What is the Capability Maturity Model (‘CMM& – #8482;’)?

This discussion will be in the context of software development, although the later version of ‘CMM™’, known as CMMI™ (‘Capability Maturity Model Integration’), and other derivations, widened the application of CMM to the generalised business process world. Basically, it is a formal certification by an external agency of an organisation’s maturity of process framework – specifically the ability to deliver a software project.

Developed and owned by Carnegie Mellon University in the early 1990s, it was based on research into real data collected from companies about their delivery performance.

Consider how software companies grow – there are clear stages in their development as their level of process sophistication grows and they need to maintain and improve quality levels (one hopes) as their organisational complexity increases. For example, ‘Microsoft’ started in a backyard garage in the 1960’s with just two people. This has been typical of many software company startups.

We identify five process-related developmental stages in the model:

1. Initial (eg Microsoft in the backyard garage, informal and ad hoc)

2. Managed (typically there are processes in place with defined management – eg project management)

3. Defined (process standardisation is in place, with an organisation process focus)

4. Quantitatively managed (now with a software engineering perspective – product quality and process performance data is being collected – for example bug insertion rates, individual programmer coding performance).

5. Optimized – the organisation is formally and continually examining the effectiveness of its process performance, and optimising those processes and the ‘learning organisation’ becomes reality.

Each of these maturity levels have defined Key Process Areas (KPAs) which typify that maturity level. Further each KPA has five associated definitions:

1. Goals

2. Commitment

3. Ability

4. Measurement

5. Verification

The general nature of these KPAs is apparent and the broader application illustrates the reasons why CMMI was developed to widen application, even as far as ‘People CMM™’.

Just as with a human being, an organisation cannot skip a stage (‘miss out adolescence’), although able managers will be able to shorten the timescales. In the explosion of software development outsourcing to the Indian sub-continent, it provided a standardized way of assessing what were basically organisations ‘unknown’ to ‘western’ companies, thereby enabling outsourcing decisions to be made based on objective and independent quality criteria (besides obvious commercial criteria).

However, there is a distinction to drawn. With suitably experienced management software companies can grow and thrive without the CMM ‘badge’ – for example Microsoft.

CMM grew out of the US Government’s search for a framework by which to assess potential software / systems suppliers, and it is in this external delivery context that it is quite useful.

It is particularly beneficial to software/solutions companies engaging in one-off development projects, enabling them to promote a maturity level which should give customers a degree of confidence and enables potential customers to compare potential solutions suppliers.

CMM may be contrasted with ISO9001 standards. ISO does not provide a gradation of maturity as does CMM. ISO is about a minimum acceptable quality level for software processes. As someone who has worked in organisations under both categorisation (and implemented ISO9001 compliant systems in software houses), the difference to the author is only too obvious. In an ISO9000 accredited company (a customer), a manager once said to me (in somewhat stronger language) – ‘what we make is not of great quality, but its level of quality is consistent and standardized’.

2010 Phil Marks