The following are a set of thoughts I've had watching a company grow from 60 people to 600 people - it's not a complete thesis, but I wanted to put it out there to start getting feedback from people.
Thoughts on Organizations
Processes are sets of rules in the same way that computer programs are just sets of rules. In the case of programs, it's the computer doing the work of executing the rules of the program and they have no choice but to take what you wrote literally. In the case of processes, it's people executing them. However, both have bugs - unexpected outcomes of the rules. With humans, you get some leeway because you can explain what you meant or you can say we're implementing the 'intent' rather than what's actually written but you will run into people who execute policies like they are computer programs and follow exactly what's written, as opposed to what is intended.
Making matters worse, policies often have very long feedback loops before the bugs are detected and can be addressed. As such I think we should try and avoid process until absolutely necessary. Too many people want to rush to create a process every time someone makes a mistake so that mistake can never happen again, without regard for the bugs that can be introduced as a result.
Trust, Talent and Communication vs Rules
Why create rules at all? I think this is the same as asking why society has laws and I think the reason is because you can't trust people to do the right thing. More specifically, there's a limit to the number of people whose reputation you can keep in your head at any one time. This limit is called the Dunbar number, named after the social scientist who studied why tribes separate into two tribes. He found that after about ~120 relationships, we can no longer keep track of who owes whom money, who is trust worthy, who likes to short change people, etc. Rules are an abstraction over behavior. If we all agree to follow the rules, we can use them as a short cut for knowing someone's reputation. The reason I can go to the store and buy a bacon, egg and cheese from a complete stranger is because I have trust in the rules for proper food storage and preparation.
I think that organizations that are growing don't need any policies until they reach this 120 size. After that we start seeing faces around the office that we don't recognize, and we hear about projects starting up being lead by people we have never heard of. People who's reputations we don't know/trust.
Minimum Viable Process
So what do we do? Policies (and laws) are really useful abstractions. They allow us to trust each other without actually knowing the individual's reputation the same way I trust the food cart guy is not going to poison me because of the FDA. However, policies like all rules - have bugs.
The #1 predictor of bugs in code is the number of lines of code. Each line is a little rule, and the more rules you have the more likely you are to introduce bugs. Since policies are rules that often contain more rules (the entire workflow is a set of rules to follow), the more policies you have (or the more complicated they are) the more likely they are to introduce bugs, and so the goal is to have the smallest set of effective policies possible.
How do you accomplish this?
Developers find bugs by compiling and executing their code, thus seeing that it does not do quite what they expected. It's a tight feedback loop that allows them to identify and resolve bugs quickly. What we need from policies is a similar feedback loop and the easiest way to do that is with this 1 weird trick.
Make people feel the consequences of their decisions.
That's it. Ok maybe the golden rule is nice too, do unto others as you would have them do to you is probably always a good rule.
What does this mean? It means one can never make a rule for someone else, that they themselves don't have to follow. The reason is so they can get immediate feedback on both the good and the bad of the rule and make adjustments accordingly. This is remarkably difficult in practice. People really really don't like feeling the pain of their decisions, and we set up all sorts of elaborate systems to protect ourselves from get that feedback. I don't think anyone making other people's lives hell on purpose, we do this almost subconsciously.