CMMi e IT Governance

Presentation by, Chandrima Das (07030241006) Raveesh Goswami (07030241024) Sampreeth Agara (07030241029) Sourabh Soni (07030241032) Surbhit Bansal (07030241033) Vijay Chakule (07030241035)

What is CMMI??

IT Governance & Benefits:

How CMMI bridges gap

Decision Rights, Communication and Accountability:
1. 2. 3. 4.

IT Governance at its essence is about decision-making and communications. The need stems from need of organizations to make good decisions and communicate them effectively. Poor outcomes force org. to review the decisions made and place structures supporting better decisions. The decisions can be: 1. Whether to invest in a new initiative. 2. Approve an annual report 3. Provide access to sensitive data
4.
5. 6.

Include software code in a release.
Project funding, project content management, architecture content. Quality management that are made in the course of executing the processes.

How CMMI helps:
€

Possible to establish enforceable governance decisions within the processes of an organization. Helps in demonstrating to the business what is working and what is not, How those processes may be changed to create greater benefit to the business. Briefly, we say the governance process is applied to the governed processes. Example : - Operation metrics specifications daily basis for exerting control on the business processes. An example: - daily average response time. For the developing organizations, code churn -- the frequency of changes in program source code -- would be an operational measure but without proper methods that would lead to improper decision making about company¶s growth.

€ €

€

€

€

Benefits to the Organization:
1.

Process Improvement- monitored against historical data, creation of a viable, improvable process infrastructure, focus on defining and following its processes. Quality products/Services- Quality products are a result of quality processes. Value for Stakeholders- Quality products, predictable schedules, and effective measures to support management in making accurate and defensible forecasts. Employer of Choice- Emphasizes training, both in disciplines and in process, Engg. Comfortable. Enhanced Customer Satisfaction- Meeting cost and schedule targets with high-quality products. Increase in market share- Improves estimation reducing variability to enable better & accurate bids. Meeting of quality goals. Cost Savings- Historical data collected to support project estimation

2.

3.

4.

5.

6.

7.

Examples of CMMI impact-ROI
1. 2. 3.

Accenture- 5:1 ROI for quality activities. Raytheon: Avoided $3.72M in costs due to better cost performance. Siemens: 2:1 ROI over 3 years with benefits amortized over less than 6 months. Northrop Grumann: 13:1 for defects avoided per hour spent in training and defect prevention. $3.9 B Estimated 2003 Sales after CMMI 5 certification. Northrop Grumman Mission Systems focused on the long-term culture change: 1. 2. 3. 4. 5. 6. 7.

4.

More data-driven decision making Identifying and meeting the customers¶ needs Disciplined project management Improved engineering first-time quality to reduce re-work Efficient organizational infrastructure Use of industry best-practices Capturing of internal best-practices

Costs and Benefits of CMMI:

CMMI and COBIT:
CMMI is the perfect complement to COBIT. € COBIT pinpoints the need for certain controls and CMMI puts them into place. € CMMI is very detailed and geared mostly to software development.
€
y Focuses on continuous improvement. y Can be used for self-assessment.

COBIT and CMMI: contd..
COBIT Processes addressed by CMMI are
1. 2. 3. 4.

Plan and Organize (3 out of 10 C Objectives) Acquire and Implement (3 out of 7 C Objectives) Deliver and Support (4 out of 13 C Objectives) Monitor and Evaluate (1 out of 4 C Objectives)

COBIT
Plan and Organize

Relationship with CMMI
Provides better support for objectives with greater project focus such as requirements, risks, quality and project Management Provides excellent coverage for achieving and implementation objectives Project Management processes can be translated to support management of service levels, third parties, capacity, problems and data Continuous operation and user support services are not well covered

Acquire and Implement Delivery and Support

Monitor

Provides for monitoring functions at the project level. Does not involve audit controls at the organization level

10 Threats to Sarbanes-Oxley Compliance (* According to Deloitte) :
1.Lack of an enterprise-wide, executive-driven internal control management program 2. Lack of a formal enterprise risk management program 3. Inadequate controls associated with the recording of non-routine, complex, and unusual transactions 4. Ineffectively controlled post-merger integration 5. Lack of effective controls over the IT environment 6.Ineffective financial reporting and disclosure preparation process 7. Lack of formal controls over the financial closing processes 8. Lack of current, consistent, complete and documented accounting policies and procedures 9. Inability to evaluate and test controls over outsourced processes 10. Inadequate board and audit committee understanding of risk and Control

How CMMi helps in the aligning of business goals and IT goals:

€

Where RM, PP, PMC, SAM, M&A, PPQA, OT, DAR, OID, CM, RD, TS, PI, Ver, Val, IPM, OPP, OID, CAR are the process areas of CMMi.

CMMI and ITIL:
€

Implementing CMMI and ITIL improves the Software Development Process and Software Quality and reduces the Cost Of Quality (COQ). Time to market reduced and precision in estimation of effort and cost enhanced. CMMi is the de facto quality standard for SDLC. ITIL for many is the tool of choice for the operations and infrastructure side of IT CMMI doesn't address IT operations issues (security, change and configuration management, capacity planning, troubleshooting and service desk functions). This is why ITIL is used.

€

€ €

€

CMMI and ITIL : A case
€

Digite¶s case: With their CMMI implementation, they also answered the questions regarding the scope of mapping between ITIL & CMMI practices. Thus ,CMMI to ITIL is a obvious graduation.
CMMI processes areas ITIL processes that CMMI maps

Project Planning Project Monitoring and Control Integrated Project Management Measurement & Analysis Configuration Management Requirement Management/Development Risk Management

Problem Management Helpdesk Incident Management Change Management Configuration Management Service Level Management Planning and Control Contingency Planning

Validation Security Management Product Integration etc

Synergy b/w ITIL CMMi & 6 sigma:

CMMI Vs ISO 27000
CMMI ISO 27000
€Organizations can be ISO 27000 certified. €It is for a family of information security € Organizations cannot be CMMI certified. €An organization is appraised and is

awarded a 1-5 level rating. € (CMMI) is a process improvement approach. €Covers practices for planning, engineering, and managing software development and maintenance € CMMI best practices are published in documents called models. € Each model address a different area of interest. €These key practices improve the ability of organizations to meet goals for cost, schedule, functionality, and product quality. € Adapted to each individual organization according to its business objectives.

management standards. €In series of 27001 ± 27000+. €Provides uniformity and consistency throughout the ISMS family. €Provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS.

Gap still prevails even after applying standards like CMMI
1.

Process:
1. 2.

Process inconsistency is the key driver of waste in development. CMMI do not address other sources of waste such as availability of right resources at right time and complexity of architecture.

2.

Metrics:
1. 2. 3.

Focuses on measuring key performance indicators in development same as business measure productivity. Helpful in environments with mature and well documented frameworks. Do not measure the waste that may occur in early stages of development.

3.

Technology:
1. 2.

Technology used in development primarily focuses on automation such as code generation, documentation and version control. Does not address the fundamental behavioral and cultural aspects that are necessary to improve the productivity.

THANK YOU