A target operating model in four layers. The framework Andrew Wyatt uses with growth-stage CEOs to prepare for scale, board readiness, and AI deployment. Built across multiple executive operating roles, including as Chief Operating Officer at Lumeon.

Risk register: annual planning and Board cadence

| ID | Risk | Causes | Existing controls | Initial | Mitigation | Owner | Status | Mitigated | ALARP |
|---|---|---|---|---|---|---|---|---|---|
| 01 | Annual plan obsolete by Q2 | Market shifts, no replan trigger | Annual Board review | H · P · 9 | Quarterly plan refresh; trigger-based replan | CEO | In progress | H · L · 6 | ALARP pending |
| 02 | Board approval lags into operating quarter | Calendar misalignment with year-end | Quarterly Board meetings | M · P · 6 | Pre-circulate plan four weeks before vote | CEO | Open | M · R · 3 | Yes |
| 03 | Cascade fails to reach operational level | Translation gap from Exec to Department | Quarterly Exec cadence | M · P · 6 | OKR cascade tool; Department review with CEO | Exec Team | Open | M · R · 3 | Yes |
| 04 | KPIs misaligned with strategic objectives | Bottom-up KPI design without ratification | Board KPI review | M · L · 6 | Top-down KPI framework; Board ratification | CEO | Open | L · L · 3 | Yes |

Risk register: customer incident management

| ID | Risk | Causes | Existing controls | Initial | Mitigation | Owner | Status | Mitigated | ALARP |
|---|---|---|---|---|---|---|---|---|---|
| 01 | Triage lag exceeds 24h SLA on a Sev 1 | Single-channel paging, no on-call rota | Inbound monitoring; pager-duty integration | M · L · 6 | Two-person standby rota; multi-channel paging | CS Manager | Open | M · R · 3 | Yes |
| 02 | Incident team cannot convene inside SLA window | No predefined roster; meeting scheduling friction | Slack channel pre-created | H · P · 9 | Standby roster, pre-booked recurring war room, fallback comms protocol | Incident Owner | In progress | H · R · 6 | ALARP pending |
| 03 | Improper severity classification routes incident to wrong path | Severity matrix not codified; one-reviewer policy | Internal training; matrix in playbook | M · P · 6 | Two-reviewer policy on Sev 1-2 classification; decision matrix in tool | Incident Owner | Open | M · R · 3 | Yes |
| 04 | Customer comms sent without legal review on a Sev 1-2 | SLA pressure; legal review bottleneck | Standard template requires legal sign-off | H · P · 9 | Pre-approved template library for top scenarios; named legal on-call | Legal | Open | H · R · 6 | ALARP pending |

Risk register: product end-of-life (EOL)

| ID | Risk | Causes | Existing controls | Initial | Mitigation | Owner | Status | Mitigated | ALARP |
|---|---|---|---|---|---|---|---|---|---|
| 01 | EOL announced without viable migration path | Rushed decision; no migration product | EOL playbook | H · P · 9 | Migration plan required as gate to EOL announcement | Product | In progress | H · R · 6 | ALARP pending |
| 02 | Customers in long-term contracts unable to migrate by EOL | Contract terms mismatched to EOL timeline | Pre-EOL legal review | H · P · 9 | Per-contract review twelve months pre-EOL | CS Manager | Open | H · R · 6 | ALARP pending |
| 03 | Data migration failures during transition | Schema differences; tooling gaps | Manual migration support | M · L · 6 | Automated migration tools; dry-run pilots | Eng Lead | Open | M · R · 3 | Yes |
| 04 | Reputational impact from forced sunset | Communication missteps; surprise | Standard EOL comms template | M · P · 6 | Customer Advisory Board notification twelve months out | CS Manager | Open | L · R · 2 | Yes |

Risk register: security incident response

| ID | Risk | Causes | Existing controls | Initial | Mitigation | Owner | Status | Mitigated | ALARP |
|---|---|---|---|---|---|---|---|---|---|
| 01 | Detection lag — incident undetected for over 24h | Insufficient monitoring; alert fatigue | SIEM tool; on-call rota | H · P · 9 | Tuned alerting; quarterly detection drills | CISO | In progress | H · L · 6 | ALARP pending |
| 02 | Investigation blocked by insufficient logging | Logs not retained; aggressive rotation | 30-day retention policy | M · P · 6 | Twelve-month log retention for critical systems | CISO | Open | M · R · 3 | Yes |
| 03 | Regulatory disclosure missed (GDPR 72h) | Unclear breach criteria; legal not looped early | Breach checklist | H · P · 9 | Standing legal partner; pre-approved disclosure templates | Legal | Open | H · R · 6 | ALARP pending |
| 04 | Slow response due to absence of playbook | Ad hoc handling; no named owner | Generic IT incident process | M · L · 6 | Security-specific playbook with named owners | CISO | Open | L · L · 3 | Yes |

How a growth-stage SaaS business might equip each layer in 2026, with AI tooling integrated into the operating model rather than bolted on at the side. Named tools are representative, not exhaustive. The principle is one platform per layer where possible, with AI woven through.

One platform per layer where the volume justifies it. AI tools chosen for the tasks that are narrow, codified, and rule-tolerant. Strategic and regulated work stays human-owned.
The map is the easy bit. The harder work is owning each component, codifying the process, scoring the risk, and reviewing it quarterly. That is the work that makes an operating model a living tool rather than a deck artefact. If you would like help installing this discipline in your own business, most engagements start with a Sprint Diagnostic: four to eight weeks, fixed fee, a defensible answer and a plan your leadership team can execute on Monday.