This is a sentence that has killed more innovation, buried more improvements, and protected more mediocrity than any policy ever written. It is not delivered with malice. It is delivered with confidence — sometimes even with pride.
"That's how we've always done it."
Five words. Zero justification. Infinite staying power.
If you've spent any time inside an organization — corporate, government, nonprofit, it doesn't matter — you know this sentence. You've probably felt the specific frustration of raising a legitimate concern, proposing a better approach, or pointing out that a process hasn't been reviewed in six years (or, frankly, in some cases never), only to receive those five words as if they were a complete and sufficient answer.
They are not. But understanding why people say them, and why they land with such finality, is the first step toward changing anything.
Where It Comes From: The Psychology of the Status Quo
Resistance to change is not stupidity. It's not even laziness, most of the time. It's a deeply wired human response.
Status quo bias is a cognitive tendency to prefer the current state of affairs over alternatives, even when alternatives are objectively better. First formally described by researchers William Samuelson and Richard Zeckhauser in 1988, it's since been replicated across hundreds of studies. The finding is consistent: losses loom larger than equivalent gains. Changing something that works tolerably feels riskier than keeping something broken but familiar.
In organizational settings, this gets amplified by several overlapping dynamics:
Loss aversion at the institutional level. When a team has invested years — sometimes careers — in a particular process or system, changing it feels like an implicit indictment of everything that came before. Nobody wants to admit that what they built, defended, or inherited was suboptimal. The process becomes identity.
Uncertainty as threat. A process you know, even a bad one, is predictable. You know where the failure points are. You've built informal workarounds. A new process means new failure modes, new learning curves, new risks — and in environments where failure is punished, that's genuinely dangerous.
Social inertia and conformity pressure. Organizations develop norms, and challenging those norms carries social risk. The person who keeps asking "but why do we do it this way?" can quickly earn the reputation of being difficult, disruptive, or naïve about "how things really work here." Eventually, people learn to stop asking.
Procedural comfort as competence signal. In many workplaces, knowing the current process deeply is a form of demonstrated expertise. Someone who can navigate the legacy system, knows which forms go to which department, and remembers why certain exceptions exist — that person has status. A new process erases that status advantage. Of course they resist.
The Organizational Layer: When Resistance Becomes Structure
Individual psychology explains the behavior, but organizations can institutionalize it. This is when "we've always done it this way" stops being a cognitive bias and becomes a governance failure.
Signs you're dealing with structural resistance, not just individual reluctance:
- No documented rationale for current processes. They exist because they exist.
- Change proposals require an extraordinary burden of proof while the status quo requires none.
- Process owners have veto power over reviews of their own processes.
- "We tried that before" is treated as a permanent closed door, without any analysis of whether conditions have changed.
- Post-mortems don't happen, so lessons never make it back into process design.
The processes are running. The rationale is gone. And challenging them feels like challenging the organization itself.
The Real Cost Nobody Calculates
Here's what the defenders of the status quo never put on the table: the cost of not changing.
Every year a broken process runs, you're paying for it in:
- Compounded inefficiency. The friction is small per transaction but massive at scale and over time.
- Talent attrition. High performers — the ones with options — leave environments that signal their ideas don't matter. The ones who stay are often the ones most comfortable with stagnation.
- Technical and process debt. Workarounds breed workarounds. Exceptions become informal policy. The system becomes unmaintainable by anyone except the few who built it.
- Competitive erosion. In any sector where external conditions evolve — technology, regulation, client expectations, threat landscapes — static processes fall behind. Sometimes slowly, then suddenly.
- Risk accumulation. Old processes were often designed around old threat models. In cybersecurity especially, "we've always done it this way" isn't just inefficient — it can be actively dangerous.
How to Actually Change Things: A Practitioner's Framework
This is the part where most articles hand you five bullet points that sound good and accomplish nothing. Instead, let's talk about what actually works when you're trying to move an organization that doesn't want to move.
1. Never Fight the Sentence Directly
When someone says "that's how we've always done it," arguing with them head-on rarely works. It triggers defensiveness, signals disrespect for institutional knowledge, and makes you the problem. Instead, get curious.
"That's interesting — do you know why that approach was originally chosen?"
This does several things at once: it signals respect for institutional context, it forces the other party to either produce a rationale (useful) or admit they don't have one (more useful), and it moves the conversation from values to evidence.
2. Separate the What from the Why
Most processes were rational when they were designed. The goal is usually still valid; the method is often just outdated. When you can isolate the underlying objective — the why behind the what — you create room to propose alternatives that serve the same goal with less friction.
"We audit these records manually because we need an accurate trail" becomes a conversation about whether manual auditing is still the best method to produce an accurate trail — not a fight about whether an accurate trail matters.
3. Use Data, But Frame It as Risk
Governance-speak for "this process is inefficient" is largely ignored. Governance-speak for "this process creates documented organizational risk" gets attention. Reframe improvement proposals in the language your audience actually responds to: liability, compliance exposure, audit findings, operational risk.
This isn't manipulation. It's translation.
4. Find the Pilot
You rarely change everything at once, and you shouldn't try to. Find a bounded context — a project, a team, a defined scope — where you can run the new approach alongside the old one and produce visible results. A successful pilot is worth ten arguments.
It also shifts the burden of proof. Instead of defending why change might work, you're showing that it already did.
5. Give People an Exit, Not a Defeat
Resistance often has less to do with the process and more to do with the person who owns it. If changing a process means implicitly declaring that someone spent years doing things wrong, they'll fight it. Frame change as evolution, not indictment. Position long-tenured staff as the institutional knowledge that makes new approaches viable — not as obstacles to be worked around.
People will defend what makes them feel competent. Make them feel competent in the new world, not obsolete in it.
6. Address the Unspoken Question: "What Happens If It Fails?"
Change resistance is often rational risk management in disguise. If the culture punishes failure, people won't volunteer for experiments that might fail. Before asking your team to embrace a new approach, answer the question they're too smart to ask out loud: what happens to us if this doesn't work?
If the honest answer is "someone gets blamed," you haven't fixed the change management problem — you've just added a new process on top of a punitive culture. The culture has to change too.
Decision-Making That Doesn't Calcify
Long-term, the solution to "we've always done it this way" isn't a single change initiative. It's a decision-making culture that builds in periodic review as standard practice.
That means:
Sunset clauses on processes. Policies and procedures that automatically trigger a review after a defined period — not because they're broken, but because conditions change and assumptions should be validated.
Documented rationale at the point of creation. When a process is designed, capture why it was designed that way, what alternatives were considered, and under what conditions it should be revisited. This sounds obvious. Almost nobody does it.
Structured devil's advocacy. Formally assign someone the role of challenging proposed continuations of existing processes. Not as a bureaucratic checkbox, but as a genuine check on inertia.
Incentives for improvement, not just stability. If your performance management system rewards people for maintaining the status quo and says nothing about improving it, you will get exactly what you measure.
The Deeper Issue
"That's how we've always done it" is ultimately a statement about power as much as process. It says: the legitimacy of this approach derives from its persistence, not from its quality. Longevity as justification. Precedent as authority.
In governance terms, this is a category error. Duration is not evidence of fitness. A bad process that has run for twenty years is still a bad process.
The organizations that stay adaptive — that don't calcify around their own precedent — are the ones that treat "why do we do it this way?" not as a challenge to institutional authority, but as a standard operating question. Curiosity as default. Evidence as arbiter.
That's a culture shift, not a process change. And it starts with being willing to ask the question out loud, even when you know the answer is going to be "we've always done it this way."
Ask it anyway.
Hani Esmael is an Information Security Analyst and governance practitioner writing on IT governance, organizational design, and decision-making at EsmaelNexusX.