Going as far back as 2002, I was imploring ISO to adopt a modular system of “plug-in” standards that would allow for the adoption of a “maturity model” concept. My vision suggested ISO adopt the best of the then-nascent Capability Maturity Model Integration (CMMI) which had just recently evolved from its prior incarnation, the Capability Maturity Model. CMMI was aimed largely at software developers and IT service companies, but the writing was on the wall: the CMMI Institute wouldn’t sit back for too long and let entire industries — like manufacturing — go unnoticed. I suggested ISO get in front of that train.

My plan would have a single common management system standard apply to every type of management system, with “common core text” for the shared concepts such as management review, document control, record control, etc. From that, “module standards” could be developed to plug on top of the common core standard, such as a quality module (ISO 9001), environmental module (ISO 14001), etc. By doing so, companies could have truly integrated management systems, and could add new modules as they saw fit, without touching the common core requirements. It would be easier to develop, cheaper to implement, and easier to audit.

ISO rejected this idea, but then later the concept of “common core text” appeared in the much-loathed Annex SL (now “Annex L”), which ISO bungled entirely. I may have inspired a portion of Annex SL, but only because they did a poor job of ripping off my original concept, rather than engage me directly on how to implement it. I now want nothing to do with Annex L.

The second part of my plan, however, was to create a tiered system of both standards and certifications. The lowest tier — the easiest to obtain — could be adopted by companies with relatively new or immature management systems. They would adopt the entirety of the common core text, and then each “module” would have three levels. The quality module (ISO 9001) would have some easy requirements such as inspections, tests, calibrations, etc. at Tier 1, similar to the old MIL-Q-9858. The Tier 2 module would add more advanced concepts such as preventive action, management review, internal audits, etc. — this would be closer to what we now know as ISO 9001. A final Tier 3 would adopt some of the excellence model requirements of Baldrige and CMMI, and be very difficult to obtain; unlike Baldrige, however, it wouldn’t be an annual contest with only one winner.

Original slide from 2002 Oxebridge presentation urging ISO to adopt a “Management Maturity Model” (M3) schema for its standards.

The similar three-tier structure would be used to break up ISO 14001 and other management system standards, too.

Companies could thus enter into ISO 9001 (or whatever standard) at the level they felt most comfortable. Customers could also mandate the level of maturity they wanted from their ISO 9001 certified suppliers, depending on risk. Boeing might, for example, demand that a distributor of non-critical parts only obtain ISO 9001 Tier 1, while a manufacturer of its flight hardware be ISO 9001 Tier 2.

A system of simple logos would be used so that companies clearly advertised what modules, at what levels, they were certified to.

I even formed a company at one point — The Management Maturity Model (M3) Development Council — to try and lobby ISO to take on this concept.

ISO rejected this idea for two reasons: first, it sounded unwieldy, and would have forced ISO to rethink how it developed and published standards. Not really — they’d still do everything the same way, just split standards into different “chapters” for different tiers — but in those days, they were still struggling to get ISO 9001 and ISO 14001 “aligned.”

The second reason was that the folks at ISO couldn’t wrap their head around the idea; it was way too complicated for their simple minds. They knew nothing of CMMI, and became confused whenever the subject came up. Throwing in modularization at the same time as suggesting a “maturity model” caused them to explode. These are not smart people, and any idea that comes from outside of their insulated echo chamber gets automatically rejected, even if it could earn them a fortune.

I remember giving a presentation on “M3” to the US TAG 176, speaking directly to Paul Palmes who would later become Chair of that group. Palmes and the others simply didn’t get it, and they knew nothing about CMMI nor grasped the concept of a maturity model. They sniffed and dismissed the suggestion as something alien, and went on to accomplish exactly nothing thereafter. Palmes would later write a book about Annex SL, which was created by other people, rather than have the foresight to actually create something himself. He quit after only one term as Chair.

The idea fell flat with the usual ISO gods as well, including the ever-present Charles Corrie. He was also totally baffled by the maturity model idea, and ran to the usual excuse of “we can’t communicate with parties outside of ISO official channels” to reject the idea. I pitched it to Nigel Croft, too, albeit in truncated form, and never heard back on the subject.

Instead, some “maturity” language was added to ISO 9004, which no one reads and isn’t linked to any certification scheme. At one meeting where I raised CMMI as a competitor, the US TAG instead voted to create an “ISO 9001 / CMMI Crosswalk Document.” It took them four years to write the thing, and I quit after the first meeting.

Chickens Circling, Sharks Come Home to Roost

So now the sharks are circling. As CMMI grows in popularity and the CMMI Institute flexes its muscles to expand its already-healthy foundation to include manufacturing and aerospace, the usual suspects are panicking. Certification Bodies and Accreditation Bodies are wondering how they can get in on the CMMI gravy train and, of course, they can’t: CMMI has a monopoly, and they weren’t invited.

So the ABs and CBs will do what they usually do, and try to make their own gravy train. (Remember what ANAB did to create the bullshit “SN9001” scheme for snow plow operators?)

Now comes word that the IAQG — which is already posturing to take over as either a single accreditation body or certification body (or both) in the AS9100 scheme — is working on “AIMM” for the Aerospace Improvement Maturity Model. This will, of course, be yet another thing that Boeing forces on its suppliers while ignoring itself, even as it crashes airplanes because it designs flight software that engages in to-the-death arm wrestling with pilots.

IAQG’s AIMM intends to include “assessment criteria,” so you know there will be certifications — lots of them — and because it’s a maturity model, that means they will be (coff) “tiered.”

Just like I told them back in 2002.

The CBs and ABs probably think they are going to get a piece of that pie, but why would they? Why would IAQG — who already controls all their data through OASIS — hand over a newly minted money printing machine to ANAB or UKAS and their attendant gangs of auditors? No, AIMM will be assessed and managed by IAQG, and ANAB is going to be shunned.

But it’s not just aerospace. The US Federal Government has just figured out that its own efforts at ensuring cybersecurity, and those it has offloaded to those endless ISO 27001 registrars, haven’t worked, so now they want in on the maturity model craze, too. The Office of the Under Secretary of Defense for Acquisition and Sustainment is launching a new program called the Cybersecurity Maturity Model Certification (CMMC) scheme, which will apparently rate defense contractors on their level of cybersecurity protections, etc. They claim they want these certifications to be “cost-effective and affordable for small businesses,” which runs counter to most maturity model certification programs (they’re ghastly expensive). Given the lack of success the government has had getting small companies to comply with ITAR or NIST 800, this doesn’t seem likely to succeed.

Absent from the discussion is, of course, ISO. In fact, the DoD isn’t even inviting the usual AB/CB players, apparently, saying only that “the intent is for certified independent 3rd party organizations to conduct audits and inform risk.” Whether ANAB — which is already a DoD contractor — is involved in this scheme is yet to be seen, but my spider-sense says no.

But wait, there’s more. The Association of Records Managers and Administrators (ARMA) has launched the “Information Governance Maturity Model” (IGMM) to rank a company’s maturity related to records management. The Association of Corporate Counsel (ACC) has likewise announced the “Legal Operations Maturity Model” (LOMM). The market is flooding: there is a “Learning Business Maturity Model,” a “Digital Accessibility Maturity Model,” and many more.

And, of course, the automotive industry is working on their own, although at this point it’s deeply buried in committee.

Again, ISO isn’t part of any of these. Not one.

ISO’s absence at the table of so many new maturity model certification schemes surrounding standards that ISO will never have publishing rights for is damning, as well as a major drag on its already dwindling revenue. Especially since ISO was invited to this table — by me — over fifteen years ago.

They really have no excuse for what’s coming.



About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.