Physical Address
London, UK
Physical Address
London, UK
On the opening weekend of this year’s Giro d’Italia Women, Lorena Wiebes won the first stage in a bunch sprint, pulled on the race leader’s jersey, and was disqualified a few hours later. The reason had nothing to do with how she rode. Her bike weighed 6.78 kilograms against a mandatory minimum of 6.8. Her team pointed out that the same bike had been weighed several times already this season, always comfortably above the limit, and that a second weighing on the same day produced a reading fifty grams different from the first. Nothing about the bicycle changed between those two readings. What changed was which number the process happened to catch.
That small, brutal episode is a useful way into a much larger problem sitting inside enterprise technology right now: the difference between passing a compliance check and actually managing risk, and how rarely leadership discovers which one they have until a regulator, an auditor, or an attacker finds out first.

A Pass/Fail Reading Is Not a Risk Assessment
The UCI’s minimum weight rule was introduced in 2000 to stop bikes becoming dangerously light as carbon fibre took over the peloton. Since then, the UCI has built a genuinely thorough safety regime around equipment: frames must be submitted for approval against ISO 4210 structural standards, wheels must pass impact testing, and a clarification guide running to more than eighty pages governs everything from tube dimensions to handlebar geometry. None of that machinery was in question when Wiebes was disqualified. A single scale reading was.
That is the pattern worth noticing. A rule can be strictly enforced, produce a clean binary outcome, and still measure almost nothing about the risk it was originally written to prevent. Twenty grams is roughly the weight of four sugar cubes. It says nothing about whether a frame holds under load on a mountain descent. It says only what the scale read that afternoon.
Compliance theatre works the same way inside a business. A checklist gets completed. A control is marked “implemented.” A privacy policy gets published. The dashboard reads green. Whether any of it says something true about the underlying risk is a separate question, and it is the one that rarely gets asked until something goes wrong.
The Reverse Failure Is Just as Expensive
Sometimes the theatre runs the other way: every box ticked, and the real vulnerability sitting untested underneath. When Meta’s “View As” feature exposed data belonging to 29 million Facebook accounts in 2018, the eventual regulatory finding was not simply that a bug existed. Investigators concluded the breach could have been prevented with more thorough testing of the feature before release. The controls, the sign-offs and the policies had all been present. The specific interaction that let attackers generate access tokens through the feature had not been examined closely enough to catch it.
The financial consequences of that gap between documented compliance and demonstrated risk management keep compounding. DLA Piper’s most recent GDPR enforcement survey put fines issued across a single twelve-month period at €1.2 billion, spanning financial services, healthcare, retail, energy and the public sector. Several 2024 enforcement decisions explicitly cited the absence of demonstrable technical controls, encryption and audit logging as evidence of negligence rather than misfortune.
What Genuine Evidence Actually Looks Like
Professional cycling already runs a working example of the alternative, and it is not the bike-weighing scale. It is the Athlete Biological Passport. Rather than a single test looking for one substance at one moment, the passport tracks a rider’s blood markers over years, building a personal baseline and flagging only genuine deviation from it. The rider becomes their own point of reference. A result only carries weight when it breaks a longitudinal pattern, not when it crosses a fixed external line taken once.
That is the distinction leadership should be drawing between documentation and evidence. Documentation says a control exists. Evidence shows the control holding under the conditions that matter, tracked over time, against the organisation’s own risk baseline rather than a generic template lifted from last year’s audit pack. One is a policy binder. The other is a testing strategy doing its job.
The Forensic Arithmetic
Consider what a mid-sized financial services firm might carry into a serious enforcement action. At the fine levels cited above, a single case can run into eight figures before legal costs, remediation and customer notification are added. Layer on CISQ’s long-standing estimate that the cost of poor quality typically runs 15–20% of revenue in organisations that discover risk only after it materialises, and the arithmetic turns uncomfortable quickly: a business with genuinely tested controls is not spending less on compliance. It is spending the same money on something that actually works.
THE LEADERSHIP QUESTION
“When regulators or auditors ask ‘how do you know?’—can your testing provide evidence, or just documentation?”
The Path Forward
None of this requires an army of new auditors or another layer of governance theatre. It requires testing designed to answer the question a regulator will actually ask, rather than the one a checklist assumes. Previously in this blog, we talked about customer trust as the asset your testing strategy protects; regulatory resilience is the other half of that same asset. Trust built on a compliance function that has never actually been tested is trust you have not yet earned.
The good news, and it is genuinely good news, is that this is within reach. Testing teams that already think in terms of risk are best placed to build it: establish what “normal” looks like for your own systems, track deviation over time rather than relying on point-in-time snapshots, and make sure every control produces evidence a regulator could follow, not just a policy they could read. Organisations that do this do not merely survive an audit. They walk into one already knowing what it will find, because they found it first.
That is worth doing. It is worth doing because the alternative is discovering, the way Lorena Wiebes did, that the gap between a career-defining win and a very public disqualification can come down to twenty grams, a scale nobody recalibrated, and a system nobody thought to test until the moment it mattered most.
Sources: