Once upon a time I worked with a company whose numbers were, so far as I could tell, unreliable.

Not unreliable as in a rounding error. Not unreliable as in having to place asterisks in the annual report.

Unreliable as in a billion dollars a month in unaudited transactions being posted to the general ledger through improvised patch programs that gathered data from an ancient legacy system in which the “source of truth” rotated among three different databases.

Our client’s executive team assured us their financial reportage was squeaky clean. The employees we interviewed who were closer to the action, in contrast, predicted a future need for significant, embarrassing, and high-impact balance-sheet corrections.

Assuming you consider multiple billions of dollars to be significant and embarrassing, not to mention high impact, a few years later the employees were proven right.

How do these things happen? It’s more complicated than you might think. A number of factors are in play, none easy to overcome. Among them:

Confirmation bias: We all tend to accept without question information that reinforces our preferences and biases, while nit-picking to death sources that contradict them. Overcoming this — a critical step in creating a culture of honest inquiry — starts with the CEO and board of directors, and requires vigilant self-awareness. If you need an example of why leading by example matters, and how leader behavior drives the business culture, look no further.

Ponzi-ness: Ponzi schemes — where investment managers use new investor money to pay off longer-term investors instead of using it to, well, invest — often don’t start out as fraudulent enterprises launched by nefarious actors.

My informal sampling suggests something quite different: Most begin with an investment manager making an honest if overly risky bet. Then, rather than fessing up to the investors whose investments have shrunk, they find new investors, putting their funds into bets that are even more risky in the hopes of enough return to pay everyone off and get a clean start.

It’s when that attempt fails that Ponzi-ness begins.

Middle managers aren’t immunized against this sort of behavior. It’s how my former client got into trouble. A manager sponsored the effort to replace the creaky legacy system. Part of the business case was that this would replace a cumbersome, expensive, and error-prone month-end process with one more streamlined and efficient.

When the legacy replacement didn’t happen on schedule the manager was still on the hook for the business case, leading him to turn off the maintenance spigot — hence the need for improvised transaction posting programs.

Delivering pretend benefits by increasing risk is the essence of Ponzi-ness.

View altitude and failed organizational listening: Management knows how the business is supposed to work. They are, in general, several steps removed from how it actually works, depending on lower-level managers to keep them informed, who rely on front-line supervisors to keep them informed, who in turn rely on the employees who report to them to make sure (that is, provide the illusion) that they know What’s Going On Out There.

Executives enjoy the view from 100,000 feet; middle managers from 50,000. Smart ones recognize their views are at best incomplete and probably inaccurate, so they establish multiple methods of “organizational listening” to compensate.

Those who skip levels to direct the action are, rightly, called micromanagers. And yet, everyone below them in the management hierarchy has a personal incentive to keep bad news and their manager as far apart as they can. The solution is to recognize the difference between expressing interest in What’s Going On Out There and needing to direct it.

Managers should listen to everyone they can, but instruct only those who report to them directly.

Holding people accountable: As discussed in this space numerous times and detailed in Leading IT, managers who have to hold people accountable have hired the wrong people. The right people are those who take responsibility. Managers never have to hold them accountable because they handle that little chore themselves.

But those who have bought into the hold ’em accountable mantra effectively block the flow of What They Need to Know because why on earth would anyone risk telling them?

If something is amiss in an organization, someone in it knows that something is wrong, and usually knows what to do about it.

What they too-often lack is an audience that wants to know about the problem, and, as a consequence, has no interest in the solution.

What do self-driving cars have to do with IT governance?

As it turns out, quite a lot.

Start with (self-promotion alert #1) the phrase “IT governance.” As long-time (and, I hope, short-time) readers know, in KJR-land there’s no such thing as an IT project — an idea so important Dave Kaiser and I named our soon-to-be-available book after it.

You’d give a perfect self-driving car your destination and let it figure out whether the best solution is to drive you there, to fly … at which point it would book your tickets and drop you at the airport … or make some other arrangements. Self-driving car governance should be transportation governance, just as IT governance should be business change governance.

More important than even this is how badly many designers of all forms of corporate governance ignore one of the most basic elements of delegation.

The element in question is the difference between delegating goals and delegating tasks. You’ll find (self-promotion alert #2!) what you need on this subject in Leading IT: <Still> the Toughest Job in the World. Put simply, the most effective leaders only delegate tasks when they can’t trust the person they’re delegating to enough to delegate the goal and leave the details to the delegate.

Look at it from the perspective of a self-driving car’s owner, who, even if the current state of the art doesn’t include booking tickets for some other mode of transportation, should be able to enter the destination and let the car handle the rest.

Except that no self-driving car is reliable and adaptable enough to handle all the details without human supervision. Humans metaphorically delegate driving tasks to the car but … and this is the essential point … can’t trust the car to handle the job without oversight.

Take a look at business governance as usually practiced and you’ll find distrust is baked into the heart of it. Governance is all about controls. Some controls are useful — they make sure processes are … well … in control.

They’re fine. But then there’s the other kind — approvals, to make sure those who have a job to do lack the authority to screw it up by just doing it, by requiring one or more signatures first.

This doesn’t mean organizations should become free-for-alls. No, organizations should prescribe their processes and practices clearly enough, and educate their managers and supervisors enough that those responsible for doing stuff know when there’s a corporate recipe in place because, for example, legal and regulatory requirements don’t leave room for creativity.

They should prescribe processes and practices in detail when the company’s systems and process management would be messed up if everyone accomplished similar goals in radically different ways.

That’s all fine. What isn’t so fine is when what’s prescribed is, in self-driving car terms, turn-by-turn directions, each turn of which requires someone’s signature.

Because that’s what controls end up looking like — the need for outside approval of each step managers, supervisors, and employees need to take to get their jobs done.

Governance by controls, which is what we’re talking about, has three major disadvantages. The first: it slows things down, because each approval takes actual time, which incurs delays.

The second: It adds to the workload of already up-to-their-eyeballs-in-more-important-matters executives. This doesn’t have to be overly onerous, so long as the executives in question are willing to just rubber-stamp the decisions in question. But if they rubber-stamp everything, what’s point of requiring their signature?

The third disadvantage? It’s demoralizing. I worked with a company a number of years ago that wanted to revamp its capital approval process. Something my team learned along the way was that the smallest decisions required the most signatures (six), and each signatory except the last resented being second-guessed.

What we heard, over and over again, was the same complaint: “If the company doesn’t trust me to make a decision like this, why did they hire me?”

Which might (and, I hope, did) lead you to ask, if governance isn’t to operate through controls, what’s the superior alternative?

The self-promotion-opportunity #3 answer: As Scott Lee and I point out in The Cognitive Enterprise, culture is (or should be) the new governance.

That is, for self-driving cars, culture provides, metaphorically, the lane markers. Controls are the guardrails, something self-driving cars that stay in their lanes will never make contact with.

The parallel? Governance bodies should spend most of their time instituting a culture that makes most controls unnecessary.

Oh, and I hope I didn’t hurt your feelings by comparing you to a car.