Risk CMM

Article: Capability Maturity Model (RM-CMM) for Risk Management

By Nevill J Fox

The Capability Maturity Model for Risk Management [i] describes the principles and practices underlying management process maturity and is intended to assist organisations in managing risk by maturing their decision support processes.

A surprisingly large number of companies have yet to implement Risk Management (RM) within their organisations.   Of those organisations that have started implementing RM, the level of implementation is low or uncertain.   The Capability Maturity Model is a suitable basis for assessing that level of implementation.

The CMM [ii] is divided into five maturity levels:

  1. Initial.   The decision support process for managing risk is characterised as ad hoc, and occasionally even chaotic.   Few processes are defined and success depends on the individual’s abilities and experience.   Remove an individual and the processes may change dramatically, commensurate with the next individual’s level of ability and experience.
  2. Repeatable.   Basic management processes are established to document the management of the organisation.   The necessary process discipline is in place to repeat earlier successes on similar tasks, based on the organisation’s previous experience.
  3. Defined.   The process for managing risk is standardised, documented and integrated into the normal decision-making processes of the organisation.   All decisions use the approved, detailed version of the organisation’s standard risk management process.
  4. Managed.   Detailed measures are collected of the management decisions made, of the formal process of managing risk and of the quality of the risk management (planning, including setting the context, risk identification, assessment of risk, evaluation of risk, mitigation of risk to an acceptable level, the monitoring of risk and review of the whole process).   All the business processes and the output products or services are quantitatively understood and controlled.
  5. Optimising.   Continuous process improvement is enabled by quantitative feedback from the process, from piloting innovative ideas and technologies, and from measuring the effect of decisions on the public affected by them.

As with SW-CMM, RM-CMM contributes to the predictability, effectiveness and control of an organisation’s business processes and is expected to improve the decision-making process through the application of risk management.

All levels except level 1 are decomposed into several key process areas that direct the organisation’s focus to improving its decision-making processes.

The key process areas at level 2 focus on the business decision-making concerns involved in establishing a basic framework for risk management.   The basic framework is set by AS/NZS 4360:1999 and comprises Establish context, Identify risk, Analyse risk, Evaluate risk, Treat risk, Monitor & Review and Communicate & Consult.

The key process areas at level 3 address both the risks and the organisational responses to risk-related issues, and establish an infrastructure that supports a culture of effective business decision-making.   They are strategic planning, business plans for each business unit, corporate education & training, business process integration, ongoing business process development, effective communication (including reporting against strategic and business plans) and peer reviews.

The key process areas at level 4 focus on establishing a quantitative understanding of the risks inherent in the business processes and in the products and services being provided or developed.   The management of quality for all business processes needs to be encapsulated at this level.   The process areas are enterprise reporting, enterprise risk analysis, contingency planning and process measurement (AS/NZS 1199 & 2490).

The key process areas at level 5 cover the issues that organisations must address to implement continual, measurable process improvement.   They are Process Failure Prevention, Technology Change Management and Process Change Management.   The last two rarely exist without each other and therefore should be integrated or well coordinated. [iii]

To continue the practical adaptation of CMM to risk management, each level of maturity must build upon the previous level in order to progress.   Each of the key process areas is described in terms of the practices that contribute to the goals of the level.   The key practices describe the infrastructure and activities that contribute most to the effective implementation and institutionalisation of the key process area.


[i] Based on the Capability Maturity Model for Software (SW-CMM) V1.1, this paper has a specific focus on Risk Management as applicable to all organisations (adapted from SW-CMM by Nevill J Fox of Odinn Intelligence).   The adaptation of the SW-CMM into RM-CMM is based on a gap perceived by the author and on familiarity with both the SW-CMM and the application of Risk Management in large organisations.   Significant gaps exist in the implementation and application of the formal risk management process in support of the decision-making process.

[ii] Capability Maturity Model SM for Software (SW-CMM), Version 1.1, Technical Report CMU/SEI-93-TR-024, ESC-TR-93-177, February 1993.

[iii] The author continues to strive for the integration of risk management and knowledge management into the decision-making process, with the goal of achieving exponential growth within organisations rather than haphazard development and premature demise.