What is a Capability Maturity Model?

The Capability Maturity Model is a model for improving organisational processes such as software development, and has practical applications for business continuity management and organisational resilience.


The US Department of Defense originally funded research into the optimisation of software development processes, and created the Capability Maturity Model (CMM) as a tool for assessing the ability of their contracted software developers to deliver and implement projects. The model has since become common outside the software and tech space, and has become an effective means of assessing the maturity of almost any organisational process.

The Levels of Capability Maturity

The five traditional levels of capability maturity represent the steps that an organisation must work through in order to become truly effective at performing a process.

  1. Initial (also called ‘Chaotic’) – At this early stage processes will typically not be documented and could be changing to reflect the environment. This can cause instability, but the ‘trial and error’ approach should eventually lead to the next stage.
  2. Repeatable – Fairly self-explanatory, but at this stage processes are becoming repeatable, and are beginning to achieve consistent results. They may not be rigorous, but it’s important to ensure that they’re maintained under pressure.
  3. Defined – At this stage, processes are documented and being used to establish a precedent of consistent performance throughout the organisation.
  4. Managed – By this point, management has access to methods of measurement that enable them to identify areas for improvement within the process, or adapt the process to the needs of specific projects without undermining the quality or completion of work to specification.
  5. Optimizing – Processes established to this level would be focussed on continual improvement and refinement.

Depending on the context, the naming of the levels might differ. For example, in assessing resilience we might refer to a capability as being ‘fragile’ rather than ‘chaotic’, but the principles still apply. By the third stage, a capability has been communicated as a standard to the organisation, and by the fifth, it has reached a continual cycle of improvement.

Capability Maturity Models in Practice

One of the major criticisms levelled at CMM is that an organisation does not need to have achieved level 5, or even level 4, in order to be able to complete its processes effectively. In this sense, it is perhaps a more useful model for assessing internal teams than it is for its initial purpose of assessing contractors. A process can be effective even at level 1, while it is still in the process of being established, but the risk of it not being effective decreases as it progresses through the levels.

In business continuity and risk assessment, this distinction is vital: if there’s only a chance that your business continuity plan can support your organisation in the event of a crisis, it’s of very little value. Capability Maturity Models can thus form a vital part of a business impact analysis, or of testing your organisational resilience. They go further, testing the depth to which resilience has become an ingrained organisational property, hunting down the superficial and highlighting the thoroughly capable.