February 3, 2026
Community Voice
.png)
Maturity models are widely used across industries to assess and improve organizational capability. In configuration management, as in many other disciplines, they promise structure, clarity, and a sense of progress. When used correctly, they can be powerful tools. When used poorly, they can become distractions that consume time, resources, and credibility.
At their core, maturity models are descriptive frameworks, not objectives in themselves. They describe observable behaviors and capabilities across staged levels, offering a way to identify strengths, weaknesses, and areas for improvement. Maturity models are designed to help organizations understand where they are today and what it would take to move toward a more reliable, predictable way of working.
Typical levels you will find in a maturity model:
Level 1: Initial
In corrective action mode, lack of consistency, regularity, or uniformity, deviating from what is ordinary or standard.
Level 2: Enlightened
Aware of the problem. The capability gap and business outcomes/value are defined. There is a plan to escape, and the plan is approved.
Level 3: Repeatable
The process is sufficiently documented that the same steps can be repeated.
Level 4: Predictable
The process is enacted consistently within defined limits across the company and within all product lifecycles. Stability achieved.
Level 5: Excellence
Out of corrective action mode. Improvements are robust. Continuously improving.
The problem with maturity models is not the levels; the problem begins when they are treated as targets rather than instruments.
One of the most persistent pitfalls in using maturity models is the assumption that higher maturity is always better. Organizations often start with the question, “What maturity level should we achieve?” instead of the more important one: “What problems are we trying to solve?”
Maturity levels only have meaning in relation to business outcomes. A higher level of process rigor may be essential in a safety-critical or highly regulated environment, while the same level of rigor may add cost and delay in a different context without delivering additional value. Maturity should therefore be selective, intentional, and justified.
In configuration management, this distinction is critical. CM exists to enable controlled change, protect the integrity of information, and reduce the cost of rework and errors. The appropriate level of maturity is the one that reliably supports those objectives: no more, and no less.
When organizations pursue maturity for its own sake, several predictable problems emerge. Documentation increases without value added. Compliance often falls short of enhancing outcomes. Teams may adhere to untrusted processes, while leadership depends on misleading metrics. This situation can lead to maturity being seen as a formality rather than a pathway to genuine effectiveness.
Interestingly, there is also a semi-serious Capability Immaturity Model. This model addresses the idea that organizations can fall short of even the lowest levels of maturity due to obstructive elements within. In addition to the traditional Capability Maturity Model levels, we can consider several additional levels:
Level 0: Negligent
The organization pretends to adopt processes but lacks the commitment to implement them effectively, often failing to produce any viable product.
Level −1: Obstructive
The organization rigidly enforces ineffective processes, prioritizing compliance over results, making actual product creation incidental.
Level −2: Contemptuous
The organization masks its ineffectiveness through misleading metrics and superficial certifications, while omitting essential components of recognized methods.
Level −3: Undermining
The organization actively sabotages or diverts resources from more effective groups to maintain its own position, harming overall progress.
For this article, I will leave it at that and focus solely on the maturity models.
When used properly, a maturity model functions as a decision-support tool to help answer questions such as:
These questions shift the focus from abstract levels to concrete needs. They also acknowledge that not every capability needs to operate at the same level of maturity. An organization may require highly disciplined change control for product definitions while accepting lighter controls in less critical areas. A single, uniform maturity target rarely makes sense across an enterprise.
This is where many maturity initiatives stall, particularly when they reach the point where enterprise-wide adoption and behavioral change are required. Advancing maturity beyond basic repeatability almost always demands strong governance, consistent decision-making, and visible senior leadership commitment. Without that, maturity models tend to remain theoretical.
CM2 is an enterprise configuration management framework that can support maturity improvement when used within a maturity model. The CM2-500 is a standard that provides requirements for good configuration management.
CM2 begins by defining what must be true for configuration management to function effectively. As a result, CM2 maps naturally to a maturity model. We can then assess each requirement for consistency, completeness, and effectiveness, providing a deeper, more insightful evaluation of capability than mere scores can. Instead of merely verifying the process exists, we must prioritize its impact and outcomes/value to ensure it delivers meaningful results.
This approach aligns well with standards such as SAE-EIA-649, which define what configuration management must achieve without prescribing how an organization must structure itself to do so. CM2 provides that prescription, but only when the organization is prepared to support it.
No maturity model, CM-focused or otherwise, can compensate for weak governance. Configuration management is inherently cross-functional. It touches engineering, manufacturing, supply chain, operations, and support. As a result, it cannot mature through local optimization alone.
Sustainable improvement requires clear ownership, decision authority, and consistent enforcement. It requires senior leaders to treat configuration management as a business capability rather than a nuisance. Without that commitment, maturity assessments tend to produce reports rather than drive change.
Like with any transformation, CM2 relies on active engagement and strong governance. The effectiveness of any system thrives on strong governance that resolves conflicts, upholds standards, and prioritizes overall value. When these elements are lacking, requirements can seem overwhelming. However, with the right structures in place, those same requirements often feel clear and intuitive in hindsight.
Successful organizations embrace maturity models with a practical mindset. They pinpoint the capabilities needed to reach their business goals and concentrate their efforts accordingly. Recognizing that maturity is not a straight path, they understand that various capabilities may align at different levels.
In configuration management, this often means focusing on essential elements such as closed-loop change management, identification, traceability, reliable baselines, and clear visibility into impacts before undertaking extensive optimization efforts. Once these foundational aspects are solidified, advancing to higher maturity levels can unlock even greater value. This approach reflects a thoughtful commitment to maturity models rather than a dismissal of them.
Maturity models are useful when they help organizations make better decisions about the problems they are trying to solve and how to do that in a meaningful progression. They become harmful when they become just another KPI to achieve. In configuration management, the goal is not to be “more mature,” but to be reliably effective in managing change and protecting information integrity.
CM2 offers a requirements-driven way to support that goal, provided the organization is willing to pair it with appropriate governance and senior leadership commitment. Without those, no model, however well designed, will deliver lasting value.
The real question is not where an organization sits on a maturity scale, but whether its configuration management capability is sufficient for the business it is trying to run. It’s not always about the final destination, but the journey of ‘What’ and ‘Why’ that is important.
Use code Martijn10 for 10% off training—and don’t forget to tell them Martijn sent you 😉.
Copyrights by the Institute for Process Excellence
This article was originally published on ipxhq.com & mdux.net.
Known by his blog moniker MDUX—Martijn is a leading voice in enterprise configuration management and product lifecycle strategy. With over two decades of experience, he blends technical depth with practical insight, championing CM2 principles to drive operational excellence across industries. Through his blog MDUX:The Future of CM, his newsletter, and contributions to platforms like IpX, Martijn has cultivated a vibrant community of professionals by demystifying complex topics like baselines, scalability, and traceability. His writing is known for its clarity, relevance, and ability to spark meaningful dialogue around the evolving role of configuration management in Industry 4.0.
