I've been doing a bit of reading-up on Operational Risk Management (ORM) this week. It's intriguing to me that yet another method set emanates from the DoD world, and that we're only now seemingly starting to pay attention. Actually, that's not quite true. It appears that the financial crises have triggered an increased focus by groups like the Basel Committee on operational risk (in the financial sector, this seems to be a different thing from the DoD version, maybe? e.g., see the Basel Committee's "Principles for the Sound Management of Operational Risk"), which seems to have in turn caused yet another shift in viewpoint within the inforisk crowd (which is fine).
Anyway... one of the things I encountered several times is the notion that there are three (3) process levels within ORM (see Wikipedia for a light summary): In Depth, Deliberate, and Time Critical. In looking at these levels, they seem to essentially align to Strategic, Tactical, and Operational perspectives (and, actually, I've seen "In Depth" referred to as "Strategic" in a couple places). However, not only that, but they also seem to map to organizational maturity and, to perhaps a lesser degree, organization size and general capability.
Specifically, I'm starting to wonder if organizational evolution, from "no" to "go" (i.e., from no program to one that is underway and evolving), should first target "Time Critical" processes that seek to improve situational awareness ("more data") while trying to establish reasonable processes and procedures around key areas (e.g., change management, incident response management). If your real-time decisions are of a decent quality, then in theory you'll be able to better protect yourself, and hopefully free up resources over time to then work on maturing the organization.
What's potentially interesting to me is that I could easily see the Strategic level ("In Depth" processes) being dropped altogether in smaller organizations. If you're, say, less than 50 (or 100, or 200) people strong, then you may have an IT person, a security person, a compliance person, or some such combination, but it seems unlikely that your org is going to invest a lot into a formal GRC program. It's not until your org reaches a tipping point (no idea what size that is) that it'll need to organize and start using formal methods for decision and risk analysis. That is, focusing on "Time Critical" risk management may actually be the optimal condition.
Every org, regardless of size, is going to leverage, or should be leveraging, "Time Critical" processes, even if informally. Therein lies an opportunity to get a foothold in helping organizations improve their practices. If you're a small org, then I'm starting to think you should ignore the higher-level processes and instead focus on the more practical and operationally focused processes. At the same time, we need to find ways to build on these practices to start pushing value higher up the food chain.
As such, if your organization has little or no formal practices, then your primary focus should be on establishing sensible "Time Critical" processes and supporting capabilities (better situational awareness, checklists, certain kinds of awareness training). Once these practices are established and ingrained within the corporate culture, you can then look at adding "Deliberate" processes, bearing in mind that these processes likely still need to be lightweight so as not to unnecessarily burden the organization or hinder business functions. Whether or not an organization matures any further is open-ended, but it seems to me that it wouldn't necessarily need to do so.
For a nice summary of ORM in practice, check out the Civil Air Patrol's official position.