Moving Fast and Breaking Things: Software Startups Having a Compliance Reckoning

It’s been almost two years since Facebook CEO Mark Zuckerberg announced the move away from the company’s famous mantra, “Move fast and break things,” to the decidedly less catchy “Move fast with stable infrastructure.” It reflected a turning point in the company’s maturity: a recognition that getting things right had to take priority over getting them done quickly.

While Facebook’s shift was focused on its development processes, the philosophy behind it can and should guide software companies’ approach to compliance. Because, let’s face it, our software startup brethren have taken a beating over the past couple of years for compliance failures and cultural breakdowns. This is an area where startups need to dedicate real time and dollars to safeguard everything they’re working so tirelessly to build, lest they become yet another case study for their counterparts and fodder for everyone to dissect “what went wrong,” as GitHub, Tinder, ZenDesk and so many more can attest.

Full disclaimer from one fast-moving technology company to another: We get it. We don’t just understand the need for speed and agility; we embrace it. We also know that survival as an early-stage, high-growth tech company requires you to take risks and push boundaries, both of which seem at odds with the common perception of compliance. And your priorities often lie elsewhere: product development, revenue generation and customer success. But instead of an obstacle, compliance should be seen as a business enabler, one that lets you know exactly where the line is and operate right up to it without stepping over.

PwC’s 2015 State of Compliance Survey showed that less than one-third of technology CCOs were involved in business strategy meetings. The breakneck pace at which tech companies move requires earlier and more frequent visibility for CCOs to be effective in their roles.

Compliance is one area where asking permission is far preferable (and less expensive) than begging for forgiveness.

Because when something goes wrong, the regulators will take note that your “bring your dog to work” policy is more articulate than your policy on sexual harassment. They’ll see you spent thousands of dollars keeping your office kegerator stocked, but next to nothing on compliance training. They’ll wonder how you’ve somehow managed to get every employee communicating on Slack, but haven’t given them a secure, anonymous channel to tell you when something’s gone wrong.

Best case scenario, it becomes a huge distraction from the work you’re doing. That’s a disruption few startups can afford when every hour of every day counts. This is to say nothing of what it might do to your ability to attract and retain the best talent, investors, business partners and buyers. In some cases, it can cost you thousands, if not millions, in litigation, enforcement and bad press, taking a toll on your bottom line and your good name.

If preserving the company’s future isn’t incentive enough, then compliance is a way to preserve your own. Because time and again, when scandals go public, heads roll. Ask former Zenefits CEO Parker Conrad; former GitHub president and co-founder Tom Preston-Werner; or former Tinder CMO Justin Mateen. Someone usually has to take accountability for what’s happened before employees, customers, directors, investors and the media can move on. Can you afford to lose, and replace, a member of the founding and/or executive team? The “disruption” compliance causes is a blip on the screen compared to an upheaval like that.

Software startups have all too many excuses for not investing in compliance. And in almost every example of a tech company where things went wrong, you see one or more of these at play before the dirty laundry was publicly aired. These aren’t just learning moments; they’re ammunition you can take to your leadership and board to show that this stuff happens, frequently, to companies that look and operate just like yours.

  • “We don’t have the time or money.”
    • This is your insurance policy. It’s how you know, and can assure your stakeholders, that one bad decision, or a series of them, won’t undermine your success. If you’re like most organizations and run into roadblocks when trying to justify a budget for compliance, change your value proposition: instead of business protection, where the value lies in hypothetical cost avoidance, try business facilitation, where you enable and stabilize growth and calculated risk-taking.
  • “We’re too small and don’t need that.”
    • Recent case law and enforcement actions are driving higher expectations for smaller, private companies. If you’re a B2B company selling into the enterprise, you’re likely already encountering more requests for transparency and validation around your compliance program and history. If your ultimate goal is to IPO, you’ll be required to have compliance program elements in place when you do. And if you’re building your company to be sold, potential acquirers will want proof that they’re not inheriting liability they’ll have to answer (and pay) for in the future. It’s challenging enough to reconcile company cultures and workforces without also having to course-correct one that’s corrosive.
  • “We’re like a family.”
    • While it might seem like an open office equates to an open door culture, it can actually have the opposite effect, where employees don’t feel they can raise issues or concerns without being singled out and risk being cast out from a tight-knit culture.
  • “We don’t want to stifle our culture.”
    • HR and compliance can’t be seen or treated as the bureaucratic enemy of innovation and productivity. It’s a lot harder for discrimination, sexism and harassment to occur and corrode the company you worked so hard to build if you invest in those key functions. It’s also a hell of a lot easier to defend the organization when these things do happen if they are isolated incidents caused by a rogue employee or two, not symptoms of widespread cultural issues.

Appoint a CCO (according to PwC’s 2015 State of Compliance Survey, 70 percent of surveyed tech companies had a named CCO/CECO). If you don’t hire one, assign operational oversight for compliance to your general counsel or someone from legal for the time being. Give them the budget and resources they need to implement an effective compliance program, a central role in your strategic decisions, and the authority to address issues that put that strategy at risk. Then, when they make a plan and try to implement things like a hotline, training and policies, help brainstorm how you can embrace them and weave them into your culture. This stuff is far more likely to work if it visibly has executive buy-in and gets woven into the operational fabric of the company.

For all the good things about it, our culture has taken a beating recently. So let’s rise to the occasion. It’s time for the “brogrammers” to put on their proverbial big boy pants, or at a minimum appoint and empower someone to be the adult in the room. We understand the value of moving fast and breaking things. We just think some things aren’t worth breaking.