A planned BPM (business process maturity) model developed by two of the authors of CMM (Capability Maturity Model) will act as a framework to link CMM, ITIL and Cobit (the audit standard for IT and a component of Sarbanes-Oxley).
One of the authors of CMM, Bill Curtis, was in New Zealand last month. He is Borland’s chief process officer and a former director of the Software Process Programme at the Software Engineering Institute at Carnegie Mellon University in the US.
He says he and another of CMM’s authors, Charlie Webber, were driven to develop the BPM model by a request in 2002 from a divisional president at South African bank Nedbank, which had achieved a 25% productivity gain by implementing Level 2 of CMM.
“But software was only 15% of his cost and he wanted us to build CMM for the rest of the business, for things like services process,” he says.
The BPM model is being piloted in several industries and, says Curtis, will be formally launched later this year or early next year. “Ultimately, the BPM standard should integrate to any standard. It was a good standard to begin with. It will eventually have to be an open-source model,” he says.
In the 1990s, Curtis led the project to create CMM and architected the workforce process module, People CMM, which has been widely implemented by Indian software companies. He spends much of his time in India, which, he says, has a huge advantage because companies have gone through CMM training and executive engineers expect to work in that environment. Outsourced business to India is worth around US$17 billion (NZ$24 billion) a year.
Many of the Indian companies have been certified at the top level of CMM, Level 5. By comparison, in New Zealand, EDS has been certified at Level 3 and the prevalence of CMM certification among other organisations here is unclear.
The Software Engineering Institute at Carnegie Mellon is federally funded and driven by the US Department of Defence, the world’s largest software buyer.
The reason was that the DoD was increasingly fed up with software that didn’t work, Curtis says.
Curtis founded TeraQuest in 1993, which was bought by Borland in 2005. Previously, he has developed a global software productivity and quality measurement system at ITT’s programming technology centre, evaluated software development methods in General Electric’s Space Division, and taught statistics at the University of Washington.
The Capability Maturity Model focuses on building quality practices into most of a business, reducing complexity along the way.
“It takes the organisation through a series of transformations that provide different values at different levels,” Curtis says. “It transforms the organisation [in line with] Edwards-Deming’s vision.”
(W Edwards-Deming was a US quality management guru who was credited with the revival of Japanese industry after World War II).
Under CMM, the nature of improvement changes at each level. Levels 1 and 2 focus on the stability of the local work environment to meet commitments. Curtis says that after implementation at these levels, the amount of reworking in software drops by more than half.
“30–50% of software is reworked. In the business world, 30% of work in business is redone — it isn’t that different. People don’t have the resources to do their jobs properly, so they rush things. It really snowballs in business.”
Level 3 is about getting a consistent method of work process so applications and training become simpler, taking the complexity out of business. By way of example, says Curtis, a business may be told to cut costs by 20% a year. By year three, it becomes very difficult, so improvement in efficiency is the only way to meet the requirement. But this has to be at an organisational rather than branch level.
“At Level 3, we’re seeing software productivity doubled,” he says.
Level 4 is about trying to control the process statistically and take action on projections, bringing real-time control to the business process.
“This brought a huge amount of software productivity growth we hadn’t anticipated, because software reuse explodes,” he says.
“For 25 years, reuse didn’t get there because the software wasn’t designed well enough in the first place and it was easier to start again. With CMM, you can trust the software.
“The same thing will happen in the business space.”
Level 5 follows getting the organisation under quantitative, predictive control. It’s about closing the gaps between what there is and what is needed to achieve targets. He gives as an example a telco that needs to reduce its downtime where that downtime attracts enormous penalties. “Level 5 is about being proactive and, sometimes, experimental.”
Curtis says the biggest resistance to an organisation implementing CMM comes from middle management. “Executive management reads a lot and understand such things. But the guys in the middle have got their own little bailiwick and you’re going to upset their apple cart because they don’t know exactly what will work.”
He says there may also initially be resistance from software developers who think applied methods such as CMM limit their creativity. “In fact, it’s the opposite, because Level 2 makes more time for them if they need it to be creative.”
A CMM certifier goes through a rigorous qualifying regime. The assessor must have a background in software or systems development, then have been on two appraisals with a lead assessor. There is a five-day course at the Software Engineering Institute, and they must then lead an appraisal under observance.
Curtis says that if a business is immature, it becomes a nightmare for the IT department. “But the business doesn’t recognise the problem until its IT gets mature enough and the business has to acknowledge the problems belong to it.
“It’s a reason why big ERP systems crash,” he says. “The business is too complex.
“CMM is about taking complexity out of the business and that happens at Level 3.”