CERT-RMM Capability Appraisal FAQ
One of the features of the CERT Resilience Management Model (CERT-RMM) is the CERT-RMM capability appraisal for process improvement (CERT-RMM appraisal). The CERT-RMM appraisal is designed to objectively review an organization against the benchmark of the model's processes and practices. It can be used internally by an organization to improve its processes for managing operational resilience, or it can applied externally to determine the capability of a third-party organization. Either way, the appraisal provides a foundation for long-term process improvement.
What distinguishes a CERT-RMM appraisal?
Unlike assessments, audits, or evaluations in the security, business continuity, or IT domains, the CERT-RMM appraisal is designed to help an organization understand its level of capability through an examination of process maturity. In other words, the CERT-RMM appraisal determines not only whether an organization is doing the right things right now, but whether it is capable of sustaining an acceptable level of performance during times of stress and over the long run as risk environments continue to evolve and change. In contrast, most practice-based assessments focus on how well the organization meets the prescribed practice at a point in time, which fails to tell the organization whether it can sustain an adequate level of performance after the assessment is over.
Why should an organization have a CERT-RMM appraisal?
Managing operational resilience is a challenge because it involves managing operational risk in complex environments. Because of technology and other factors, these environments (and corresponding threats and vulnerabilities) are continuously changing. An organization must be prepared to not only address the events it knows about, but also unforeseen events that might occur in the future. By considering the organization's process capability and maturity, the CERT-RMM appraisal tells the organization how well it is prepared to manage a changing risk environment.
Why is it important for an organization to know its level of process capability and maturity?
Organizations with lower levels of process capability and maturity tend to do things in an ad-hoc way and to depend on heroics and fortunate circumstances. As process capability and maturity improves, the organization moves away from "getting lucky" to performing with an emphasis on predictable, repeatable, and consistent results. In other words, organizations with higher levels of process capability and maturity do things in a way that improves their potential for managing operational resilience regardless of the risk environment. Knowing the organization's current level of process capability and maturity is a way to determine where on this scale the organization fits.
What will an organization learn in a CERT-RMM appraisal?
The CERT-RMM appraisal provides the organization insight into
- the current state of its processes for managing operational resilience
- its process strengths and weaknesses
- opportunities for improvement relative to the CERT-RMM
- the potential value of improvements
- ways to prioritize improvement activities
What is the scope of a CERT-RMM appraisal?
Because CERT-RMM allows for appraisals of individual process areas, the scope of the appraisal involves determining
- which CERT-RMM process areas will be included in the appraisal—the model scope
- which parts or levels of the organization will be appraised (the enterprise, a line of business, one or more operating units, a specific project, etc.)—the organizational scope
Both the model and the organizational scopes are determined during an appraisal workshop activity that considers criteria such as the organization's objectives for performing the appraisal, process improvement objectives, the resilience strategy, the regulatory and compliance environment, and specific threats or risks that may be of concern.
What and who are involved in a CERT-RMM appraisal?
The appraisal is performed by SEI-authorized appraisers who have been trained in CERT-RMM and its appraisal methodology. How involved the organization's personnel will be in the appraisal depends on the appraisal's scope. The organization's personnel will assist in the appraisal by participating in interviews, supplying process artifacts (such as documents), facilitating process observations, analyzing findings, and drawing conclusions. Because the organization owns the appraisal results, they can be a valuable learning tool for those involved in the appraisal and responsible for process improvement.
What can an organization do with the results of a CERT-RMM appraisal?
In addition to using the results to improve processes and set performance targets, the results of a CERT-RMM appraisal can be used to convey the organization's competency for managing operational resilience. For the organization's customers, this may communicate confidence in creating a resilient partnership that can survive business and operational events. And as appraisals are performed throughout the organization's core industry, the appraisal results can be used to benchmark the organization's performance against peers.
How can an organization make a business case for investing in a CERT-RMM appraisal?
The organization's personnel will assist in the appraisal by participating in interviews, supplying process artifacts (such as documents), facilitating process observations, analyzing findings, and drawing conclusions. Because the organization owns the appraisal results, they can be a valuable learning tool for those involved in the appraisal and responsible for process improvement. In addition, improving processes can eliminate redundancies, streamline compliance activities, and increase efficiency in other ways. Some organizations may even be able to convince their insurers to reduce rates because of their demonstrated ability to manage risk. If the organization is a service provider to other organizations, the appraisal may help the organization increase its business and ability to secure contracts because it has an objective means of communicating its process capability and maturity with respect to resilience.
Are there other options for CERT-RMM appraisals?
Organizations new to the concept of model-based process improvement may find a less formal assessment activity to be more appropriate for determining where to start gap assessment and improvement activities. We have more lightweight and agile appraisal methods available upon request, depending on an organization's specific objective.
How does an organization initiate a CERT-RMM appraisal?
The SEI has authorized CERT-RMM appraisers who can work with you to establish an appraisal scope, perform the appraisal, and document and present appraisal results. They can even help you prioritize process improvement areas, develop action and implementation plans, and embark on an improvement process.
To learn more about CERT-RMM appraisals, become a licensed CERT-RMM appraiser, or arrange for a CERT Division appraiser to perform a CERT-RMM appraisal in your organization contact us.