the way we govern today adequate for the world we are actually operating in?
If the answer is yes, demonstrate it, not with documentation of intent, but with evidence of the outcome. If the answer is anything other than ‘yes,’ the more important question is not who is responsible for what went wrong.
It is who will be responsible for making it right.
About the Author

Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
® DVMS Institute 2026 All Rights Reserved


