Moving towards a risk-intelligent enterprise cannot be achieved unless if an organisation measures the maturity of IT governance using maturity assessment models appropriate to them.
So said John Cato, consultant at IACT, speaking yesterday during the ITWeb Governance, Risk and Compliance 2014 Summit at The Forum, Bryanston.
According to Cato, assessing maturity levels is a useful way of gauging an organisation's overall risk status; and allows an enterprise to plan for attaining desired levels.
He noted that there are several methods that organisations can use to measure their maturity levels. First, he said, is gap analysis. However, he noted that gap analysis is not a maturity model, but is useful for starting an IT governance initiative.
"Gap analysis is a technique that businesses use to determine what steps need to be taken in order to move from its current state to its desired, future state. Gap analysis is useful at the beginning of a project when developing a business case; and it's essential when you're identifying the tasks that you need to complete to deliver your project. However, it should not to be confused with GAP (Good, Average, Poor model from OGC)," he explained.
Gap analysis techniques can be useful for starting King III-based IT governance initiatives and establishing a foundation, Cato pointed out.
"By using a slightly enhanced gap analysis tool with scores for each principle and recommendation, an overall score can be provided, not quite a maturity level but useful."
The other model is the Capability Maturity Model Integration (CMMI), which is a well-established maturity model from the CMMI Institute, he said.
"CMMI is a proven approach to performance management with decades of results showing it works," said Cato. "CMMI is built with practices and goals seen in thousands of real organisations worldwide. Use these practices and goals to evaluate your own performance and decide what to improve for your own business reasons."
He also pointed to the Gartner ITScore, which, he said, is a valuable maturity assessment and improvement model for Gartner clients.
"The Gartner ITScore is an online diagnostic tool that quantifies the maturity of both the IT organisation as a provider and the enterprise as a consumer of information technology development," said Cato.
The other maturity model is the ISO15504-2 process capability assessment model, said Cato, adding that other proprietary models exist, for example, the IOD SA model for King III.
He explained that ISO/IEC 15504-1 provides overall information on the concepts of process assessment and its use in the two contexts of process improvement and process capability determination.
ISO/IEC 15504-2 defines the requirements for performing process assessment as a basis for use in process improvement and capability determination, he added.
According to Cato, large consulting firms have their assessment models as well and, although not a maturity assessment model, IS29100 is a privacy framework standard with the potential for assessing organisations' readiness for the POPI Act.
"Maturity assessments have their origins in the quality movement of the 1950s and later," said Cato. "They gained ground with the Software Engineering Institute at Carnegie Mellon University in the late 1980s/1990s. Assessments are often based on 'as is' and 'to be' performances using a number of attributes, indicators and levels," he added.
He also believes that maturity assessments can provide a powerful tool to help improve performance.