
Planning Is Easy. Execution Is A Breeding Ground For Unanticipated Risk.

January feels productive.

New goals are set. Plans are written. Budgets are approved. On paper, everything looks ready to go. Many business leaders start the year with a sense of optimism and control. There is a fresh start feeling, a belief that this year will be different because the planning was done “right.”

Execution risk is quietly present from the beginning. It exists alongside planning, even when the initial direction or strategy feels clear and well considered.

This often-overlooked risk doesn’t always show up during planning. It can lie hidden in the shadow of great expectations. However, it is certain to pay you a visit as soon as planning shifts to execution.

This is not a failure of intelligence or effort. Most plans are reasonable. Many are well thought out. The problem is not bad planning. It is fragile follow-through.

January is often when that fragility begins to surface.

The Gap Between Plans and Reality

Many small and mid-sized businesses assume that a completed plan guarantees successful execution. Once something is approved, it feels settled. The assumption is that people will adjust their behavior, systems will align, and progress will naturally follow. There might be a few obstacles to overcome, but the plan is solid. It is expected to play out exactly the way it looks on paper.

In reality, most plans do not fully anticipate the type of obstacles that appear once the first step is taken.

Policies may exist, but behavior does not change. Tools are purchased, but workflows stay the same. Expectations are set, but ownership is unclear. Early gaps often go unnoticed because nothing has broken yet. Systems are still running. No audit has failed. No incident has occurred.

That quiet period can be misleading. It creates the impression that execution is on track when, in fact, it has not truly started. This marks the calm before the storm.

Why Execution Fails First

Planning focuses on intent and envisioned outcomes. If all the stars align, this project will look just like it does on the approved project plan. Like that perfect image of the venerable Big Mac®. Sadly, when the box is opened, it is unusual to find within such a pristine replication of the iconic image. Execution reveals friction.

Once plans move into the real world, several patterns tend to appear.

Ownership failures surface first. Tasks are approved, but responsibility is vague. Decisions fall between roles. Enforcement becomes inconsistent or biased based on time pressure or convenience.

In some cases, no one is given overall responsibility for the outcome. In many cases, the wrong person is put in charge and follow-through becomes fallout.

Process failures follow closely behind. Existing workflows do not support the new plan. Scope creep begins as “small exceptions” and ends up turning what was once a well-designed project into something barely recognizable as the original intent. Competing priorities push planned changes to the side. Budgetary priorities often derail projects that are viewed as “want to’s”.

Cultural friction often creates the most resistance. Confirmation bias leads teams to see what they expect to see. Long-standing habits reassert themselves. “We’ve always done it this way” becomes an unspoken override. For many, change is hard and so relying too heavily on familiar patterns can undermine even well-designed plans.

January exposes these weaknesses faster than any other month. In some cases, this is amplified by changes in regulations, best practices, or guidelines that take effect at the start of the year. In others, it is the convergence of multiple competing agendas that will vie for time, finances, and personnel resources. Expectations shift, but execution does not keep pace.

Execution Risk in IT and Compliance

IT and compliance plans depend heavily on consistent daily behavior. The compound effect has two facets: the results of applying positive processes daily, and the consequences of failing to commit to the discipline required to make effective change. The gap between these two outcomes is where execution risk tends to live.

In the current climate of cyber risk, many businesses are working to implement enhanced security practices and protocols. In many cases, organizations move quickly to improve security but underestimate the effort required to fully implement and sustain new controls. Common examples include:

  • Multi-factor authentication is approved but not enforced everywhere.
  • Backup policies are written but never tested.
  • Access reviews are planned but repeatedly postponed.
  • Incident response plans exist on paper but are never exercised.

These are not necessarily signs of negligence on the part of the organization. They can, at times, be attributed to a failure of follow-through on the part of the vendor that sold the platform. Whatever the reason, these reflect delays in recognizing the potential for gaps. In the case of a security control such as MFA not being fully implemented, the gap is often that the planning stage did not fully comprehend the challenge of changing culture.

With compliance being such a well of complex and at times far-reaching requirements, it is easy to understand why gaps are missed. Our experience with organizations seeking help with compliance after either self-directed or assisted efforts had fallen short has shown a common theme: a tendency to underestimate the difficulty of implementation, while overestimating how easily change can be absorbed operationally.

When the plans are initially made, a number of processes are put into motion. The costs are weighed, steps are considered, schedules agreed to, and the expected outcomes are made into inspirational slogans.

The underlying concepts are solid. Unfortunately, factors like the impact of corporate culture on those outcomes are rarely weighed. When they are noticed, they often remain unmanaged because ownership has not been clearly defined. Further, time to resolve them isn’t part of the plan.

The end results are incomplete remediation items where cultural support for the plan never fully takes hold. Over time, the plan still exists, but execution drifts further from the original intent.

Reducing Early-Year Execution Risk

Reducing execution risk in January does not require new tools or sweeping changes. It requires attention to follow-through.

Start by confirming ownership, not just approval. Make sure every key part of the plan has a clear owner who understands their responsibility. The right seat needs to be filled by the right person.

Next, test one assumption from the plan. Look for where friction might appear. Identify barriers before they cause delays. This is about learning, not fault-finding.

Carefully consider the impact that the current culture will have on the plan’s prescribed outcome. If the plan requires significant changes in operational methodology, is there a willingness to implement the necessary discipline to ensure a successful implementation?

Once these preliminary checks are completed, you will need to watch for drift rather than failure. Early signs include scope creep, shifting priorities, and quiet exceptions to proposed changes. These are signals, not setbacks.

Finally, fix friction points before adding new controls. When obstacles are found, acknowledge them quickly. Assign the right person or team to address them and follow up to confirm the issue was resolved. Waiting for a project to fail makes recovery harder than it needs to be.

What Happens When Execution Is Managed

When both the planning process and execution are actively managed early in the year, fewer surprises appear later. Compliance-related changes feel steadier and more proactive instead of reactive. IT-related initiatives now fall into alignment and closely track with both the legacy culture and the desired changes.

Most importantly, there is alignment between business goals, IT execution, and compliance reality. Progress becomes visible and measurable, not assumed.

When execution is not managed, small misses tend to grow. Minor gaps turn into audit findings. Security controls exist, but do not protect. Leadership believes progress is being made when it is not.

The difference is rarely the plan itself. It is how closely execution is observed and adjusted.

A January Question Worth Asking

January is still early enough to adjust course.

A useful question to ask now is simple: Which part of your plan assumes perfect execution?

That question often reveals more than any checklist. It encourages awareness without blame and helps leaders see where follow-through needs attention before the year gains momentum.