Process Maturity—in the previous post we defined it as “the degree in which a process meets the value creation needs of its customers.”
Let me clarify in more depth the difference between IT process compliance and IT process maturity.
The Difference between Compliance and Maturity
Think of the IT department in a leading banking corporation. They are perhaps the type of organization (other than government or military) with the highest requirements for compliance to the standards that regulate them, either being enforced by an external body or internally adopted in order to be competitive in the industry. Banks deal with money and detailed personal information of their customers, so the impact of them loosing information or any other sensitive asset is higher than for, for example, a retail organization. And the gatekeepers of these assets in the digital era is, of course, IT.
So the bank (their IT) will have many standards and rules to follow, which will move them to a compliant environment, where everything looks (or seems to look) as it is supposed to be. But does this mean that the practices implemented, which are normally organized in processes, are mature? Not necessarily.
What Does IT Compliance Look Like?
Just as in the example mentioned above. People follow rules and there is a checklist that has a lot of marks on it, demonstrating that the practices that should be followed are followed. Of course there is evidence that these requirements are met. But what is missing here? Let me give you now an example of process maturity.
What Does IT Maturity Look Like?
Now think of a medium size retail corporation that is relatively new and is competing against the giants in the industry. They strive for excellence, and have done a good job positioning themselves in the market, yet they have much to do. They are strongly focused on online sales, since they know this is the future of their business, and they have implemented processes based on different IT Service Management frameworks and standards, which they are adapting to their needs. The organization overall knows the importance of these processes, and they don’t ignore how critical the role of IT is for business success.
Therefore, the business managers regularly meet with the IT managers to discuss how the strategy of IT can support the strategy of the business, and how IT can enable the different business functions. The focus is not on the processes they have, or on demonstrating compliance to some kind of regulation. The focus is on managing the services that IT provides to the business in the best way possible in order to meet the end customers' needs and expectations.
IT has quality and innovation as a top priority, and they have a strong measurement framework that gives both IT and business areas a clear picture of the current situation of their services, and even trends. The people working in IT are well trained on the processes they have adopted and they have developed a culture of communication, customer service and focus on service and value.
How Does the Outcome of Maturity Differ from the Outcome of Compliance?
You may say: Well, I bet that in the bank they have much of that same environment as in the retail store. That’s possible; but what drives the bank is compliance—what they have in place are controls which naturally force the organization to work in a more mature way. (That’s possibly one of the reasons why banks commonly have high-performing mature IT organizations.) But what if they didn’t have all those regulations? What if they could do it their own way?
The retail corporation in the example doesn’t have all those requirements, and they are not forced to comply with a complete set of practices from a framework or standard. They do what they do because they are committed to quality and value creation, and they believe that IT is critical for the success of the business.
So what will their outcome look like? The bank will certainly be ready to go through an audit and get an ISO certification or some other kind of badge that will prove their compliance to the relevant regulation, hence they can assure to some level that their customers’ needs for value creation (remember the definition of maturity?) are met.
The retail organization, on the other hand, will not be as compliant to a specific regulation as the bank, because they don’t need it! They have mature processes; they use what they need and they manage it in a way that they get the highest value out of every single best practice they adopt. Probably they don’t work as hard as the bank, because they are obviously a smaller organization with less resources, but their services deliver as much value to their customers as the services of the banking corporation's IT, which will allow them to rapidly position themselves in the first places among their competitors.
Should an Organization Pursue IT Compliance or IT Maturity?
So now the question is: What’s better then, being compliant or being mature? Well, if you try to be compliant, unless you are a very big and organized company similar to that of a bank, being compliant to a full standard or best practice framework will be exhaustive. It will take a long time to meet all the requirements in the list, and you will end up doing things that are of little value to your organization and your customers, just for the sake of being compliant.
If you focus on being mature instead, you will just use what your organization needs, and you will get the highest value of the practices you adopt, because you have the right focus, and your IT processes successfully support the business goals and you will be able to demonstrate that. All this, without having to comply with the full set of items on a checklist.
Are all Compliant IT Organizations Mature?
Most of them, but not all. There are many compliant IT organizations that spend too much time and effort (which is money for the business) working on fulfilling requirements that are of little or no value for their customers. They normally tend to be process-driven, instead of service or value-driven.
Are all Mature IT Organizations Compliant?
Not necessarily. A mature IT organization is just as compliant as it has to be in order to deliver the highest value to their customers. They are driven by value and focus on managing their services through the processes they have implemented based on the frameworks and standards that make more sense to them.
How would you describe your IT organization in terms of compliance and maturity? Which one is it primarily focused on?