very well said. I see this particularly in information security field where i work where there is a constant tug-and-pull between Risk vs Compliance. (The compliance part being heavy on process). This equates to the cost of doing business vs protecting the information assets, and when you have too much compliance (process) i see it detrimental to both the business and information security, because to achieve perfect state (unfeasible) you need infinite capital expenditure. Trying to achieve this state by tying down the business in process is a common problem in an organization that claims it understands risk management but really doesn’t.