As our company received a CMMI level 3. Experience of implementation and obtaining a certificate

Hello!
Some time ago on Habré there was an introductory article in CMMI ( CMMI Model ).
I was lucky to personally participate in the process of getting the organization 3 levels of this model. I want to talk about how this happens in practice.


')

For those who are not in the subject, a couple of words about what CMMI is.

CMMI is a model that describes the criteria by which an organization (its business processes) can be attributed to one of 5 levels of maturity (maturity level). The higher the level, the better. In order to confirm one of the levels (usually organizations start with confirmation of level 3), a certification or assessment process is conducted, which I want to tell about.

What can we do with CMMI in an organization?

Usually this:

• The introduction of a quality system based on this model
• Officially confirm the compliance of the organization with one of the levels (get a certificate)
• Gain useful practices and try them out.

The very introduction of this model puts the company's business processes in order, pulling them up to one of the levels. If the goal is to introduce a quality system based on the CMMI methodology, then this can be done by the company itself, using publicly available literature. The model description is available free of charge in the library on the SEI website . There you can find a lot of instructions, descriptions and tips. The same applies to useful things. which can be found in the literature and try to apply in the company.

Why do we need to receive official confirmation of compliance with one of the levels?

Usually - to participate in tenders, to get new customers, projects, to enter a more serious market. It's hard for me to imagine a company that gets it just like that, because it is an expensive pleasure. Those firms that already have a proven level of maturity and want to receive the next (usually 3, but I want 5) usually also receive a certificate.

Why lately all the talk about CMMI?

In recent years, the ISO 2001: 2008 certificate begins to lose customer confidence (especially in Europe). The relative ease and cheapness of obtaining such a certificate allowed it to be received by companies in which the level of quality management does not correspond to it.
Cause:

1. non-specific description of the requirements under which you can bring anything,
2. lack of examples
3. the relatively simple process of obtaining a certificate
4. an audit that lasts only two days, during which the auditor can only dig in a pile of documents that are dumped on him,
5. A large number of certification companies that want to get more money for the certification / re-certification process and are able to close their eyes to many things that do not meet the requirements.

As a result, in Europe, state organizations, banks, in tenders began to require CMMI at least 3 levels, and usually - 4th. Prior to this, CMMI was required mainly in America, Canada, and Asia.

CMMI implementation experience

purpose

In our company (the company is located in Latvia, the size is about 150 employees, the sphere is IT, customers are from Europe) the reason for receiving CMMI was not original. The company had the capacity and resources to take on serious projects outside the local market (Europe, America, Canada), but a certificate was needed to participate in tenders.
The goal was set - level 4 CMMI.

Beginning of work

We began by studying the available information. All available books from the SEI website were downloaded, something was bought on Amazon (there are books by independent authors who write about the implementation and certification process). A number of internal audits were conducted to assess the level of maturity of each of the processes. This was done by a small group of people responsible for the quality of the organization (Quality Manager and internal auditors - only 4 people).

A great help was obtained before the ISO 2001: 2008 certificate. Or rather - the implemented quality system for its receipt. We have done everything conscientiously; therefore, most of the business processes have already been put in order and the organization has worked on them. We can say that we were somewhere between 2 and 3 levels of maturity.

Then we tried to tighten some processes by our own efforts. I will not describe in this post the preparation and bringing to mind specific business processes, since each of the CMMI process areas is worth what to pay close attention to. I can only say that for us the most of the problems for us were collecting metrics and planning using the collected data (in CMMI for development 1.2 this is QPM: Quantitative Project Project Management).

Leadership support was of great importance. Given the large resources invested in the preparation process, and then even more - in the certification process itself, all organizations were involved in the CMMI race. All projects were instructed to go to a meeting with internal auditors and to apply the changes made by the quality department in practice.

Consultants

After internal preparation for the further process, it was decided to involve a consulting firm, which will help us in the preparation and conduct the certification process. A tender was drafted in which we described the situation in our company and our goals. A Google search engine helped us select 5-6 consulting firms that later received our requirements. As a result, we have chosen a more suitable offer. Consultants were located in India. We were assigned a specialist, who then led us to receive a certificate.

Unfortunately in Latvia (and it happened there) there is no company that would provide such services. I know nothing about consulting firms in Russia, I only know that there is only one Lead Assessor, which has the right to appropriate the CMMI level.

In the process of certification a lot of draft, preparatory work. It is necessary not only to tighten all the processes, but also to assemble the Practice Evidence Database (PIID), it consists of documents, each of which describes its own process. What is this evidence? For example, if CMMI requires that internal employee training is planned for several months ahead, then the document should write how we implement this practice (for example, that we have a training plan that is regularly revised) and give a link to the artifact and so on. requirements.

An example of a document template from the database

During each of his visits, the consultant conducted an internal audit in the organization (type of audit - SCAMPI (Standard CMMI Appraisal Method for Process Improvement) B or C). In the end, he provided us with a list of shortcomings, told us how to fix them, which was necessary to satisfy one or another requirement, and left.
During the next visit, the next audit was conducted, in which we checked how we fixed the found flaws, found new problems. It should be noted that the audits were carried out only in focus projects - the most revealing ones, so that you could touch on all the processes that CMMI requires, but this does not mean that you can pull up only a part of the projects, and score on the rest. During the preparation, everything is being combed, just usually it is the artifacts from these projects that are indicated in the evidence base and the interview is conducted with the leaders of these projects.

We needed 4 arrivals. It is the consultant who says if the organization is ready for certification.

Certification

After the consultant says “good”, preparation for the certification process itself (Appraisal) begins. 6-10 people are selected from the company's employees who take the official SEI courses - “Introduction to CMMI”. These people then participate in the certification process.
The certification process lasts 2 weeks (does not compare with 2 days for ISO).
In the illustration below you can see what the audit schedule looks like.

Appraisal timetable

During Appraisal (SCAMPI A type), internal audits, interviews with employees are conducted, the evidence base (PIID) is reviewed, and compared with the requirements. For each requirement a certain number of points is put up and at the last meeting they are counted and a decision is made - yes or no. The decision is made by Lead Assessor - in our case it was the head of our consultant.
We wanted to get level 4, but as a result, pulled only 3.

Costs

We paid for:

1. Consultant services - for each day of his work.
2. Airplane tickets, consultant’s accommodation in Latvia (he came 4 times, his work with us on site took about a week).
3. For internal resources that were used to rework and improve business processes - the work of internal auditors, projects that reworked their documentation, the introduction of improved processes.
4. For the arrival at the very certification of the chief auditor (Lead Assessor) from the same India, plus a consultant came with him.
5. Training of internal auditors 6-10 people (special courses “Introduction to CMMI”), which will participate in the certification process along with external auditors.
6. For the certification process itself.
7. For the recertification process every 3 years.
8. <maybe something else that I, as a simple at that time, internal auditor is not aware of>

Total amount - ? . Lots of. I can assume that it is tens of thousands of euros. Roughly counting - only about 10 euros were spent on the payment of the road / residence of consultants and auditors (if the consultants office is located in your own city - these expenses disappear). Unfortunately, I cannot name the exact amount of the whole process, nobody called it to me - confidential information. I will be very happy if someone shares real numbers. I think that the amount also depends on the size of the company.

Preparation before the invitation of the consultant lasted for 3 months, after the invitation and before receiving the certificate for about half a year.

Certificate example (googled) - level 3. CMMI version 1.1

And lastly - interesting statistics (taken from reports from the SEI website)

1. confirmed CMMI level of total received organizations from 67 countries.
2. The most certificates in 2009 were obtained in the USA, China, Spain, Japan, India, Mexico and Brazil.
3. Europe received the most certificates in 2009 in Spain (the year before last - in France).
4. In general, in Europe (here they count Russia) in 2009 692 companies were certified. In Russia - less than 10 firms (they do not write a more accurate figure). For comparison - in Asia - 2218, in North America - 1528.
5. it takes about 17 months to go from level 3 to level 4.
6. firms receiving CMMI by number of employees were divided as follows: 1-100 - 53.5%, 101-200 - 19.6%, 201-2000 - 26.9%.
7. The CMMI-DEV 1.2 document consists of approximately 600 pages, for comparison, ISO 2001: 2008 is only 24x.
8. CMMI-DEV 1.2 is free, and approximately 50 dead American presidents will have to pay for ISO 2001: 2008.
9. A list of all firms for all the years that have received the CMMI level . Here you can play around with queries and see the reports in different sections.

A new report is expected at the end of September of this year.

findings

1. CMMI is expensive. Need human and financial resources
2. There should be comprehensive leadership support.
3. Employees should be interested in this idea, since everyone will have to work
4. It is interesting. In any case, our team enjoyed the whole process.
5. It is not always possible to get the desired level, even if you really, really want, and the bosses press. The company may simply not be ready for this (“Not Immature”)

PS: After some time, the company received the desired level. A project from a German bank was received.

I’m really looking forward to commenting stories about similar experiences, about what I forgot to mention, about real numbers, interesting points and problems.