Hell hath no fury like departments of half-checked-out corporate bureaucrats colluding to strangle all projects from getting done. Swelling teams of procurement, security, compliance, legal, and risk management professionals have created processes akin to the mid-20th-century Indian government offices. Lengthy forms, opaque processes, and unclear standards managed by uncoordinated, zealous teams with gray power sources have brought your well-intentioned, important business initiatives to their knees. It now intolerably takes well over three months to get anything significant done. We must expose and expunge the risk-mongers’ hegemony and return to swiftly getting work done.
In the early 2000s, getting something done required navigating the relatively simple gauntlet of procurement and legal teams. If you wanted to make an IT purchase, maybe you needed the IT architecture team’s okay, too. Yet numerous cyberattacks, such as Equifax’s 2017 data leak or Colonial Pipeline’s 2021 ransomware attack, and acts of executive malfeasance, such as Enron’s 2001 governance meltdown, Lehman Brothers’ 2008 risky subprime investments, and Theranos’ 2025 fraudulent deception, demonstrated that companies routinely lacked controls.
Regulators pounced, and regulations spread like wildfire. The USA’s Gramm–Leach–Bliley Act and HIPAA, Europe’s GDPR and DORA, the New York Department of Financial Services’ cybersecurity regulation, the UK’s Operational Resiliency, Australia’s APRA, the Monetary Authority of Singapore’s Guidelines on Outsourcing, and many more have been introduced and enhanced numerous times. These are not simple guidance regulations. Some, such as GDPR, contain eyewatering penalties equivalent to the greater of €20M or 4% of a company’s global revenue. The newest EU AI Act carries even more punitive repercussions, reaching up to €35M or 7% of a company’s global revenue. Corporate controls and regulations swelled in response as Big 4 firms’ external audit teams’ hawkishness escalated.
The corporate legal department was the first “Department of No.” It was later joined by the birth of procurement and corporate cross-functional teams tasked with governing corporate spending and discretionary IT projects. Since then, the data privacy officer, chief information security officer, chief sustainability officer, head of operational risk, and their “Departments of No” have joined the corporate lexicon.
We use the term “Departments of No” to describe the internal teams seemingly tasked with creating challenging parkour-like hoops of fire that business leaders and their vendors must jump through or else be told “No.”
Source: HFS Research, 2024
Risk reviews performed by Departments of No are important. A director of architecture for a major airline said, “Departments believe vendors’ fairy tales that IT and procurement are unnecessary and pretend that the solutions won’t require customization or integration. Without these teams, something really bad will happen.” Another finance operations leader for a manufacturing company said, “We hear the product is used by a competitor or the Department of Defense, but when the IT security team digs into the details, there is zero security framework.” The risks are real, but the spirit in which Departments of No work is truly infuriating.
By now, you recognize your firm has a problem, but do you understand the catastrophic consequences? Let’s size the implications of allowing Departments of No to run amok in your organization.
Frustrating delays: Based on extensive interviews with business leaders, HFS Research estimates Departments of No inflict a cumulative delay of 15.3 weeks—excluding procurement’s lengthy RFP processes and legal contract negotiation time—which can stretch another 3-6 months. Imagine these delays’ cumulative multi-million-dollar impact on enterprise growth and cost-reduction goals.
High administrative costs: Departments of No are investing in workflow software and headcount to “efficiently” [we say that sarcastically] evaluate just the hundreds of new transactions they must review. Since policies, regulations, and technologies are constantly changing, most Departments of No also revisit past approved projects every two years, compounding the effort level. The costs of software licensing (and most companies cannot get their procurement, legal, compliance, privacy, and security teams to use the same software, which multiplies licensing costs two or three times) and administrative review professionals drive internal costs higher. An average company could easily have $1.5-2M of annual expenses tied up in Departments of No.
Provider expense and frustration: Providers have lost their patience with lengthy online forms that vary by company. “Pernicious, bad processes affect the staff’s morale, stress levels, and frustration,” explained one senior leader for an insurtech firm. “Some vendors refused to do business, some partners gave up,” explained the senior architect for a major airline. Furthermore, it is extremely common for companies to have separate lengthy forms for security versus privacy teams, which ask nearly the same questions, and then for compliance teams to have their own. The amount of duplication wastes providers’ time. “Poorly thought-out forms delay contract signatures and implementations for almost no additional value. Why can’t we get a single form from all the buyers?” asked one services provider SVP. To battle this, providers are now investing in GenAI tools to respond to questions, making the quality of their submissions less valuable to clients.
Enterprise behavior is fueling AI investment by providers: Multiple leaders at technology and service providers were interviewed for this research. All cited that the resources necessary to respond to all the requests are too much, so they are investing in AI technology to read through client documents and respond to them. That’s right: vendors aren’t writing their responses. ChatGPT is. This is a red flag for enterprises because the vendors are automating their responses, not seriously reading through the intent of the questionnaire and helping their clients make informed decisions.
Now that you understand the problem, here is the actional framework that all enterprises should follow to form effective Departments of Getting Things Done (see Exhibit 2).
Source: HFS Research, 2024
The proliferation of “Departments of No” has turned corporate oversight into a quagmire of inefficiency, frustration, and escalating costs. While the risks these teams manage are real, their current siloed, opaque, and disjointed processes are unsustainable for modern business needs. Organizations can transform these barriers into enablers of efficiency and innovation by centralizing workflows, standardizing requirements, and embracing a collaborative mindset. The time has come to shift from saying “No” to getting things done—streamlining operations and empowering businesses to focus on growth and value creation. Enough is enough—let’s build “Departments of Yes” that drive enterprise success.
Register now for immediate access of HFS' research, data and forward looking trends.
Get Started
If you don't have an account, Register here |
Register now for immediate access of HFS' research, data and forward looking trends.
Get Started
