CMMI V2.0 Practice Areas

CMMI V2.0 is an integrated product suite that comprises the model itself, which currently has three different views - Development, Services and Supplier Management.

The architecture of the CMMI V2.0 model includes a set of specific Capability Areas that have specific Practice Areas under them.

The Practice Areas in V2.0 are categorized into common practice areas and view-specific practice areas.

 
Common Practice Areas:
  1. Requirements Development and Management (RDM)
  2. Process Quality Assurance (PQA)
  3. Verification and Validation (VV)
  4. Peer Reviews (PR)
  5. Estimating (EST)
  6. Planning (PLAN)
  7. Monitor and Control (MC)
  8. Risk and Opportunity Management (RSK)
  9. Causal Analysis and Resolution (CAR)
  10. Decision Analysis and Resolution (DAR)
  11. Configuration Management (CM)
  12. Process Management (PCM)
  13. Process Asset Development (PAD)
  14. Managing Performance and Measurement (MPM)
  15. Governance (GOV)
  16. Implementation Infrastructure (II)
  17. Organizational Training (OT) - common area but coming from the People view

Development View-specific Practice Areas:
  1. Technical Solution (TS)
  2. Product Integration (PI)

Services View-specific Practice Areas:
  1. Strategic Service Management (STSM)
  2. Service Delivery Management (SDM)
  3. Incident Resolution and Prevention (IRP)
  4. Continuity (CONT)

Supplier Management View-specific Practice Areas:
  1. Supplier Source Selection (SSS)
  2. Supplier Agreement Management (SAM)
The model architecture lends a lot of flexibility to the adoption of the CMMI V2.0 model by an organization.

In addition, an organization can even create and use a customized view of the model.

In summary, it can be said that the arrangement of Practice Areas in the CMMI V2.0 architecture is a good move.

The CMMI V2.0 architecture should help increase the adoption of CMMI by organizations and more importantly enhance the value organizations derive from the use of CMMI.

Why Someone May Show Reluctance and Resistance to Processes?

Sometimes you would come across an interestingly ridiculous person in an organization who would show visible reluctance and resistance to following processes he is supposed to follow.

He would say that something is not applicable to him and in the same breath also add that he doesn't understand that thing.

That's complete nonsense - how can you say that something is applicable or not applicable unless you understand that thing in the first place?

This kind of a situation is all the more surprising when this person is in a higher grade. Such a person is actually a senior only by grade but not by attitude and mental level.

The resistance and reluctance by such a character would come to the fore in various ways:
  • He pretends to be the busiest person in the company (quite funnily, busier than the CEO himself!). The other funny thing is that this person is not handling anything critical like delivery operations but non-core things like accounts payable for the company.
  • He doesn't give time for discussions, giving one lame excuse after another. Then he says that the other side has delayed the entire thing. Such behavior is a clear indication of the fact that this man is playing stupid games and acting in a funny and even dangerously silly manner. It also shows that this man has a complete lack of maturity.
  • He writes funny emails shifting his responsibility and work on to others. He would write things like "I am not going to approach anyone", which shows two things - one, he does not take ownership of the matters at hand and two, he is highly rigid, opinionated and closed-minded.
  • He may be incompetent and hence not able to finish his work on time, and thus ends up putting up unnecessary resistance and reluctance to shirk any additional work. He may essentially be a shirker and someone who doesn't want to put in his bit.
  • He lacks any understanding of organizational requirements and hence doesn't support organizational initiatives. He would pose as an expert in a field of which he doesn't even know the ABC.
  • He cites illogical and silly reasons for why something is not applicable. And that too when he doesn't know the ABC of what he says is not applicable.
  • He has empty haughtiness and arrogance about himself. The underlying reason might be his low self-esteem. He knows that truly speaking he is a complete ass and a buffoon, but to have a sense of grandeur he poses as something much bigger than what he really is, a pesky, little corporate insect.
  • He puts up unreasonable requests and sends unjustifiable emails just to show he is supreme. However, in front of his manager he is a very lowly creature.
  • He is a man who has become too big for his own boots and carries a sick attitude. He walks past you as if you don't matter. He shows as if he is the boss when he also clearly knows he is a pesky pest-like character. He ignores you to get a sense of self-worth.
Such a man will lead to hassles for you and you would need to find a way to handle such a person in an appropriate manner.

Remember, you are luckily not like this sick man (and must thank God that you are not such an ass-like pest - call him SP) and hence you should certainly handle things with maturity.

How to handle SP is a challenge for anyone.

You should stay focused on your interests and not your position, and negotiate accordingly.

Handling SP, who is an ass-like pest, is surely a great personal learning.

You might go through interesting situations.

The situation might be even more interesting if the person the big SP reports into is another character who thinks highly of himself and is very immature.

The manager of the big SP is a man who acts as if he knows everything and is the only one who cares about the company and also that he is the man who runs the company.

The man who knows everything (MK) is another challenge that makes things interesting.

Though this person MK is a silly guy he is in a position of power and you need to act smartly to keep yourself safe.

The situation gets even much more interesting because the man you are forced to report into is another funny character.

This man is a pesky pest (PP) and a crook beyond any limit.

He is a person who would smile in front of you but would do a lot of nonsense behind your back.

This man PP is where he is due to his blind loyalty to the top dog.

He enjoys his position and creates nonsense by not sharing anything and also by taking actions without informing you.

In such a company where you have characters like SP, MK, PP it is but natural to expect reluctance and resistance to processes.

The SPs, MKs, PPs are really the symptoms of the widespread malaise of sick corporate culture in such organizations.

You must still do your best so that the right things happen.

So brace up.

Be ready for the showdown.

And just get, set, go.

Why Those Who Challenge An Excellence Framework Saying It Doesn't Add Value Are Intellectual Pygmies?

You would often come across some Tom, Dick or Harry posing as an intellectual and giving an opinion about something he or she doesn't really understand.

"Things have changed, we shouldn't continue with ISO or CMMI or Malcolm Baldrige".

"Now everyone is using Agile, it is so very different".

"Using CMMI means a lot of overhead".

Statements like the ones above show just one thing.

The person making such statements is an intellectual pygmy.

As they say half knowledge is risky.

But no knowledge is simply fatal.

Some of these folks may be doing a lot of work that involves creating technical solutions, designing system architectures, writing proposals, doing effort estimation, etc., but that by itself doesn't make them an expert in anything.

They may not even be experts in the above activities.

The volume of work a person has done can never be a true indicator of that person's efficiency and effectiveness.

An excellence framework is simply that.

A framework.

An overall approach.

Basics never change, they may get refined and fine-tuned over time.

The basic principles of project management have always been the same for ages:
  • project germination or acquisition
  • project initiation
  • project planning
  • project tracking
  • project closure.

This was true a decade back, is true today and will be true a decade hence too.

The basic principles of software engineering have also always been the same for ages:
  • problem definition/articulation (requirements)
  • solution approach determination (design)
  • solution implementation as per agreed approach (construction)
  • checking of solution against approach being followed (verification)
  • checking of solution against problem getting solved (validation)

Any excellence framework in the domain of project management and software engineering would contain elements and aspects to take care of the above.

CMMI does that.

ISO also does that.

And Malcolm Baldrige also does that.

As for the intellectual pygmies, there is only one thing left for them to do.

Simply get lost.

Handling Change in the Lead Auditor

Any change in the lead auditor would result in changes related to the level of compliance expected from an organization's systems and processes.

At times the question is not just the level of compliance but the appropriateness of the manner in which compliance was being demonstrated by an organization till the point of change in the lead auditor.

Every person is different in terms of his or her viewpoint, outlook, perspective, understanding, expectations and articulation.

Auditors are no different on the above account.

With auditors the above aspect is compounded manifold due to the fact that they have extensive experience of seeing varied implementations of the standards for which they conduct audits.

And when you are a lead auditor, you would tend to acquire an attitude also.

An attitude of "having seen it all and done it all".

Such an attitude will generally result in the person becoming rigid in terms of how easily and quickly he or she would want to understand and adopt alternative thought processes.

So if you are the one who is supposed to handle change in the lead auditor as the program lead for certification in your organization how should you go about it?

How do you handle change in the lead auditor?

Here are few points you should consider:
  • Initiate discussion with the lead auditor to get introduced to him or her and also to understand the kind of person you will be dealing with
  • Provide a broad overview of your organization's business context as well as salient aspects of the approach used for implementation of systems and processes in your organization
  • Share any challenge or peculiarity in your compliance set-up. For example:
    • You may have a small remote site office
      • that doesn't have many of the standard controls and practices that are there in the main office (like there is no dedicated security staff but a shared one).
      • that doesn't have the usual support system from a functional point of view (like there may be no team at that site to take care of process and compliance, and such support is provided remotely by the team at the main office, which may not really be that effective).
    • A certain part of the business is outside the ambit of compliance requirements (which in turn would be a deciding factor for the scope of the audit).
    • Non-standard organization structure where the MR may not report into the CEO or the MD but into someone lower down in the hierarchy (and this person will usually not have the required competency for that position and is simply there due to his blind loyalty towards the master!).
    • Other certifications the organization has that would support and/or strengthen the implementation of the standard for which the lead auditor will conduct audits.
  • Organize a pre-audit or gap assessment by the lead auditor. This would help in the following major ways:
    • Better understand the auditor as a person so as to know his or her expectations as well as any idiosyncrasies that you will need to manage.
    • Give the auditor a chance to raise any fundamental issues upfront so that such issues won't come up later during the final audit, which is a serious affair.
    • Use the pre-audit as an opportunity to ensure the auditor fully understands your business context and is fully made aware of any challenges and constraints the organization is facing that would bear upon process and compliance in the organization.
  • Close the observations and suggestions from the pre-audit before the final audit happens
    • This may sound simple but is an extremely fine point to be duly taken care of as the closure has to be exactly in line with the new lead auditor's expectations and not how they used to be closed with the earlier lead auditor around.
    • Even if all points do not get closed it is important the organization is able to demonstrate the seriousness of their intent and the fact that the extent of progress made was reasonable given the time available after the pre-audit and before the final audit.
  • Get ready for show time
    • Yes plan for, prepare for and get the final audit conducted.
    • Hope for the best.
    • But most importantly, expect the best if you indeed did manage the change in the lead auditor well!

How to Plan and Conduct a Gap Analysis Exercise?

In case an organization wants to implement a framework or a methodology, either at the enterprise-level or in a large part of its business, it must use gap analysis as the first step in its journey.

Gap analysis is a very useful mechanism that can make an organizational initiative if done well and mar it if done otherwise.

Gap analysis is conceptually like an audit or assessment where the objective is to determine the difference between the "To Be" state versus the "As Is" state.

Planning and conducting a gap analysis exercise requires consideration of several key aspects.

Some such aspects are explained below.

Pre-Gap Analysis
  • The first and foremost and the most important step in any organizational initiative is to designate a senior person as the leader of the initiative
    • The appointed person should be selected based on the competency and fitment requirements and loyalty should not have any role to play in that
    • The appointed person should be duly empowered, and his accountability should be backed up with adequate level of authority
    • In some organizations, initiatives are started to give "some job" to some "special folks who have nothing to do" in the real sense, such people can't be fired and are also not adding much value but someone senior enough likes them (no need to ask what for?) and unless that is the situation the leader should have no reason to worry!
  • The second thing is to build the required level of awareness and understanding among the leader, the second line and those who will be part of the primary task force, as well as the POCs from various departments

Planning Gap Analysis
  • Then comes the road map and the plan
    • Once the road map is in place it is important to know where the organization stands
    • Basically answer the question - "where do we stand today?"
  • That requires conducting a gap analysis exercise
  • Planning for gap analysis requires clarity on several aspects such as:
    • Scope of business operations that are impacted by the initiative
    • Good idea about which entities to involve in the initiative
    • Expected or desired timeline
    • Assessment and selection of an appropriate external agency (if engaging one is needed)
    • Budget at hand
    • Organizational structure and internal dynamics.

Conducting Gap Analysis
  • The first step involves communicating the gap analysis purpose and schedule to the impacted stakeholders
  • Doing a kick-off meeting is generally recommended as it helps both in building wider visibility about the initiative in the organization as well as helps in sharing crucial details related to the gap analysis with the impacted stakeholders
  • At the very start of the gap analysis, the leader should clearly state the expectations from the initiative as well as ensure all support elements are well in place 
  • Gap analysis if planned well and scheduled well should generally run through smoothly
  • There might be some "funny" stakeholders in the organization who may want special treatment or considerations and that should be dealt with firmly and quickly
    • Letting such stakeholders dictate terms may derail the plan as well as trivialize the entire initiative
  • For coordinating the conduct of gap analysis the leader should appoint someone to take care of the logistics and operational aspects
    • Someone who is good with people handling and schedule management is generally a good choice for this job
    • Someone who has been in the role of audit coordinator or site coordinator in external audits and has done a great job there would be the perfect choice
  • The leader should keep an eye on how the gap analysis exercise is progressing both in terms of the schedule as well as the quality of the technical results
    • The gap analysis should uncover salient points of difference between the "To Be" and "As Is" states so as to effectively guide the next leg of the initiative
    • The findings should be captured clearly and documented in much detail so that recommendations can easily follow from them
  • The last but one part of gap analysis involves preparing the final findings report and sharing with key stakeholders.
  • And the last part of gap analysis is to draw up the recommended actions.

Post-Gap Analysis

After the gap analysis findings and recommended actions are made available to the organization, the leader of the initiative should get down to defining the detailed action plan.

The detailed action plan should clearly state who will do what and by when.

No ambiguities there.

This should then end logically with the dates for follow-up discussions for gap closure verification and the final closure of the gaps.

And if things go all well the "To Be" will eventually become "As Is".

When that happens, the gap analysis did serve its purpose.

And the gap analysis exercise can be termed as successful.

Job done and mission accomplished.

Compliance of Business is Good for Business of Compliance but Great for the Society

These days business enterprises are supposed to ensure their compliance to various laws and regulations.

Over time, the list of such laws and regulations has kept on growing in size.

A very recent example being Data Privacy Laws.

On 28th May 2018, in the European Union, the EU GDPR, a reformed legislation on Data Privacy, came into effect; it lays down rules for the protection of personal data of EU residents both inside and outside the EU.

On 27th Jul 2018, in India, the Government released the Justice BN Srikrishna Committee of Experts Report on Data Protection as well as a Personal Data Protection Bill, 2018.

One important point that emerges when such a thing happens is that the compliance of business results in a positive impact on the business of compliance.

The business of compliance is a lucrative one.

Whenever a new act of law or legislation comes into force, it acts as a force multiplier for those in the business of compliance.

The advisers, consultants, auditors, lawyers and other experts find that there is sudden surge in their demand.

Obviously, increased demand means increased earning potential.

The business of compliance loves changes in the landscape constituting the compliance of business.

New laws, new regulations, new legislation are all good news.

Compliance of business is good for business.

For the organizations, however, this increases the cost of compliance and hence the eventual cost of doing business.

Which is eventually passed to the buyers and the consumers.

This is all fine because many of the new laws, new regulations, new legislation arise due to the ever evolving needs of the society, the buyers and the consumers and also several other stakeholders.

Governments and legislators read the signals and legislate new rules and regulations to keep pace with ever evolving needs of the society, the buyers and the consumers and also other stakeholders.

In summary, it can very well be said that compliance of business is good for business of compliance but great for the society.

CMMI V2.0 - Focus and Key Changes/Additions at PA level

In CMMI V2.0, at the practice area (PA) level, there are some important points that are related to focus in that PA and key changes/additions as compared to V1.3.

A 30,000-foot overview of the key changes/additions is given below, followed by the PA-wise details of the focus and key changes/additions.


CAUSAL ANALYSIS AND RESOLUTION (CAR)
  • Recast from CAR in V1.3 with enhanced scope
  • Focus - Ensure bad things never happen again and good things happen again and again
  • Key changes/additions:
    • Identify causes underlying best practices and not just problems
    • Quantitatively assess the benefits versus the cost of applying, at a broader scale and scope, the actions identified for addressing a cause in a local instance
CONFIGURATION MANAGEMENT (CM)
  • Recast from CM in V1.3 with virtually no changes/additions
  • Focus - Manage integrity of work products through change control and audits
  • Key changes/additions:
    • Not much change fundamentally
DECISION ANALYSIS AND RESOLUTION (DAR)
  • Recast from DAR in V1.3 with major changes/additions
  • Focus - Take high impact decisions in an objective manner
  • Key changes/additions:
    • Use approval matrix (comes from PCMM)
ESTIMATING (EST)
  • New practice area in V2.0
    • Recast from the relevant specific practices in PP in V1.3 and promoted one level up from being a practice to a separate practice area in V2.0 with minor changes/additions
  • Focus - Estimate size, effort, schedule, cost for developing, delivering or procuring the product or service
  • Key changes/additions:
    • Use size explicitly to derive effort estimates
    • Use a formal method explicitly for estimation
    • Use historical data explicitly for estimation
GOVERNANCE (GOV)
  • New practice area in V2.0
    • Recast from GP 2.1 and GP 2.10 in V1.3 with major changes/additions
  • Focus - Provide mechanism for senior management to sponsor and govern process and improvement activities in the organization
  • Key changes/additions:
    • Emphasis is on senior management commitment not only on paper but on ground too (like providing direction, resources, staffing, oversight)
    • Use of quantitative analysis for objective decision making by senior management
IMPLEMENTATION INFRASTRUCTURE (II)
  • New practice area in V2.0
    • Recast from GP 2.2-2.10 and GP 3.1 in V1.3 with minor changes/additions
  • Focus - Emphasize consistent usage of and continuous improvement in the processes used in the organization
  • Key changes/additions:
    • Requires explicit use of organizational processes for performing work
    • Ensure agreed processes are assessed not only for adherence but also for effectiveness
MANAGING PERFORMANCE AND MEASUREMENT (MPM)
  • New practice area in V2.0
    • Recast from an amalgamation of MA and OPP with infusion of QPM practices in V1.3 with major changes/additions
  • Focus - Achieve business objective by managing performance using data
  • Key changes/additions:
    • Take care of data quality (comes from DMM)
    • Analyze/mine performance data systematically to proactively identify areas requiring performance improvement
MONITOR AND CONTROL (MC)
  • Recast from PMC with infusion of IPM practices in V1.3 with major changes/additions
  • Focus - Increase the probability of meeting objectives by detecting early warning signals and addressing them proactively
  • Key changes/additions:
    • Focus on task completion as a key practice (which makes sense since any project at the end is a series of tasks)
    • Monitor the transition of products/services to operations and support (comes from CMMI for Services)
    • Manage critical dependencies (merges this IPM practice in V1.3 into MC in V2.0)
    • Monitor work environment issues (merges this IPM practice in V1.3 into MC in V2.0)
ORGANIZATIONAL TRAINING (OT)
  • Recast from OT in V1.3 with virtually no changes/additions
  • Focus - Develop the skills and knowledge of personnel for performing their assigned roles effectively and efficiently
  • Key changes/additions:
    • Not much change fundamentally
PEER REVIEWS (PR)
  • New practice area in V2.0
    • Recast from the relevant specific practices in VER in V1.3 and promoted one level up from being a practice to a separate practice area in V2.0 with minor changes/additions
  • Focus - Identify and address issues in work-products through reviews by technical reviewers or subject matter experts
  • Key changes/additions:
    • Peer review can be used across the board for any work-product
PLANNING (PLAN)
  • Recast from PP with infusion of IPM and QPM practices in V1.3 with major changes/additions
  • Focus - Develop plan to elaborate upon what is needed to accomplish the work within the standards and constraints of the organization
  • Key changes/additions:
    • Focus on identification and assignment of tasks
    • Plan is seen as the approach for accomplishing work (PMP always contained the process approach in addition to references to various sub-plans)
    • Plan the transition of products/services to operations and support (comes from CMMI for Services)
    • Brings into fold IPM practices in V1.3 related to tailoring, use of organizational process assets and measurement repository, critical dependencies and work environment
    • Brings into fold QPM practices in V1.3 related to process composition
PROCESS ASSET DEVELOPMENT (PAD)
  • Recast from OPD in V1.3 with minor changes/additions
  • Focus - Develop and maintain the organizational process assets that are needed to perform the work
  • Key changes/additions:
    • Talks about not only developing but buying or reusing process assets just like what can be done for technical assets
PROCESS MANAGEMENT (PCM)
  • Recast from OPF and OPM in V1.3 with minor changes/additions
  • Focus - Continuous improvement of processes and process infrastructure for better performance and for accomplishing business objectives
  • Key changes/additions:
    • Take care of process issues also in addition to improvement opportunities
    • Set performance improvement objectives that are traceable to business objectives
    • Identify and improve processes that play a significant role in achieving business objectives
    • Develop the support system to fix process problems and to improve processes
PROCESS QUALITY ASSURANCE (PQA)
  • Recast from PPQA in V1.3 with minor changes/additions
  • Focus - Verify adherence to and enable improvement of processes and resulting work products
  • Key changes/additions:
    • Use quality assurance approach and plan based on historical quality data
PRODUCT INTEGRATION (PI)
  • Recast from PI in V1.3 with virtually no change
  • Focus - Integrate and deliver the solution that addresses requirements
  • Key changes/additions:
    • Not much change fundamentally
REQUIREMENTS DEVELOPMENT AND MANAGEMENT (RDM)
  • Recast from REQM and RD in V1.3 with minor changes/additions
  • Focus - Elicit requirements from customers, ensure common understanding by stakeholders and align requirements, plans, and work products
  • Key changes/additions:
    • Emphasis on requirements prioritization - mention of prioritized customer requirements and not just customer requirements
    • Explicit need for obtaining commitment from project participants for the implementation of the requirements
RISK AND OPPORTUNITY MANAGEMENT (RSK)
  • Recast from RSKM in V1.3 with enhanced scope
  • Focus - Manage potential risks or opportunities
  • Key changes/additions:
    • Manage opportunities in addition to risks (comes from ISO 9001:2015)
SUPPLIER AGREEMENT MANAGEMENT (SAM)
  • Recast from SAM in V1.3 with minor changes/additions
  • Focus - Ensure that the supplier performs in accordance with the agreement, manage supplier relationship
  • Key changes/additions:
    • Monitor and manage supplier invoices
    • Use data to manage supplier performance (comes from CMMI-ACQ)
TECHNICAL SOLUTION (TS)
  • Recast from TS in V1.3 with virtually no changes/additions
  • Focus - Design and develop solutions, products and services that meet customer requirements
  • Key changes/additions:
    • Not much change fundamentally
VERIFICATION AND VALIDATION (VV)
  • Recast from VER and VAL in V1.3 with virtually no changes/additions
  • Focus - Verify that solutions, products and services meet their requirements and validate that they fulfill their intended use in their target environment
  • Key changes/additions:
    • Not much change fundamentally

EU GDPR (General Data Protection Regulation) - Some Key Points

On 25th of May 2018, one of the most sweeping changes business organizations have seen in several years has come into effect - the General Data Protection Regulation (GDPR).

GDPR applies to every company that has collected data on EU and UK citizens regardless of its location or size – even “small” businesses and those based outside the EU and UK.

While it’s partly a security regulation, it’s also a privacy regulation designed to protect individual citizens’ basic human rights to control what personal data companies collect and keep about them.

It mandates that privacy needs to be built into systems, products, services, policies and processes as a default and by design.

Which means data privacy needs to be considered while the system is being designed and developed and not as an addition or afterthought.

Here are some key points related to privacy rights of an individual in EU GDPR:
  • Flow of personal information from consent till “forget me” needs to be handled with absolute care
  • Clear understanding of the end-to-end mapping of the flow of data is required to ensure the above
  • GDPR significantly enhances the rights of an individual over his or her personal information on key aspects such as consent, access, processing, oversight, deletion, breach and transfer
  • Allows users to object when their data is used improperly for marketing or profiling
  • Gives users the “right to be forgotten” by a company, e.g., have all of their data erased
  • Gives users the right to have their data transferred to another company
  • Privacy Impact Assessment (PIA) is required where privacy risks are high

Here are some key points related to consent management in EU GDPR:
  • Under GDPR, users must give clear consent in affirmative for companies to collect and use their data, and companies can only use the data for the purpose for which it was collected
  • It also outlines special protections for children’s data, so an organization must ensure that its systems are accurately verifying ages and getting parental or guardian consent for children before processing data
  • Consent to use data needs to be obtained in an intelligible and easily accessed form that uses clear and easy-to-understand language
  • Withdrawing consent must be equally easy
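The two lists above (individual rights such as "forget me", and consent management with purpose limitation and easy withdrawal) describe obligations rather than code, but they map directly onto a small data structure. The following is an added example, not code from the original post or from any regulator: a minimal consent ledger in which personal data can only be handed out for a purpose the subject has affirmatively consented to, withdrawal is a single call symmetric with granting, erasure removes everything held about the subject, and a helper computes the 72-hour DPA notification deadline mentioned in the breach section. The class and function names, subject ids, purposes and sample data are all constructed for illustration.

```python
"""Added example: a privacy-by-design consent ledger modelling the GDPR points
listed above (affirmative consent per purpose, purpose limitation, easy
withdrawal, erasure, 72-hour breach notification).  Every name, purpose and
data value here is constructed for illustration and is not from the post."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ConsentError(PermissionError):
    """Raised when personal data would be used without a consent that covers it."""


@dataclass
class SubjectRecord:
    data: dict = field(default_factory=dict)      # personal data actually held
    consents: dict = field(default_factory=dict)  # purpose -> True while in force
    history: list = field(default_factory=list)   # append-only audit trail of events


class ConsentLedger:
    def __init__(self):
        self._subjects = {}  # subject id -> SubjectRecord

    def collect(self, subject_id, data, purpose):
        """Store data only together with an explicit consent for a named purpose."""
        rec = self._subjects.setdefault(subject_id, SubjectRecord())
        rec.data.update(data)
        rec.consents[purpose] = True
        rec.history.append(("granted", purpose))

    def withdraw(self, subject_id, purpose):
        """Withdrawal is one call, as easy as granting; the audit trail is kept."""
        rec = self._subjects[subject_id]
        rec.consents[purpose] = False
        rec.history.append(("withdrawn", purpose))

    def use(self, subject_id, purpose):
        """Purpose limitation: release data only for a purpose currently consented to."""
        rec = self._subjects.get(subject_id)
        if rec is None or not rec.consents.get(purpose, False):
            raise ConsentError(f"no consent from {subject_id!r} for {purpose!r}")
        return dict(rec.data)  # a copy, so callers cannot mutate the record

    def forget(self, subject_id):
        """Right to be forgotten: drop everything held about the subject.
        Returns True if there was anything to erase."""
        return self._subjects.pop(subject_id, None) is not None

    def holds_data_for(self, subject_id):
        return subject_id in self._subjects


def breach_notification_deadline(detected_at):
    """72-hour window for reporting a breach to the DPA, counted from detection."""
    return detected_at + timedelta(hours=72)


def demo():
    """Walk a constructed subject through collect -> use -> withdraw -> forget."""
    ledger = ConsentLedger()
    sample = {"email": "a@example.test", "ip": "192.0.2.10"}  # constructed sample PII
    ledger.collect("subj-0001", sample, "service_delivery")
    ledger.collect("subj-0001", {}, "marketing")
    allowed = ledger.use("subj-0001", "marketing")      # consent in force
    ledger.withdraw("subj-0001", "marketing")
    try:
        ledger.use("subj-0001", "marketing")             # must now be refused
        blocked = False
    except ConsentError:
        blocked = True
    still_ok = ledger.use("subj-0001", "service_delivery")  # other purpose unaffected
    ledger.forget("subj-0001")
    gone = not ledger.holds_data_for("subj-0001")
    detected = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    deadline = breach_notification_deadline(detected)
    return allowed, blocked, still_ok, gone, deadline


if __name__ == "__main__":
    print(demo())
```

The point of keeping consent per purpose rather than as a single flag is that withdrawing marketing consent must not silently break service delivery, and that `use()` is the only path to the data, so purpose limitation is enforced in one place instead of at every call site.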

Here are some key points related to Personally Identifiable Information (PII) in EU GDPR:
  • Personally Identifiable Information (PII) includes location, IP address, online identifier
  • PII definition is much broader now and includes information related to 
    • genetic and biometrics aspects
    • health and medical condition
    • sexual orientation
    • race, ethnicity
    • mental condition
    • cultural, economic, social aspects
    • political opinion
    • criminal records
    • religion
    • ideological beliefs

Here are some key points related to major privacy related organizational roles in EU GDPR:
  • Data subject – an individual who can be identified by reference to an identifier
  • Data controller – privacy stakeholder that determines the purpose and means for processing PII
  • Data processor – privacy stakeholder that processes PII on behalf of and in accordance with the instructions of a PII controller
  • Data Protection Officer (DPO) - appointment of a DPO, a custodian-like role, is mandatory for companies processing high volumes of personal data and good practice for others
  • Data Protection Authority (DPA) - the DPA is a supervisory authority, and companies doing business globally will have to deal with one supervisory DPA

Here are some key points related to breaches and violations in EU GDPR:
  • Mandates that users and governing bodies be notified if their personal data is compromised.
  • A data breach needs to be reported to the Data Protection Authority (DPA) within 72 hours
  • Imposes significant fines on non-compliance
    • Level 1 - €10 million or 2% of the worldwide annual revenue of the prior FY, whichever is higher
    • Level 2 - €20 million or 4% of the worldwide annual revenue of the prior FY, whichever is higher
  • Data processor can also be directly held liable for any breach of personal data

Handling an Egotist Auditor

The term egotist auditor cannot be viewed as an oxymoron.

An auditor cannot but be an egotist.

And like any egotist, an auditor doesn't like to be challenged.

If you challenge an egotist, he will dig his heels in deeper.

He will be more adamant.

Also, like any egotist, an auditor would demand to be respected by those being audited.

Auditors may have richer experience because they visit different set-ups, but the concepts and basic principles remain the same whichever organization it might be.

Auditors need to justify their worth.

So if they fail to find any gaps in an audit, it might, in their view, reflect poorly upon their competency.

So at times they end up highlighting issues which may really be non-issues.

Some examples:
  • Something was missed five years back, but after that the process continued to be followed. Is such a gap worth highlighting? Ideally, no. But auditors may take vicarious pleasure in doing so. And what action would be required to close this issue? Nothing, since it's already happening.
  • The reference model or standard may not require it, but the auditor may have his quirks and idiosyncrasies and demand certain things to be done for reasons best known to him. How can a "good to do" thing be a requirement? It can't be and shouldn't be, but an egotist would not care to bother.
  • The auditor would raise illogical, unnecessary and meaningless findings that would be technically feasible and would need to be logically closed by saying this was analyzed and found to be technically not feasible. If that point is brought to the auditor's notice, he would refuse to even have a discussion on it. He might say, "is it urgent?" and sweep the need for a discussion under the carpet. Or say "leave that to me". Basically, wherever he is on weak ground he will refuse to listen.
The above examples show the kind of idiotic things that can happen when you have to handle an egotist auditor.

What else can be expected from an egotist?

Anyone full of conceit and a needlessly high sense of self-importance would do precisely that.

Also, such an auditor may take affront for trivial reasons.

This shows that the egotist auditor has a short fuse which is always ready to blow up.

The slightest challenge or provocation can result in the auditor losing his cool.

He may throw unnecessary tantrums too.

An auditee may fall sick and there's not much that can be done to help that.

Why, even the auditor may also fall sick.

If someone is not available because of a medical emergency, the audit process should have a provision to handle such a situation.

So how to handle an egotist auditor?

This involves a very simple trick.

Pamper his ego. Keep him in good humour. Tolerate his tantrums.

Showing respect (fake or otherwise) for the ego of an egotist is all that is needed.

That's all. Nothing beyond that.

CMMI V2.0 Appraisals - Part 2

An earlier post titled CMMI V2.0 Appraisals - Some Important Points (https://business-process-improvement-blog.blogspot.in/2018/04/cmmi-v20-appraisals-some-important.html) elaborated upon some important and interesting points related to CMMI V2.0 appraisals.

Here are some more interesting observations regarding CMMI V2.0 appraisals.
  • The cost of a CMMI appraisal, and of the implementation preceding it, will become substantially higher.
    • This starts with the CMMI model itself. It now comes at a price, and a steep one at that.
    • Not only that, the price is for one copy and is tied to the individual in whose name it is purchased.
    • This is amusing: the organization will pay the money but the employee will own the copy of the CMMI model.
    • So what happens when an employee with a purchased CMMI model in his name leaves the organization?
  • The cost and stakes of becoming an appraisal team member will also go up.
    • An organization would need to pay a significantly higher amount for every appraisal team member who is part of the CMMI model-based appraisal conducted in the organization.
    • Not only that, those who want to become an appraisal team member will also need to pass an exam on CMMI model proficiency.
      • If you are in the process, excellence or quality group, this would still make some sense.
      • But if you are in operations, delivery or development, it is anybody's guess as to how much sense it would make.
  • Though the appraisal method now offers something called a sustainment appraisal, in most situations it will not make practical sense to go with it.
    • In today's business world, organizations are in a state of constant churn and change.
    • The reality of the business climate is such that organic and inorganic growth or de-growth, merger/de-merger or reverse merger, acquisitions or takeovers, spin-offs or sell-outs are too frequent and too many.
  • Also, the appraisal method, and the model as well, are still written with the view of a large defense software supplier developing a long-duration, large-sized software-based system or product.
    • What about appraisals for other scenarios that are all too common these days:
      • software start-ups?
      • mobile apps development?
      • short-releases?
      • truncated SDLC work?
      • project teams working in an integrated mode with the customer and largely using customer processes/tools?
    • CMMI appraisals should be tailored to the above scenarios, and the model should provide meaningful interpretations of the various practices in the above contexts.
    • Without that, organizations that go for a CMMI appraisal may need to do certain things only for the purpose of the appraisal.
    • Model guidance should ensure that practices are meaningful in different contexts and provide useful value, and hence happen irrespective of whether an appraisal happens or not.
Unless and until the CMMI model and its appraisal method take a practical view of the above considerations and address them in a meaningful manner, it will be a long and hard road for CMMI to remain really useful.

High Maturity Practices in CMMI V2.0

CMMI V2.0 treats high maturity practices in a somewhat different manner.

The practice areas have practices distributed across capability levels, running from level 1 to level 5.

Practices at capability levels 4 and 5, cutting across the various practice areas, together constitute what can be called the high maturity practices in CMMI V2.0.

As explained in a previous post titled CMMI V2.0 - Some Interesting Observations (https://business-process-improvement-blog.blogspot.in/2018/04/cmmi-v20-some-interesting-observations.html):
  • There are two practice areas that have all 5 capability levels - CAUSAL ANALYSIS AND RESOLUTION (CAR) and MANAGING PERFORMANCE AND MEASUREMENT (MPM).
  • And there are four practice areas that have 4 capability levels - SUPPLIER AGREEMENT MANAGEMENT (SAM), PLANNING (PLAN), PROCESS MANAGEMENT (PCM) and GOVERNANCE (GOV).
So the study of high maturity practices in CMMI V2.0 is essentially a close study of the capability level 4 and 5 practices of the following practice areas:
  • CAUSAL ANALYSIS AND RESOLUTION (CAR)
  • MANAGING PERFORMANCE AND MEASUREMENT (MPM)
  • SUPPLIER AGREEMENT MANAGEMENT (SAM)
  • PLANNING (PLAN)
  • PROCESS MANAGEMENT (PCM)
  • GOVERNANCE (GOV)

CMMI V2.0 Appraisals - Some Important Changes Over CMMI V1.3

The CMMI V2.0 appraisal method has also been released along with the CMMI V2.0 model.

Some interesting observations related to the CMMI V2.0 model have been captured in an earlier post titled CMMI V2.0 - Some Interesting Observations (https://business-process-improvement-blog.blogspot.in/2018/04/cmmi-v20-some-interesting-observations.html).

The CMMI V2.0 appraisal method definition document (MDD) contains the details of the appraisal method to be used while performing CMMI appraisals going ahead.

Here are some important points related to CMMI V2.0 appraisals:
  • In CMMI V2.0, three types of appraisal methods have been made available - benchmark, sustainment and evaluation
  • Benchmark appraisal
    • Like SCAMPI A in V1.3 (actually replaces SCAMPI A) or re-certification audit in ISO standards
    • Results in a maturity level rating valid for three years
  • Sustainment appraisal
    • Like SCAMPI A equivalent in V1.3 or surveillance audit in ISO standards
    • Appraisal performed on one-third of the scope of the benchmark appraisal
    • Results in extending the maturity level rating of a benchmark appraisal for another two years
  • Evaluation appraisal
    • Like SCAMPI B/C or equivalent in V1.3 (replaces SCAMPI B/C) or gap analysis in a general sense
    • Does not result in any maturity level rating
    • Intended for use by organizations against any scope, both in terms of the scope of the organization and the scope of the CMMI V2.0 model
  • Projects in appraisal scope will be selected based on statistically validated random sampling using a random sample generator system (goes live in October 2018)
    • This will help remove any bias from sample selection
    • This change is a very significant one and will certainly make things tougher for many organizations
    • However, if an organization has implemented the CMMI model in the right way, there is really no need to worry!
  • Appraisals against CMMI V2.0 model using CMMI V2.0 appraisal method will start getting accepted from January 2019
    • The random sample generator system is supposed to go live before that
  • Appraisals against CMMI V1.3 model using CMMI V1.3 appraisal model will stop getting accepted after 1 April 2020
    • After that only appraisals against CMMI V2.0 model using CMMI V2.0 appraisal method will be considered valid
  • An organization can undergo a maximum of three consecutive sustainment appraisals before it is mandatorily required to undergo another benchmark (re)appraisal
  • CMMI appraisals will follow a 9-year repetitive cycle, similar to the 3-year repetitive cycle followed in the case of ISO certifications.
    • The ISO certification cycle starts with a (re)certification audit, followed typically by two surveillance audits at the end of year 1 and year 2 respectively, and then another (re)certification audit at the end of year 3. The audit cycle repeats as per the above rhythm.
    • The CMMI appraisal cycle will start with a (re)benchmark appraisal, followed by three sustainment appraisals at the end of year 3, year 5 and year 7 respectively, and then another (re)benchmark appraisal at the end of year 9. The appraisal cycle repeats as per the above rhythm.
  • Period of validity of a maturity level rating resulting from a CMMI V1.3 appraisal is not allowed to be extended using sustainment appraisal
    • Hence upgrading to CMMI V2.0 appraisal method at the earliest is highly recommended from cost optimization point of view

CMMI V2.0 - Some Interesting Observations

CMMI V2.0 was released on March 28, 2018. V2.0 is the next release after V1.3 and will replace it completely once the sunset period ends on March 31, 2020.


At the first glance, and on a cursory walkthrough of CMMI V2.0, here are some interesting observations on V2.0:
  • The structure of the framework has changed.
    • At the first layer, there are "Categories". There are 4 categories - Doing, Managing, Enabling and Improving.
    • At the second layer, there are "Capability Areas". There are 9 capability areas spread across the four "Categories".
    • At the third layer, there are "Practice Areas". There are 20 practice areas in all in CMMI V2.0.
    • At the fourth layer, there are "Capability Levels". There are 5 capability levels. Not every practice area has all five capability levels.
      • In fact, there are just two practice areas that have all 5 capability levels - CAUSAL ANALYSIS AND RESOLUTION (CAR) and MANAGING PERFORMANCE AND MEASUREMENT (MPM).
      • And there are four practice areas that have 4 capability levels - SUPPLIER AGREEMENT MANAGEMENT (SAM), PLANNING (PLAN), PROCESS MANAGEMENT (PCM) and GOVERNANCE (GOV).
      • There is just one practice area that has only 2 capability levels - CONFIGURATION MANAGEMENT (CM).
      • The remaining (thirteen) practice areas have 3 capability levels.
    • At the fifth and final layer, there are "Practices". These practices, effectively speaking, constitute the CMMI V2.0 requirements. There are 198 practices in all, spread across the 20 practice areas.
  • Estimation has become a full-fledged and separate practice area. It used to be a part of the "Project Planning" process area in CMMI V1.3.
    • Not only that, the workflow for estimation is clearly laid down in the model - scope the work, estimate the size, estimate the effort using size, estimate the time/schedule, estimate the cost, and record the rationale/assumptions throughout the above workflow.
    • There is no longer any ambiguity in V2.0 around the need for sizing, unlike in V1.3 where it was implied by the specific practice "Establish and maintain estimates of work product and task"
  • In the measurement-related practices in V2.0, there is now an explicit practice related to "Data Quality". This was always important and was implicitly included in V1.3 as a note, but with Data Management Maturity (DMM) coming into the picture, this has acquired increased significance.
  • The practices at level 4 (in whichever practice areas they appear) seem to focus on using data/metrics to manage the related activity. In a similar manner, the practices at level 5 (in whichever practice areas they appear) seem to focus on using data/metrics to improve the related activity.
    • The twist in the tale is that though level 5 appears in only two practice areas - CAUSAL ANALYSIS AND RESOLUTION (CAR) and MANAGING PERFORMANCE AND MEASUREMENT (MPM) - both of these are so generic that they apply to every other practice area and virtually every activity that happens in any project!
  • The above has a fundamental, deep and direct connection with how an organization can achieve sustained success. There is essentially a very simple two-step approach:
    • What is step 1? Plan things very well. And how can this be taken care of? Follow practices similar to what would be expected in an area like MANAGING PERFORMANCE AND MEASUREMENT (MPM).
    • What is step 2? In case things don't go as per plan, analyze and address the underlying reasons in a permanent manner, so that those reasons are forever addressed. And how can this be taken care of? Follow practices similar to what would be expected in an area like CAUSAL ANALYSIS AND RESOLUTION (CAR).
  • A schematic structure of CMMI V2.0 is given below. It shows the "Categories", "Capability Areas", "Practice Areas", "Capability Levels" and the number of "Practices" at each capability level that appears for a specific practice area.

CMMI V2.0, CMMI V2.0, CMMI All the Way - Building World Class Company

CMMI V2.0, the next version of the CMMI model, is apparently ready for release.

We are right now in March of 2018, CMMI V2.0 is tentatively slated for release some time later this month.

CMMI V2.0 is structurally different from CMMI V1.3, the current version that will soon become the older one!

CMMI V2.0 will have broad categories like doing, managing, enabling and improving.

This very well corresponds with the characteristics any world class organization should possess.

Any organization needs to focus on essentially four sets of activities.

Many of the business excellence frameworks focus on these very well.


Do Part

This includes the cycle of sell-develop-deliver or develop-sell-deliver and refers to performing those core activities that impact the "revenues from operations" like engineering, manufacturing, design and development, service provisioning etc.

This also includes acquiring customers and delivering to them.

Manage The Do Part 

This includes the activities to manage the core activities and refers to activities such as estimating scope of work, schedule, resources required and cost.

This also includes kicking off, planning, monitoring & controlling the various logical threads of work to their closure.

Manage The Environment Around The Do and The Manage Part 

This includes everything else the organization does apart from core activities and their management and includes those activities that would eventually constitute expenses on the profit & loss statement.

This also includes:
  • leadership & strategy
  • engagement with customers and suppliers
  • hiring, managing and motivating the staff
  • administrative activities like ensuring physical and IT/network infrastructure support,
  • compliance to rules and regulations that apply beyond the core activities and their management
  • managing communications to and dependencies with various stakeholders across the board.

Improve the Above Part

This includes improving the way the above three are performed, in descending order of priority from top to bottom.

One interesting question would come up at this point.

How do the broad categories in CMMI V2.0 map against the four sets of activities above?

So here it goes:

Doing in CMMI V2.0

"Do Part" covers CMMI practices pertaining to "Doing" in totality.

Managing in CMMI V2.0

"Manage The Do Part" covers CMMI practices pertaining to "Managing" in totality.

Enabling in CMMI V2.0

"Manage The Do Part" covers CMMI practices pertaining to "Enabling" in totality.

Enabling in CMMI is focused on core activities and their management. 

However, "Manage The Environment Around The Do and The Manage Part" covers the whole gamut beyond core activities and their management.

So that way this is a miss. But that would be so, since in CMMI the core activities and their management continue to be the focus.

"Manage The Environment Around The Do and The Manage Part" is important from an overall business excellence perspective.

Improving in CMMI V2.0

"Improve the Above Part" covers CMMI practices pertaining to "Improving" in totality.

Improving in CMMI is focused on core activities and their management.

However, "Improve the Above Part" covers the whole gamut beyond core activities and their management.

When Christmas time is around, one would often hear - Jingle bells, Jingle bells, Jingle all the way!

Well, the same can probably be said about CMMI V2.0 at this point in time: CMMI V2.0, CMMI V2.0, CMMI All the Way!

List of Posts on CMMI V2.0

CMMI Next Gen
https://business-process-improvement-blog.blogspot.in/2015/09/cmmi-next-gen.html

Next Generation of CMMI Version 1.3 - Will it be Version 2.0? Or Version 1.4? Or Simply CMMI Next Gen v1.0?
https://business-process-improvement-blog.blogspot.in/2017/08/next-generation-of-cmmi-version-13-will.html

CMMI V2.0 - Some Major Changes and Improvements Over CMMI V1.3
https://business-process-improvement-blog.blogspot.in/2017/09/cmmi-v20-some-major-changes-and.html

CMMI V2.0 - Some Major Changes and Improvements Over CMMI V1.3 - Part 2
https://business-process-improvement-blog.blogspot.in/2017/10/cmmi-v20-some-major-changes-and.html

How to Handle a Bad Ass Auditor?

Before getting to the question "how to handle a bad ass auditor", it is useful to first understand what a bad ass auditor is.

So what is a bad ass auditor?

A bad ass auditor typically exhibits the following characteristics:
  • He is close to the top man in the organization and his coterie and is more like a friend who will oblige, eventually.
  • He is not really that competent in the subject matter but has this great (but unfortunately, totally false) impression going for him that "he is highly knowledgeable".
  • His knowledge is very shallow and at times totally wrong. However, in case he is challenged he immediately and visibly gets very upset.
  • He is very polished in his interactions but carries a jumbo-sized ego behind the facade of professionalism. When push comes to shove he shows his true colours.
  • He shows that he is very principled and highly ethical but scratch the surface a little bit and the underlying layer which is dark and dirty comes out into the open.
  • He has preconceived and cliched views on most concepts and doesn't deviate from them even when the situation demands it.
  • He is generally incompetent but adopts a formulaic approach to talking about things and getting things done, and thus creates the impression that he is not incompetent.
So how to handle such a bad ass auditor?

Here are some tricks that can be considered.

However, remember the bad ass auditor has a big, jumbo-sized ego.

So the exact trick for handling him will have to be evolved gradually through several hits and trials.
  • Massage his ego; praise his knowledge and understanding of the formulaic things he speaks about. Some of those things will be completely incorrect and nonsensical, but as long as he sticks to the formula it is perfectly fine.
  • Confront him in case he says something totally incorrect on anything outside the formulaic things he generally talks about. Though that will hurt his ego, there is a possibility he will be careful when speaking about new things and stick to his formula. Such occasions also bring forth his incompetence, but never highlight that too much.
  • See if you can discuss some of these aspects with the top man in the organization and his coterie. This may as well backfire, because the bad ass auditor takes care to create a great impression about himself with these folks. That's why he is bad ass, and not only that, the top man and his coterie in such organizations are also bad ass at some level. The simple corollary being, a bad ass will always like another!

Why is the Process Culture in an Organization so very Important?

What is an organization?

In a very simplistic sense, an organization can be defined as a group of people working on projects to develop and sell solutions, products and services to an identified set of target customers.

So an organization is a set of people and projects serving certain customers.

But people join and leave. Projects start and end. And customers come and go.

So what is an organization?

It is not people. It is not projects. And it is not even customers.

The fabric tying the above three pieces together is what converts a group of people, projects and customers into an organization.

What is this fabric?

This fabric is like a glue that binds things together.

This fabric is nothing but the systems and processes that drive the business operations of the organization.

Since this fabric is so important, process culture in an organization is thus so very important.