Cases from Practice

The following cases are drawn from direct operational and advisory experience. Each presents a real decision made under constraint, with a defined dilemma and a measurable outcome. They are available for use in executive education, MBA programmes, and governance seminars, individually or as a set, and connect to a broader research programme on governance failure and assurance design.

Enquiries regarding teaching use: vshabad@vshabad.com


Meaning, Agency, and Flow: A Security Operations Transformation
Teaching note in preparation

Kazakhstan · Financial services · 2021
Operations management · Cybersecurity governance

In early 2021, the head of cybersecurity at a major regulated bank faced an operational crisis: 90 percent of security incidents were approaching the maximum resolution time permitted under internal compliance rules, with no budget for additional headcount and no time for a technology procurement cycle.

The case traces a five-month transformation using Kanban workflow principles and ITIL 4 process separation — reducing resolution times from 29 days to under one day without new staff or systems. Central to the transformation was a deliberate shift: analysts were taken out of a role as process components and given genuine agency over their work. In environments where headcount cannot grow and salaries cannot rise, removing work that delivers no downstream value — and making the value of remaining work visible to those doing it — produced a measurable shift in motivation and engagement.

A secondary episode in September 2021 revealed the fragility this created. When a technically novel piece of malware appeared in the queue, analysts exercised their new autonomy — and applied it to the wrong thing. They abandoned routine queued work to collectively examine the specimen for two days, degrading the metrics that had taken months to build. The episode was not a failure of discipline. It was a predictable consequence of granting agency before establishing a shared understanding of the value stream the team existed to serve. Autonomy without value-awareness is not neutral: it actively redirects effort toward what individuals find meaningful rather than what the system needs.

Central dilemma: Agency is necessary for motivation and resilience — but agency without value-awareness produces a new class of failure. How should an operational leader sequence these two conditions, and what does it take to build genuine value-awareness in a team under pressure?

Teaching themes include constraint-based process design, separation of incident and problem management, value-stream thinking, the relationship between agency and organisational purpose, and intrinsic motivation under resource constraints.


Security Without a Budget Line
Teaching note in preparation

Kazakhstan · Critical infrastructure · Energy, mining, manufacturing · 2022–2023
Risk management · Operational technology security

A global conglomerate operating across energy, mining, and manufacturing faced active nation-state threats against its operational technology systems with no realistic prospect of a dedicated security budget in the near term. Standard frameworks — NIST SP 800-82, ISA/IEC 62443 — provided technically sound guidance that assumed organisational capacities the enterprise did not have.

The case examines how the author, serving as a senior security leader, developed and implemented a flow-constrained approach: one major security improvement per quarter per asset (a mine, a power station, a processing plant — each with its own operational technology environment, safety constraints, and local engineering culture), a maximum of three minor improvements in parallel, and a progressive risk quantification method that built executive credibility through operational evidence rather than external data that did not exist. The approach drew on queuing theory, lean manufacturing principles, and structured stakeholder engagement designed to overcome the "not-invented-here" resistance characteristic of operational technology environments.

Central dilemma: When resource constraints make comprehensive security frameworks unimplementable, what is the most defensible allocation of limited capacity — and how do you persuade a sceptical board that measured progress is not failure?

Teaching themes include resource-constrained decision-making, risk quantification under data scarcity, executive psychology and behavioural bias in investment decisions, and the gap between framework design and implementation reality.


Why Tighten When Others Are Unwinding?
Available for teaching

Kazakhstan · Regulatory policy · 2023
Regulatory governance · Data protection · Comparative policy

In 2023, a working group of the Kazakhstan Majilis (Parliament) was drafting amendments to the country's personal data protection and information security legislation. The proposed changes would significantly tighten regulatory requirements — well-intentioned, but the working group had not fully examined the downstream consequences: increased compliance burden on SMEs, expanded state enforcement capacity requirements, and costs that larger enterprises would pass through to consumers.

The author, invited as an expert contributor, drew attention to a direct comparative problem: the United Kingdom and the European Union were at that moment moving in the opposite direction. The UK Data Protection and Digital Information Bill and contemporaneous GDPR reform debates reflected a growing consensus in more experienced regulatory jurisdictions that existing frameworks had overtightened — imposing disproportionate burden without commensurate citizen benefit. The question posed to the committee was direct: why would Kazakhstan replicate provisions that more experienced jurisdictions were unwinding?

The analysis examined the proposed changes through the lens of multiple stakeholder groups: citizens seeking protection of their personal data; SMEs facing compliance costs that larger enterprises could absorb but they could not; large corporations able to pass costs through to consumers; and the state itself, which would require significantly expanded enforcement capacity it did not yet have. The argument was not that international standards lack legitimacy — it was that uncritical adoption of standards under revision elsewhere, without examining how they distribute costs and benefits across different stakeholders in a different institutional context, substitutes borrowed authority for local analysis.

Central dilemma: When is alignment with international regulatory best practice genuinely appropriate, and when does it mean importing solutions designed for different stakeholder configurations? How should a working group weigh the legitimacy of established international standards against evidence that the jurisdictions which created them are reconsidering their design — and whose interests does that reconsideration serve?

The contribution was formally acknowledged by the Secretary of the Committee on Economic Reform and Regional Development in a Letter of Gratitude.

Teaching themes include multi-stakeholder regulatory analysis, comparative regulatory design, the political economy of compliance costs, critical adoption of international standards, and expert advisory roles in legislative processes.


Cases are drawn from direct professional experience. Organisational details are anonymised.