Chapter 5. Institutionalizing Operational Resilience Management Processes

5.1 Overview

This chapter describes the process institutionalization aspects of CERT-RMM. It describes the “continuous representation” of CERT-RMM, the resultant capability levels, and the associated generic goals and generic practices of CERT-RMM, which have been sourced intact from CMMI. These model components directly address process institutionalization.

The capability dimension of CERT-RMM sets it apart from other models in the operational resilience space because this dimension determines the degree to which

• a process (or a practice) has been ingrained in the way work is defined, executed, and managed

• there is commitment and consistency to performing the process

Higher degrees of process institutionalization often equate to more stable processes that produce consistent results over time. Highly institutionalized operational resilience management processes should help the organization to improve service resilience not only because the process is stable but also because institutionalized processes are more likely to be retained during times of stress. Because the operational resilience of an organization is fundamentally tied to how well it performs during times of stress, the capability dimension of CERT-RMM is foundationally important to any organization that wants to improve its operational resilience.

5.2 Understanding Capability Levels

CERT-RMM is not a prescriptive model; that is, there is no guidance provided to adopt the model in any sequential or prescriptive path. Process improvement is unique to each organization; thus, CERT-RMM provides the basic structure to allow organizations to chart their own specific improvement path using the model as the basis.

The ability to incrementally improve processes in an individual process area (or a group of process areas) is embedded in the model’s continuous representation.1 The improvement path in a continuous representation is defined by capability levels. Levels characterize improvement from an ill-defined state to a state where processes are characterized and used consistently across organizational units. This concept is an important enabler of the principle of convergence, particularly in large, distributed organizations.

To reach a particular level, an organization must satisfy all of the appropriate goals of the process area (or a set of process areas), as well as the generic goals that apply to the specific capability level. The structure of the continuous representation for CERT-RMM is provided in Figure 5.1.

Figure 5.1. Structure of the CERT-RMM Continuous Representation

[Figure 5.1 image not reproduced]

Because there is no staged representation in CERT-RMM, technically the concept of organizational maturity for managing operational resilience processes doesn’t exist. However, it could be argued that an organization that reaches higher capability levels in each process area is exhibiting a higher degree of organizational maturity.

The capability dimension of CERT-RMM is also used for process improvement appraisal activities. Appraisal activities are described in Section 6.4.

CERT-RMM currently defines four capability levels, designated by the numbers 0 through 3, as shown in Table 5.1.

Table 5.1. Capability Levels in CERT-RMM

[Table 5.1 image not reproduced]

A capability level for a process area is achieved when all of the generic goals are satisfied up to that level. By design, capability level 2 is defined by generic goal 2 and capability level 3 is defined by generic goal 3. Thus, the generic goals and practices at each level define the meaning of the capability levels. Because capability is cumulative, reaching capability level 3 means that the organization is also performing the goals and practices at capability levels 1 and 2. (See Section 5.4 for more information about generic goals and practices.)

5.3 Connecting Capability Levels to Process Institutionalization

Capability levels describe the degree to which a process has been institutionalized. Likewise, the degree to which a process is institutionalized is defined by the generic goals and practices. Table 5.2 links capability levels to the progression of processes and generic goals.

Table 5.2. Capability Levels Related to Goals and Process Progression

[Table 5.2 image not reproduced]

The progression of capability levels and the degree of process institutionalization are characterized in the following descriptions.

5.3.1 Capability Level 0: Incomplete

An incomplete process is a process that either is not performed or is partially performed. One or more of the specific goals of the process area are not satisfied. No generic goals exist for this level since there is no reason to institutionalize a partially performed process [CMMI Product Team 2006].

5.3.2 Capability Level 1: Performed

Capability level 1 characterizes a performed process. A performed process is a process that satisfies all of the specific goals of the process area.2 It supports and enables the work needed to perform operational resilience practices as defined by the specific goals.

Although achieving capability level 1 results in important improvements, those improvements can be lost over time if they are not institutionalized. The application of institutionalization through the generic goals at levels 2 and 3 helps to ensure that improvements are maintained [CMMI Product Team 2006].

When organizations perform a compliance review against a code of practice, they are in essence evaluating whether a process is performed. However, because operational resilience management processes are critically important during times of stress, simply verifying that a process is performed does not provide any indication or predictability about how the organization will perform in the future. In CERT-RMM, two additional and important levels of capability can be evaluated—managed and defined—which provide a better indicator of an organization’s ability to predict performance.

5.3.3 Capability Level 2: Managed

A capability level 2 process is characterized as a managed process. Because capability levels are cumulative, a managed process is a performed process that has the basic infrastructure in place to support the process. At capability level 2, the process

• is planned and executed in accordance with policy

• employs skilled people who have adequate resources to produce controlled outputs

• involves relevant stakeholders

• is monitored, controlled, and reviewed

• is evaluated for adherence to the organization’s process description

A critical distinction between a performed and a managed process is that a managed process is planned and the performance of the process is managed against the plan. Corrective actions are taken when the actual results and performance deviate significantly from the plan. A managed process achieves the objectives of the plan and is institutionalized for consistent performance [CMMI Product Team 2006].

The process discipline reflected by capability level 2 helps to ensure that existing practices are retained during times of stress [CMMI Product Team 2006]. From an operational resilience management perspective, it is at capability level 2 where the organization can begin to answer some vital questions about its viability in a complex, risk-evolving environment, such as these:

• Are we able to achieve consistent results from our processes today and tomorrow, and are we committed to doing so?

• Can we repeat our current successes consistently over time?

• Can we achieve the same results from our processes during times of stress and when we don’t have access to our best employees and other resources?

• Can we obtain consistent results from our processes across organizational units and lines of business?

Organizations operating at capability level 2 should begin to know with some degree of certainty that they can achieve and sustain operational resilience goals regardless of changes in risk environments or when faced with new and emerging threats. Thus, instead of shifting its planning and practices for security and business continuity to address the next new and sensational threat, the organization stays on course and defines and refines its processes to address whatever risk comes its way. This indicates that the organization has invested in and nurtured its capabilities for sustaining these practices through sponsorship, ability and commitment, institutionalization, and measurement.

5.3.4 Capability Level 3: Defined

A capability level 3 process is characterized as a defined process. A defined process is a managed process (capability level 2) that is tailored from the organization’s set of standard processes according to the organization’s tailoring guidelines. The process also contributes work products, measures, and other process improvement information as organizational process assets for use by all organizational units [CMMI Product Team 2006].

What does this ultimately mean to the organization? One of the principal challenges for effective operational resilience management is the ability to get all parts of the organization to coalesce around common goals and objectives. When different parts of the organization operate with different goals, assumptions, and practices, it is difficult if not impossible to ensure that the organization’s collective goals and objectives can be reached. This is particularly true with crosscutting concerns such as operational risk management. If the organization’s risk assumptions are not reflected consistently in security, continuity, and IT operations activities, the organization’s risk management process will be less than effective and perhaps significantly detrimental to overall operational resilience.

At capability level 3, alignment begins to occur because the standards, process descriptions, and procedures used for operational resilience management at the organizational unit level are tailored from the organization’s standard set of operational resilience management processes. At capability level 2, each organizational unit may be improving the degree to which processes are institutionalized for that unit, but the organization is not necessarily reaping improvement benefits as a whole. At capability level 3, this begins to occur because there is more consistency across units, and improvements made by each organizational unit can be accessed and used by the organization through an organization-level improvement infrastructure.

Another critical distinction at capability level 3 is that processes are typically described more rigorously than at capability level 2. A defined process clearly states the purpose, inputs, entry criteria, activities, roles, measures, verification steps, outputs, and exit criteria. At capability level 3, processes are managed more proactively using an understanding of the interrelationships of the process activities and details [CMMI Product Team 2006].

5.3.5 Other Capability Levels

If your organization uses the CMMI models, you are likely to be familiar with two other capability levels—capability level 4 (quantitatively managed) and capability level 5 (optimized). Both levels address the use of statistical and other quantitative techniques to control and improve processes. Beginning at capability level 4, process quality and performance are understood in statistical terms, and at capability level 5, common causes of process variation are understood and used for improving the range of process performance.

In CERT-RMM, it is unclear at this point whether these capability levels exist for operational resilience management or, more specifically, whether they have meaning. In other words, should an organization strive for some level of quantitatively managed operational resilience processes, and if so, what benefits would this bring to the organization? Thus, these additional levels are not defined in the model.

5.4 CERT-RMM Generic Goals and Practices

Generic goals and practices are common to all process areas. They are the roadmap for helping the organization raise its performance of each process area to the next capability level. The degree of process institutionalization is embodied in the generic goals and practices and expressed in the names of the generic goals, except for goal 1, “Achieve Specific Goals,” which refers to the achievement of all of the specific goals and the performance of all of the specific practices of a process area.

The generic goals and practices used in CERT-RMM have been sourced from CMMI models. Thus, if you are a current user of CMMI models, you will be able to use the same process institutionalization features of CMMI in your CERT-RMM process improvement effort. However, there are a few differences, mostly in wording:

• Generic practice 2.1 in CMMI models is “Establish an Organizational Policy,” while in CERT-RMM, the corresponding practice is “Establish Process Governance.” In CERT-RMM, policy is an artifact of effective governance, which is required for all processes to reach capability level 2.

• Generic practice 2.3, “Provide Resources,” is similar in both models, but CERT-RMM expands the definition of “resources” to include financial resources.

• Generic practice 2.6 in CMMI is “Manage Configurations,” but in CERT-RMM, it is retitled as “Manage Work Product Configurations” to avoid confusion with traditional configuration management activities as defined in IT operations.

• CERT-RMM includes subpractices in its articulation of generic goals and practices, which were eliminated in current versions of CMMI models.

Remember, only the generic goals for capability levels 1, 2, and 3 from CMMI are included in CERT-RMM. The CERT-RMM Generic Goals and Practices are included in Appendix A.

5.4.1 CERT-RMM Elaborated Generic Goals and Practices

Since generic goals and practices apply to each process area, naturally there is variation in how each generic goal and practice affects the core subject matter of a process area. For example, generic practice 2.1, which calls for governance over the process, will differ widely depending on whether the process deals with incident management or organizational training and awareness. Thus, in each process area, the CERT-RMM model includes customized examples of the generic goals and practices. These customized examples are called elaborations, and therefore each process area has a unique set of elaborated generic goals and practices associated with it.

Elaborated generic goals and practices are included with each process area, beginning in Part Three of this book.

5.5 Applying Generic Practices

Applying the generic practices in CERT-RMM is mostly straightforward, but it can be confusing at first. It is easiest to start with a simple example.

When you are achieving the specific goals of the Asset Definition and Management process area, you are formally identifying, documenting, and managing the assets that the organization depends on to ensure that high-value services meet their missions. Consider generic practice GG2.GP2, “Establish and maintain the plan for performing the process.” In this context, generic practice GG2.GP2 reminds you that you need to plan the activities related to identifying, documenting, and managing assets throughout their life cycle. Thus, the application of this generic practice improves the institutionalization of the Asset Definition and Management process area by instilling a planning discipline.

In some cases, the application of a generic practice to the specific goals in a process area will seem recursive. For example, consider the application of generic practice GG2.GP2 to a process area that already includes a specific goal directed at planning. In the Incident Management and Control process area, planning for incident management is a major aspect of the process. The application of generic practice GG2.GP2 in this case reminds you that you must plan the activities involved in creating the plan for managing incidents.

5.6 Process Areas That Support Generic Practices

While generic goals and generic practices are the model components that directly address process institutionalization, some process areas also address institutionalization by supporting the implementation of the generic practices. Thus, implementing the specific practices in some process areas may also help with the implementation of a generic practice.

Table 5.3 shows the relationship between CERT-RMM process areas and generic practices.

Table 5.3. CERT-RMM Generic Practices Supported by Process Areas

[Table 5.3 images not reproduced]
