Process Maturity in Determination of Risk

• Process maturity scoring provides a metric to communicate the capability of an organization to mitigate risks in terms of

– Prevention– Detection – Response

• The five point scale, from CMMI, is well known in Motorola

• Our operational definitions for scoring will be based on the methods used by CGISS to win the Malcolm Baldridge award several years ago

• We will need to design, and pilot test our process to gain a ‘proof of concept’

Level 1 – Initial

• Unpredictable environment where activities are not designed or in place

Level 2 – Repeatable

• Activities are designed and in place, but are not adequately documented

• Activities mostly dependent on individuals

• No formal training or communication of activities

Level 3 – Defined

• Processes are designed and in place

• Processes are documented and communicated to employees

• Deviations from processes will likely be detected

Level 4 – Managed

• Standardized processes with periodic testing for effective design and operation

• Automation and tools may be used for support

Level 5 – Optimizing

• Integrated internal control framework with real time monitoring for continuous improvement

• Automation and tools support controls and allow for rapid changes if needed

Initial

Initial

RepeatableRepeatable DefinedDefined ManagedManaged OptimizingOptimizing

Process Maturity Assessment Tool

Institutionalization starts at Level 4 – Managed level of process maturity.

Risk Heat Map Model

Optimized Managed Defined Repeatable Initial

Low

Medium

High

(Sustain) (Road Map to Mitigate)

(Long Term Plan)

Maturity Level

$ Im

pact

or

Sco

re