An analysis of organisational immaturity

Published by Juan Mosso on

Assigned with the responsibility of designing and delivering a strategy for resolving (im)maturity issues for an information security services consulting company, having experience working with related management standards and best practices such like, my first actions were toward recognising some common operational symptoms of the problematic. Following, a high level analysis of some of root causes and symptoms of immaturity are presented.

Business case: An information security consulting services company

Due to the lack of organisational formal structure and organization, a key phase to support the effort involved the recognition of the different value chains involved in services delivery to give some initial structure to the analysis. While the activities linked to core business operational rapidly manifested themselves, many governance, management, and supporting activities remained unrecognised at a first glance.

From a management perspective, an inconsistent set of measuring and metrics as well as an incorrect framework for analysis and evaluation made the problematic even worst. While each of the value delivery links were clear from the operational perspective, none of the metrics were linked to them. Moreover, some of the measures constituted a subset of the company KPIs on which decisions were made.

Value link 1Value link 1Value link 1Value link 1Value support 1Value support 1
KPI 1xx
KPI 2xxx
KPI 3xx
KPI 4xxxx

The above matrix shows a gap between current operational practices (Value link columns) and current selected maturity KPI. Results show a poor link between value chain and management understanding of maturity. The gap is due to KPI have been selected from management informal activities, not straight from delivery value links.

Some key findings in trying to explain immaturity’s root causes

Complexity and uncertainty are the best way to describe current businesses. At the heart of current limitations regarding maturity strategies is the lack of proper organisation, resources, structure, and policies. In practical terms, there are not enough management instruments orienting the creation of an objective basis for judging service quality and benchmarking against desired objectives and expectations. The result is service maturity being difficult to measure, track and predict.

Some immaturity root causes

Following, a set of common issues with the potential to negatively affect maturity. In general, these problems tend to be related with organisation culture and so tend to be systemic. Despite their apparent complexity, it is not unusual for them to be linked to only a few root causes. Some key problems linked to immaturity are:

  • Not recognising the problem: Due to the complexity and high-throughput dynamics of current service-oriented business models, it is not unusual for management to focus efforts on operations and forget about management or supporting resources. It is particularly dangerous when, even knowing about the necessity of management, managers decide to ignore the requirements.
  • Skills: Different organisational development phases require diverse sets of skills that allows a company going from point A to point B. As it is in life, there may be individuals that simply lack the experience or skills necessary to support organizational maturity.
  • Lack of specialization: In current service companies, especially in information security consulting business where new challenges arise on a daily basis not only from threats but also form legal and regulatory frameworks, employees are asked to do different things all the time. This ever going change on context has a profound impact on many different domains related to good performance. People need time to focus on the tasks and to grow on their skills and desired career plans.
  • Inexperience. Organizational maturity is akin to actual maturity – there may be individuals that simply do not have the experience or skills necessary to operate at the organization’s current level.
  • Wrong processes: As a company needs to deliver outcomes faster and faster, procedures tend to get informal. In worst case scenarios, the lack of processes forces each employee doing things his own way!

While four of the five causes of immaturity can be tied to the human factor, processes, or the lack of them are at the core of organisation immaturity. Key maturity and management standards help identify some of the main causes of immaturity due to processes:

  • Governance: Lacking a clear strategy and policies with guiding principles towards well established quality practices.
  • Management:
    • Although organization believe in following defined procedures, it is not always so clear for team members What to do? and How to do it?
    • Neither roles nor responsibilities are defined, it is not so clear how to assign tasks
    • Working on inappropriate measuring schemes for effectiveness (KPI), (e.g., measures of activity instead of measures of productivity)
  • Process informality:
    • Processes neither planned nor well designed,
    • Processes improvised by team members during tasks (best-effort background),
    • Informal processes are inconsistent with desired outcomes
  • Operations:
    • Even if a process has been planned, it is not rigorously followed,
    • No shared criteria within processes for service delivery,
    • No shared criteria within processes to support decision making,

Some immaturity symptoms

  • Team members are too busy: Beyond the expected ones, there are many unplanned, undesired tasks requiring time and energy happening at multiple levels. It tends not to be a “good busy”, not a day goes by without some task or issue emerging somewhere.
  • Too many meetings: It is frequent for team members to meet more when things are beyond control or in the worst case, when things start breaking and falling. Ironically, these unproductive efforts end up resolving less.
  • Management gets tactical: Immature organizations tend to focus on short-term efforts leaving aside time to look ahead. By not looking ahead, organisations limit their ability for finding solutions, it gets a vicious cycle. Here is where strategic planning and delivery is key.
  • Aversion to change: Due to the different root causes identified adopting change is often extremely difficult, despite it is recognised as necessary.
  • Inefficient initiatives and efforts: It is common to see people not really understanding some of the proposed initiatives and it is even more frequent for team members doing the same thing once and again, and/or to have critical issues affecting them daily.
  • Outcomes quality: It is common in immature organisations to find team members not feeling so happy with the quality of their outcomes (best-effort dynamic).

What to do?

To start with, maturity is a governance and management issue. Not being able to create a clear north to follow nor to define a clear strategy and policies is the first thing to work on. Beyond big decisions, looking in the right place by deeply understanding immaturity root causes is key for success in any organisation. Any effort towards being more mature starts with a good diagnose and planning. For example, in some cases in information security consultancy services, it is common for customers to blame consultants for the poor outcome quality when the real problem could have been created upstream (i.e., Have enough efforts been made to create a high-quality consultancy team?). Thus, honesty is a key value to look for and discover issues affecting the organisation maturity

Conclusion

To sum up, maturing involves a high degree of understanding regarding weaknesses are strengths which tends to be hard to see if not enough time and resources are dedicated to the cause. Knowing and recognising you have a problem is the first and tough step towards improvement, and you may be there now. The next step is to take a hard and honest look at your organisation to try to analyse and evaluate weaknesses are strengths by recognising and engaging talented and capable staff, in terms of experience and skills, in the initiative and assigning them enough power and resources.

Credits

The be able to identify core limitations in the determination of maturity in the organization, the following standards and best-practices have been considered:

  • ISO 9001
  • The Capability Maturity Model (CMM)   
  • CMMI maturity
  • The Enterprise Architecture Assessment Framework (EAAF)        
  • People Capability Maturity Model (People CMM, PCMM, P-CMM)             
  • The Service Integration Maturity Model (SIMM)
  • The Open Group Service Integration Maturity Model (OSIMM) Version 2           
  • ISO 20000
  • ITIL (maturity)
  • ISO/IEC 15504-7
Categories: GovernanceManagementResearch
Tags:

0 Comments

Leave a Reply

Avatar placeholder

Related Posts

Information Security Operations Policy Red Teams Research

Red teaming for lifeline infrastructures

From supporting societies’ most basic human needs to enabling its most ambitious endeavors in commerce, science, and technology, lifeline services and critical infrastructures underpin modern civilization’s well-being and development. Without them, it would not be Read more…

Governance Management Privacy

An advice to technology C-Class, a matter of double responsibility.

The COVID-19 pandemic allows governments to employ “extraordinary measures” in favour of the public good, measure that could have significant effects in information policies (Cornelius, 2010). Government agencies around the world, along with private companies, are Read more…

Analysis Management Research Servoces Value

Enterprise Service Model Canvas (ESMC)

I developed the Corporate Service Model Canvas (ESMC) to help address some major issues linked to the lack of maturity recognised in relation to both how to define services and innovate on new value proposals. Read more…