20th PCI London
The problem with many compliance regimes is that they effectively ignore the realities of risk. They assume that a particular risk must be 'solved', and then evolve a set of ever more complex rules to achieve this. They tend not to seek to quantify the risk they are designed to mitigate, nor to place that risk in the context of a real-world business and all the other operational risks it faces, nor to think realistically about whether the costs of the regime itself are appropriate to how these risks manifest. They also struggle with the idea of risk as a variable on a sliding scale, rather than as an absolute, and generally do a poor job of understanding whether the regime is executable by the types and number of staff available to do it.