Tredecillion talked about a horror of my current role: filling out compliance and regulatory forms. Requests for these come up about once a week, when my salespeople or I are working with an enormous company, government department, or research facility. The Bureau of Self-justification (BS for short), which has ensconced itself in the purchasing loop with a tenacity that would make a barnacle feel like a thrice-used Post-It note, catches wind of it and casts a +3 Spell of Paperwork. A player (we) can accept the damage: fill out the form, wait six to eight weeks for processing – or attempt a saving throw by applying for a waiver. This counter-bureaucracy maneuver is largely ornamental, often more complex than the original forms. Worse, you’ll need to roll a 00 for it to be accepted. When it’s not, you’ll still have to fill out the original set of documents.
I think the conversation probably goes a lot like this:
Customer: We’re all ready to buy, but BS needs the XYZPDQ certification statement and a recent radio-carbon dating of the product.
Sales person: Well, I can get the radio-carbon dating done, but are you sure there’s no way around the XYZPDQ certification?
Customer: (looking downtrodden) There’s a waiver process (looks over shoulder), but it’s modeled after the Divine Comedy.
Sales person: (pales) You mean, “Abandon Hope All Ye Who Enter Here?”
Customer: (Nods, looking really nervous now.)
Sales person: Well, then, (claps hands) I’ll get our product manager right on it. I’ll bring the purchase order in (looks at watch reflexively) eight weeks.
Customer: (perking up) Dandy!
Having completed several of these compliance forms lately, I’ve noted these generalities:
- Every organization has its own special form.
- Forms are not interchangeable. Cross the streams, and bad things will happen.
- A lot of the information requested is identical, but there’s also a lot of really weird stuff asked.
- If possession is 9/10 of the law, completion of every line of the form is 9/10 of the requirement. Keeping a copy for consistency is the other 1/10. Accuracy… is not so important.
Here’s a sample request I received three weeks ago:
Due to government regulations, [Company] is now required to obtain information associated with classification of applications for internal distribution within [Company]. This is commonly known as “Export Compliance” or ECCN. Please complete the spreadsheet for your applications below, including any ECCN designation you have already received, and return to me as soon as possible. We will need this information in order to continue to distribute the software internally. Even though you may have already provided this information to [Company Consulting Arm] as part of your agreement with them, we need to complete this exercise with [Company] directly.
Note how the request blames Government Regulations. That’s a classic maneuver to deflect hostility. While they admit that you may have already completed the information, they point out you have to complete it again. There’s also plenty to keep the BS busy. For our (cough, cough) convenience, they attached a spreadsheet containing two rows and eighty-five columns of pure, bureaucratic terror.
Their form starts off asking the usual stuff they already have on file: who are we, where are we based, what’s our product. Next, the fishing expedition begins: please list the number and countries of origin for non-US Citizens (“including Green Card holders”) employed with your organization. Do any have access to the source code? How many troops? Where are they located?
The information hose is about to be ratcheted up some more:
Does the software product developed internally incorporate or utilize any third party software, third party libraries or third party code or modules in order to function? (A database would be included as “utilize to function”.) If yes, complete columns AD through AM
To make you rue the day you implemented open source, these columns ask for the product name, version, functional description, address, contact and ECCN of the third-party.
The next couple dozen columns are “not applicable” softballs like
“Is this product specifically developed or designed to control nuclear facilities, nuclear materials, nuclear equipment, firearms or other military weaponry?”
The next section asks about encryption, beginning casually with “Does this product use encryption for password protection?” and, twenty questions later, working up to “Please describe the API.” Did I mention that each answer must fit neatly into the apportioned cell?
Finally, they bring it all home by asking if we have documentation and, oh yeah, what’s our ECCN (export classification) number.
The form took an hour to finish. I could have easily spent much more time on it if I seriously thought Top Men would be poring over its information. The reality is it’s locked in an email message somewhere in Michigan, hopefully never to be seen again.