Why process maturity is a useless metric for ITSM improvement

Process/practice maturity is a metric that should be of little interest when deciding where to focus your improvement efforts, or for measuring the results of those efforts. And CMM process management maturity is even more useless than execution maturity.

Risk and value should be the primary metrics for planning and assessing your improvement.

Nobody in ITSM asks why are you assessing maturity? Beware of the fixation on maturity. This fixation has been driven into ITSM since the beginning, through Deming, CMM/CMMI, Six Sigma etc... and of course ITIL.

The interesting metrics for each practice (I hate "process") when deciding where to improve are business value and business risk (customer satisfaction is a positive sub-metric of value and cost is a negative sub-metric of value).

Or you might expand out to four key metrics (KPIs) in a balanced scorecard, including perhaps the potential value that could be contributed by each practice. But none of those KPIs would include maturity, because:

If a practice is low maturity but high value (or low potential value) and low risk, who cares? It can stay low maturity.
If a practice is high maturity but still delivering low value and/or presenting high risk, it better have more attention.

Maturity is not an indicator of which areas need improvement. Maturity doesn't measure whether you actually deliver. Value and risk do. IT exists "to protect and serve". It is our job to help the organisation balance risk and value for our organisation's information investments: the data, and the systems to manipulate the data.

Maturity is a misleading - no, useless - metric for planning your improvement efforts. Use it later as a mildly interesting input when assessing current state, when deciding what needs to be done, but only after deciding where to focus attention.

Also be very clear whether you are assessing actual maturity of execution (e.g. ISO 15504 PAM) or CMM-style maturity of process management. CMM is even further removed from measuring whether you actually deliver. Maturity of execution is a second-order measure of whether you are actually delivering value and controlling risk - it is only loosely coupled to those outcomes. CMM is even further removed by only measuring process management not execution, and hence is a third-order indicator of how well you actually perform. (I've flagged this as an issue with the new COBIT 5)

Nor should you use maturity to benchmark your progress with improvement, for the same reasons. Measure progress through changes in outcomes: i.e. changes to risk levels and value delivered.

[Update: So why do we use maturity? Why do the consulting vendors propose it? Because it is easy. We can compare to a generic CMM model that is the same everywhere. We can ask simple questions to make that comparison. To understand the levels of risk and value for each practice is hard. It requires actually understanding the assessee organisation. I use subjective surveys to get an initial read. People are uncomfortable with this, especially those who haven't read How to Measure Anything. But I think it is still more useful that chasing after the maturity will-o-the-wisp.

Our industry's fixation on maturity as the primary measure of ITSM performance is inside-out, self-absorbed, esoteric navel-gazing. I've said before that most maturity assessments are useless because of the way they are presented but I'll go further here and say the whole metric itself is daft. There's a whole ITSM assessment industry built on a dumb idea: that we should start by measuring maturity, and benchmark our progress over time by measuring maturity. Don't.

Syndicate content