CIO

Bursting the CMM Hype

As companies stampede offshore to find companies to do their development work, they first need to understand what CMM ratings really mean. Yet few CIOs bother to ask crucial questions, say IT industry analysts and the service providers themselves.

CIOs want to do business with offshore companies with high CMM ratings. But some outsourcers exaggerate and even lie about their Capability Maturity Model scores.

As soon as she walked into the meeting, Jane Smith knew that the executive on the other side of the desk wanted to buy something that Smith wasn't supposed to sell: a trumped-up rating for the executive's software development division so that his company could qualify to bid on contracts from the United States Department of Defence.

Smith (not her real name) is one of a select group of experienced IT pros, called lead appraisers, who go into companies and assess the effectiveness of their software development processes on a scale from 1 (utter chaos) to 5 (continuously improving) under a system known as the Capability Maturity Model, or CMM. The company she was visiting wanted to move up to Level 2, but based on some initial discussions, Smith knew that the company was a 1. Level 1 describes most of the software development organizations in the world: no standard methods for writing software, and little ability to predict costs or delivery times. Project management consists mostly of ordering more pizza after midnight.

After a few initial niceties, the executive leaned across the table to Smith and another lead appraiser who had accompanied her to the meeting and asked: "How much for a Level 2?"

"That's when I got up and left the room," Smith recalls. "The other appraiser stayed. And the company got its rating."

The stakes for a good CMM assessment have got only higher since Smith's close encounter with corruption some 10 years ago. Today, many US government agencies in addition to the DoD insist that companies that bid for their business obtain at least a CMM Level 3 assessment - meaning the development organization has a codified, repeatable process for an entire division or company. CIOs increasingly use CMM assessments to whittle down the lists of dozens of unfamiliar offshore service providers - especially in India - wanting their business. For CIOs, the magic number is 5, and software development and services companies that don't have it risk losing billions of dollars' worth of business from American, European and, increasingly, Australian corporations.

"Level 5 was once a differentiator, but now it is a condition of getting into the game," says Dennis Callahan, senior vice president and CIO of Guardian Life Insurance. "Having said that, there are some Level 3 or 4 start-ups that we might consider, but they have a lot more convincing to do before I would do business with them. They would be at a disadvantage."

With CIOs increasingly dependent on outside service providers to help with software projects, some have come to view CMM (and its new, more comprehensive successor, CMM Integration, or CMMI) as the ultimate seal of approval for software providers. Yet CIOs who buy the services of a provider claiming that seal without doing their own due diligence could be making a multimillion-dollar, career-threatening mistake.

That's because software providers routinely exaggerate their assessments, leading CIOs to believe that the entire company has been assessed at a certain level when only a small slice of the company was examined. And once providers have been assessed at a certain level, there is no requirement that they test themselves ever again - even if they change dramatically or grow much bigger than they were when they were first assessed. They can continue to claim their CMM level forever.

Worse, some simply lie and say they have a CMM assessment when they don't. And appraisers say they occasionally hear about colleagues who have had their licences revoked because of poor performance or outright cheating in making assessments.
