What is CMM?
by Phil Marks
This discussion will be in the context of software development, although the later version of CMM, known as CMMI
(‘Capability Maturity Model Integration’) widened the application of CMM to the generalised business process
Basically, it is a formal certification by an external agency of an organisation’s maturity of process framework –
specifically the ability to deliver a software project.
Developed and owned by Carnegie Mellon University in the early 1990s, it was based on real data collected from
companies about their delivery performance.
If we consider how software companies grow, then there are clear stages in their development as their level of
process sophistication grows and they need to maintain and improve quality levels (one hopes) as their
organisational complexity increases. After all, ‘Microsoft’ started in a backyard garage in the 1960’s.
There are five process-related developmental stages recognised in the model:
- Initial (the backyard garage – typified by a degree of chaos)
- Managed (typically there are processes in place with defined management – eg project management)
- Defined (process standardisation is in place, with an organisation process focus)
- Quantitatively managed (product quality and process performance data is being collected – for example bug
insertion rates, individual programmer coding performance – from an ‘engineering’ perspective ).
- Optimized - process management – the organisation is formally and continually examining the effectiveness
of its process performance, and optimising those processes and the ‘learning organisation’ is achieved.
Each of these maturity levels have defined Key Process Areas (KPAs) which typify that maturity level. Further
each KPA has five associated definitions:
The general nature of these KPAs is apparent and the broader application illustrates the reasons why CMMI was
developed to widen application, even as far as ‘People CMM’.
Just as with a human being, an organisation cannot skip a stage (‘miss out adolescence’), although able managers
will be able to shorten the timescales.
In the explosion of software development outsourcing to the Indian sub-continent, China and elsewhere, it
provided a standardized way of assessing what were basically organisations ‘unknown’ to ‘western’ companies,
thereby enabling outsourcing decisions to be made based on objective and independent quality critieria (besides
obvious commercial criteria).
However, there is a distinction to drawn. With able (and suitably experienced) management software companies can
grow and thrive without the CMM ‘badge’ – for example Microsoft. Whilst not necessarily pursuing formal assessment,
the CMM checklists provide managers with a useful way of internally assessing their organisation.
After all, CMM grew out of the US Government’s search for a framework by which to assess potential contractors,
and it is in this external delivery context that it is most useful. It is particularly beneficial to
software/solutions companies which are delivering one-off development projects. It enables them to promote a
maturity level which should give customers a degree of confidence and enables potential customers to compare
potential solutions suppliers.
CMM may be contrasted with ISO9001 standards. ISO does provide a gradation of maturity as does CMM. ISO is about
a minimum acceptable quality level for software processes. As someone who has worked in organisations under both
categorisations (and implemented ISO9001 compliant systems in software houses), the difference to the author is
only too obvious.
In an ISO9000 accredited company (a customer of mine), a manager once said to me (in somewhat stronger language)
– ‘what we make is not of great quality, but its level of quality is consistent and standardized’.
© 2010 Phil Marks. All Trade and Service Marks are acknowledged.