Get in touch

Postlight joins Launch by NTT DATA! Learn more.

It seems natural to implement rules to reduce risk. But when dealing with fluid processes like software development, can rigidity and fear of unknown variables actually hold you back? Paul and Rich discuss what’s at stake when leaders confuse rules with risk mitigation, and draw parallels between a good pilot, a good lawyer, and good software development — and as a bonus, Paul tells you how you can earn a promotion using only four words. 


Paul Ford It doesn’t matter if you have no idea what anybody’s talking about! When they look at you and they’re like, [high pitched, like a choking bird], “Uh blah blah blah! Brah blah blah!” “We’ll figure it out.”

Rich Ziade Yeah [laughs; music fades in, plays alone for 18 seconds, ramps down].

PF Alright, Rich.

RZ Mm hmm. 

PF I have a business idea. Like, a thing I wanna run by you. 

RZ Oh! I love business ideas. I love business. 

PF Well, no, like a concept, not a new business but like a concept I’m tryna flesh out. 

RZ Ok. 

PF So, here’s the thing: [music fades out] I think that when we go and talk to people at big organizations who are thinking about digital transformation and so on, they often get two things mixed up. They get rules mixed up with risks. And risks mixed up with rules. Let me give you some examples and then you can tell me [hmm], you can tell me here, on this podcast if I’m full of nonsense or not. 

RZ Ok. 

PF Lemme give you—lemme give you an example of, “Hey, Postlight, you guys seem great and I really like your design work, and your team is good, but we’re building a—a medical product and we’re worried that you don’t have enough direct experience with HIPAA Compliance to build something.” 

RZ Sure. 

PF HIPAA Compliance is a set of rules and we’re very good at following rules and not just us, basically anyone who can build software which is also a lot of rules. 

PF Mm hmm. 

PF Can figure out HIPAA Compliance. It’s boring. It’s gonna be weeks. It’s the same with, like, Sarbanes-Oxley Accounting Rules. Like, it sucks! It takes a minute. It is easier if somebody walks in the door and says, “I’m a Sarbanes-Oxley world expert.” But it’s not the risk they think it is. It’s just a set of rules that you need to learn. 

RZ It is a set of rules you need to learn. The rules are there beca—to mitigate risk. The rules are essentially guidelines so that you avoid certain outcomes that you don’t even have to think about. Just meet these guidelines, don’t worry about the possible outcomes. Essentially, you’re sidestepping risk analysis by having rules. 


PF That’s right. You’re gonna follow this and then you are compliant. We see it with our finance clients. I think you have a different perspective on this because lawyers have a very particular attitude towards risk that’s different than any other industry, and any other way of seeing it, which is you truly do see it as a dynamic system. It’s like, “Oh, well, I see why you made that choice, you played around on the edges with the rules, and took some risks around the rules in order to get a different outcome, and now you’ve been arrested. Well, I’m glad you came to talk to me, a lawyer, because we can now start to negotiate in this world, right?” But in general if you’re in an environment in which there are government regulations and rules, it’s always in your best interest to just lock ‘em down, follow ‘em, hire a fixer slash expediter if you don’t know—construction is another great example. 

RZ Mm hmm. 

PF So we walk into these environments all the time and people really don’t know what to make of us because we’re like, “We’ll figure it out! Just, you know, let us talk to your guy and we’ll know how to build the software so it’s compliant.” They think that the rules are gonna be impossible and it’s this huge risk. And then on the flip side, you end up in this situation where they wanna put rules around risks. Meaning that, they’re like, “Ok, I need a guarantee that the software will meet this exact set of requirements within 16 months, and it will look like this, act like this, and do these things.” And we look ‘em in the eye and we’re like, “Yeah, that’s not—you’re not actually managing risk. You’re trying to apply rules so that you can get a certain outcome, in the same way that, like, HIPAA does and it will never work with software. We can’t give you those guarantees or if you really, really want those guarantees you’re gonna get exactly that delivered and it won’t work.” Like, over and over you see that pattern. 

RZ I think that’s true. I do think that you can validate some things when you’re building software. We happen to have a culture where the engineers write code to test code which is very meaningful. If someone said to me, “Look: I have a requirement, this has to scale to five million concurrent users.” Then we wanna validate that, right? And so what we’ll do is we’ll simulate that environment, right? And does that lead to a certification of some kind? No, it doesn’t. 

PF Levels of confidence. 

RZ I mean there are certifications. There are like, “Yes, we’ve gotten—” Do you know what ISO Compliance and all that shit? 

PF Oh hell yeah, do I! That used to be such the—


RZ Yeah, I mean, factories have to do that stuff. Like, if you’re gonna bottle water, you have to meet certain agreed upon requirements so people don’t get sick, for example, and you don’t—you fall within environmental guidelines, et cetera, et cetera. And you’re not gonna go out and say, “Ok, you know what? I’m gonna eyeball this and make sure people don’t get sick.” You just have to meet those requirements. So the requirements are—

PF We really—I mean, people get upset about those requirements especially on the more libertarian side of the tech industry [yeah] but I like that my meat doesn’t kill me at random. Like, I’m a big fan of that part of it. 

RZ Yeah, that’s right. That’s right. 

PF Like, we actually—we accept those tradeoffs. Like, your car doesn’t explode. If it explodes, someone gets in trouble. There’s a huge incentive system—

RZ That’s right. 

PF —that allowing a car to just explode at any time is really bad. It’s a bad thing and you can go to jail. 

RZ True. And, you know, this is a debate that the American Bar Association often finds itself in because we are one of the most—if not the most litigious society—societies in the world. 

PF It’s hard to imagine—I mean there could be—it could be like, Liechtenstein has too—has like five lawyers per every 50 people but it’s hard to beat America. 

RZ And the truth is there are, you know, greaseball lawyers that do personal injury that frankly gain the system; you know, negotiate checks out of insurance companies, very common thing. But at the same time—

PF Well, or like, patent trolling is another good example of just like playing the system to—

RZ Yeah! Yeah. That’s shitty, right? But, at the same time, you know, there is—the case that the American Bar Association makes is that, “Guess what? You can open a can of anything and drink it and you’re gonna be fine cuz products liability can ruin a company and people should be careful! And bus drivers should be careful and truck drivers should be careful because we will—we will expose them and their companies with a lot of money. You know, we’ll get money out of them.” And therefore it creates a deterrent, right? So deterrents is an incredibly powerful—I mean, that is your risk management, right? I could blow through red lights but I have a deterrent in place: a) I don’t wanna die; and b) I’d rather not get sued and lose my house. Right? So those are powerful things. 


PF I’ve trotted this out a couple times but like, you know, I used to be an editor at a magazine. And, you know, the magazine had been around for a while, it had fact checking and all sorts of stuff. And it was a little glamorous, and people were like, “Oh! Hey, what’s it like? Oh, you work with famous writers bah bah bah.” And I got to the point where I would say, “You gotta understand the number one job of a mid-level editor like me . . . is to manage litigation risk.” 

RZ Mm hmm. 

PF My number one responsibility and especially cuz I was in front of the website which was a very large surface for inbound threat. Somebody would be like, “I found something you published ten years ago it wasn’t true, I’m gonna—” Or, “I want you to remove this piece,” and usually—

RZ Scary stuff! 

PF Well, and we were always—I was always happy to talk to people. There was always a situation, too, when the web archive goes up, all of a sudden people had written things or done things in their pasts that they no longer wanted surfaced. And then now they started showing up on Google. 

RZ Yeah, sure. Sure. 

PF And I was actually not—If it was a reasonable request, you could block that at robots.tx. Like you could say, “Google, don’t index this,” but like your internal search was still fine. 

RZ Yup. 

PF And I felt that was a pretty good compromise. We’re not gonna alter the record but yeah, I don’t need your entire life to be wrecked for some piece from 1998 poppin’ up in search records. And I would always be willing to have that conversation and it happened like twice and it was very ad hoc and you just try to do the right thing but then most of the time people wanna say, “I’m gonna get a lawyer.” They just wanna say ‘lawyer’ cuz they think that’ll get action and the action that it gets, it’s very dangerous. People should always know this. Don’t ever say ‘lawyer’ unless you really mean ‘lawyer’. It’s like pulling a gun. 

RZ It is. It’s true. 

PF Because the minute you—It was a formal protocol. The minute that happened, I would print out the email chain, walk it down to the general manager’s office, they would call the litigation insurance provider [mm hmm] and we would have a half hour conference call. You know, and I’d run it down. And that was—and then it was out of my hands. I could do nothing. I could act in no way. And I could no longer acknowledge the challenge. And the person would continue to write me and I’d be like, “I’m sorry, I’ve forwarded this to the general manager and you will now need to follow—all conversation needs to happen with them.” So this is my job as an editor, right? Like, that’s a certain part of it, especially being in front of the platform is that you are—you’re managing that risk and then you go in and you tune the paragraphs up and you write little things and come up with funny headlines but the—It’s hard to imagine, I think, like, when you’re thinking about these roles how much this plays into it. One of the tremendous benefits of starting Postlight with you, you’re a good product thinker and you’re a good leader, so that’s nice. Thanks. [Rich scoffs] But [chuckles] starting a company with a lawyer is a wonderful thing. 

RZ Yeah. 


PF Because you don’t worry about getting sued because you just took me aside and were like, “Don’t worry about getting sued.” 

RZ Yeah, yeah. 

PF That was it, “Yeah, you don’t have control. Just let it go.” 

RZ Yeah, I mean, look: part of the legal system, the legal profession, is intimidation. I mean, it’s part of it, right? A lot of times lawyers hope that the letter will get it sorted. Right? A strongly worded letter—

PF Ah, there’s nothin’ like that letter. 

RZ And that thick paper stock is often a way to get things lined up, right? Or at least have a phone call. 

PF If you’re an amateur and you get that letter, your house is gone. Yeah, your children aren’t going to college anymore, like everything just slides out of your fingers. If you’ve received that letter a couple of times, you go, “Oh, I got a letter.” 

RZ You’re touching on something very, very nuanced here which is people would love that kind of security and certainty in software. And the truth is yeah, you can validate some things but in the end, it’s such an incredibly fluid process. You know, I was flying into I think it was Fort Lauderdale, I was doing work down in Florida, and perfectly clear skies. You could see about as far—it’s flat. Like the—

PF Florida’s pretty. 


RZ The approach to Fort Lauderdale was just flat on—you know, I’m looking to my left was the ocean and to the right was Florida, right? 

PF Imagine Florida without the people, it would be paradise. 

RZ I can’t imagine Florida without the people. 

PF But that’s the problem with Florida. 

RZ Yeah, well, [high pitched] no, I like—Yeah, fine. Fine. 

PF Alright, alright, arlight. Ok. 

RZ Anyway—

PF Someone from Florida is sending an email right now. 

RZ And, you know, we hit a bunch of headwinds and [mm hmm] the interesting thing about it is you could kinda tell that the pilot was doing very little to make sure the plane stayed on the right approach to land. He was just sort of letting the headwinds do their thing and every so often he would right it. You could feel it [yup] actually. The plane would kind of drift off and you felt like, “Oh my God, he’s not doing anything.” And then he would kinda correct it every so often. And the—And as he’s descending in altitude and I think if that pilot had his hands tight on the, what is called, the yoke? 

PF Yeah. 

RZ And he’s just—

PF Yoke is fine. 

RZ And if he’s trying to control everything about that descent and that landing, it would not go well. And what he’s realizing and he’s accepting is that, look: “I’m gonna get yanked a bit here and there but I’m gonna mostly keep this on track.” 

PF Well it’s also—You’re gonna give up that control in order to exercise a larger form of control and not get into a situation in which a sudden threshold gets crossed and you’re in real trouble. 

RZ Exactly. Exactly. And like a lot of good things, good software development really has that kind of light touch. If you think you’re gonna chase down every single modification and change and bring the whole thing to a screeching halt every time you get blindsided, you’re gonna have a bad time, right? But the people that know when to push—to exert that control and when to let the winds do their thing, very often you just don’t know where it’s gonna come from. It could be a stakeholder; it could be user research; it could be a weird dependency to some component that’s out in the world that all of a sudden changed. It could be a million different things. 


PF The CEO’s daughter uses the app, has mixed feelings. 

RZ The email! You’ll get that email. It’s like, “What is this?” 

PF Oh yeah. 

RZ “This doesn’t feel right. I’m not feeling this.” And then all of a sudden, oh my God, how are you gonna handle that? Are you gonna stop everything? 

PF The brand changes. That’s another one. 

RZ The brand changes. New hire shows up. 

PF Oh yeah, new product manager? 

RZ New product manager and they really want you to get to know them really, really, really badly. I mean all of those things. 

PF Great one for an agency is they bring you in as the bootstrap team and they—you then help them hire the product manager who then changes their mind about everything you’ve done. 

RZ Yeah [laughs]. 

PF That happens [both laughing]. 

RZ And here’s the thing—

PF Those are classics. 

RZ Here’s the number one thing I think you have to take with you here is that you’re gonna hear all of it! The winds are gonna hit bad against that plane. But guess what? In the end? It’s gonna land. That plane—gravity is gonna win and it’s going to land. And that pilot, he may—he wants to get into a fist fight with the crosswinds but it’s gonna land! And if you’re a good product leader, a good product thinker, a good business leader, you just say, “You know what? I’m hearing everything you’re saying and God, you are wise! And true about everything you’re saying.” 


PF Anybody out there, you wanna get a promotion, I’ll give it to you in four words. You ready for the four words?

RZ Go. 

PF We’ll figure it out. 

RZ [Laughs] That was three words. Well, no. We’ll. Figure. It. Out. Yeah, that’s four words. Um, yeah. Yeah! 

PF You’ll get that promotion if you just simply say those words [mm hmm] every single time the wind changes [Rich laughs] . . . We’ll figure it out. And then you go back and you do every—also, memories in times of panic are about four to five seconds long. You can just go like, “Oh yeah, absolutely, we’re gonna figure that out.” And then you send like two emails and you’re like, “Yeah, look, check it out: we changed the color to blue.” And they’re like, “[Brief whistle of disbelief] Thank God.” 

RZ That’s really funny. 

PF “Ah, they did it.” You know what I think this comes down to? I’ve been thinking a lot about this because this is very pandemic thinking. This whole thing we’re talking about is very, very much like—We are currently, as a firm, we were set up to do this cuz we’re a small agency and we’re reactive to the market. We are flying into Fort Lauderdale. Every minute of every day [mm hmm]. I mean it’s changing. Things are changing. There’s different approaches and different ways we can take and we just—you wanna just avoid that moment where the plane just, you know, stalls. 

RZ Mm hmm. 

PF “A little to the left, a little to the right, but here we go: we’re goin’ on the runway.” What is different about our business from many, many businesses out there and this—this has taken me—this took me years to learn . . . There are growth businesses and then there’s what I’m gonna call optimization businesses. And the larger a firm is, the less likely it’s growth and the more it is focused on optimizing its current place in the larger business ecosystem. So, a growth business comes in and says, “I need to—I see a hundred thousand new customers, if I could just get an app that isn’t garbage, could you help me?” 

RZ Mm hmm. 


PF And the person is often a product manager who came in from either some other part of industry or whatever but it’s like people have something to prove. They wanna get new money in the door; new lines of business; new ways of doing things. Optimization is: we have a certain part of the market that we own. And if we just had a little better insight into marketing and we had a little better insight into what people were doing; or what they were buying; or what they were reading, we could adjust just a little bit and we could see five, ten percent growth in that part of the business, over there. And it’s actually not radically different. Different kinds of people do it different ways so the two can actually end up looking a lot alike. But what happens is like, that growth oriented ends up being way— usually way more flexible because they know it’s gonna blow up. You know if you’re looking for growth that—that really the world doesn’t want you to have it and you gotta figure it out. The optimization tends to come from this place of why—And really what optimization people love to do is buy services that let them turn knobs, right? Because that’s the control they want. They want—they’re like, “I know the rules of my business. You’re never gonna change those. It’s never gonna happen.” 

RZ This is back to your point. And I think this is how we bring this all full circle cuz this is a lot of different ideas. Rules: you can follow them. Risks require real time thinking. And rules don’t because you just have to know them and there are experts who spend their lives and become certified X and certified Y because all they do is navigate the rules, right? That’s all they do. 

PF Well and if you’re at a big firm what you do is you hire consultants to help you with the risk. You operate along the rules. 

RZ Yes. 

PF The consultants tell you how to deal—Like you hire one of those big firms [mm hmm] to help you deal with the plan around the risk. 

RZ That’s right. They spend time . . . absorbing information; doing research; doing surveys; doing whatever, and then they digest that and they come back to you and say, “Here are your risks.” Right? 

PF Well, I think that’s—People often wonder. Look: there’s a lot of easy and not untrue things to say about big consulting showing up in big firms. 

RZ Mm hmm. 

PF And why it’s there and what it does for executives. And it’s really easy to roll your eyes at it but if you think about it in this framework, right? I have a company where people know what they’re supposed to do; it’s relatively well organized; and I have a structure where people come in, do their jobs, and the company makes money for its shareholders. And this is the way the world works. And we like it. And we make billions of dollars over the courses of many years and people feel good about themselves and get to buy cars and houses. And then, change starts coming. And the fantasy is, “Well, we’ll create a little startup,” or, “We’re gonna be innovators here.” And it’s like no, why would—how? Why? You just created a whole system around rules [mm hmm] that might be 20, 30 years old. How are you going to suddenly in like a year become a risk organized organization. How the hell?!? 


RZ You know what you’re touching upon now? Is the innovation group. That’s how. 

PF Oh yeah. 

RZ That’s how! The innovation group is like, “Uh! No! This is—this is the place, we’ll get the neon paint, we’re gonna paint really interesting murals on the walls, and this is where we innovate. Because here? No rules!” 

PF Oh, you know the danger move? The danger move is we’re gonna hire that person from Airbnb . . . we’re gonna bing in—

RZ Groupon. 

PF Or Uber. Groupon. Right. And we’re gonna bring ‘em in because they understand how to do this and they land and they’re just immediately hit with a regulatory framework that’s [Rich laughing] 700 feet high and they’re like, “How do I get—” 

RZ Well, they’re trying to get 150 grand cleared and it’s like, “Well, you gotta go through procurement.” [Laughs

PF No that’s right and they can’t get on Github. They’re like, “What do you mean I can’t get on Github?” And—“Well, it’s not approved.” Right? Like, we use—we use Subversion hosted by Microsoft. And you’re like, “What?” 

RZ This is a—We’ve seen this movie so many times. So many times. And some groups do a better job at truly giving freedom to that innovation group versus others but this is—the rules, once they are in place are very hard to dislodge and very hard to ignore. 

PF Everybody has a fantasy that somehow the rules driven organization will be flexible and fluid given reality but there is no reality aside from the rules. The rules are all that matters to the people who follow and work against the rules. And so I think like why do you bring in a big consulting firm? It’s so that they can wander around and think about risks to the business from the larger world that have nothing to do with the rules, systems, and processes that you have set up. And in doing so, they can actually tell you what needs to come next. And I make fun of big consulting as much as literally any human alive, however, that is a function in a big org you can’t be without. 


RZ Yeah, and to add to that: they are an external force that’s much more immune, they are already vaccinated against the political system that’s in place, right? I don’t care. Like, we’ve gone into organizations where we’re spectators of the politics because we are there to do a thing, they could send us home at any time so we’re constantly paranoid about it and we’re gonna do it! And if things start blockin’ us, we just say, “Hey, you know, I don’t really know who this person is that just showed up but they’re slowin’ us down.” 

PF Well, also, we’re in a position—you’re in a funny position, right? Because people will try to kinda bring you over and seduce you to their way of thinking. But if their way of thinking and their strategy slows down our ability to deliver our product, our business is at risk. So it doesn’t matter. I’m like, “Those are great rules! Oh my God, your system really makes sense to you. Please get me out of this room because you’re costing my company a lot of money.” 

RZ That’s right. That’s right. 

PF And we’re hired with that mind. Like smart execs know you actually use an organization like ours as a forcing function. 

RZ That’s right. 

PF What are the things that you could extract from this? I mean, I’ll throw one out which is: know if somebody is like a rules driven person or a risk driven person. 

RZ Very helpful. Absolutely. 

PF Make that—Don’t roll your eyes at the rules driven person. That’s their job. And it doesn’t mean that the risk driven person is like some sort of absolute goofball either. 

RZ No. No, no, no. 

PF A dynamic organization has to have a lot of both. 

RZ Yes. And—and I think, you know, this is a more subtle piece of advice but keep a light touch on the wheel. There is no exact rule book, especially, I mean, we’re talking software. This applies kind of universally but in software, if you think there is an exact rule book as to how this is gonna go down, you’re gonna have a hard time. It’s just really hard to do because it’s just such a—it’s headwinds, right? You will face those headwinds and some are human and some are not but think on your feet. You know, think through what is in front of you at any given point and time. You think maybe you can get the answer in a Google search, you’re just not going to. This is the part where you’re not—Yeah, you can debug a component with a Google search but you’re not gonna solve the higher level stuff. 


PF No, and that’s why the four most important words are we can figure it out. 

RZ We’ll figure it out. 

PF Everybody’s panicking, running around. You’re not promising that you have a solution right there. You’re not saying that you’re gonna get it exactly the way—We can figure it out. 

RZ Yeah. 

PF You’re gonna go back and put a good faith effort into figuring it out. [Rich laughs] That’s all anybody needs. That’s all—If you say that to me, I’m like, “Great, let’s replace my liver! Go for it. Whatever it takes.” [Rich laughs] We can figure it out. Alright, so, a little abstract but this has been on my mind cuz we’re, you know, we’re thinkin’ about how we communicate and talk and the kind of companies we deal with. 

RZ Mm hmm. 

PF And it’s important to draw these lines, right? Because like, I think what happens is everybody thinks everyone else is an idiot. They’re either goofballs from the future or high bound, old, unbudging factotums and so it’s never that simple. Ever. Ever. Ever. Like you gotta—If somebody follows the rules it’s because it’s in their best interests to follow the rules. If somebody’s really excited and motivated by taking lots of chances it’s because they think they can get a lot more reward for more risk—more risk taking and so we deal with that a lot. And we think about it a lot which is sort of funny for a company that identifies itself or has identified itself as a build focused firm but that’s frankly not what we are as much anymore. We tend to be more on the strategy side up front and then we see it through the build. 

RZ I mean this is—we’re gonna be talking more about this in future podcasts but, you know, Postlight has matured into really a strategic partner, a company you want nearby to help you with sort of the bigger conversations about what you’re doing; why you’re even doing it; what it’s gonna take; where the risks are; and then we execute. So that was maybe the smoothest transition into an advertorial uh—

PF Well, let me tell ya, that’s how a strategic partner does it! 


RZ Exactly!

PF You [chuckling] don’t just stumble—You know how this happened though? It’s worth noting. This happened because after seeing the same patt—You and I don’t have MBAs. We saw the same patterns four trillion times. 

RZ Yeah. 

PF You see suffering. [Chuckles] You see people making decisions that hurt their business and you start going in a little bit earlier, before the meeting [music fades in], and going, “Yeah, that’s interesting but what if the slide said this?” And before you know it: you’re a strategic consultant. 

RZ Yup and I think that’s—I think that’s been a big part—We’ve got some exciting announcements that are coming very soon about some of the bigger case studies, the bigger projects we’ve done that we’re really proud of. So you’ll be hearing more about us but reach out to us! We love to talk! We love giving that strategic guidance even if nothing else materializes. We are a great team of designers, engineers, and product leaders but we love to talk: Email us. This was great, Paul.

PF That’s all you gotta do! Hey, no, I mean, thank you for taking a very abstract concept and helping me figure it out, turn it into a podcast. 

RZ This is what we do. This is how we work. Everyone, be safe, have a great week. 
PF Hang in there, everybody., anything you need. Bye! [Music ramps up, plays alone for three seconds, fades out to end.]