Tuesday, May 22, 2007

Can CMMI apply to a Document Production company?

Hi Jeff,
My name is Renuka from Bangalore India, working as a Quality Executive. I have been in the domain for more than 2+ years and have actively participated in CMMI L3 implementation mainly for the Process area SAM.
Current I'm with a company whose main business is Technical communication for Major development companies in bangalore. We have a tailored QMS in place for the document development lifecyle model. Is it possible that a Document development company could be appraised for CMMI? The QA team here also is an internal development team, which supports for software development eg: online applications internally (who would like be be a revenue generating team instead of only support function).
We have tailored the SDLC to DDLC & use the QMS for the process compliance.

Interesting application of the model! Does your company produce a product? Does it take requirements in, manage them, have a plan, measure performance, design and build, and verify? If so, then I see no reason why you couldn't successfully use the CMMI to benchmark your performance.

Two hints I would give you though. First, spend some time with your selected Lead Appraiser to make sure he/she REALLY understands your business. If you select one with only a systems background he/she MAY not be able to logically make the transition to apply the model to your business. Secondly, take a look at the Continuous Representation of the model. You may discover that it is more appropriate for your situation. Just a thought!


How do we measure CMMI Compliance?

Our Company is growing organization having 500+ software developers and test engineers in the embedded and ASIC division. I am head of SEPG department and implement CMMi level 3. Currently, we are doing self appraisal.
I am looking for standard compliance matrix for CMMi level 2 and 3 process areas for my organization. If you do not mind, then kindly please send me the template for measuring CMMi Compliance Index. Also, please share the document / templates for AgileCMMi for all CMMi level 3 process areas.

Congratulations on performing your self appraisal. Let me ask you this, what are you using to "self-appraise?" This may be the only tool you need. There is no "standard compliance matrix" unless you consider the practices in the model to be one. The way to measure CMMI Compliance is to engage with an authorized SEI SCAMPI Lead Appraiser (either in your area or one that will travel to you) to conduct an objective SCAMPI Appraisal. SCAMPI is the method we use to evaluate CMMI performance and it does not include an standard forms or matrices - although it is a robust methodology.

As a SCAMPI Lead Appraiser, it's my job to evaluate process performance across your organization against the required components of the model (the Goals) and the expected components (the Practices). For a self assessment you could do the same by opening the book and going through it practice by practice Have fun!

Is there a difference between Risks and Risk Sources?

Hello Jeff,
Thank you for your blog which is very instructive and useful for all of us.
I’m part of a quality team as a trainee in an IT company in France, and working on a risk management tool.
After having studied risk sources and risks categories in both CMMI - RSKM and SEI risk taxonomy, I found that most of the time, a given risk may also be a source of risk.
Lack of Human resources may be a risk, but also a source for the risk “Product not delivered on time”;
The element “Uncertain requirements” is present in both RSKM risks sources and risk taxonomy categories.
My question is: "is there a distinction between risks and sources possible, and is it useful to build a risk management tool or plan?"

First of all, let me congratulate you on your obvious level of knowledge about Risks, as well as your knowledge of the CMMI model. Excellent for a trainee! I'll be looking forward to YOUR Blog in the future!

Second, let's step back for a second and try to view the CMMI as a set of guidelines, and the examples in the model as a set of suggestions. In doing that, we see that identifying risk sources is a neat way to ensure that we capture most of the important risks, by providing us with "memory joggers" to help us identify the important ones. You have done so with great clarity.

As to a distinction between risks and sources, you're right! Some risks and sources are related, and some risks can become sources themselves. Should you treat these things differently? I would say "no" and here's why. It's very difficult to get people to adopt a process of any kind, primarily due to the culture change. Add to that the complexity of tailoring guidelines (which force the Project Manager to interpret the process and make decisions about what is appropriate) and it becomes, in some cases, nearly impossible.

As I always am conscious to keep my "Agile" hat on (I believe "Agile" is a philosophy as well as a family of methods) I am always looking for simplicity and an opportunity to streamline as much as possible. In the spirit of this philosophy, I would argue that it would be better for the organization as a whole to deploy a simple set of "risk sources" and not muddy the waters with the maddening and circular discussion that would inevitably take place once you introduce the "source or risk?" conversation. Believe me, I've been tortured through many a similar discussion.
That's what I think anyway. Others may (and probably will!) disagree.

Monday, May 14, 2007

Dear Jeff

I’d like to ask what CANNOT be tailored out from a CMMI perspective. For example, if a tailoring request will result in not meeting an SG or GG in one of the projects, should the request be approved?
I understand that we should determine which parts of our processes must be done, but, from an appraisal viewpoint, what would be considered improper tailoring?

Great question. I think you’ve answered part of it already.
If the tailoring results in not meeting and SG or a GG then it shouldn’t be approved (assuming CMMI compliance is one of your goals of course). But the story doesn’t end there. Remember that the Goals are required, but the practices (SPs and GPs) OR AN ALTERNATIVE are expected. By expected the CMMI means that they need to be satisfied in order to satisfy the goals. I’d be hard pressed to come up with an example of a goal that didn’t require the SPs to actually be satisfied (although there are alternatives – especially in the Agile world).
For instance, it would be pretty tough to “Manage Requirements” (REQM.SG1) without understanding them, obtaining commitment, managing traceability, etc… You get the picture.

One way to handle this is to identify all of the “must have” work products and processes, and then the “should have” work products and processes. Like the practices, the “should” really are “must” unless the project has a good reason for tailoring it out – and has some alternative for it.


Tuesday, May 8, 2007

Can we just have our software department appraised?

Dear Jeff,

We're an ISO9001-2000 certified company working towards CMMI ML 3. Can we be certified in our software department only?

There is a concept in the SCAMPI Appraisal process called the "organizational unit," or "OU." The OU is the targeted organization to be appraised and must be a logical entity or grouping of some kind. This could include: All Web Development Teams, The Project Management Office, and yes, the Software Department. You will need to discuss this with your Lead Appraiser to ensure his/her understanding of your request, but I see no reason that you could not appraise just this part of your company.


Tuesday, May 1, 2007

Can we get to Level Three in 12 months?

Dear Jeff,

I represent a privately held software firm. We were assessed as a CMMI Level 2 organization the first week of April, 2007, and the executive team has challenged the Development organization to achieve CMMI Level 3 within a year. We have had an SEPG in place for over a year, and presently the only full-time person committed to this effort is myself. I have extensive CMM experience from Motorola, as well as leading our CMMI effort here the last 18 months. I know 12 months from CMMI Level 2 to CMMI Level 3 is a challenge, but I truly believe we are capable of obtaining this goal, but to be truthful, the amount of time the Development staff has to dedicate to quality initiatives is minimal. How realistic is it for a software company who has essentially one product that has developed over the course of 10-15 years to achieve CMMI Level 3 within a year after achieving CMMI Level 2?

What are the unforeseen challenges in your opinion?

Level Two to Three in one year is possible . . . but extremely challenging. It comes down to a question of resources and commitment. The SEI expects it to take 18-24 months to make this transition but I believe that is primarily a guideline that assumes that no mature ML 3 process are in place and that you just went from zero to ML 2. That doesn't sound like your situation. Your experience with Motorola, a premier player in the CMMI, will help you here.

Having your SEPG in place will help, but you're going to have to figure out how to get work done. There will more than likely be a large amount of work to do over the first few months and, since you're a lone ranger, that will be difficult, if not impossible.

I advocate a "virtual team" approach that allocates 5% of all participants time (2 hours per week) in which they focus, under your direction on three components: process design, communication, and education. Once you scope this out, plan it, and make task assignments you become a project leader for the development of a large process "product."

To learn more about this you can download my white paper "Agile CMMI" at www.broadswordsolutions.com/resources.php. The second half of the document explains this technique in detail.

The first test is management's commitment. Tell them about your plan to harness the power and brains of all of your software engineering colleagues to make this real (and to aid in adoption) and gauge their reaction. If you sense enthusiasm and PUBLIC support, then jump in. If not, run away as fast as you can.


Short question gets short answer

Dear Jeff,

CMMI overkill?



Is our Appraisal Team over-reaching?

Dear Jeff,

We are a small organization; only about 20 people support the software projects. We recently completed a SCAMPI B in our quest to reach CMMI-SWML3.

I have a question about the numbers of direct artifacts required for each practice. When we look at Generic practices such as “Identify and Involve RelevantStakeholders,” I understand where it might require 2 direct artifacts to show that we do indeed first identify them, then involve them. But in other cases, how many examples do we need to show? For instance, SAM SP.1.1 wants a list of the acquisition types for each product orproduct component to be acquired. So, say we have 3 products we are acquiring, one CFE, one COTS, and one via subcontract. Now my question is, for all the rest of the SAM SP’s, do we need to show 3 differentdirect artifacts, one for each of the 3 products??

Our SCAMPI B observations revealed that some of the mini-teams repeatedly wanted to see “more such examples to show that the process is an ongoing activity.” I was surprised; I thought the SCAMPI way was to show one good direct and one indirect.

Finally, another thing surprised me from this appraisal team. I know the definition of an Indirect artifact: They are artifacts that are either a consequence of performing the practice, or that substantiate the practice. When we provided them a Direct artifact that they thought was strong, they wanted the Indirect artifact to be linked to that particular Direct artifact. So, if we showed, say, meeting minutes for the Direct artifact, they wanted the Indirect to be something associated with those particular meeting minutes, e.g., an action item that was generated from the meeting, relating to the practice. Is this normal? It presents a challenge for us, because, sometimes it was the case that the meeting minutes were discussing the issue related to the SP, but no action items were generated.

I would appreciate your opinions on any/all of my questions!!

Jeff Says: Whew! I'm tired just thinking about answering this question!

The minimum requirement for evidence in a SCAMPI A Appraisal is OneDirect + (one indirect OR one affirmation). More than the minimum could be required, if the artifacts were incomplete, but if that’s not the case it could easily create an appraisal that has an unreasonable scope. You may drive yourself nuts trying to map one artifact to one practice. In your example, ID and Involve Stakeholders, you might use a RASIC chart to ID the stakeholders, but your evidence of involving them could be partially in your workplan, partially in meeting minutes, meeting logs, emails, or calendar entries. Sometimes the evidence “lives”within another artifact that was meant to satisfy a totally different practice. This type of “synthesis” will greatly reduce the amount of artifacts you need to produce.

Ultimately it’s the Appraisal Team’s responsibility to ferret out that evidence, not your job to create a document for each and every practice. The evidence is out there . . .they just need to be creative in finding it. Of course, you can help them by creating a mapping to the model.

An appraisal is not a “QA Audit.” The team should not be auditing that“the correct stakeholders were identified for the project and that everyone of them was involved appropriately.” The CMMI isn’t magic – it doesn’t automatically create high performing clients that don’t show upf or meetings. They should be looking for the “infrastructure” you’ve put in place and some evidence that the process was indeed performed. But a functional audit may be too much.

You are correct in your definitions of Direct and Indirect, and your description of the Appraisal Team’s demands for more data seem to be overreaching to me (without knowing the details of course . . . ). There is no requirement that the indirect provided be linked to the direct in the way you’ve described, and there is no requirement that more than one direct be provided to show “ongoing” process performance. Of course, it depends what’s in the direct you’ve provided, but that’s another issue :-). For most cases, if the artifact is complete, one is enough.

That said, if the Appraisal Team (and LA) believe that an artifact or affirmation was fabricated for the Appraisal, or that is has significant weakness they are within their rights to ask for additional information, but that is not as common as you might think.

In the appraisals I lead I do not often see this – although I have heard of it happening. In your example for SAM you should be providing the direct artifact thatdescribes the types of products you would need to acquire, and one or more examples of how the acquisition was managed.

On the face of it, it sounds like your appraisal team may need some additional training.