GA

Saturday, April 10, 2010

better than eSCM

t" href="http://www.isaca.org/Styles/Styles.css" type="text/css">


Capability Maturity Models and Outsourcing:
A Case for Sourcing Risk Management

By Charles McKinney, CBCP, Six Sigma Black Belt
Volume 5, 2005

.

Moving information technology (IT) functions to offshore providers is popular and controversial. With 74 percent of buyers satisfied with their outsourcing efforts and 64 percent expected to increase their use of service providers in the future, according to a 2004 DiamondCluster International survey, IT outsourcing is here to stay.1 Consequently, organizations need to invest in managing sourcing risk across the life cycle of their relationships with their external service providers (ESPs).

Sourcing risk refers to an organization's exposure to its ESPs' performing at a level below what is required and suffering consequences that could include unplanned costs, lost productivity, dissatisfied customers, brand deterioration, accounting errors, and failure to comply with laws and regulations. Recent regulatory developments heighten the need. For example, the US Sarbanes-Oxley Act's requirements to design and maintain processes with effective internal controls extend to ESPs performing critical operations on behalf of a company.

Organizations manage sourcing risk by developing a clear understanding of their needs, designing steps to standardize and monitor vendors' performance, and integrating these controls with their IT governance and management practices. Being proactive at the vendor selection stage is a critical success factor that determines the effectiveness of the sourcing risk management program, the value of outsourcing deals and the likelihood of unforeseen problems arising. Trends in ESPs' adoption of capability maturity models, a popular category of best practices, provide a useful illustration—showcasing contributions that IT auditors can make and highlighting practical steps that organizations can take to be successful.

Offshoring, Software Factories and Best Practices

An immediate benefit of moving application development to an offshore ESP is lower labor costs. Outsourcing can also improve flexibility by reducing headcount and linking contractor compensation to projects with deliverables. Over the next five years, comparatively high wage inflation for IT professionals will diminish the labor cost advantage that popular offshore locations enjoy today. Furthermore, language barriers, travel costs, higher-than-planned overhead to manage outsourcing relationships and other factors can unexpectedly increase outsourcing costs.

While many ESPs use their labor cost advantage as a door opener, they tend to promote sustainable advantages associated with provisioning application development from a software factory serving a large client base. Demonstrating superior capabilities helps ESPs overcome skepticism that moving offshore is a long-term risk. Very often their marketing strategies emphasize quality, and an increasing number of ESPs are establishing internal quality management programs, basing them on best practices and assessing their internal controls with a goal of passing a critical benchmark that the marketplace will recognize and trust.

For any organization, a commitment to quality can have a positive impact beyond contributing to brand equity. GE's adoption of Six Sigma and its contribution to top- and bottom-line performance are legendary.2 The Software Engineering Institute at Carnegie Mellon University (Pennsylvania, USA) reports that investment in adopting software development best practices can pay dividends. It reports that many organizations experience productivity gains of 35 percent, defect rate reductions as high as 90 percent and positive return on investment.3 Realizing these benefits depends on how adoption of best practices is carried out (see figure 1).

Figure 1—Critical Success Factors When Adopting IT Best Practices

With a cornucopia of frameworks to choose from and pressure to deliver results quickly, adopting IT best practices can be a risky business. It can pay off with strong commitment and attention to five critical success factors: leadership, acceptance, learning, empowerment and ongoing governance.

Leadership—Tone at the top sets the context for how an organization embraces best practices. Official messages, off-the-record comments, nonverbal signals, and the actions of the CEO, CFO, CIO and senior IT managers signify to middle-level IT managers, technology professionals and end users how serious they are about improving IT performance. Consistent leadership in establishing a program to improve quality, selecting best practices and aligning organizational processes with the chosen framework significantly raise the odds of success.

Acceptance—Leadership combined with having a compelling reason to improve IT performance facilitates organizational readiness to adopt best practices. Commitment to change by key stakeholders—IT managers, engineering staff, software development groups, infrastructure groups, user support personnel, project managers and customers impacted by IT—determines the fate of software process improvement efforts, no matter how compelling the need or elegant the solution. Successful organizations invest in change management, particularly communications, training and collecting feedback to manage expectations.

Learning—Organizations known for pioneering best practices recognize that continuous improvement goes beyond reaching quarterly and yearly targets. It depends on personal awareness of how individual habits affect growth and how improving performance is an inner journey beyond applying new tools and technical knowledge. Leaders foster growth through a culture of learning—investing in training programs and promoting the importance of collaborative, on-the-job education in building critical skills, attitudes and habits.

Empowerment—Achieving high maturity levels depends on key stakeholders being empowered to control outcomes beyond complying with policies. Too often, organizations charter process improvement teams and task IT professionals to accomplish milestones without relinquishing the authority necessary to achieve full-potential results. Many organizations that report high return on investment in adopting best practices attribute their success to finding ways to empower people by making them "process owners" without circumventing internal control.

Ongoing governance—The adoption of best practices can be expensive. One organization recently spent more than US $10,000 per person in its applications groups on capability maturity model implementation. The costs and the stakes require ongoing governance—oversight by an executive sponsor, coordination by a dedicated project manager, and scrutiny through performance measures that quantify costs, measure benefits and support risk management.

Source: Author

Adoption of best practices is complicated by the lack of a de facto standard. In the systems engineering realm, there are numerous models from which to choose. Best practices with significant traction include:

  • COBIT—Familiar to IT auditors, Control Objectives for Information and related Technology (COBIT) adoption has grown rapidly since the Sarbanes-Oxley Act took effect in the US. COBIT defines 34 high-level control objectives and more than 300 detailed objectives that assist organizations with evaluating and improving the maturity of their managerial, operational and technical controls over IT assets.4 COBIT adoption is supported by a suite of product materials from the IT Governance Institute (ITGI), including framework criteria, implementation guidelines and audit criteria. COBIT incorporates capability maturity model concepts, and IT Control Objectives for Sarbanes-Oxley, based on COBIT, was released to support compliance.
  • ITIL—Sponsored by the UK's Office of Government Commerce, the IT Infrastructure Library (ITIL) is a compendium of best practices for managing IT service delivery and service support. ITIL adoption is common in Europe, and many independent software vendors engage third parties to certify that their products are ITIL-compliant.5
  • ISO 9000—The International Organization of Standardization (ISO) publishes the ISO 9000 series of standards, which many organizations adopt as a basis for their internal quality management systems governing IT and non-IT functions. Organizations that comply with ISO 9000 standards can obtain a certification from an ISO-registered third-party auditor.6
  • Six Sigma—Pioneered by Motorola, widely associated with GE and enhanced by organizations around the world, Six Sigma is a general-purpose approach to reducing cost and improving customer satisfaction through quality. It provides statistical methods to measure performance and techniques to improve processes and change organizational behavior. Six Sigma has roots in manufacturing, but its use is spreading to most corporate functions, including IT.7
  • ISO/IEC 15504—The lack of a "framework of frameworks" is not lost on best practices organizations. Development of ISO/IEC began in June 1993 under the direction of ISO and the International Electrotechnical Commission (ISO/IEC). ISO/IEC 15504 is a metamodel that harmonizes several best practice frameworks, such as ISO 9001, and capability maturity models.8

Capability maturity models are also well known, widely used and especially popular with ESPs. Many ESPs factor capability maturity model adoption into their marketing communications to give the marketplace assurance that their organizational capabilities are reliable from a quality standpoint.

An Overview of Capability Maturity Models

Capability maturity models date back to the 1980s when the US Department of Defense contracted with Carnegie Mellon University to establish the Software Engineering Institute (SEI) as a means of improving applications developed for defense work. The Software Engineering Institute published the Capability Maturity Model for Software (CMM-SW) in 1991 and various models since then, culminating in the release of the first version of the Capability Maturity Model Integration (CMMI) framework in 2002. CMM-SW is the most popular capability maturity model today, but many organizations will transition to CMMI over the next few years because it is the standard that the Software Engineering Institute will support in the future.9

Capability maturity models support process benchmarking and continuous improvement by defining five levels of process maturity:

  • Level 1: Initial—Application development is ad hoc or chaotic. Processes are poorly defined and undocumented. Project success is a result of individual efforts.
  • Level 2: Managed—Projects employ basic processes to track costs, schedules and functionality with processes institutionalized across software groups. Formal adoption of techniques to measure performance has occurred and is an input to managerial activities.
  • Level 3: Defined—Application development and other IT processes are documented, standardized and integrated organizationwide with projects always employing a version of these standard processes.
  • Level 4: Quantitatively managed—Application development projects and processes are measured quantitatively, and managers employ statistical process control techniques to achieve and maintain high levels of quality.
  • Level 5: Optimizing—Quantitative management tools and techniques enable continuous improvement of processes and innovation in the delivery of application development services to the business.

Each maturity level has a set of performance criteria (see figure 2). At the highest level, there are key process areas. A key process area encompasses a broad set of internal control criteria that are critical to quality. For example, the second maturity level in CMMI and CMM-SW has key process areas for requirements management, project planning and configuration management. Each key process area has a set of goals that is specific to a type of internal control or a general characteristic of having mature processes. For example, the CMMI requirements management key process area has a specific goal for managing requirements and identifying inconsistencies with project plans and work products.10 A generic goal for the second maturity level to ensure processes are institutionalized as a managed process applies to requirements management and all other key process areas.11 Each goal has practices associated with it, and most practices further break down to subpractices and typical work products.

Image

To stand up to a maturity level, an organization's performance must satisfy all of the goals and key process areas of the level. This is accomplished when processes are auditable through the accumulation of project documentation, and their performance complies with each goal's practices or equally acceptable alternative criteria. Since maturity levels build on one another, an organization wishing to stand up to the third level must comply fully with the second level, and so forth.

SEI has well-defined standards for how to assess IT processes against CMMI, CMM-SW and its other capability maturity models. For example, it published the Standard CMMI Appraisal Method for Process Improvement (SCAMPI) and the Appraisal Requirements for CMMI (ARC) for organizations employing CMMI.12, 13 These guidelines define three classes of appraisals. Organizations that successfully complete a class A appraisal obtain a maturity level rating, and many of them (particularly ESPs) promote their rating as evidence of their ability to deliver high-quality software. Class B and C appraisals are less rigorous, and many organizations use them to audit projects and conduct in-flight reviews of process improvement initiatives. Figure 3 compares these three appraisal classes.

Image

To appraise its application development processes, an organization selects projects that it will evaluate. An executive sponsor assigns a team of trained professionals to carry out the appraisal. SEI offers a robust training program to support professional development of appraisal team members, and it licenses qualified individuals to serve as authorized lead appraisers. Lead appraisers must complete an extensive training program, meet eligibility requirements based on their experience and education, and undergo an observation where their performance leading an appraisal team is monitored. An appraisal team reviews a project by:

  • Developing an appraisal method and documenting an appraisal plan, which is similar to an audit program guide
  • Holding a kickoff meeting with the project team and collecting preliminary information about the project
  • Gathering facts about the project by requesting and reviewing documentation, administering a questionnaire or conducting a survey, interviewing project stakeholders, and using other audit techniques, such as inspection and corroborative inquiry
  • Using a common rating system and agreed-upon consensus-building procedures for the appraisal team to conclude if a project reaches the desired maturity level
  • Reviewing appraisal findings and recommendations with the project team, the executive sponsor and others with a stake in the outcome
  • Reporting the results to the project team and executive sponsor in the form of a final findings report with transmittal letter or in another format specified in the appraisal plan; a final findings report documents the outcome of an appraisal and provides any recommendations for improving processes

To determine if application development within a business unit, division or an entire entity stands up to a maturity level, an organization must appraise a valid, sufficient and representative set of projects. An organization's business model, its size, a project's value, strategic and operational risks, and how it intends to use the outcome of appraisals should influence project selection.

Capability Maturity Model Adoption Trends

SEI tracks capability maturity model adoption through its membership. For example, it requires lead appraisers to report information about the appraisals they conduct. Using these data, SEI publishes annual profiles of CMM-SW and CMMI adoption. These profiles tabulate capability maturity model adoption by region, industry, company size and other variables. Capability maturity models were initially popular with government organizations and defense contractors. During the 1990s, organizations in many industries began using them, resulting in cross-industry adoption today.14

In 2002, 42 percent of organizations using capability maturity models were non-US companies, and between the late 1990s and 2003, the number of non-US firms reporting successful appraisals at maturity levels four and five grew at twice the rate of US firms, according to SEI data.15 India-based ESPs were early adopters of CMM-SW to differentiate themselves in the marketplace. Since the 1990s, government and industry groups in China, Hong Kong, Malaysia, the Philippines and other countries vying for ESP marketshare have actively sponsored professional organizations, conferences and training events to raise awareness of capability maturity models. Adoption of capability maturity models and commitment to obtaining maturity level four and five ratings are on the rise as a result, and also because firms in these countries want to develop credibility with Fortune 1000 buyers and overcome a perception that India-based ESPs have superior capabilities.

When outsourcing application development outside of the US, a minority of companies inquire about ESPs' use of capability maturity models and maturity level assessments, according to Gartner Group.16 Those that do often fall into critical customer segments, and many offshoring pioneers on the buy side require ESPs to have a high maturity level rating. A recent CIO magazine article reported that many financial services firms refuse to do business with ESPs that are not at maturity level five.17 Some government agencies are setting strict standards, too. The US Department of Defense routinely uses maturity level three as a cutoff for contracting opportunities, and recently proposed legislation that would make maturity level three certification a requirement for certain types of firms doing business with the federal government.18

Digging Deeper Into Appraisals

Asking ESPs about their adoption of best practices and the results of their capability maturity model appraisals is a useful way to learn about potential service providers' approaches to quality. Organizations ought to be skeptical, however, when relying on capability maturity model ratings because of ambiguity about standards for the professional independence of appraisers and professional oversight of appraisals used to communicate assurance to the marketplace.

In addition to employing strict criteria when licensing lead appraisers (including a nascent, promising code of conduct), SEI requires organizations completing appraisals to report the results and provide information that will assist in reviewing the outcome for irregularities. CMMI strengthens these requirements over CMM-SW. Nevertheless, lead appraisers licensed by SEI are not subject to black-and-white standards for professional independence covering:

  • Independence from management—Standards such as ARC and SCAMPI encourage appraisal teams to act independently and objectively in their duties. However, SEI has not released and publicized criteria mandating technical and managerial independence of appraisal teams. Many organizations conduct their own assessments and self-report the outcomes of appraisals. One company, whose identity is being kept anonymous, promoted a business unit's CMM-SW maturity level four rating and published a letter from the organization's lead appraiser on its web site. The letter described how appraisals within the business unit were conducted, disclosed which projects were reviewed and concluded that a maturity level four rating was warranted based on the results. Curiously, the letter did not have any corporate letterhead. Only by reading the e-mail address of the lead appraiser did it become evident that he/she was an employee of the company.
  • Independence as an attesting entity—Self-reporting achievement of performance benchmarks is a popular marketing tactic. In the context of using reported information to rely on a third party's internal controls, organizational independence of the entity providing an opinion about the organization having its internal controls evaluated is a critical success factor. Standards for conducting appraisals do not clearly address situations when independence as an attesting entity is necessary—such as when an organization might promote its maturity level rating on its web site in the same way it would provide a link to information about its Systrust® seal.19 The lack of standards is exacerbated by the absence of a strong oversight body to enforce professional ethics in the use of capability maturity models as an assurance tool.

The behavior of ESPs in general is not being questioned, but the temptation of some firms to cut corners or misrepresent their capabilities cannot be dismissed, since pressure to expedite the certification process and reduce compliance costs can take a toll. Very often, for example, it takes seven years to institutionalize maturity level five application development processes. A Class A CMMI appraisal typically costs about US $70,000 per line of business, according to the Robert Francis Group.20 These shortcomings and pressures point out the risk of relying on maturity level ratings as a form of assurance and the importance of investing in due diligence during vendor selection.

A Life Cycle Approach to Managing Sourcing Risks

Many organizations treat due diligence as a one-time activity to be conducted when engaging an ESP for the first time. Others—particularly large companies with a portfolio of outsourced projects and functions—employ a life-cycle-based process that integrates due diligence with other vendor selection, performance monitoring and risk management activities. Leading life cycle approaches have four stages: vendor selection strategy, vendor evaluation, performance measures implementation and ongoing performance monitoring.

A vendor selection strategy frames what an organization wants to acquire from outsourcing and how it will select its service providers. Many organizations delegate the work of crafting a vendor selection strategy to a cross-functional team, and they involve senior executives on the IT steering committee in monitoring progress, reviewing recommendations and making key decisions. The team's activities involve defining or validating requirements for outsourcing; reviewing market data about service providers and geographic locations; analyzing the feasibility of alternative outsourcing models; reverse-engineering outsourcing costs to develop fair-pricing assumptions; and designing a process to evaluate vendors, select a service provider, transition an ESP's services into the IT portfolio and institute service level agreement-based control of ESP performance. A key vendor selection strategy deliverable is a set of documents to guide execution of due diligence and other downstream activities, such as contract negotiation.

Determining how to factor adoption of capability maturity models and other best practices into decision making is a key consideration in the vendor selection strategy. Organizations need to decide which best practice certifications they will require or accept as evidence of an ESP's capabilities. Organizations that choose capability maturity models should be precise when identifying which capability model they care about (see figure 4), and they should devise a mechanism for validating vendors' claims. Some require ESPs to demonstrate compliance with another best practice with stricter oversight of the certification process (e.g., ISO 9000). Others make disclosure of proprietary information about how appraisals are conducted and which projects are reviewed a condition of bidding. Organizational requirements and deal characteristics should dictate the choice of methods, including the level of effort invested in following up on information provided by ESPs in the vendor evaluation phase.

Image

Vendor evaluation encompasses the activities that lead to selection of an ESP. Various laws, regulations and industry customs constrain how companies evaluate prospective vendors. For example, in Europe it is common to use an invitation-to-tender process. Government entities in the US have controls to ensure fair and open competition, and many other industries are subject to procurement regulations as well as purchasing policy enhancements that are necessary for effective internal control. It is common to use a request for proposal (RFP) to gather information from prospective ESPs that will be used to evaluate them, select a winner and award a contract after negotiations are concluded. An RFP gives ESPs instructions for submitting a proposal that describes their business model, services, corporate size, locations, human resources, organizational structure, management practices, technical methodologies and experience serving other firms.

Organizations spend a significant amount of time reviewing proposals, following up on information that is provided and recommending finalists to senior management decision makers. Vendor evaluation activities should employ criteria from the vendor selection strategy and use a common set of templates. Often, organizations use a quantitative scoring algorithm to compare proposals and select finalists that will be evaluated in depth. The time spent validating maturity level ratings should correspond to the importance of this factor in the decision-making equation. Techniques that work well are reviewing final findings reports and other documentation about appraisals, inquiring about quality of work with client references, and possibly assigning an internal team or independent third party to conduct a formal due diligence review of finalists' application development practices and facilities. If a formal review is warranted, integrating capability maturity model criteria into the due diligence audit program guide is one way to validate ESPs' reported maturity level and benchmark their capabilities.

Negotiating and executing a contract with a well-crafted service level agreement is a foundation for ensuring ongoing quality from an ESP, as long as there is attention to monitoring performance in a constructive, rational way. Best practice organizations implement performance measures as part of service level agreements with their ESPs. These key performance indicators ideally cover financial performance, project efficiency, defect rates, requirements traceability and other dimensions that are critical to quality. Instituting performance measures offers several advantages, such as relating performance to IT strategies, providing visibility to total outsourcing costs and establishing triggers to facilitate timely escalation of risks to the attention of key stakeholders. Performance measurement data can also assist in allocating quality assurance and internal audit resources dedicated to reviewing projects outsourced to ESPs.

After performance measures are implemented, performance monitoring becomes an ongoing activity. Typically, an ESP reports performance data in compliance with its service level agreement, and an organization has staff responsible for monitoring ESP performance, reporting metrics to senior management, responding to issues and supporting the resolution of problems. Some organizations—especially organizations with a strategic dependence on their ESPs, a large portfolio of outsourced application development projects or both—budget for a number of project reviews each year to gain added assurance that processes are operating at the desired maturity level. The mix of activities to monitor performance becomes the repeatable process for sustaining the benefits of due diligence and ensuring the reliability of ESPs' performance for as long as application development is outsourced.

Lessons Learned for IT Auditors

IT auditors can play a unique and valuable role in educating application development stakeholders about best practices and promoting the benefits of sourcing risk management when outsourcing is on the management agenda. In particular, IT auditors can add value by:

  • Serving as an objective, independent risk advisor to audit stakeholders and senior management (e.g., members of the IT steering committee)
  • Working through internal audit processes and with IT managers to help ensure that outsourcing plans are sensitive to risks inherent in outsourcing and mitigated through a sound vendor selection strategy, due diligence and ongoing performance monitoring
  • Performing independent verification and validation of the vendor selection strategy that will guide the process of choosing an ESP and the criteria for relying on maturity level ratings disclosed by potential service providers in their proposals
  • Participating in the vendor evaluation process in a way that provides assurance to key stakeholders that due diligence is well executed, controlled and comprehensive, and the overall vendor selection process is disciplined
  • Factoring outsourced application development functions and projects into the annual risk assessment and audit plan that guides IT audit activities
  • Reviewing and providing feedback on performance measures and processes to monitor ESP performance, so that sourcing risk management continues to be effective
  • Integrating capability maturity models into the IT audit methods used to review projects and processes

Even more than any other group of IT professionals, IT auditors have a unique perspective on the importance of process discipline, the value of best practices and the need for professional skepticism when ESPs market compliance with best practices as evidence of their ability to deliver high-quality services. Speaking generally, the role of the IT audit function is critical to quality, and its value will grow in the future as enterprises come to depend more on technology while being subject to stricter requirements for internal control, quality and cost-effectiveness.

Endnotes

1 Weakland, Tom; "2004 Global IT Outsourcing Survey," DiamondCluster International, 2004

2 Harry, Mikel; Richard Schroeder; Six Sigma: The Breakthrough Management Strategy Revolutionizing the World's Top Corporations, New York, Doubleday, 2000

3 Software Engineering Institute, Carnegie Mellon University, "CMMI for Systems Engineering, Software Engineering, Integrated Product and Process Development, and Supplier Sourcing, Version 1.1: Staged Representation," March 2002

4 IT Governance Institute, COBIT 3rd Edition, 2000

5 van Bon, Jan; IT Service Management: An Introduction Based on ITIL, Amsterdam, The Netherlands, Van Haren Publishing, April 2005

6 Goetsch, David L.; Stanley Davis; Understanding and Implementing ISO 9000 and Other ISO Standards, Englewood Cliffs, NJ, Prentice Hall, 2001

7 Op. cit., Harry, Mikel; et al.

8 Van Loon, H.; ISO/IEC 15504 Process Assessment Standard: A Reference Book, New York, Springer Verlag, 2005

9 For more information about Software Engineering Institute's decision to sunset CMM-SW and support CMMI, see www.sei.cmu.edu/cmmi/adoption/sunset.html (accessed 2 January 2005).

10 Op. cit., SEI

11 Ibid.

12 Software Engineering Institute, Carnegie Mellon University, "Standard CMMI Appraisal Method for Process Improvement, Version 1.1: Method Definition Document," December 2001

13 Software Engineering Institute, Carnegie Mellon University, "Appraisal Requirements for CMMI, Version 1.1," December 2001

14 Software Engineering Institute, Carnegie Mellon University, "Process Maturity Profile: Software CMM 2003 Year End Update," March 2002

15 Ibid.

16 Jester, Rolf; Partha Iyungar; Dion Wiggins; "CMM in Asia/Pacific: Rapidly Changing Competitive Environment," Gartner Group, June 2003

17 Koch, Christopher; "Bursting the CMM Hype,"CIO Magazine, 1 March 2004, p. 48-54

18 Ibid.

19 For information about the AICPA/CICA Systrust product and standards for issuance and promotion of a Systrust seal, see www.aicpa.org/assurance/trustservices/index.asp (accessed 31 December 2004).

20 Bowles, Adrian; "Metrics for Application Development: Building the Right Systems Right Can't be Left to Chance," Robert Francis Group, January 2003

Charles McKinney, CBCP, Six Sigma Black Belt
is senior manager with SecureIT Consulting Group. He formerly was a senior manager at KPMG LLP in the firm's risk advisory services practice. He leads teams that deliver IT audit and advisory services to public sector, nonprofit and financial services clients. He has expertise in planning IT strategies, designing IT architectures, reviewing information systems and IT projects, and improving cost-effectiveness and quality within the IT function. For the last three years, McKinney has focused on helping CIOs adopt IT governance, Six Sigma, capability maturity models and other best practices to improve IT performance.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 5




SOURCE


more


Who needs another framework?

January 19, 2009

Carnegie Mellon – the brand behind the global CMM standard for software providers,- or rather another part of Carnegie Mellon called the ITSQC -has another model available specifically for e-sourcing: the eSCM-SP and eSCM-CL or eSourcing Capability Model for Service Providers and Client Organizations respectively. Wikipedia link here. ITSQC homepage here.

I’ve had a read of the eSCM-SP and am struggling to see what value it adds, certainly in terms of how I understand sourcing and eSourcing. Two things to bear in mind with this model:

  1. The acknowledgements list includes contributers from Satyam, IBM, HP, Accenture, Deloitte etc. No mention of an Ariba or a Freemarkets (let alone anyone else in the space). No long list of CPOs from major organisations. No mention even of any organisations that track and analyse the space. Yet the ITSqc says in its description of the ITSqc research consortium that Our members consist of international industry leaders in eSourcing on both the Client Organization and Service Provider Sides of the relationship, including clients, service providers, advisors or consultants, and the standards community.
  2. I’m dubious about the value of their definition of sourcing vs e-sourcing. You’ll have to download the documents yourself to see the graphic I’m referring to – in the meantime here are the definitions:
  • IT Sourcing contains Applications Development & Management, Desktop Maintenance, Application Service Provider, Data Center Support, Telecommunications Network Support
  • Task & Business Process Outsourcing contains everything from IT Sourcing and also includes Finance & Accounting, Engineering Services, Human Resources, Data Capture, Integration & Analysis, Call Center, Medical/Legal Transcription, Purchasing
  • eSourcing covers IT Sourcing and also Task & Business Process Outsourcing
  • Sourcing contains everything in IT Sourcing and Task & Business Processing Outsourcing and also the likes of Janitorial Services, Lines Services

Clear? Like I said – you’ll need to look at the graphic in their documentation to get a better understanding. In the meantime here is my interpretation:

According to the model the core of sourcing is the sourcing of IT-related services, e.g. Desktop Maintenance, Applications Development, Data Center support.

The next level up in the sourcing definition brings in the sourcing of what has become known as BPO (Business Process Outsourcing), e.g. the sourcing of Accouting services, the sourcing of Legal Transcription services, the sourcing of HR services, putting together call centers.

Both of these levels are covered by the model’s eSourcing definition. The sourcing stuff that is outside of scope of the model is, for example, Janitorial Services and Linen Services.

There is a pattern in all of this: The model defines eSourcing as the stuff you can outsource to a 3rd party offshore provider. It excludes from scope the stuff that needs people onsite, or transportaton of physical goods.

Now – if you look back at the list of the contributors of companies to the definition of the model you’ll see that, surprise surprise, they tend to be the providers of the outsourced services that can be provided offshore (e.g. legal transcription, application development services).

But when someone tells me that they are looking for eSourcing or IT-enabled sourcing, to me that means using IT to help make sourcing better. This can mean anything from using SAP to using Excel templates (or anything in between) and can certainly by used to source Janitorial Services better just as it can be used to source Desktop Maintenance better. The definitions used by the eSCM suggest that they see eSourcing as the procurement of services that can be provided remotely using the internet.

So is the model going to help you decide whether to go Ariba or SAP, or whether to outsource the whole of your sourcing function to China? Probably not. But will the model help you decide whether Accenture or Wipro will be best to run your 400 person call center? Possibly yes.

So tread carefully – and beware that just because people are using the same words doesn’t mean they are talking about the same thing.

While I’m on the subject of the eSCM here are a few more thoughts:

The eSCM shares the same brand as the CMMI that has become very popular with IT service providers over the past decade. But it doesn’t follow that just because the CMMI is a de facto standard in the IT industry that the eSCM will become a standard in the procurement space. In fact CMMI level 5 certification is not in itself a guarantee of a stable, quality provider: Satyam (coincidentally one of the contributors to the eSCM) are CMMI level 5 certified (check their awards page and scroll down to 2005-2006 for CMMI and pre-2001 for SEI-CMM, the predecessor of CMMI) and yet its leaders are at the centre of a fraud probe.

As far as 5-level maturity models go in the sourcing space I am quite taken with Hackett’s one. Incidentally my post on the subject is one of the most popular pages on this blog.

Till next time.

Ads by Google
New Paradigm Outsourcing
Cost Effective, Quality, Fast Sales Solutions with Guaranteed Results.
www.NPSalesTraining.com/Sales
SD Best Practices Guide
Read Chapt 1 of new book – Learn to control defects, schedules, costs
www.parasoft.com
Offshore Sourcing
Huge Network of China Suppliers & Manufacturers. Get Connected Today!
Made-in-China.com
Post your Resume Here
Be a part of India's Largest Salary Survey & Benchmark your salary!
Shine.com/India_Jobs


Entry Filed under: CPO, e-sourcing software, sourcing. Tags: , ,, , .

2 Comments Add your own

  • 1. Business Process Management | February 7, 2009 at 12:18 pm

    well i am sure it will atrract lot of people.

    Reply
    • 2. alanbuxton | February 9, 2009 at 8:05 am

      Thanks for dropping by, Teraeon.

      I, too, am sure it will attract a lot of people. But many will come for the wrong reasons. For example my interest in it was piqued when I saw it as a framework that offered to improve eSourcing. However what the framework means by eSourcing is different to the buyers and vendors I have known. People can use the same words but mean very different things!

      If you are looking to improve your e-sourcing activitie then this framework is unlikely to help. If you’re looking at outsourcing a 400-seat call centre then it probably will.

      Reply

Leave a Comment

Required

Required, hidden




source


Satyam BPO, becomes World’s First eSCM Level 5 Company

Quality standard instituted and measured by Carnegie Mellon University’s prestigious ITSqc

Bangalore (India), August 8, 2007: Satyam BPO Ltd., the Business Process Outsourcing (BPO) arm of Satyam (NYSE:SAY), announced today that it has been certified at Capability Level 5.0 of the eSourcing Capability Model for Service Providers (eSCM-SP v2.0) – the highest rating. The certification was granted by the prestigious IT Services Qualification Center (ITSqc) at Carnegie Mellon University in Pittsburgh, PA. Satyam BPO is the world’s first company to achieve eSCM Level 5, just as it was the first to reach Level 4 in September 2005.

The eSCM-SP is a quality model that addresses critical issues related to BPO. It enables ITES industry organizations to evaluate, select, and monitor service providers based on their level of certification.

"Being the first global Company to achieve eSCM’s highest level of certification is a great honor for Satyam BPO, and a reflection of the talented and dedicated people who work here. eSCM Level 5 certification is a global recognition of our belief in a robust organizational framework and innovation in service delivery," said Venkatesh Roddam, Satyam BPO’s Chief Executive Officer. "The certification also demonstrates Satyam BPO’s commitment to operational excellence and to setting the standard for BPO service delivery. In addition, it reaffirms our ability to bring exceptional business value to customers."

eSCM Level 5 certification will enable Satyam BPO to differentiate itself in the marketplace. By achieving the highest level, Satyam BPO, according to ITSqc, has demonstrated measurable, sustained, and consistent performance and improvement for two years – these attributes are very attractive to customers and prospects.

"Satyam BPO’s exceptional achievement of becoming world’s first consecutively demonstrates its excellent delivery capability and process adherence across Transaction Processing, Customer Care, and Engineering Services. This certification against the eSourcing Capability Model for Service Providers (eSCM-SP) provides a testimony to Satyam BPO's capabilities, and should provide enhanced confidence to global clients doing business with Satyam BPO,” commented Jane Siegel, Director – IT Services Qualification Center (ITSqc) at Carnegie Mellon University.

About Carnegie Mellon University
Carnegie Mellon is a private research university with a distinctive mix of programs in engineering, computer science, robotics, business, public policy, fine arts and the humanities. More than 10,000 undergraduate and graduate students receive an education characterized by its focus on creating and implementing solutions for real problems, interdisciplinary collaboration and innovation. A small student-to-faculty ratio provides an opportunity for close interaction between students and professors. In addition to its 144-acre campus in Pittsburgh, Carnegie Mellon has branch campuses in Silicon Valley, Calif.; Doha, Qatar; and Adelaide, Australia. It has also established educational and research partnerships with institutions around the world, including programs in Brazil, England, Germany, Greece, India, Korea, Mexico, Singapore, South Africa, Switzerland and Taiwan. While technology is pervasive at Carnegie Mellon, the university is also distinctive among leading research universities for the world-renowned programs in its College of Fine Arts. For more, see www.cmu.edu.

About the ITSqc
The Information Technology Services Qualification Centre was founded in 2001 to develop disciplined structures best practices models for rating sourcing firms and clients, as well as providing certification of their capabilities. The eSCM Models and methodologies developed by ITSqc researchers enable sourcing providers to differentiate themselves and reduce risks. Currently, the Centre has 16 member companies in the ITSqc's Research Consortium. For more information on the ITSqc, the eSCM models, and eSCM certification processes, see www.itsqc.cmu.edu.

For more information, please contact :

Abhishek Saxena




source




Latest Updates on Satyam's Fraud

Govt. To Provide Help To CBI In Satyam Scam Case

Govt. To Provide Help To CBI In Satyam Scam Case

The Andhra Pradesh government on Wednesday promised to render all possible assistance to the Central Bureau of Investigation (CBI) in probing the massive fraud in Satyam Computer Services after the High Court expressed its displeasure over the lack of cooperation with the investigating team. On a direction from the court, the government filed a report within two and half hours, detailing the steps... [Read more]

Satyam Board Finalises Sales Process Details

Satyam Board Finalises Sales Process Details

It is heard from sources that the Satyam board has finally arrived at a decision on the sale process. The board may not need to meet again to discuss sale process. Lawyers are working on regulatory issues and proposal may soon be sent to the Sebi and the CLB. Details of the Satyam sale process will be made public over the next few days. [Read more] Read More →

Satyam’s Market Price Can Not Be Used For Valuation Of Satyam : Modi

Satyam’s Market Price Can Not Be Used For Valuation Of Satyam : Modi

Industrialist B K Modi, whose Modi group is interested in acquiring Satyam Computer, said on Saturday that the stock market valuation could not be the basis for putting a reserve price for the sale of troubled IT firm. Asserting that only action could determine the sale price for Satyam, Modi said that stock market price could not be considered a benchmark in this case, as the market was not fully... [Read more]

Fraud Hit Satyam Keen On Buy Out By Strategic Investor

Fraud Hit Satyam Keen On Buy Out By Strategic Investor

The six-member Satyam Computer Services board is on a war-footing to find a strategic investor to buy out the fraud hit Indian software outsourcer, said Prem Chand Gupta, Corporate Affairs Minister, on the sidelines of a press conference on Sunday. “The board will carry out the bidding process in the most transparent manner and any company bid for Satyam subject to the proceedings being laid down... [Read more]

Satyam Stock Rises By 7%

Satyam Stock Rises By 7%

Post, Ramalinga Raju’s Satyam scam, the company is seeing some signs of solidarity and encouragement as stocks of Satyam rose by almost 7% on Monday. Though still at a miserable rate of Rs. 25.45, the Satyam stock rose by 7% as most of Satyam’s clients showed faith in Satyam and stated that all deliverables were delivered as per timelines and requirements. According to a stock exchange... [Read more]




source

7 comments:

Anonymous said...

Pretty portion of content. I simply stumbled upon your blog and in accession capital to assert that I get actually enjoyed
account your blog posts. Anyway I'll be subscribing for your augment or even I fulfillment you get admission to persistently rapidly.

Have a look at my blog: billige kinderschuhe online kaufen
my webpage :: Check This Out

Anonymous said...

Heya i am for the first time here. I came across this
board and I find It truly useful & it helped me out a lot.

I hope to give something back and aid others like you helped me.



Feel free to visit my web page; Mlm affiliate
Also see my web site - card consolidation credit debt free

Anonymous said...

I'm gone to say to my little brother, that he should also pay a visit this website on regular basis to take updated from most recent gossip.

My web site ... commercial checking

Anonymous said...

Keep this going please, great job!

My page; outlet store online shop

vvarun said...



tax filing We also offer Corporate Training to support your own in-house accountant, bookkeeper or computer accounting system. We can outsource accounting professionals.accounting outsourcing

Anonymous said...

like this replica gucci bags see this site review browse around this web-site click to find out more

Anonymous said...

kd 12
yeezy boost 350
curry 8
air jordan shoes
golden goose sneakers
bape sta
hermes birkin bag
moncler
curry 6
supreme clothing