Post on 21-Dec-2015
Process Maturity in Determination of Risk
• Process maturity scoring provides a metric to communicate the capability of an organization to mitigate risks in terms of
– Prevention
– Detection
– Response
• The five-point scale, from CMMI, is well known in Motorola
• Our operational definitions for scoring will be based on the methods used by CGISS to win the Malcolm Baldrige award several years ago
• We will need to design and pilot-test our process to gain a 'proof of concept'
Level 1 – Initial
• Unpredictable environment where activities are not designed or in place
Level 2 – Repeatable
• Activities are designed and in place, but are not adequately documented
• Activities mostly dependent on individuals
• No formal training or communication of activities
Level 3 – Defined
• Processes are designed and in place
• Processes are documented and communicated to employees
• Deviations from processes will likely be detected
Level 4 – Managed
• Standardized processes with periodic testing for effective design and operation
• Automation and tools may be used for support
Level 5 – Optimizing
• Integrated internal control framework with real time monitoring for continuous improvement
• Automation and tools support controls and allow for rapid changes if needed
[Figure: maturity scale with the stages Initial, Repeatable, Defined, Managed, Optimizing]
Process Maturity Assessment Tool
Institutionalization starts at Level 4 (Managed) of process maturity.
Risk Heat Map Model
[Figure: risk heat map. Horizontal axis: Maturity Level (Optimized, Managed, Defined, Repeatable, Initial). Vertical axis: $ Impact or Score (Low, Medium, High). Region labels: (Sustain), (Road Map to Mitigate), (Long Term Plan).]