Resolve conflict on trust versus growth priorities

# 1) End-to-end conflict management plan ## Stakeholder mapping (RACI-style) - Accountable/Decision authority: Product VP (backed by Growth PM), Trust/Integrity Director. - Responsible/DRIs: Growth PM, Trust PM/Analyst (you), Eng Lead, Data Science, Policy/Legal, Safety Ops/Moderation. - Consulted: Security/Privacy, Comms/PR, Country/Regional leads (for regulatory hotspots), Abuse ML team, Risk/Compliance. - Informed: Executive staff, On-call leads (Eng, T&S Ops), Incident Response. Tip: Publish a named DRI list and a single Slack channel/Doc hub to prevent side threads. ## Alignment on goals and constraints - North star: “Increase DAU without breaching safety/regulatory thresholds.” - Non-negotiables: Compliance with policy and law, avoid material increases in violating content exposure, reversibility of changes, auditability. - Success criteria (example): - Growth: +X% DAU uplift or +Y% upload completion rate at p-value < 0.05. - Safety: Violating impressions per 10k impressions (VI/10k) not to exceed baseline +10% at hourly p95, no increase in severe categories (e.g., CSAM, violent extremism), no Ops SLA breach. - Constraints: New team members (assign buddies, pre-reads), cross-org coordination time, launch deadline. ## 1-page decision memo (circulate as a pre-read) Title: Decision on Upload Filter Loosening (Launch T–7) - Problem: Growth request to reduce filter strictness to boost DAU; analysis predicts +25–40% violating exposure. - Context: Current filter precision/recall, baseline VI/10k, regulatory hotspots, Ops capacity. - Options: 1) Do nothing for this launch; revisit post–safety improvements. 2) Phased, reversible rollout (canary + RCT) with strict kill-switch and guardrails. 3) Compromise: Shadow-mode + new-upload-only + low-risk geos; ship a smaller growth feature now; defer filter change. 4) Alternative mitigation: Pair loosening with compensatory controls (e.g., stricter post-upload classifier, reviewer queue, rate limits). - Risks (per option): Safety exposure, regulatory, reputational, ops overload, metric displacement (DAU vs. retention), dark patterns. - Mitigations: Feature flag + instant revert, geo scoping, severe-category hard blocks, pre-commit Ops headroom, on-call runbook. - Owner/DRI: Trust Analyst (risk metrics), Growth PM (growth metrics), Eng Lead (feature flag/revert), T&S Ops (SLA). - Decision framework: Ship only if guardrails met in canary and VI/10k remains ≤ baseline +10% at hourly p95 for 48 hours; otherwise revert. - Success metrics: DAU uplift, Upload completion rate, Retention D7, VI/10k, User reports per 10k sessions, Ops SLA (% within 2 hours). - Reversibility: Config flag; rollback in <5 minutes; data logging to support audit. ## Facilitation tactics when tempers rise - Pre-read + write-first: 10 minutes silent read; comments in doc to reduce live debate heat. - Re-anchor to principles: Safety bar and decision criteria agreed upfront. - Separate people from problems: Use neutral language; time-box disagreements; adopt “steel-man” summaries of the other side. - Use facts and forecasts: Show ranges and uncertainty; scenario table with best/base/worst cases. - Parking lot: Capture non-blocking items; move on. - Mediator: Invite neutral senior (Policy/Legal) if stuck. - Decision clarity: Confirm DRI and tie-break; “disagree-and-commit” when needed, with documented dissent. # 2) Reversible experiment / phased rollout ## Objective and units - Objective: Measure DAU uplift while ensuring violating exposure does not exceed policy thresholds. - Population and units: - Unit of randomization: User ID for uploaders; impressions for exposure assessment; geo as stratification. - Scope: Start with low-regulatory-risk geos; exclude minors and high-risk categories. - Surface: New uploads only (no retroactive application). ## Pre-launch validation - Offline replay: Run relaxed threshold in shadow on historical uploads; estimate delta in violations via labeled set. - Red-teaming: Manual adversarial tests on edge cases. - Shadow mode: Compute decisions in parallel without exposing to users for 48 hours; validate metrics + logging. ## Architecture and reversibility - Feature flag with two switches: Decision switch (on/off) and exposure switch (shadow/live). - Config-driven thresholds; instant rollback (<5 minutes) via playbook. - Audit logs: Store model score distributions, decisions, and reviewer outcomes. ## Experiment design - Canary: 0.1% of eligible users in 1–2 low-risk geos for 24–48 hours. - Ramp: 0.1% → 1% → 5% → 10%, gate each step on guardrails. - Stratified sampling: Balance by geo, device, language; exclude regulated regions initially. - Duration: Minimum 48 hours per step or until precision on safety metrics reaches desired margin of error. ## Metrics - Growth primary: Upload completion rate or DAU among creators. - Safety primary (kill-switch): Violating impressions per 10k impressions (VI/10k). - Formula: VI/10k = (Violating impressions / Total impressions) × 10,000 - Baseline example: 2.0 per 10k; predicted +25–40% if fully loosened. - Safety guardrails: Severe-category exposure (must be zero), User reports per 10k sessions, Takedown rate, Ops review backlog and SLA, New violator incidence per 1k uploaders. ## Hard kill-switch and threshold - Single kill-switch metric: Hourly p95 of VI/10k. - Threshold: If hourly p95(VI/10k) > baseline × 1.10 for 2 consecutive hours OR any hour > baseline × 1.25, immediately revert. - Example with baseline 2.0: revert if p95 > 2.2 for 2 hours, or any hour > 2.5. - Severe-category rule: Any detected severe violation exposure > 0 triggers immediate revert regardless of VI/10k. ## Guardrails and stop conditions - Stop conditions (any one triggers revert or hold): - Kill-switch exceeded (above). - User reports per 10k sessions > 2× baseline for 2 hours. - Ops SLA breach: >10% of safety reviews exceed 2-hour SLA for 2 consecutive hours. - Reviewer backlog > 1.5× staffed capacity for 2 hours. - Legal/Policy flag in any geo. - Compensatory controls: - Tighter downstream classifier for high-severity; quarantine queue for borderline content. - Rate limit per uploader; additional review for new accounts. - Geo blocklist for high-risk jurisdictions; age-gating. ## On-call escalation plan - Roles: Eng on-call (feature flag/rollback), T&S Ops on-call (queue), DS on-call (metrics), Incident commander (rotating), Policy on-call. - Tooling: PagerDuty alerts tied to kill-switch and guardrails; live dashboard with baselines and thresholds; runbook with revert steps. - Comms: Single war-room Slack channel; status updates every 30 minutes during canary; post-mortem template. # 3) Handling an unsafe directive ## Document dissent - Send a brief dissent note (email/doc) titled: "Dissent on Upload Filter Loosening – Risk Summary and Conditions." Include: - Risk summary with quantified ranges and modeled worst case. - Evidence (offline/shadow/labels), assumptions, and uncertainties. - Proposed safer alternatives and exact conditions under which you would support shipping. - Request for independent review and decision owner acknowledgment. - Record in the risk register with a unique ID, linked dashboards, and kill-switch definition. ## Independent safety review - Trigger a rapid review with Trust/Policy/Legal/Privacy and Safety Ops; attach the 1-pager and data. - If available, use an established launch-review or “red” review path; book a 30-minute decision meeting with pre-read. ## Respectful escalation - Escalate facts, not people: "Our modeled VI/10k exceeds the policy guardrail by X; proposing canary with kill-switch Y." - Offer a compromise path: shadow mode + canary with strict thresholds. - Confirm decision rights: Ask the decision-maker to sign off on the risk and kill-switch criteria; document “disagree and commit” if proceeding within guardrails. ## If the deadline is 48 hours away - Narrow the scope: Low-risk geos only, new accounts excluded, new uploads only. - Increase protections: Shadow mode immediately; 12-hour canary with on-call coverage; pre-approve rollback. - Upfront sign-offs: Get written approval from Policy/Legal and the Product VP on the kill-switch. - Ship only with reversibility: No irreversible migrations; ensure dashboards and alerts live before exposure. - If approvals are not obtained: Default to safe alternative (Option 3 from memo) and propose a follow-up launch window. # 4) Example conflict across teams (sample candidate story) - Stakeholders and stakes: Growth PM and Sales wanted to broaden content eligibility to hit quarterly DAU/revenue goals. Trust/Policy flagged increased risk of policy-violating exposures and potential advertiser complaints. Engineering concerned about on-call load; Ops about review capacity. - What I did: 1) Built a counterfactual simulation using 30 days of labeled data to estimate the delta in VI/10k by category; partnered with Ops to quantify review headroom. 2) Drafted a 1-page decision memo with three options and explicit kill-switches; secured pre-reads from Policy/Legal. 3) Ran a geo-canary (two low-risk markets, 0.5% of users) with feature flags and live dashboards; staffed a cross-functional on-call rotation. 4) Kill-switch almost triggered on day 1 (user reports per 10k at 1.9× baseline). We paused ramp, added a compensatory classifier for new accounts, and introduced a quarantine for borderline content. Re-ran canary; metrics stabilized (VI/10k +6% vs. baseline, within the +10% guardrail). 5) Scaled to 10% with continued monitoring; deferred high-risk geos to a later release. - Measurable outcome: - +3.8% upload completion and +1.2% DAU in the test regions. - Safety metrics within guardrails: VI/10k +6% (threshold +10%); severe-category exposure remained zero. - No Ops SLA breach; reviewer backlog peak 1.2× capacity with mitigation. - What I would do differently: - Engage Legal earlier to pre-clear geo scope; it would have saved 1 day. - Add automated back-pressure (auto-rate limit when backlog > 1.3×) instead of manual toggles. - Pre-commit executive visibility on the kill-switch to reduce live debate during ramp. # Notes and pitfalls - Define safety metrics and thresholds before seeing experiment results to avoid p-hacking. - Prefer p95/percentile-based guardrails to catch bursts, not just averages. - Ensure label quality for offline/shadow estimates; sample stratified reviews to validate classifier precision/recall. - Always tie reversibility to a tested rollback path; practice it before exposure. - Log and publish decisions and dissent; it protects users and the team if incidents occur.