Every few years I watch the same thing happen to technical strategy functions, including ones I have run. They start with a real mandate, honest answers about architecture, build versus buy calls, the bets that look smart in the deck and dangerous in the code. For a while, the function delivers. Then a reorg happens, a dotted line into delivery because that's where the work is. A year later the team is writing status decks and chasing milestones, and the unwelcome conclusions have quietly gone away.
The drift comes from how the function is wired into the org, not from anyone losing nerve. McKinsey found 91% of chief strategy officers now own functions well beyond strategy, and six in ten wish they had more time to actually do strategy. The role gets eaten by the work next to it. When your reporting line runs through the people whose decisions you assess, gravity only pulls one way.
Internal audit solved this decades ago through Enron, WorldCom, and 2008. The fix is four structural choices. The chief auditor reports functionally to the board, not the executive whose work they assess. A written charter fixes scope before conflict arises. The role sits one level below the CEO so it cannot be buried under what it must critique. Protected channels make capture attempts visible. Banks where the CRO reported to the board rather than the CEO had higher returns through 2008, same people, same frameworks, only the reporting line different.
Every technical disaster I have studied has this shape. Boeing's safety engineers reported through program management, and a 2016 internal survey found 39% felt undue pressure from leadership. The Columbia Accident Investigation Board wrote that NASA's independent checks had been "eroded in favor of detailed processes that produce massive amounts of data and unwarranted consensus, but little effective communication." Frameworks were present in all these failures, from FMEA to VaR, and none prevented the outcome. What was missing was a function with the standing to say no and survive saying it.
So when someone asks how to set up a technical strategy team, I no longer start with operating models or planning cadences. I ask four questions: who approves the scope of work, where the team sits relative to delivery, who controls hiring and compensation for the lead, and what protected channel exists for findings leadership does not want to hear. Those answers determine what the function can honestly say.
The uncomfortable part is that being embedded feels good. You're close to the work, trusted, in the room when decisions get made. The cost shows up later, in a crisis, when you realize the team has not produced a genuinely unwelcome conclusion in eighteen months and nobody noticed.
Research overview: Where strategy reports vs. what frameworks it uses
Research material for a LinkedIn post arguing that the reporting line of a technical strategy function determines what it can honestly say — more than any framework choice. Organized to match the six requested research areas. All citations are inline; primary sources prioritized.
1. The embedding vs. independence tension in strategy functions
The core dynamic, documented
The structural tension is well-documented in McKinsey's CSO research. The 2024 refresh ("The strategy leader's evolving mandate," McKinsey Strategy & Corporate Finance) found 91% of chief strategy officers own functions beyond core strategy — sustainability, digital, data and analytics, chief of staff being most frequent. McKinsey's companion piece "Rethinking the role of the strategist" reports that six out of ten chief strategists wish they could spend more time on strategy — a direct measure of role capture by adjacent execution work. [1][2]
McKinsey's "Redefining corporate functions" frames the embedding/independence question as oscillation: "Functions in an organization continuously shift between centralized and decentralized modes, first centralizing to achieve efficiency, then giving power back to business units to spur responsiveness and accountability." Both poles fail; the oscillation itself is the disease. [3]
The canonical CSO design source is Breene, Nunes & Shill, "The Chief Strategy Officer," HBR October 2007. Their thesis: the CSO must be "that person who, in the CEO's stead, can walk into any office and test whether the decisions being made are aligned with the strategy and are creating the desired results." This requires structural proximity to the CEO — without it, the CSO loses authority to challenge. [4]
Technical strategy / Office of the CTO positioning
The Bowdoin Group taxonomy of CTO / VP Engineering / Chief Architect roles documents a common failure mode: the Chief Architect "is not an executive leadership position" and "reports in to whoever is running engineering" — a setup that systematically subordinates technical strategy to delivery. A widely-cited Hacker News practitioner observation about Offices of the CTO: "In larger companies, CTOs have become like VPs at a bank — lots of them with little if any strategic influence. The 'office' can be so large that a member may never see or even talk to the CTO proper." [5][6]
The most credible voices for an engineering audience:
- Will Larson (Staff Engineer, 2021): four staff-plus archetypes — Tech Lead, Architect, Solver, Right Hand. The Right Hand archetype "borrows an executive's attention, scope and authority to operate a particularly complex organization." Influence requires structural proximity, not methodology. [7][8]
- Tanya Reilly (The Staff Engineer's Path, 2022): frames staff engineers as "leaders without direct authority"; explicit chapters on strategy and technical vision. [9]
- Gregor Hohpe (The Software Architect Elevator, 2020): architects must ride between penthouse (strategy) and engine room (implementation). Position on the org chart, not framework choice, determines whether they can do so. [10][11]
- Charity Majors (counterweight): "Having 'pigeon architects' who 'swoop and poop' — make technical decisions for engineers to implement — is a recipe for resentment and weak architectures." Argues for pendulum rotation between IC/manager/architect. [12]
Frameworks that name the tension
- Rumelt's kernel of good strategy (Diagnosis + Guiding Policy + Coherent Action) and the four hallmarks of bad strategy: Fluff, Failure to face the challenge, Mistaking goals for strategy, Bad strategic objectives. Good Strategy/Bad Strategy (2011). The International Harvester 1979 case is Rumelt's textbook example of a strategy function generating projections without diagnosis. [13]
- Roger Martin & Lafley, Playing to Win (2013): Strategy Choice Cascade. Martin's HBR 2017 article rejects "the widespread, artificial, and unhelpful attempt to distinguish between choices that are 'strategic' and ones that are 'executional' or 'tactical'" — a sharp counterargument to over-independent strategy functions. [14]
- BCG Reeves et al., Your Strategy Needs a Strategy (2015): five archetypes (Classical, Adaptive, Shaping, Visionary, Renewal). A centralized "guardian" model fits Classical environments; Adaptive/Shaping environments require embedded strategy. [15][16]
- Strategy-as-Practice school (Whittington 1996; Jarzabkowski, Balogun & Seidl 2007; Vaara): Practitioners, Practices, Praxis. Frames the internal strategist as a practitioner whose position shapes which praxis is possible. [17][18]
The counterargument — when independence becomes ivory tower
- Roger Martin (HBR 2017): strategy held separate from execution produces "fantasy, not strategy." [14]
- Bob Finocchio (Markkula Center, SCU): "Truthtellers are wrong. They think they're right but they're not… There is a danger of always being in truth-telling mode and always listening and not acting." [19]
- Charity Majors: independent architects who don't ship become decorative; recommends same comp band as principal engineers and rotation.
- Aaron Painter (Nametag): "Org charts matter far less than influence. When that's true, the structure works. When it's not, no reporting line will save it." [20]
2. How reorg cycles and dotted-line reporting erode strategy roles
The foundational source
Davis & Lawrence, "Problems of Matrix Organizations," HBR May 1978. Nine pathologies of matrix design: tendencies toward anarchy, power struggles, groupitis, collapse during economic crunch, excessive overhead, sinking, layering, navel-gazing, decision strangulation. Direct quote: "The layering of a matrix can frequently result from the dynamics of power rather than from the logic of design, and there is a tendency for matrixes to sink to group and division levels." [21]
Forty-six years later, the diagnosis still holds. Kesler & Schuster, "Making Matrix Organizations Actually Work" (HBR March 2016) explicitly counsel: "Don't make a distinction between a dotted and full reporting line." Their argument: solid-versus-dotted designation "can unintentionally set up a hierarchy" that atrophies the secondary role — exactly the trap for dotted-line strategy functions. [22][23]
Gill Corkindale, "Lost in Matrix Management" (HBR June 2008), names the symptoms: "multiple and complex reporting lines, confusion over accountability, competing geographical and functional targets, lack of role clarity, too many people involved in decisions… politics and conflicts arising from continual organisational restructuring." [24]
McKinsey's Helix Organization model (Aaron De Smet et al.) is explicit: "complex matrix structures that simply don't work anymore. We are overreliant on the same management tools for organization structure that we've been using for decades, namely hierarchical org charts with solid- and dotted-line reporting relationships." Helix proposes two parallel solid lines (people-management + value-creation) instead of solid + dotted. [25]
- Only 18% of PMOs are "fully integrated" into enterprise strategy execution (Gartner survey, 2024, cited in pmo365 / blog.totaltek). The remainder track milestones, enforce compliance, and report status without influencing outcomes. [26]
- CIO.com on PMO decay: "The leaders of a given project turn to the PMO for transactional needs… but they don't see the PMO as a resource to help guide best practices… much less to impress upon a project's leaders a broader sense of a project's risks." Without sustained executive sponsorship, the PMO devolves into "toolshed status." [27]
Reorg cycles as innovation theater
Steve Blank, "Why Companies Do 'Innovation Theater' Instead of Actual Innovation" (HBR October 2019) names three failure modes: Organizational Theater (the reorg cycle), Innovation Theater (hackathons/labs), Process Theater (process reforms). On reorgs: "Often the first plan from leadership for innovation is hiring management consultants who bring out their 20th-century playbook. The consultants reorganize the company (surprise!)… The reorg keeps everyone busy for a year… but in the end is an inadequate response." [28]
McKinsey: two-thirds of organizations have redesigned their operating models in the past two years, and half plan to do so in the next two. The cycle is the norm, not the exception. [29]
Strategy decay statistic
Sull, Sull & Turconi, "No One Knows Your Strategy — Not Even Your Top Leaders" (MIT Sloan Management Review): 51% of top management could list the company's top three priorities; this fell to 13% among front-line supervisors. The headline data point cuts both ways — it's evidence that pure-independence strategy functions fail to cascade, and that strategy functions need embedded translation work. [30]
Chief of Staff drift
Terrance Rogers' "Demystifying the Chief of Staff Role" framework: Q1 (execution assist) → Q4 (strategic thought partner). "A more junior Chief may never leave the first 2." Industry observation: "Many Chiefs of Staff report to one leader but are expected to influence many others without direct authority — leading through trust and EQ, not hierarchy." (Chief of Staff Network) The role-drift pattern is generalizable to any influence-without-authority strategy role. [31][32]
3. Loss of independent judgment and crisis blind spots
Boeing 737 MAX (2018–19): the engineering function captured
The cleanest modern parallel for a healthtech audience. Boeing's Authorized Representatives — the engineers acting as the FAA's eyes under the Organization Designation Authorization (ODA) program, successors to the older Designated Engineering Representative role — reported up through Boeing program management, not an independent safety/engineering line. A 2016 internal Boeing survey found 39% of Authorized Representatives perceived "undue pressure" from management (House T&I Final Report, September 2020). [33]
The House report's verdict: "The MAX crashes were not the result of a singular failure, technical mistake, or mismanaged event. They were the horrific culmination of a series of faulty technical assumptions by Boeing's engineers, a lack of transparency on the part of Boeing's management, and grossly insufficient oversight by the FAA." Five themes: Production Pressures, Faulty Design Assumptions, Culture of Concealment, Conflicted Representation (the ODA problem), Boeing's Influence Over the FAA. [34][35]
The Joint Authorities Technical Review (JATR, October 2019, chaired by former NTSB Chair Christopher Hart) recommended that the FAA review the ODA work environment "to ensure the Boeing ODA engineering unit members (E-UMs) are working without any undue pressure when they are making decisions on behalf of the FAA. This review should include ensuring the E-UMs have open lines of communication to FAA certification engineers without fear of punitive action." [36]
Boeing whistleblower Curtis Ewbank (flight-deck systems engineer 2010–2015): "Boeing management was more concerned with cost and schedule than safety or quality… I was willing to stand up for safety and quality, but was unable to actually have an effect in those areas." His proposed Synthetic Airspeed cross-check was killed on cost/training grounds. His manager's reported response: "People have to die before Boeing will change things." [37]
The post-crash structural fix: Boeing reorganized so that Authorized Representatives now report into a separate aviation-safety organization, not program management. The remediation was the reporting line, not the framework. [38]
NASA Challenger (1986) & Columbia (2003)
Diane Vaughan, The Challenger Launch Decision (Univ. Chicago Press, 1996) is the canonical source. Her definition of normalization of deviance: "Social normalization of deviance means that people within the organization become so much accustomed to a deviation that they don't consider it as deviant, despite the fact that they far exceed their own rules for the elementary safety." And: "No fundamental decision was made at NASA to do evil; rather, a series of seemingly harmless decisions were made that incrementally moved the space agency toward a catastrophic outcome." [39]
The Columbia Accident Investigation Board report (CAIB, 2003) is a 248-page argument that frameworks cannot substitute for structural independence. Chapter 7: "The Board concludes that NASA's current organization does not provide effective checks and balances, does not have an independent safety program, and has not demonstrated the characteristics of a learning organization." Chapter 5: "By the eve of the Columbia accident, institutional practices that were in effect at the time of the Challenger accident — such as inadequate concern over deviations from expected performance, a silent safety program, and schedule pressure — had returned to NASA." Chapter 8: "Over time, slowly and unintentionally, independent checks and balances intended to increase safety have been eroded in favor of detailed processes that produce massive amounts of data and unwarranted consensus, but little effective communication." [40]
CAIB's central remediation: create an Independent Technical Engineering Authority funded and managed outside the Shuttle Program. Change the org chart, not the methodology. [41]
Richard Feynman, Rogers Commission Appendix F (1986): "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled."
Financial crisis: CRO independence as the differentiator
Aebi, Sabato & Schmid (2012), Journal of Banking & Finance 36(12):3213–3226 — the empirical anchor. Sample of 372 US bank holding companies through the 2007–08 crisis. Banks where the CRO reported directly to the board (not the CEO) showed significantly higher stock returns and ROE during the crisis. Standard corporate-governance variables were mostly insignificant or even negatively related to performance. The reporting line was the variable that mattered. [42]
The UBS Shareholder Report on Subprime Write-Downs (April 2008) — a rare bank self-investigation — found: "UBS was not aware of the extent and the nature of its risk exposure to the Subprime mortgage and related markets until the beginning of August 2007… This lack of awareness was the result of significant organizational weaknesses." Risk Control was organizationally subordinated and "focused on statistical (VaR) measures and did not sufficiently challenge" the businesses.
The Wells Fargo Independent Directors' Report (April 2017): "Wells Fargo's decentralized corporate structure… gave too much authority and autonomy to the Community Bank's senior leadership without the necessary oversight and encouraged deference to the business units, which housed their own risk and human resource management systems." Carrie Tolstedt and Community Bank leaders "resisted and impeded scrutiny or oversight from corporate risk management and the Board." The board only learned about ~5,300 terminations from press reporting in 2016. [43]
Healthcare / IT failures — the same pattern
- Theranos: Tyler Shultz discovered ~20% false positive rates internally; the lab and statistics functions had no organizational separation from Holmes/Balwani. No independent technical authority existed. [44]
- NHS National Programme for IT (2002–11): £9.8bn programme dismantled. NAO 2011: "The original vision for the National Programme for IT in the NHS will not be realised." [45]
- Healthcare.gov (2013): GAO-14-694 found "CMS undertook the development of Healthcare.gov and its related systems without effective planning or oversight practices." HHS OIG found no clear lead systems integrator until after launch; CGI thought CMS was the integrator, CMS thought CGI was. The technical-architecture authority was undefined. [46][47]
Academic mechanism — why engineers go silent
- Morrison & Milliken (2000), Academy of Management Review on "organizational silence": managerial beliefs (employees are self-interested; management knows best; unity is healthy) → structures that suppress upward feedback → shared employee belief that speaking up is futile → silence. [48]
- Amy Edmondson (1999), Administrative Science Quarterly on psychological safety: "a shared belief held by members of a team that the team is safe for interpersonal risk taking." [49]
- Irving Janis, Groupthink (1972/1982) — applied directly to NASA in CAIB analyses.
- Rosen & Tesser (1970), the "MUM effect": hierarchies filter bad news at every layer. In healthcare specifically: "Fewer than 10 percent of physicians, nurses, and clinical staff directly confronted their colleagues when they became aware of poor clinical judgment or shortcuts that could cause harm" (Maxfield et al. 2005). [50]
The crisis pattern
Across every case: frameworks were present, sometimes elaborate (ODA manuals, FMEA/CIL, VaR, three lines of defense, FAR). What was missing was a function with the authority and reporting line to say no. Post-crisis remediation always changed the org chart, not just the framework.
4. The internal audit and risk parallel — the user's central analogy
The mechanism that solved this problem in another field
The IIA's 2024 Global Internal Audit Standards (effective January 9, 2025) state three essential conditions, the second of which is the load-bearing one: "The internal audit function is independently positioned with direct accountability to the board." The 2017 IPPF Standard 1110 is the most widely-cited formulation: "The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities." Implementation Guide 1110: "Organizational independence is effectively achieved when the chief audit executive reports functionally to the board." [51]
The IIA explicitly distinguishes independence (structural, organizational) from objectivity (a mental state). Independence enables objectivity but isn't the same thing. An honest function needs both — and the structural piece is what management actually controls.
Three Lines of Defense → Three Lines Model
The 2013 IIA position paper established the canonical model: (1) operational management owns risks; (2) risk and compliance oversee the first line; (3) internal audit provides independent assurance to the board on all of it. Lines 2 and 3 must be structurally separate from line 1. The 2020 update ("The IIA's Three Lines Model") softened the defensive framing toward value creation but reinforced that "internal audit's independence from the responsibilities of management is critical to its objectivity, authority, and credibility."
History of how this came to be — every fix followed a failure
Pre-Enron, internal audit frequently reported into the CFO or controller, and external auditors were paid by management while providing consulting alongside audit. WorldCom's $11B fraud was uncovered by internal auditor Cynthia Cooper specifically because she circumvented her reporting line to CFO Scott Sullivan and went directly to the audit committee — a forcing case for what came next.
Sarbanes-Oxley Act of 2002, Section 301: "Each member of the audit committee of the issuer must be independent… the audit committee shall be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by that issuer… and each such registered public accounting firm shall report directly to the audit committee." Section 302 added personal CEO/CFO certifications. Section 404 required internal control assessment and external attestation. SEC Rule 10A-3 (April 2003) and NYSE Section 303A / NASDAQ Rule 5605 implemented and extended it. [52]
The mechanism that emerged is the dual reporting model: functional reporting to the audit committee (charter, plan, budget, scope, findings, hire/fire/comp of the chief audit executive) plus administrative reporting to senior management (HR support, day-to-day operations). The auditee cannot fire or pressure the auditor, but the auditor still operates inside the organization. [53]
Banking sector post-2008 — the same prescription
Walker Review (UK, November 2009), Recommendation 24 is the most quotable single passage: "A BOFI board should be served by a CRO who should participate in the risk management and oversight process at the highest level on an enterprise-wide basis and have a status of total independence from individual business units. Alongside an internal reporting line to the CEO or FD, the CRO should report to the board risk committee, with direct access to the chairman of the committee in the event of need. The tenure and independence of the CRO should be underpinned by a provision that removal from office would require the prior agreement of the board. The remuneration of the CRO should be subject to approval by the chairman or chairman of the board remuneration committee."
This is a complete structural template — reporting line, removal protection, compensation independence — and it generalizes to any function whose job is honest assessment.
Dodd-Frank Section 165(h) and Fed Regulation YY require a separate board risk committee that "cannot be part of, or combined with, any other committee." OCC Heightened Standards (12 CFR Part 30 Appendix D, 2014) specify that the Chief Risk Executive "is one level below the Chief Executive Officer in a covered bank's organizational structure" and that "no front line unit executive oversees any independent risk management unit." Structural rank is regulated, not optional. [54]
Basel Committee Corporate Governance Principles for Banks (BCBS d328, July 2015), Principle 6: "Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board… Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee." The 2015 update also added a market-discipline mechanism: removal of the CRO must be publicly disclosed, and the reasons discussed with the supervisor. [55][56]
What happens when audit/risk lacks substantive independence
Formal independence is not sufficient — every audit committee at every failed firm met the technical independence test.
- Wells Fargo: OCC fined former Chief Auditor David Julian $7M and former Community Bank CRO Claudia Russ Anderson $10M (and banned her from banking) for failing to challenge bank misconduct. [57]
- Wirecard: EY signed unqualified audits for 10+ years; €1.9B in trustee balances "did not exist." German APAS regulator (2024): EY's audit opinions were "objectively inaccurate" with "grave failure" in internal quality controls. Triggered Germany's FISG Act (2021) — mandatory firm rotation, raised liability caps, mandatory audit committees. [58][59]
- Carillion (2018): UK joint parliamentary committee: "Deloitte [internal auditor] was paid £10M but was unable or unwilling to identify the terminal failings in Carillion's risk management and financial controls, or too readily ignored them." The UK audit market was "a cosy club incapable of providing the degree of independent challenge needed." [60]
- HBOS (2008): UK Parliamentary Commission ("An accident waiting to happen," 2013) — Group Risk function was repeatedly downgraded and its head (Paul Moore) dismissed after raising concerns.
The lesson: formal independence on paper is undermined when the chief auditor still reports administratively to the CFO whose financials they audit. IIA 2024 North American Pulse: 41% of CAEs report administratively to the CFO; 37% to the CEO. Richard Chambers (former IIA CEO) called the CFO figure "jaw-dropping." [61][62]
The full mechanism — adaptable to a strategy function
The four-part structural template that emerged in audit/risk and is directly transposable to technical strategy:
- Dual reporting — functional line to the body that needs honest assessment (board / CEO), administrative line to a senior executive for HR and day-to-day support. Hire/fire/comp decisions sit with the functional line. [53]
- Charter — a written, board-approved document fixing mandate, authority, access rights, and scope before any conflict arises. Resisting interference becomes a governance issue, not a personality issue.
- Rank protection — the OCC's "one level below the CEO." A function whose head is buried under the function it must critique cannot be honest.
- Visibility of capture attempts — public disclosure of removals, whistleblower channels to the audit committee (SOX 301), executive-session rights with no management present. These make retaliation expensive.
Counterarguments to over-independence
- Norman Marks: internal audit that reports too purely to the board loses business context and timeliness; findings become stale or ceremonial.
- Elamer et al. (2018) on FTSE-100 financial institutions 2010–14: firms with separate risk committees had lower ROA/ROE. (Interpretation: independent risk constrains profit-maximizing risk-taking — which is the point, but it has a cost.) [63]
- Substantive vs. formal independence (Cohen, Krishnamoorthy & Wright 2010; Lisic et al. 2016): when CEOs influence audit committee selection or hold high power, formal independence doesn't translate. Wells Fargo, Carillion, Wirecard, HBOS all had formally independent audit committees.
- SOX 404 compliance now averages $2.3M and ~15,581 hours annually per public company (KPMG 2025 SOX Survey). Independence has a price. [64]
5. Reporting line design and its effects
Foundational frameworks
Galbraith's Star Model (Jay R. Galbraith, late 1960s–70s): five interlocking design policies — Strategy, Structure, Processes, Rewards, People. Galbraith's own warning: "Structure is usually overemphasized because it affects status and power, and a change to it is most likely to be reported in the business press." The Star Model is itself an argument that reporting lines are necessary but not sufficient — they must be aligned with processes, incentives, and talent. [65]
Mintzberg's Structuring of Organizations (1979) distinguishes line (strategic apex → middle line → operating core) from staff (technostructure and support). The technostructure — analysts who "standardize work processes" — is off the line of command. Mintzberg: "This definition does not mention the power to decide or advise." Strategy functions sit in the technostructure; their power is therefore indirect and structurally contingent. [66][67]
Conway's Law (Melvin E. Conway, "How Do Committees Invent?", Datamation, April 1968): "Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure." Originally rejected by HBR as "unproven"; named Conway's Law by George Mealy in July 1968; popularized by Fred Brooks in The Mythical Man-Month. Martin Fowler's modern reformulation: "Microservices [are] primarily a tool to structure a development organization." [68]
Inverse Conway Maneuver (Jonny LeRoy & Matt Simons, ThoughtWorks; popularized in Skelton & Pais, Team Topologies, 2019): "Organizations should evolve their team and organizational structure to achieve the desired architecture rather than expecting teams to follow a mandated architecture design." Forsgren/Humble/Kim, Accelerate (2018), supplies empirical support: reorganizing reporting lines is itself a strategic intervention, not a precursor to strategy. [69][70]
Empirical data — CISO reporting (the best-studied case)
The CISO reporting-line debate is the closest analog to the user's argument, and has produced clean empirical data:
- Heidrick & Struggles 2025 Global CISO Compensation Survey (n=371): 42% of CISOs report directly to CEO — three times the 2024 proportion. The share reporting to CIO/CTO fell from ~50% to 30%. [71]
- IANS Research / Artico Search 2026 State of the CISO (n=662): 64% of CISOs still report into IT; only 11% to the CEO. In firms over $1B revenue, 44% of executive-tier CISOs report to business; in smaller firms, 64% report to IT. (The Heidrick/IANS gap reflects sampling — Heidrick samples more executive-tier respondents.) [20][72]
- ISACA: ~40% of organizations whose security function reports to a CISO are confident in detection/response, vs. only 31% where it reports to a CIO. [73]
- Foundry State of the CIO: companies spending under 5% of IT budget on security split evenly between CSO→CIO and CSO→CEO; companies spending over 10% on security are nearly twice as likely to have CSO→CEO. Reporting line correlates with investment intensity. [74]
Quotable practitioner takes:
- Sanchit Vir Gogia (Greyhound Research): CISO-to-CIO reporting is "like asking the fire marshal to report to the person whose bonus depends on cutting the number of sprinklers." [20]
- Alexander Yampolskiy (SecurityScorecard CEO): "A CIO is usually rewarded for delivering business projects, which affect revenue. The CISO's job is to fix vulnerabilities — and those security projects will always create tension for resources with revenue-driving projects." [74]
- Dave Burg (EY Americas Cybersecurity): CSO→CIO can produce "over-leveraging towards cost management as opposed to risk management." [74]
- Cyber Sierra synthesis: "A CISO reporting to a CIO may feel pressured to soften or downplay security audit findings to avoid making their boss's department look bad." [73]
Other reporting-line empirical data
- Chief Data / Analytics Officer: Foundry 2023 — 53% of CDOs report to CIO, 35% to CEO. Gartner (2022, n=566): only 44% of data and analytics leaders say their teams are effective. Gartner forecast: "Three-quarters of CDAOs who fail to make companywide influence and measurable business impact their top priorities by 2026 will be swallowed up by IT functions." [75][76]
- Chief AI Officer: IBM IBV 2026 — 76% of organizations have a CAIO (up from 26% in 2025); companies with a CAIO report 5–10% higher AI ROI. Foundry 2025: of the 14% of orgs with CAIOs, 40% report to CEO, 24% to CIO. [77]
- Chief Strategy Officer (CSO) reporting: HBR (Breene/Nunes/Shill 2007) — finds that CSOs report directly to the CEO and depend on deep CEO trust; "a long professional and personal history helps." Without that proximity, the CSO loses challenge authority. [78]
Counterarguments — when separation backfires
- Gartner (CISO doc 6891166): "Most CISOs want to report to the CEO/board to maximize visibility and reduce conflict with the CIO, but doing so can transfer conflict to a larger stage with more powerful players." Loses operational coordination with IT. [79]
- JC Gaillard (CSO Online 2026): "If the executive above the CISO understands the importance of cybersecurity… the reporting structure can work extremely well. If that support is absent because the business at large does not see the strategic importance of cybersecurity, no reporting line will magically solve the problem." [80]
- Flavio Villanustre (LexisNexis Risk): CISO reporting to GC or CFO "could negatively impact the alignment between CISO and IT, which is paramount to making the CISO job more effective." [20]
- Galbraith himself: structure alone (without aligned processes, rewards, people) recreates old problems in new boxes.
6. The "frameworks vs. structure" point
The thesis, named
Conway's Law is the founding claim: systems (including processes, frameworks, methodologies) are downstream of communication structure. A framework cannot escape its org chart — the org chart reshapes the framework into its own image.
Skelton & Pais (Team Topologies) make this explicit: "Conway's law tells us that we need to understand what software architecture is needed before we organize our teams, otherwise the communication paths and incentives in the organization will end up dictating the software architecture." [81]
Gregor Hohpe — the most useful single voice for the user's audience
The Software Architect Elevator (O'Reilly, 2020). Core thesis: architects must ride between penthouse (executive strategy) and engine room (implementation) — and position on the org chart determines whether they can. [10]
- Hohpe's Law: "Excessive complexity is nature's punishment for organizations that are unable to make decisions." [82]
- On frameworks (Agile India 2018): "A framework can be a useful tool but is just that — nothing more, nothing less. The tools are helpful, but as soon as they take center stage, it's a slippery slope. Enterprise Architecture done right is not about being in the ivory tower." [83]
- On information loss across organizational layers: "In large organizations… information is passed by taking the stairs from floor to floor, causing the well-known telephone game effect: when a message passes through many stations, it not only takes time, but its meaning can also be completely changed." [10]
- On architecture as decision-making: "It's simply a matter of whether you consciously choose your architecture or whether you let it happen to you." [82]
Framework-specific critiques
TOGAF: Ben Morris ("Enterprise architecture anti-patterns"): "Relatively few organisations can benefit from a full TOGAF implementation. It requires such an enormous force of will and commitment from the very highest levels of the organisation. Unless everybody in the senior leadership can explain why TOGAF can add value, then any implementation is probably doomed." The framework's effectiveness depends on the standing of the function deploying it. WWT, "Breaking Down the Ivory Tower": TOGAF/Zachman applied "only from the perspective of the EA team" produces models "typically not well received in the absence of collaboration with and buy-in from the greater organization." [84][85]
SAFe: Alex Ewerlöf: "SAFe is an elaborated process with many roles and rituals. It promises to make large software teams 'agile' but in practice it's yet another waterfall process packaged for profit." Stephen Clarke ("Cargo Cult Agile"): "Project Managers and Business Analysts by leadership fiat magically become Scrum Masters and Product Owners… Changing names and carrying out empty ceremonies is not going to magically land your project." [86][87]
DORA / Accelerate: supports the structural argument, with a caveat. DORA's capability list includes transformational leadership; their data shows "teams with the least transformative leaders (the bottom third) were also far less likely to be high performers at software delivery — in fact, they were half as likely to exhibit high software delivery performance." The framework's metrics only produce results when the function applying them has leadership backing. The caveat: DORA measures transformational leadership as behaviour (vision, inspirational communication, intellectual stimulation, supportive leadership, personal recognition), not as a reporting line, so the finding supports "metrics alone are not enough" more directly than "structure determines outcomes." [88]
Wardley Mapping: practitioner consensus — maps without strategic decision authority become "PowerPoint maps." Mapping is valuable only when the mapper has standing to influence allocation.
Culture and structure containing strategy
The popular Drucker quote "culture eats strategy for breakfast" is misattributed (per Quote Investigator and the Drucker Institute) — earliest documented use was in a Giga Information Group publication, March 2000, popularized by Mark Fields at Ford ~2006. The accurate primary-source equivalent is Edgar Schein, Organizational Culture and Leadership (1985): "Culture determines and limits strategy." Schein's broader point: structure and culture contain strategy; a framework imposed by a function without cultural authority gets digested by the existing culture. [89][90]
Charity Majors — direct application to engineering
Announcing the 2nd edition of Observability Engineering: "I was writing tactical advice for teams who were surviving in a strategic vacuum." The biggest barrier to effective observability is not technical — "the lack of shared strategic alignment between engineering teams and organizational leadership about what problem they're actually trying to solve." Methodology sits beneath structural alignment. [91]
The common failure pattern
Across all these critiques, one pattern recurs:
- Organization adopts methodology (SAFe, TOGAF, DORA metrics, OKRs, Wardley Maps).
- The function adopting it lacks reporting-line authority to act on findings.
- Findings are filtered, softened, or ignored between the function and the decision-maker.
- Methodology produces theater — rituals, dashboards, maps — without outcomes.
- Failure is attributed to the methodology rather than the structural setup.
Strongest quotable lines for a LinkedIn post
Primary-source quotes ranked by punch and credibility for an engineering-leadership audience:
- Melvin Conway, 1968: "Any organization that designs a system… will produce a design whose structure is a copy of the organization's communication structure."
- CAIB, 2003: "Independent checks and balances intended to increase safety have been eroded in favor of detailed processes that produce massive amounts of data and unwarranted consensus, but little effective communication." [92]
- House T&I Report on Boeing 737 MAX, 2020: "A horrific culmination of a series of faulty technical assumptions… a lack of transparency… and grossly insufficient oversight." [33]
- Curtis Ewbank (Boeing whistleblower): "People have to die before Boeing will change things."
- Walker Review, 2009: The CRO must have "a status of total independence from individual business units" with "direct access to the chairman of the committee." [93]
- IIA Standard 1110: "The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities."
- OCC Heightened Standards (12 CFR Part 30 App. D): "No front line unit executive oversees any independent risk management unit"; the chief risk executive is "one level below the Chief Executive Officer." [94]
- Gregor Hohpe: "Excessive complexity is nature's punishment for organizations that are unable to make decisions."
- Sanchit Vir Gogia, on CISO-to-CIO reporting: "It's like asking the fire marshal to report to the person whose bonus depends on cutting the number of sprinklers." [20]
- Edgar Schein, 1985: "Culture determines and limits strategy."
- Diane Vaughan, 1996: "No fundamental decision was made at NASA to do evil; rather, a series of seemingly harmless decisions… incrementally moved the space agency toward a catastrophic outcome." [95]
- Aebi/Sabato/Schmid, 2012: "Banks in which the CRO directly reports to the board of directors and not to the CEO… exhibit significantly higher stock returns and ROEs in the crisis."
Strongest quotable statistics
- 91% of CSOs own functions beyond core strategy (McKinsey 2024). [1]
- 6 in 10 chief strategists wish they could spend more time on strategy (McKinsey). [2]
- Only 18% of PMOs are "fully integrated" into enterprise strategy execution (Gartner 2024). [26]
- 39% of Boeing Authorized Representatives reported "undue pressure" from management in a 2016 internal survey (House Report 2020). [33]
- 64% of CISOs still report into IT; only 11% report to the CEO (IANS 2026). Heidrick (executive-tier sample) finds 42% to CEO, up 3× year-over-year. [20]
- 40% vs. 31% confidence in threat detection/response when security reports to CISO vs. CIO (ISACA). [73]
- 44% of data and analytics leaders say their team effectively delivers value (Gartner 2022, n=566). [75]
- 75% of CDAOs forecast to be absorbed back into IT by 2026 if they don't drive enterprise impact (Gartner). [76]
- Two-thirds of organizations have redesigned their operating models in the past two years; half plan to in the next two (McKinsey). [29]
- 51% / 13%: top management vs. front-line supervisors who can name the company's top three priorities (Sull, Sull & Turconi, MIT Sloan).
- ~70% of corporate transformations fail to achieve initial goals (BCG, consistent across studies). [96][97]
- DORA: bottom-third leadership orgs are ~50% less likely to be high software delivery performers.
Counterarguments and complicating perspectives
A LinkedIn post arguing "structure beats frameworks" should acknowledge these to be credible:
- Independence becomes ivory tower: Roger Martin (HBR 2017) rejects the artificial strategy/execution distinction; Charity Majors' "pigeon architects" critique; Marks on stale findings from over-independent audit.
- Substantive ≠ formal independence: Wells Fargo, Carillion, Wirecard, HBOS all had formally independent audit committees. The org chart is necessary but not sufficient. [98]
- Sponsorship matters more than structure: JC Gaillard — without executive sponsorship, no reporting line solves the problem. Aaron Painter — "Org charts matter far less than influence."
- Independence has costs: Elamer et al. (2018) found firms with separate risk committees had lower ROA/ROE (constraining risk-taking is the point of such a committee, but the cost is real). SOX 404 compliance averages $2.3M and 15,500 hours per public company. [63]
- Galbraith's caveat: changing only the reporting line, without aligning processes, rewards, and talent, recreates old problems in new boxes. [99]
- Embedded strategy can be sharper: McKinsey on frontline-embedded strategy teams producing "sharper and more relevant" output with stronger execution ownership.
Synthesis the user can adapt
The argument the audit and risk profession won — and that maps onto technical strategy — is structural, not philosophical:
A function whose job is to honestly assess decisions cannot report to the people making those decisions.
The mechanism that resolved this for audit/risk was four design choices, every one of which followed a major failure:
- Dual reporting (functional to board, administrative to executive) — the board-side anchor emerged from Enron/WorldCom via SOX 301 (independent audit committee with its own complaint channel); the functional/administrative split itself is codified in IIA Standard 1110 and its interpretation.
- Charter — board-approved mandate that pre-commits authority before conflict.
- Rank protection (one level below CEO) — emerged from 2008 via OCC Heightened Standards.
- Visibility of capture attempts (disclosure of removals, executive-session rights) — the post-Wirecard FISG (Germany, 2021) is the clearest example. Note the chronology: Basel d328 (BCBS corporate governance principles, 2015) predates Carillion and Wirecard and belongs with the post-2008 reforms rather than with these two failures.
Boeing, NASA Challenger and Columbia, UBS, Wells Fargo, Theranos, NPfIT, Healthcare.gov — every one of these failures featured a technical or strategic judgment function that was structurally co-located with the people creating the risk. Frameworks were present in all of them. Authority was not. Post-crisis remediation always changed the org chart. Technical strategy faces the same structural problem the pre-SOX internal audit function faced, and the question is whether the function gets its independence by design or after a crisis.
The right framing for the engineering audience is not "be more independent" (a vibe) but specify the four structural design choices for the technical strategy function: who approves its scope, where it sits relative to delivery, who controls its hire/fire/comp, and what protected channel exists for unwelcome findings. Wardley Maps, Team Topologies, DORA, and TOGAF will produce different outputs depending on which boxes those four answers fill.
- McKinsey & Company — https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/the-strategy-leaders-evolving-mandate
- McKinsey & Company — https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/rethinking-the-role-of-the-strategist
- McKinsey & Company — https://www.mckinsey.com/capabilities/people-and-organizational-performance/our-insights/redefining-corporate-functions-to-better-support-strategy-and-growth
- Harvard Business Review — https://store.hbr.org/product/chief-strategy-officer/R0710D
- Bowdoin Group — https://www.bowdoingroup.com/blog/cto-vp-engineering-chief-architect-differences/
- Hacker News — https://news.ycombinator.com/item?id=13556488
- Medium — https://ivanahuckova.medium.com/book-notes-staff-engineer-leadership-beyond-the-management-track-by-will-larson-41248b1ca1c6
- Medium — https://medium.com/@HarlanH/staff-data-scientist-comments-on-will-larsons-staff-engineer-book-a8a0b8438c36
- O'Reilly — https://www.oreilly.com/library/view/the-staff-engineers/9781098118723/
- Martin Fowler — https://martinfowler.com/articles/architect-elevator.html
- Amazon — https://www.amazon.com/Software-Architect-Elevator-Redefining-Architects/dp/1492077542
- Charity — https://charity.wtf/tag/careers/
- You Exec — https://youexec.com/book-summaries/good-strategy-bad-strategy
- LinkedIn — https://www.linkedin.com/pulse/strategic-choices-need-made-simultaneously-roger-l-martin-munjal
- BCG — https://www.bcg.com/publications/2018/your-strategy-process-needs-a-strategy
- Redalyc — https://www.redalyc.org/journal/840/84064926005/html/
- ScienceDirect — https://www.sciencedirect.com/science/article/abs/pii/S1877858509000072
- Santa Clara University — https://www.scu.edu/ethics/focus-areas/business-ethics/resources/speaking-truth-to-power-the-role-of-the-executive/
- CSO Online — https://www.csoonline.com/article/4136293/its-time-to-rethink-ciso-reporting-lines.html
- Harvard Business Review — https://store.hbr.org/product/problems-of-matrix-organizations/78303
- Boulden Insights — https://www.boulden.net/blog/managing-in-a-matrix/
- Brianheger — https://www.brianheger.com/how-to-make-your-matrix-organization-really-work-mit-sloan-management-review/
- Harvard Business Review — https://hbr.org/2008/06/lost-in-matrix-management
- McKinsey & Company — https://www.mckinsey.com/capabilities/people-and-organizational-performance/our-insights/the-helix-organization
- Totaltek — https://blog.totaltek.com/why-pmo-failures-still-happen-and-how-to-fix-them
- CIO — https://www.cio.com/article/4065713/why-pmo-offices-fail-and-7-ways-to-help-your-pmo-succeed.html
- Steve Blank — https://steveblank.com/2019/10/15/between-a-rock-and-a-hard-place-organizational-and-innovation-theater/
- McKinsey & Company — https://www.mckinsey.com/capabilities/people-and-organizational-performance/how-we-help-clients/organize-to-value
- LinkedIn — https://www.linkedin.com/pulse/role-chief-staff-strategy-execution-top-priorities-fitbots
- LinkedIn — https://www.linkedin.com/pulse/demystifying-chief-staff-role-terrance-rogers
- Chiefofstaff — https://www.chiefofstaff.network/blog/what-does-a-chief-of-staff-do-a-guide-to-the-most-versatile-role-in-business
- Time — https://time.com/5889376/boeing-737-max-house-report/
- WJLA — https://wjla.com/features/i-team/house-committee-investigation-finds-culture-of-concealment-at-boeing-and-faa
- House — https://democrats-transportation.house.gov/news/press-releases/after-18-month-investigation-chairs-defazio-and-larsen-release-final-committee-report-on-boeing-737-max
- SKYbrary — https://www.skybrary.aero/index.php/The_Joint_Authorities_Technical_Review_(JATR
- CNN — https://www.cnn.com/2019/10/02/politics/boeing-whistleblower-complaint-737-max/index.html
- The Seattle Times — https://www.seattletimes.com/business/boeing-aerospace/congressional-panel-wants-to-interview-whisteblower-who-says-boeing-blocked-key-safety-upgrades-for-737-max-over-costs/
- NASA — https://sma.nasa.gov/docs/default-source/safety-messages/safetymessage-normalizationofdeviance-2014-11-03b.pdf
- USACCESS — https://ehss.energy.gov/deprep/archive/documents/0308_caib_report_volume1.pdf
- Space.com — https://www.space.com/19476-space-shuttle-columbia-disaster-oversight.html
- Unisg — https://www.alexandria.unisg.ch/entities/publication/9886b934-02ba-44f3-a4a6-6e861e9f5eae
- Congress.gov — https://www.congress.gov/crs-product/IF11129
- The Texas Lawbook — https://texaslawbook.net/inside-a-whistleblowers-ordeal-tyler-shultz-details-the-battle-to-expose-theranos/
- National Audit Office — https://www.nao.org.uk/reports/the-national-programme-for-it-in-the-nhs-an-update-on-the-delivery-of-detailed-care-records-systems/
- U.S. GAO — https://gao.gov/products/GAO-14-824T
- Medium — https://medium.com/@bishr_tabbaa/small-is-beautiful-the-launch-failure-of-healthcare-gov-5e60f20eb967
- Semantic Scholar — https://www.semanticscholar.org/paper/Organizational-Silence:-A-Barrier-to-Change-and-in-Morrison-Milliken/6037c59b9f8106eb8f148210a8f7d6982aa342fa
- Leadership IQ — https://www.leadershipiq.com/blogs/leadershipiq/psychological-safety-at-work-a-comprehensive-science-backed-guide-for-business-leaders
- PubMed Central — https://pmc.ncbi.nlm.nih.gov/articles/PMC1955340/
- The Institute of Internal Auditors — https://www.theiia.org/en/standards/
- Sarbanes-Oxley Act — https://sarbanes-oxley-act.com/
- Eduyush — https://eduyush.com/en-us/blogs/cima/chief-audit-executive
- The Clearing House — https://www.theclearinghouse.org/advocacy/Articles/2012/03/dodd-frank-section-165-risk-management-and-corporate-governance
- Bank for International Settlements — https://www.bis.org/fsi/fsisummaries/corp_gov_principles.htm
- Lexology — https://www.lexology.com/library/detail.aspx?g=aae3067d-dc27-4303-ba20-1d8bcfc1f50b
- Radical Compliance — https://www.radicalcompliance.com/2025/01/14/former-wells-fargo-execs-fined-millions/
- PYMNTS.com — https://www.pymnts.com/news/security-and-risk/2024/german-agency-criticizes-eys-audits-of-wirecard/
- ciferi — https://ciferi.com/blog/wirecard-audit-failure-european-regulation
- StrategicRISK Global — https://www.strategic-risk-global.com/esg-risks/carillion-enquiry-slams-big-four-audit-firms/1427052.article
- Internal Audit 360 — https://internalaudit360.com/reporting-lines-whom-should-internal-audit-leaders-call-boss/
- Wordpress — https://normanmarks.wordpress.com/2022/04/18/where-should-internal-audit-report/
- Academia.edu — https://www.academia.edu/36166019/The_Impact_of_Risk_Committee_on_Financial_Performance_of_UK_Financial_Institutions
- Optro — https://optro.ai/blog/sox-404
- Toolshero — https://www.toolshero.com/management/jay-galbraiths-star-model/
- Business.com — https://www.business.com/articles/management-theory-of-henry-mintzberg-basics/
- Wordpress — https://amirone2006.wordpress.com/wp-content/uploads/2013/09/henry-mintzberg-21.pdf
- Psych Safety — https://psychsafety.com/psychological-safety-conways-law/
- Ilyazakharau — https://ilyazakharau.com/blog/team-topologies
- Agileanalytics — https://www.agileanalytics.cloud/blog/team-topologies-the-reverse-conway-manoeuvre
- Heidrick & Struggles — https://www.heidrick.com/en/insights/cybersecurity/2025-global-chief-information-security-officer-compensation-survey
- Infosecurity Magazine — https://www.infosecurity-magazine.com/news/ciso-role-inflexion-point/
- Cyber Sierra — https://cybersierra.co/blog/ciso-report-to-ceo/
- CSO Online — https://www.csoonline.com/article/565560/does-it-matter-who-the-ciso-reports-to.html
- CIO — https://www.cio.com/article/465451/why-data-leaders-struggle-to-produce-strategic-results.html
- CIO — https://www.cio.com/article/3537260/cdos-and-cdaos-rethink-your-role-or-fade-away.html
- CNBC — https://www.cnbc.com/2026/05/11/heres-how-artificial-intelligence-is-changing-boardrooms.html
- Harvard Business Review — https://elb.hbr.org/2007/10/the-chief-strategy-officer
- Gartner — https://www.gartner.com/en/documents/6891166
- CSO Online — https://www.csoonline.com/article/4158505/the-endless-ciso-reporting-line-debate-and-what-it-says-about-cybersecurity-leadership.html
- IT Revolution — https://itrevolution.com/articles/conways-law-critical-for-efficient-team-design-in-tech/
- Ibrahim Cesar — https://ibrahimcesar.cloud/blog/the-software-elevator-redefining-the-architect-role-in-the-digital-enterprise-gregor-hohpe/
- Agileindia — https://2018.agileindia.org/enterprise-architecture-done-right-is-not-about-being-in-the-ivory-tower-says-gregor-hohpe/
- Ben-morris — https://www.ben-morris.com/enterprise-architecture-anti-patterns/
- World Wide Technology — https://www.wwt.com/article/breaking-down-ivory-tower-practical-guide-to-enterprise-architecture
- Alexewerlof — https://blog.alexewerlof.com/p/cargo-culting
- LinkedIn — https://www.linkedin.com/pulse/cargo-cult-agile-stephen-clarke
- DORA — https://dora.dev/capabilities/transformational-leadership/
- Quote Investigator — https://quoteinvestigator.com/2017/05/23/culture-eats/
- Changemanagementreview — https://changemanagementreview.com/why-culture-eats-change-management-for-breakfast/
- Spicytakes — https://charity.spicytakes.org/
- Mit — http://sunnyday.mit.edu/papers/issc04-final.pdf
- Harvard Law School Forum on Corporate Governance — https://corpgov.law.harvard.edu/2009/12/26/a-review-of-corporate-governance-in-uk-banks-and-other-financial-industry-entities/
- eCFR — https://www.ecfr.gov/current/title-12/chapter-I/part-30/appendix-Appendix%20D%20to%20Part%2030
- SAGE Publications — https://sk.sagepub.com/ency/edvol/criminologicaltheory/chpt/vaughan-diane-normalization-deviance
- BCG — https://www.bcg.com/publications/2024/how-to-create-a-transformation-that-lasts
- CIO — https://www.cio.com/article/4153245/bad-cios-are-good-for-the-business.html
- ResearchGate — https://www.researchgate.net/publication/314904409_CEO_Involvement_in_Selecting_Board_Members_Audit_Committee_Effectiveness_and_Restatements
- Umbrex — https://umbrex.com/resources/frameworks/strategy-frameworks/galbraith-star-model/
Commissioned from our research desk. Subject to final editorial discretion.