In my previous posts in the Digital Accessibility Maturity Model (DAMM) Series I introduced DAMM, its 10 core dimensions, and the five levels of maturity each dimension can be measured against. This post will discuss in more detail DAMM Dimension #1 – Governance, Risk Management, and Compliance (GRC) – including the related Aspects and Artifacts, and what each of the 5 maturity levels look like for this dimension.
The implementation of a well-defined GRC program defines the extent to which accessibility implementations are actively evaluated, monitored, and validated in the component lifecycle.
The degree of design and operational implementation of an accessibility program’s governance model. This includes:
- Definition of the core governance model, including sponsorship and establishing working groups;
- Approach as well as operational conformance to the core governance model;
- Documentation of operationalization of the core governance model; and
- Executive accessibility program support, which includes:
- Obtaining and maintaining a Level 5 maturity rating requires CEO or appointee level support.
- To achieve a higher level of maturity, a higher level of executive sponsorship is required:
- A Level 3 maturity rating can be obtained with support at the VP level.
- A Level 4 maturity rating requires some “C level” support.
- LoB accessibility program support:
- Support for the accessibility Passive Line of Business (LoB) governance support by the Accessibility Program Office.
- Active LoB governance includes submission of accessibility records to Accessibility Program Office.
- Active central governance and required checkpoints and Independent Verification and Validation (IVV) for programs.
The presence and degree of development of an ICT accessibility risk model. This is a measure of the maturity of identifying and prioritizing risks from inaccessible systems currently in place, or being put into production. Risk management includes three primary dimensions:
- Systemic – Management of risk and prioritization of activities across all organizational ICT. This includes measuring the relative risk of assets, classifying asset risk levels and prioritizing accessibility efforts based on risk level of assets.
- Asset – Management of risk and prioritization of activities within specific organizational assets. This focuses on determining the specific portions of the asset that face the highest risk (e.g. public facing components) and then prioritizing those items for remediation or replacement.
- Requirements – Management of risk and prioritization of activities at the level of specific accessibility requirements and best practices. This focuses on determining which specific accessibility requirements should be fixed and the relative timing of those fixes as compared against other development priorities.
A comprehensive, interdisciplinary program which addresses the maturity of the following areas:
- Implementing written policies, procedures and standards of conduct. This will be described in detail in the Policies and Standards Dimension;
- Organizational Ownership, including designating a compliance officer and compliance committee and establishing an Accessibility Program Office – The degree to which the ownership and executive sponsorship of the accessibility program is defined and operationally implemented. This includes having a clear and appropriate location, staffing, and visibility for the Accessibility Program Office and executive sponsorship of the program. This is described in detail in this dimension;
- Conducting effective training and education. This will be described in detail in the Training Dimension;
- Developing and utilizing effective lines of communication. This will be described in detail in the Communications Dimension;
- Enforcing standards through well-publicized guidelines. This is a joint project between the Communications and the Policies and Standards Dimension;
- The maturity of a monitoring program for compliance with the accessibility policy. This is described in detail in this dimension; and
- A dispute resolution process for responding promptly to detected offenses. This is a joint project between the Communications and the Policies and Standards Dimension.
Additional compliance components include the following processes throughout the seven elements defined above:
- Reporting – The maturity of the accessibility policy compliance reporting generation, distribution, and action item process. This includes defining and capturing metrics that define the level of accessibility for specific systems. Expected reporting includes:
- Organization level reporting on the overall conformance status of the ICT against the accessibility policy;
- System level reporting on the level of compliance of specific ICT;
- Requirement level reporting to direct the efforts of specific development teams; and
- Reporting on the status of the following items:
- Remediation plan implementation;
- Corrective Action Plan execution; and
- Alternative Format creation and distribution.
- Recordkeeping – The level of maturity of an organization in keeping records on the implementation of accessibility throughout all DAMM dimensions.
- Organization Chart – Clearly defined organization chart defining where Accessibility Program Office is housed.
- Accessibility Monitoring Plan – A monitoring plan for tracking accessibility implementations.
- Accessibility Program Roles and Responsibilities – The definition of the roles and responsibilities of the Accessibility Program Office.
- Accessibility Compliance Plan – The plan for measuring and enforcing compliance with the Accessibility Policy and Accessibility Standards for all ICT.
- Accessibility Project Management Plan – The plan for rolling out the accessibility compliance program, risk management plan, and governance plan
- Risk Prioritization Model – A well-defined, organization-wide prioritization model covering ICT specific risks and the prioritization of accessibility remediation plans.
- Accessibility Coverage Questionnaire – Questionnaire for determining a piece of ICT’s level of accessibility. The completed questionnaire is used to determine the risk associated with inaccessible ICT, and inform the RoI for the cost of accessibility implementation.
Level 1 – Initial
- There is no accessibility organizational ownership or executive sponsorship.
- There are minimal governance, risk management, or compliance processes in place.
- Independent, reactive silos respond to accessibility in the organization.
- No clear work has been done to implement organization wide governance or risk management models.
- There is poor organizational understanding of disability related legal requirements / issues.
Level 2 – Managed
- An organizational unit that owns accessibility has been defined.
- Core governance and risk management artifacts have been defined and published.
- Governance processes for enforcing standards, development lifecycle are documented.
- Non-compliance and escalation routes documented, including steps for recording, managing and monitoring remediation.
- Risk management processes are documented, stakeholders are identified, roles and responsibilities are specified.
- There is minimal actual governance with non-compliant systems and deployed projects.
- Accessibility policy is signed off on and reviewed at a senior level in the organization.
Level 3 – Defined
- Active governance, risk management, and compliance models are in place and are being conformed to on an ongoing basis.
- The organizational unit that owns accessibility is well defined and points where they should be consulted with are widely known.
- Commitment to accessibility from the organization’s “C level”.
- Senior management is actively engaged in overseeing the delivery of accessible ICT.
- An accessibility executive sponsor has been identified.
- Consistent, documented processes have been operationalized — records / examples of decisions, action logs, Corrective Action Plans (CAPs), approvals, issue resolutions, non-compliance management, root cause analysis, escalations, etc.
- Accessibility standards staff regularly consulted e.g. by project staff, program management, legal, etc.
- A public commitment has been made by senior management to comply with accessibility standards.
- Specific accessibility targets have been included in published product and project roadmaps.
- There is a specific, named manager for the Accessibility Program Office.
- The Accessibility Program Office has an appropriate set of specialized staff to allow successful delivery of the organizational accessibility mission.
- The organization has established periodic automated self-audits to monitor accessibility compliance.
Level 4 – Quantitatively Managed
- Organizational units that own accessibility have active monitoring programs, and are held accountable when accessibility is not properly implemented.
- The Accessibility Program Office has well defined success metrics defining an appropriate target level of accessibility and organizational authority to ensure business units achieve those targets.
- Processes operationalized at all organization levels, refined where necessary e.g. new systems and system changes, small change and major releases, infrastructure upgrades plus staff / customer facing systems, telecoms, office tools, content, etc.
- Clear examples and success stories from new systems being built in an accessible fashion.
- Records / examples of changes to shared ICT, HR and other business unit processes resulting from user consultation / involvement results.
- Integration and coordination between all components of an organization engaged in implementing and delivering accessibility.
- A well-defined governance process mandates and enforces the accessibility policy throughout the organization.
- There is active reporting against business objectives, leading to data analysis that be performed from the organizational and product levels down to the individual level.
- There are records / examples of active monitoring leading to:
- Clear assessment of adherence to standards;
- Compliance rating of ICT accessibility and usability;
- ICT accessibility trends;
- Continuous process improvement cycles focusing on standards, processes etc. derived from lessons learned; and
- Review of user consultation / involvement results e.g. satisfaction surveys and subsequent action(s).
Level 5 – Optimizing
- All new projects always have accessibility built in.
- Organizational components that own accessibility are actively managed, and their organizational mandate and scope is updated as on the ground accessibility of systems and issues dictate.
- The Accessibility Program Office conducts routine post sprint and release accessibility retrospectives with teams to define what worked, what didn’t and update all organizational components accordingly.
- The organization is active in public accessibility forums and is recognized as and learning from other thought leaders it its industry.
- Influencer / early adopter of new standards
In my next post I’ll discuss Dimension #2 of DAMM – Communications – which encompasses all public facing communication activities relating to an organization’s digital accessibility program.