
When ‘Perfect’ Becomes the Enemy of Progress: A Cautionary Tale in Quality and Information Security

  • Writer: TQC
  • Aug 8

Updated: Aug 21


In regulated industries, precision and compliance are paramount, but there is a fine line between ensuring quality and creating unnecessary barriers to progress. At TQC, we’ve seen how the pursuit of perfection, when misapplied, can do more harm than good.


In this paper, we reflect on real-world scenarios where inflexible, overly pedantic consultancy practices not only stalled improvement but left a business dangerously exposed to risk. This paper isn’t a dismissal of quality practices, but a challenge to how they’re sometimes misapplied, and focuses on the documents rather than the processes.


At TQC, we call this the ‘80/20 mindset’, and we know we aren't alone in this. To clarify, we aim to get 80% of the core risk addressed immediately, then refine for completeness and compliance in iterations. That’s how we’ve helped so many companies through certification audits with no observations. Not by cutting corners or letting things slide, but by dealing with the big issues first and then tidying up once the risk is reduced: protecting the company, getting 'great' implemented, and coming back to strive for perfection.


The Risk of Inaction: A Case Study

We were engaged by a company that was operating without some of the most fundamental elements of an information security framework. They had no incident response plan. No information security policy. No access controls in place. The system was riddled with vulnerabilities, and the business lacked basic safeguards expected of any organisation handling sensitive data. It meant lots of coffee, late nights and trying to get things done for them to avoid breaches and potential fines.


Despite the clear urgency, progress was repeatedly blocked, not by internal resistance at the company, but by a third-party quality consultancy already engaged by the client to manage another arm of the company, which included document control. SOPs and documentation were being withheld from approval over relatively minor issues, such as the term “Risk” being used without a formal definition in a Risk Management SOP. While precision matters, these delays weren’t supporting quality. They were actively impeding it.


The employees who were conducting the risk assessments at the time would not need that word defined; after all, they drafted the processes. What they needed was an agreed-upon methodology, so they were all doing it the same way and focusing on the risks that mattered. Precision is essential, but only when it supports clarity, efficiency, and risk reduction. When it obstructs those things or delays critical processes being put in place, it increases a company's risk rather than reducing it.


The Paralysis of Perfection

This isn’t an isolated experience. In my career, I've encountered other clients where similar patterns emerged. At one company, it took three months to obtain internal approval for a single presentation to make the company aware that a QMS was being implemented, with a due date for full adoption of 6 months. No work was allowed to start until this presentation had been given. The critical aspects that were holding up the whole implementation? Missing full stops on a couple of points, and the incorrect style of bullet points.


During those three months, the associated processes continued without any oversight, no standard practice, no change control, no competency and training, exposing the company to unmanaged risks. Ironically, the delay in approving governance was itself a governance failure. At TQC, we’d rather a document go out with a slightly squiffy bullet point if it means we can start training people on doing things the right way. Once the immediate threat has been reduced to an acceptable level, these types of clarifications can then be addressed.


The Root of the Problem

What we’re seeing is a recurring issue with certain QA and compliance consultants who, perhaps with good intentions, adopt a hyper-critical stance. Rather than enabling progress while managing risk, they become gatekeepers of theoretical perfection. This approach:

  • Delays critical improvements.

  • Creates bottlenecks that frustrate internal teams.

  • Prioritises semantic precision over actual operational safety.

  • Leaves organisations exposed while waiting for “perfect” documentation. SOPs are important, but let’s put the fires out first, before worrying whether the word “fire” is in the wrong font.

 

A Better Approach: Risk-Based, Pragmatic Compliance

At TQC, we believe in a practical, scalable approach to compliance. The role of a consultant isn’t to block progress. It’s to facilitate it, without compromising the integrity of systems or processes. We prioritise:

  • Implementing baseline controls quickly to reduce immediate risk.

  • Iterating and improving documentation and processes over time.

  • Applying proportionality and judgement in assessing documentation gaps.

  • Ensuring definitions and frameworks are useful and usable, not just compliant.

 

In high-growth or resource-constrained environments, the luxury of perfection doesn’t exist. Pragmatism, speed, and clarity are what protect businesses, especially those handling regulated or sensitive data.


Conclusion

Quality and security don’t come from perfect documents. They come from clear thinking, timely action, and systems that work in practice, not just on paper. Organisations need advisors who enable them to move forward while staying compliant, not ones who trap them in endless cycles of review.

 
 
 


