CMM vs. ISO - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CMM vs. ISO
  • David S. Craft CIRM, PMP

2
Agenda
  • Who Am I
  • Software Systems Development
  • ISO
  • CMM
  • Sarbanes Oxley

3
Who Am I
  • Managing Consultant, Engineering and
    Manufacturing Services
  • Inventory Control Manager
  • Shift Supervisor
  • Internal ISO Auditor
  • Industrial Engineer
  • Team Leader
  • Consultant
  • Materials Manager
  • VISTA Volunteer
  • Manager Production Planning Control
  • Chief Industrial Engineer
  • Project Manager

5
Process
  • To Develop Software and Systems You Need A
    Process
  • Anything goes
  • Defined
  • Structured

6
Process, people and technology are the major
determinants of project cost, quality and
schedule.
9
Common Misconceptions
  • I don't need defined processes, I have:
      • Really good people
      • Advanced technology
      • An experienced manager
  • Defined processes:
      • Interfere with creativity
      • Equal bureaucracy and regimentation
      • Aren't needed when building prototypes
      • Are only useful on large projects
      • Hinder agility in fast moving projects
      • Cost too much

10
Why We Need Standard Processes
  • Estimating (History)
      • Scope
      • Cost
      • Time
      • Tools
  • Deliver the Product to Estimate (Visibility)
      • Time
      • Cost
      • Quality
  • Handling/Controlling Changes
      • Planned
      • Unplanned
      • Scope Creep

11
How to Achieve Quality Processes
  • ISO
  • CMM

12
ISO CMM Differences
ISO 9001:2000 | CMMI-DEV
International standard, applies to all types of organizations, supports both product and service oriented organizations | Written specifically for software development companies
A brief document about 25 pages long, identifying the minimal requirements for a quality system | A detailed document over 500 pages long
Emphasizes management of a continuous improvement process, based on the PDCA (Plan-Do-Check-Act) model | Emphasizes achieving maturity and improving its process continuously
One level of standard. The standard is based on recommendation | Defines 5 maturity levels of the organization, covering 25 process areas (PAs)

Source: Netta Dotan, Quality Assurance project management, Ronkal Office Technologies
13
ISO CMM Differences: My View
ISO 9000 | SW-CMMI
Outwardly focused | Inwardly focused
Minimum requirements with implied continuous improvements | Explicit continuous quality improvement
Registration Document | No documentation
Certification audit for a 50 employee organization will be executed by 1 -12 auditors during one day | Certification audit for a 50 employee organization will be executed by 4 auditors during 4-5 days

Source: Netta Dotan, Quality Assurance project management, Ronkal Office Technologies
14
ISO CMM Similarities
  • Both require the organization be explicit about
    what their processes and quality systems are
  • Say what you do; do what you say
  • The organization records and tracks data for
    objective analysis
  • Require strong management support to succeed
  • Provide a structured and measured approach to
    quality improvement
  • Require an outside audit for certification
  • Both are refined/improved over time

15
Meet ISO
  • The International Organization for
    Standardization (ISO) is a worldwide federation
    of national standards bodies from some 162
    countries, representing approximately 95% of
    worldwide production. ISO is a non-governmental
    organization established in 1947 to promote the
    development of standardization and related
    activities in the world with a view to
    facilitating international exchange of goods and
    services and development of cooperation in the
    spheres of intellectual, scientific,
    technological and economic activity
  • ISO (International Organization for
    Standardization) is the world's largest developer
    and publisher of International Standards.
  • ISO is a non-governmental organization that forms
    a bridge between the public and private sectors.
    On the one hand, many of its member institutes
    are part of the governmental structure of their
    countries, or are mandated by their government.
    On the other hand, other members have their roots
    uniquely in the private sector, having been set
    up by national partnerships of industry
    associations. Therefore, ISO enables a consensus
    to be reached on solutions that meet both the
    requirements of business and the broader needs of
    society.

16
ISO's Impact
  • In the global economy
  • ISO 9001:2000 and ISO 14001:2004 have become
    thoroughly integrated with the world economy.
  • ISO 9001:2000 is now firmly established as the
    globally accepted standard for providing
    assurance about the quality of goods and services
    in supplier-customer relations.
  • The positive roles played in globalization by
    ISO's standards for quality and environmental
    management systems include the following:
  • a unifying base for global businesses and supply
    chains such as the automotive and oil and gas
    sectors
  • a technical support for regulation as, for
    example, in the medical devices sector
  • a tool for major new economic players to increase
    their participation in global supply chains, in
    export trade and in business process outsourcing
  • a tool for regional integration, as shown by
    their adoption by new or potential members of the
    European Union
  • In the rise of services in the global economy:
    nearly 33% of ISO 9001:2000 certificates in 2005
    went to organizations in the service sectors.

17
Where are the Standards (12/31/09)
Sector | Standards | Pages
Generalities, Infrastructure and Sciences | 1,601 | 64,568
Health, Safety and Environment | 734 | 29,491
Engineering Technologies | 4,937 | 223,394
Electronics, Information Technology and Telecommunications | 2,902 | 506,057
Transport and Distribution of Goods | 1,957 | 55,646
Agriculture and Food Technology | 1,054 | 26,286
Materials Technology | 4,373 | 114,269
Construction | 380 | 14,632
Special Technologies | 145 | 3,602
Total | 18,083 | 737,345

18
What are standards?
19
What standards do
  • ISO standards
  • Make the development, manufacturing and supply of
    products and services more efficient, safer and
    cleaner
  • Facilitate trade between countries and make it
    fairer
  • Provide governments with a technical base for
    health, safety and environmental legislation, and
    conformity assessment
  • Share technological advances and good management
    practice
  • Disseminate innovation
  • Safeguard consumers, and users in general, of
    products and services
  • Make life simpler by providing solutions to
    common problems

20
Which ISO Standards
  • ISO 9000 represents consensus on what
    requirements a quality system must meet but does
    not dictate how they should be met.
  • The ISO 9000 series addresses quality management
    and quality assurance standards. It is designed
    to assist organizations in implementing and
    operating an effective quality management system
    (QMS). ISO 9001 defines what quality standards
    should be followed. It does not tell how.
  • The ISO 9000:2000 series is based on 8 key
    principles: Customer Focus, Leadership,
    Involvement of People, Process Approach, System
    Approach to Management, Continual improvement,
    Factual Approach to Decision Making and Mutually
    Beneficial Supplier Relationships

21
ISO 9000 family
  • The ISO 9000 family addresses "Quality
    management". This means what the organization
    does to fulfill:
  • The customer's quality requirements
  • Applicable regulatory requirements,
  • Enhance customer satisfaction,
  • Achieve continual improvement of its performance
    in pursuit of these objectives

22
Quality System Documentation
23
ISO 9001:2000 Structure
  • Quality Management System
      • 4.1 General requirements
      • 4.2 Document requirements
  • Management Responsibility
      • 5.1 Management commitment
      • 5.2 Customer focus
      • 5.3 Quality policy
      • 5.4 Planning
      • 5.5 Responsibility, authority, communication
      • 5.6 Management review
  • Product realization
      • 7.1 Planning of product realization
      • 7.2 Customer-related processes
      • 7.3 Design and development
      • 7.4 Purchasing
      • 7.5 Production and service provision
      • 7.6 Control of monitoring and measuring devices
  • Measurement, Analysis and Improvement
      • 8.1 General
      • 8.2 Monitoring and measurement
      • 8.3 Control of nonconforming product
      • 8.4 Analysis of data
      • 8.5 Improvement
  • Resource Management
      • 6.1 Provision of resources
      • 6.2 Human resources
      • 6.3 Infrastructure
      • 6.4 Work environment

24
Evaluation
  • ISO is a certification model. Typically, an
    internal quality system assessment (audit) is
    performed, repairs made and the organization may
    then submit to a formal system audit lasting for
    several days performed by one of the ISO
    certification bodies. The certificate usually is
    valid for three years and also requires that a
    system of Quality Management be in place,
    including performance of regular internal audits
    and intermediate external audits.

25
Meet CMMI
  • CMMI (Capability Maturity Model Integration)
    models are collections of best practices that
    help organizations to improve their processes.
    These models are developed by product teams with
    members from industry, government, and the
    Software Engineering Institute (SEI). These
    models provide a comprehensive integrated set of
    guidelines for developing products and services.
  • The CMMI-DEV model provides guidance for
    applying CMMI best practices in a development
    organization. Best practices in the model focus
    on activities for developing quality products and
    services to meet the needs of customers and end
    users.
  • Other CMMI models:
      • Acquisition
      • Services
      • People

26
Scope of CMMI
  • CMMI is designed to help identify and prioritize
    process improvement opportunities and facilitate
    organizational change management. The model is
    used for internal process improvement, sourcing
    selection and benchmarking, rather than
    certification
  • CMMI is organized as a process framework that
    clusters related practices into process areas
    that, when performed collectively, satisfy a set
    of goals. It requires that you define specific
    practices to meet specific goals but does not
    define how they are to be implemented.
  • The CMMI provides two representations: staged
    and continuous. The staged view provides five
    maturity levels (Initial, Managed, Defined,
    Quantitatively Managed, and Optimizing) and 22
    process areas (PAs). The PAs at each maturity
    level build on the previous level.
    Alternatively, continuous representation is used
    to focus on a process capability in a desired
    functional area (project management, process
    management, engineering and support) rather than
    maturity levels.

27
Evaluation
  • This is not a certification model, but ratings
    may be announced and published. The SEI
    publishes ratings provided the company gives it
    permission. Formal appraisals are typically 5-10
    days and led by SEI-authorized internal or
    external lead appraisers, using trained teams and
    a formal method. The method is named SCAMPI
    (Standard CMMI Appraisal Method for Process
    Improvement).

29
SCAMPI: Standard CMMI Appraisal Method for Process Improvement

30
Process Areas
Requirements Management | Organizational Process Definition
Project Planning | Organizational Training
Project Monitoring and Control | Integrated Project Management
Supplier Agreement Management | Risk Management
Measurement and Analysis | Integrated Teaming
Process and Product Quality Assurance | Integrated Supplier Management
Configuration Management | Decision Analysis and Resolution
Requirements Development | Organizational Environment for Integration
Technical Solution | Organizational Process Performance
Product Integration | Quantitative Project Management
Verification | Organizational Innovation and Deployment
Validation | Causal Analysis and Resolution
Organizational Process Focus |

32
EIA (Electronic Industries Alliance) Interim Standard

42
CMM Process Areas
Staged | Process Area | Continuous
L2 | Requirements Management | Engineering
L2 | Project Planning | Project Mgmt
L2 | Project Monitoring and Control | Project Mgmt
L2 | Supplier Agreement Management | Project Mgmt
L2 | Measurement and Analysis | Support
L2 | Process and Product Quality Assurance | Support
L2 | Configuration Management | Support
L3 | Requirements Development | Engineering
L3 | Technical Solution | Engineering
L3 | Product Integration | Engineering
L3 | Verification | Engineering
L3 | Validation | Engineering
L3 | Organizational Process Focus | Process Mgmt.
L3 | Organizational Process Definition | Process Mgmt.
L3 | Organizational Training | Process Mgmt.
L3 | Integrated Project Management | Project Mgmt
L3 | Risk Management | Project Mgmt
L3 | Integrated Teaming | Project Mgmt
L3 | Integrated Supplier Management | Project Mgmt
L3 | Decision Analysis and Resolution | Support
L3 | Organizational Environment for Integration | Support
L4 | Organizational Process Performance | Process Mgmt.
L4 | Quantitative Project Management | Project Mgmt
L5 | Organizational Innovation and Deployment | Process Mgmt.
L5 | Causal Analysis and Resolution | Support

43
Examples of CMMI Impact: ROI
  • 5:1 ROI for quality activities (Accenture)
  • 13:1 ROI calculated as defects avoided per hour
    spent in training and defect prevention (Northrop
    Grumman Defense Enterprise Systems)
  • Avoided $3.72M in costs due to better cost
    performance (Raytheon North Texas Software
    Engineering) as the organization improved from
    SW-CMM level 4 to CMMI level 5
  • 2:1 ROI over 3 years (Siemens Information Systems
    Ltd, India)
  • 2.5:1 ROI over 1st year, with benefits amortized
    over less than 6 months (reported under non
    disclosure)
  • (reported by the American Society for Quality)

44
Sarbanes-Oxley Implications
  • With its more than 300 discrete points of
    enforceable law, this is the most significant
    piece of accounting legislation passed since the
    formation of the SEC in 1933
  • SOX was passed with the specific intent of
    increasing accountability and attempting to
    instill ethical behavior in financial reporting
    and business operations.
  • With this increased spotlight on reporting,
    companies must invest resources and focus into
    their internal control process
  • The Act created the Public Company Accounting
    Oversight Board (PCAOB) to oversee the activities
    of the auditing profession and mandated reforms
    to enhance corporate and criminal fraud
    accountability.
  • A goal of SOX legislation is to continually
    improve the transparency of financial and
    business events that can impact the accuracy and
    future validity of financial statements.
    Projects to improve processes and regular review
    of controls will become common-place activities
    as compliance evolves. Tools that simplify
    project completion and track status will better
    enable organizations to cost-effectively undertake
    these projects.

45
SOX Major Sections
  • 302 Corporate Responsibility for Financial
    Reports
      • Requires executives to certify the accuracy of
        corporate financial reports
  • 404 Management Assessment of Internal Controls
      • Requires executives and auditors to confirm the
        effectiveness of internal controls for financial
        reporting
  • 409 Real Time Issuers Disclose
      • Requires any material changes in the financial state
        of the issuer be communicated quickly and with
        supporting data to the public

46
Implications for IT
  • Configuration management is now a must
  • Change controls must be handled more carefully
  • Security, security, security
  • All system changes must be verifiable by a clear
    audit trail
  • Reduce reliance on batch processing, update data
    warehouse more frequently
  • Interfaces from any financial system must be
    documented and controlled
  • IT activities must be aligned with the company's
    governance and risk policies