Risk management is a process that identifies, assess and control threats to a company’s capital and earnings. The risks and threats of an organization emanate from a broad variety of sources such as legal liabilities, accidents, strategic management errors, natural disasters and financial uncertainty. Data-related risks, information security threats and risk management strategies to prevent them have become the utmost priority for digitized companies. Risk management is an integral component in organizations because it permits businesses and organizations to prepare for the unexpected by reducing extra costs and risks before they happen.
Additionally, risk management establishes a safe and secure environment for all staffs and customers, heightens business operations stability while reducing legal liability and further prevents businesses from events that are detrimental to the company and the environment. In dealing with risks and threats, there are various risks management models that are involved. Some of these risk management models used in risk management include MSRAM, CCPM, MRM and CMMI. This paper seeks to discuss the Capability Maturity Model Integration (CMMI).
Delegate your assignment to our experts and they will do the rest.
Capability Maturity Model Integration (CMMI)
Capability Maturity Model Integration (CMMI) is a capability enhancement model that can be used by an organization to solve performance concern at any organizational level in any industry. The CMMI model assists organization in finding problems, solving them and improving their performance. For instance, CMMI is utilized to improve processes that are used to develop software in an organization. The model follows different levels which include capability levels or maturity levels.
There exist two types of levels in the CMMI model. One of the levels in the CMMI model is maturity level. Maturity levels offer a staging of processes for improvement across a business ranging from maturity level 1 to maturity level 5. Each level comprises a group of process areas. The maturity level has five different sections. The first section of the maturity level is the initial section or level 1. In the initial section, processes are described as chaotic, undocumented and unordered. For instance, if an organization tries to develop an application, it is at level 1. The application is in a state of dynamic transformation because of the unstable environment in that organization.
The second section of the maturity level is the managed section or level 2. In level 2, processes are repeatable and may result in a consistent outcome. Organization at managed section employs skilled individuals and processes are planned and performed in an ordered manner. The projects of the organizations are well-documented and existing processes are maintained during times of stress. The defined section is another section of maturity. At this level, the organization has well-defined standards, and its processes are well-documented.
Apart from the defined section, the quantitatively managed section is another section of maturity level. In this section, quantitative objectives are collected and assessed based on the needs of the customers, end-users, process implementers and organization. Optimizing is the last section of maturity level ( Agenjo et al., 2018 ). At this section, the organization concentrates on progressive process improvement that is based on assessment and quantitative understanding of performance needs and business objectives. This assessment contributes to quality process performance results utilized in the project management.
Another type of CMMI level is capability levels. Capability levels enable an organization to concentrate its efforts of process improvement process area by process area from capability level 0 to capability level 5. Each level builds on the previous levels by adding new functionality that result in increased capability. The capability level o involves an incomplete approach to meet practice area intent. This level may or may not meet the intent of the practice. Another level of the capability level is the capability level 1 or initial. Capability level 1 involves the initial approach to meet the practice area intent. It does not have a complete set of intent to meet the full intent of the practice area. Capability level 1 addresses performance issues.
The capability level also involves capability level 2 or managed. The capability level 2 subsumes level 1 practice. It involves a simple but complete set of practices that addresses the full intent of the practice area. This level does not require organizational assets use. Capability level 2 identifies and monitors progress toward project performance objectives. The last level of the capability level is capability level 3. Capability level 3 builds on level2 practices. It uses organizational standards and tailored to address work and project characteristics. The capability level 3 concentrates on achieving both projects as well as organizational performance objectives.
The United States Department of Homeland Security (DHS) and the Federal Crop Insurance Corporation (FCIC) are entities that were chosen. The United States Department of Homeland Security is a government agency that is responsible for public security. The department is also responsible for border security, anti-terrorism, cybersecurity, immigration and customs and disaster prevention and management. On the other hand, the Federal Crop Insurance Corporation is a public sector entity that promotes the economic stability of agriculture through an appropriate system of crop insurance. It also promotes the means for research and experience that are important in designing and developing such insurance.
The United States Department of Homeland security and the Federal Crop Insurance Corporation are faced with numerous risks. The department is threatened by a series of risks that include acts of terrorism, humanmade accidents, and malicious activities in cyberspace, natural disasters and transnational crime. The department also faces risks associated with workforce management, project costs and acquisitions operations. These internal and external risks can cause loss of life, negative psychosocial impact, injuries, environmental degradation, loss of confidence in government capabilities, loss of economic activity and reduction of the department ability to execute mission essential functions. The DHS and its partners ought to understand and manage the various homeland security risks for the achievement of critical national objectives.
Terrorism is an intentional act that seriously damages a country. It is committed with the aim of intimidating a population or unduly compelling the government to perform or abstain from conducting any act. Terrorism acts involve attacks upon the life of a person that may cause death, attacks upon the physical integrity of a person, hostage-taking, aircraft, ship or other means of transport seizure or interfering with the supply of power, water and any critical natural resource. The 9/11 attack is one of the notable incidents of terrorist attacks in the United States. The act of terrorism can cause direct economic destruction. The immediate and measurable consequences of terrorism are physical destruction. Physical destruction involves the destruction of plants, transportation systems, machines and workers. Terrorism also results in increased uncertainty in the markets and heightened nationalism and foreign scepticism.
Apart from terrorism, humanmade accidents are also risks that the Department of Homeland Security faces. Humanmade accidents include groundwater contamination, hazardous material spills, structure failures, transportation accidents and fires. Humanmade accidents destroy properties and lives. Additionally, malicious activities in the cyberspace are another risk faced the DHS. As indicated by Chaudhary and Chopra (2017), malicious activities in cyberspace seek to damage data or disrupt digital life. Cyberspace attacks involve data breaches, denial of service and computer viruses. Cyberspace attacks cause electrical blackouts, breaches of national security secrets and military equipment failure. The attacks can also cause theft of valuable and sensitive data, paralyzing systems and making data unavailable.
Another risk faced by the DHS and FCIC is natural disasters. Natural disasters include hurricane, flood, earthquakes, tornado and wildfires. These natural disasters cause physical injury and death. The severity of exposure to natural disasters can also risk of future mental problem. Natural disasters also displace the population. After the occurrence of natural disasters such as earthquakes and hurricane, many people abandon their home and seek shelters in other areas. Likewise, natural disasters also cause health risks. Natural disasters such as flooding can result in stagnant water that acts as a breeding site for waterborne bacteria.
Recommendations
Implementing the CMMI model in organizations such as DHS and FCIC is not an easy task. Some activities need to be considered to ensure success or somewhat stress-free implementation. Ten actions can increase the likelihood of success when implementing CMMI model in the DHS and FCIC organization. Implementing the CMMI model for the right reason is one of the actions that should be considered. DHS and FCIC will achieve this by making their operations efficient, effective and profitable. Another action that ensures successful implementation is establishing realistic implementation goals. CMMI model implementation and institutionalization takes a considerable amount of time. According to the Software Engineering Institute, implementing CMMI model takes between 12 and 18 months to shift from one maturity level to another. However, the timing will depend on the time an organization takes to document, deploy, train and institutionalize their processes. Understanding each step will help an organization to set achievable goals.
Additionally, demonstrating senior management full support is another action that ought to be taken by DHS and FCIC. The management should show support by providing personnel time to work on process enhancement, provide funding and follow processes. If the process is disregarded, the CMMI model implementation will be destroyed. The management should communicate why the implementation is being conducted and the importance of the CMMI model implementation to the organization. The management should also describe how the CMMI will affect everyone in the organization. They should also let everyone know what the CMMI is and how it will affect them.
Apart from letting everyone know what the CMMI is and how it will affect the organization, assigning the CMMI implementation responsibility to the right person is another action to be taken. The organization should assign a person that has interest or time required to ensure successful implementation. More so, the organization needs to define where the company is regarding the documented processes. Before implementing the CMMI model or make any changes, the organization need to know the existing processes that relate to the CMMI model. The best way to do this is to hire a CMMI specialist to conduct a gap analysis. Another action to be taken is documenting the processes of the organization. Based on the outcome of the gap analysis, the processes of the organization can be documented. Finally, the organization should engage the CMMI Institute certified lead appraiser to assist and direct the organization along the way. Involving the lead appraiser at early stages of CMMI implementation process saves time and money of the organization.
The DHS and the FCIC should use the CMMI model to mitigate their risks, threats and vulnerabilities. This is because the CMMI plays a significant role in identifying potential issues before they occur so that risk handling activities can be planned and invoked across project or product life to mitigate adverse impacts on achieving objectives. The DHS and FCIC should use CMMI to address issues that can endanger critical objectives achievement. Effective risk management involves early and aggressive risk identification through the use of the CMMI to develop an environment for free and open disclosure and discussion of risk. The organization should also broadcast the CMMI program. The DHS and the FCIC should broadcast the CMMI model to the relevant members in the organization to ensure the success of the implementation. Broadcasting the model develops belongingness and involvement among stakeholders.
There are various steps that the security representatives and leaders of the Department of Homeland Security and Federal Crop Insurance Corporation follow to monitor and review risk management assessment and model plans. One of the steps they follow in identifying the risk that impacts organizational performance. The identified risks may be external or internal. The second step that can be used to monitor and review risk management and model plans is analyzing the risks to determine the impact of the risk. Analyzing risks have a significant impact on the performance of the organization as compared to others. Analyzing risks involve separating minor acceptable risk from significant risks that require immediate action. Another step that the leadership and security representative can follow is evaluating the risks to prioritize their management.
The security representative and leadership should compare the impact and likelihood of each risk on the organizational performance to evaluate and prioritize the resources they have prepared to treat the risks. The result of this step is to prioritize a list of risks that require further actions. Apart from evaluating the risks, leadership should treat the risks to minimize the impact. To achieve this, the organization will need to work out which risks they consider acceptable to be left untreated and which risk need to be treated. Once the risks have been identified, strategies to enhance organizational performance will be developed (Liberato et al., 2016). Lastly, the leadership and security representative will develop and review the risk management plan. The risk management plan will show the identified risks, level of risks, planned strategy, resources required and the staff responsible for ensuring that the strategy is executed.
The CMMI model influenced the risk management of DHS and FCIC positively. The model ensured consistency in risk management. It offered a proven approach that enabled the DHS and the FCIC to drive out real benefits in terms of project predictability and consistency. The implementation of the model also saved costs for the organizations. It saved costs through earlier and effective error detection. It also reduced the costs of remediation and encouraged effective management of change.
Additionally, CMMI implementation resulted in the self-improvement of the organizations. By using the CMMI, organizations differentiated themselves locally and achieved a level of CMMI that naturally improved the processes making them more competitive. CMMI implementation also improved performance demand. It helped organizations to improve on their capability to consistently deliver the services, products and sourced goods customers want at the price they are willing to pay. The CMMI implementation also ensured that the organization’s best practices are captured, shared and adopted among the staff.
The implementation of the CMMI risk model was successful because it provided a common language and framework to help people communicate in both the DHS and FCIC organization. The risk model also provided a standard to help solve disagreements and further helped members to maintain the big picture in mind while focusing on improvement. The limiting factors of CMMI implementation are misaligned SPI goals and objectives, insufficient planning, lack of management commitment and imposed partner. For effective implementation of the CMMI, organizations should define their SPI goals and objectives, ensure management commitment and involve staffs in the implementation.
References
Agenjo, E., Martín-Cruz, N., Ruiz-Martin, C., & López-Paredes, A. (2018). Does CMMI implementation affect the performance of the firm? An evaluation from a dynamic capabilities approach. International Journal of Production Management and Engineering, 6(2), 57-64.
Chaudhary, M., & Chopra, A. (2017). Planning CMMI Implementation. In CMMI for Development (pp. 71-80). Apress, Berkeley, CA.
Liberato, M., Varajão, J., & Martins, P. (2016). CMMI implementation and results: the case of a Software Company. In Project Management: Concepts, Methodologies, Tools, and Applications (pp. 958-974). IGI Global.
