Capability Maturity Models
A Capability Maturity Model, or just “maturity model” for short, addresses a common organizational challenge that many business functions, including security, face: how to move from an initial, less-established state to a more stable, well-established state (with no backsliding) that includes ongoing improvement. The concept of a Capability Maturity Model (CMM) was developed at Carnegie Mellon University’s Software Engineering Institute (SEI), funded by the U.S. Air Force, in response to the Air Force’s need to assess whether companies developing critical defense systems could consistently deliver a product of acceptable quality on schedule.
Capability maturity models are collections of best practices that help organizations improve their processes. The SEI has taken the process management premise, “the quality of a system or product is highly influenced by the quality of the process used to develop and maintain it,” and has defined CMMs that embody this premise, beginning with a CMM for software development. Since then, several additional CMMs have been developed by the SEI, and several dozen have been developed by other organizations for various domains including architecture, human resources, information security, construction and project management.
The purpose of a maturity model is not to guide your actions (i.e. provide step-by-step instructions), but to guide your thinking in a way that leads to actionable ideas for stable improvement.
Supply Chain Risk Management Maturity Model
Figures 1 and 2 (on page 22) depict the basic elements of the Supply Chain Risk Management Maturity Model: the maturity levels and the key process areas. The maturity levels provide a stepping-stone path to achieving higher supply chain security and resilience, with a resulting higher level of economic viability for your company.
The maturity levels (described below) are general enough to apply to any company, yet specific enough that any company’s position can be clearly identified. Instead of defining specific processes, maturity models identify key process areas to be addressed using processes refined, defined or developed as appropriate for the specific business.
Level 1 — Pre-compliant: Pre-compliant companies are not yet meeting C-TPAT security or other compliance criteria, nor have they established supply chain security prevention or response standards or practices. In some cases, limited prevention measures such as personnel checks and freight protection practices are in place. The firm’s economic viability is at risk. The probability of a business disruption is high, as is the likely impact — and these firms are less competitive than their C-TPAT-compliant rivals.
Level 2 — Compliant: C-TPAT-compliant companies carry out security or other mitigation measures as a response to externally imposed regulations. Aside from being compliant, companies at this level are primarily reactive and see security as a cost of doing business. There is a lower risk of compliance violation, but still high probability and impact of disruptions. These firms may enjoy C-TPAT benefits of lower inspections and shorter border delays, but they are not leveraging their security investment.
Level 3 — Secure: Secure companies see externally imposed security standards as inadequate, and have instituted a more rigorous approach to protect the brand, employees, physical assets and shareholders. At this level, the focus is on preventing a disruption from occurring. Security is seen as part of the business model. These firms are leveraging their C-TPAT investments and are working with suppliers and customers to understand the system risks and vulnerabilities; however, the impact of a disruption is still high.
Level 4 — Resilient: Resilient companies see risk management as an element of a business strategy that changes the way the enterprise operates and increases competitiveness. Recognizing that disruptions are not entirely preventable leads to additional focus on rebounding quickly from incidents. The company adds flexibility and, where necessary, redundancy in the supply chain to detect and respond proactively to potential risks and crises. These firms have reduced their risk of non-compliance, are less prone to security breaches and have mitigated the consequences of disruptions. They are leveraging their security investments, and security plays an integral role in serving the business purpose. As such, these firms have prepared themselves for ultimate economic viability.
Using the Maturity Model
Using the maturity levels, you can identify your supply chain’s current level of maturity. No organization’s supply chain is 100 percent at a single level. Usually, some processes are at a higher or lower level of maturity than others; however, a general determination can be made as to which maturity level best represents the overall state of supply chain security.
One way to use the maturity model is to identify the gap between the current maturity level and the next level up, for each key process area. For example, this could mean identifying what must be accomplished to move from the Pre-compliant to the Compliant level.
However, it is important to note that the maturity model is not intended to restrict or limit process improvement to “the next level up” if a critical process belongs at a high maturity level — regardless of the levels of other processes. The value of the model in such an instance is that it provides a perspective from which to understand the relative state of specific processes in relation to others. This prompts consideration of related or supporting processes that may also need to be advanced. Without such a framework for thinking, capability gaps (and the vulnerabilities that accompany them) could remain unseen.
The 2002 West Coast port labor dispute is an example of the economic impact of widespread supply chain delays. While the dispute remained unresolved, cargo ships lined up in the Pacific for as far as the eye could see, unable to offload their goods. The resulting impact to American companies has been estimated to have reached $2 billion a day.
Barry Brandman is president of Danbee Investigations (www.danbeeinv.com), a Midland Park, N.J., company that provides investigative, loss prevention and security consulting services to many of the top names in the logistics industry. He is the author of “Security Best Practices: Protecting Your Distribution Center From Inventory Theft, Fraud, Substance Abuse, Cybercrime and Terrorism.” Danbee’s clients have found that implementing supply chain security — and particularly C-TPAT compliance — has significant financial benefits.
“Many of America’s largest importers have embraced the C-TPAT program and strengthened their supply chain security,” Brandman says. “Not only has this reduced their exposure to smuggling and cargo theft (itself a multi-billion dollar problem annually), but most C-TPAT-certified companies have also reaped significant financial benefits. To begin with, their risk of shipment delays caused by security inspections has dropped drastically. In addition, their participation in C-TPAT makes them eligible for expedited clearance via Customs’ FAST (Free and Secure Trade) program at the Mexican and Canadian borders, and has given them added leverage in negotiating insurance premiums.”
If you haven’t already done so, take a look at the maturity levels in Figure 1 and assess where your supply chain security program currently stands. It shouldn’t take more than a minute or two. Armed with that assessment, what thoughts do you have now about improving the state of your company’s supply chain security?
Ray Bernard, PSP, CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS, www.go-rbcs.com), providing security consulting services for public and private facilities. For the rest of Mr. Bernard’s bio, please see Convergence Q&A on page 14.
William Tenney is Group Manager of Global Security at Target Corp. He can be reached at William.Tenney@target.com