PERFORMANCE MANAGEMENT AND PROMOTION FRAMEWORK

Evaluation Cadence · Calibration · Promotion Process · Documentation Standards


Document ID CERG-GOV-PERF-001
Version 1.0
Status Approved
Classification Public
Owner Governance Pillar Leader (Policy & Standards)
Parent Policy CERG-POL-001 - Cybersecurity Policy
Supporting Documents CERG-GOV-JA-001 · CERG-GOV-CMP-001 · CERG-GOV-JD-001 · CERG-GOV-OM-001 · CERG-GOV-SUCC-001 · CERG-GOV-TRN-001
Review Cycle Annual / On any change to grade definitions or organizational structure
Frameworks NIST CSF 2.0 (GOVERN) · ISO/IEC 27001 A.7.2
Regulations Cross-cutting
Environments Program-wide

Table of Contents

  1. Purpose and Scope
  2. Design Principles
  3. Performance Management Cadence
  4. Evaluation Dimensions
  5. The Performance Conversation
  6. Calibration Process
  7. Promotion Process
  8. Performance Improvement Process
  9. Documentation Standards
  10. Integration with Other CERG Instruments
  11. Document Control

1. Purpose and Scope

The Job Architecture and Grade Framework (CERG-GOV-JA-001) defines the grade structure. The Competency Model (CERG-GOV-CMP-001) defines what good looks like at each grade. What neither defines is the mechanism: how a manager evaluates performance, how often, with what documentation, and how that evaluation leads to a promotion decision that is consistent across pillars.

This document defines that mechanism. It establishes the performance management cadence, the evaluation dimensions, the calibration process that prevents pillar-to-pillar inconsistency, the promotion process from initiation through approval, and the documentation standard that makes every decision defensible. It is designed to be lightweight enough for a 5-person CERG team and rigorous enough for a 60-person organization facing a regulatory audit of its personnel practices.

It applies to every CERG team member, manager, and pillar leader. It does not apply to the CISO, whose performance management is governed by the executive evaluation framework of the organization, or to Adjacent Incident Response roles, which belong to the standing IR team.

A Grade Framework Without a Performance Framework Is a Parking Lot

JA-001 says “progression is earned, not tenured.” That sentence is aspirational until there is a defined mechanism for evaluating whether it has been earned, a consistent process for making the judgment, and documentation that survives the departure of the manager who made it. This document is that mechanism.


2. Design Principles

  1. Evaluate against defined expectations, not against peers. A person’s performance is measured against the grade-level expectations in JA-001 §4-5 and the competency anchors in CMP-001. It is not measured against the highest-performing person at the same grade.

  2. Calibration prevents drift. Two managers evaluating the same person against the same criteria should reach similar conclusions. The calibration process exists to make that true.

  3. Promotion is a decision, not an event. A promotion is the conclusion of a sustained demonstration of capability at the next level. It is not a reward for tenure, a retention counter-offer, or a response to an external offer.

  4. Documentation is evidence, not bureaucracy. The performance record exists so that a decision can be explained to the person, to a calibration panel, to HR, and to a regulator or auditor if challenged. It should be thorough enough to survive those audiences and no longer.

  5. Scales without breaking. A 5-person CERG with no Managers and a 60-person CERG with a full management hierarchy both use the same framework. The forms are the same; the number of people in the calibration room changes.


3. Performance Management Cadence

3.1 The Annual Cycle

CERG performance management runs on a semi-annual cycle aligned to the CERG operating rhythm. This is twice as frequent as typical corporate annual review cycles because cybersecurity team members operate in a field where six months is a material span: a Detection Engineer can demonstrate a full cycle of rule authorship, tuning, and measurement in that time; a Cloud Security Engineer can take several projects from intake to go-live.

| Event | Timing | Participants | Output |
|---|---|---|---|
| Mid-Year Review | June (aligns with Q2 CISO Risk & Posture Review) | Manager + team member | Mid-year performance summary; development plan update |
| Year-End Review | December (aligns with Q4 CISO Risk & Posture Review) | Manager + team member | Annual performance summary; promotion nomination if applicable |
| Calibration Session | Within 2 weeks of year-end reviews | Pillar leaders + CISO | Calibrated performance ratings; approved promotion slate |
| Promotion Decisions | Within 4 weeks of calibration | CISO (final approval) | Promotion announcements effective Q1 |

Align to the Existing Cadence, Do Not Add Meetings

The mid-year and year-end reviews use the existing CISO Risk & Posture Review as an anchor point. The CERG Leadership Sync (weekly) is the forum for raising performance concerns between cycles. Do not create a new standing meeting for performance management; integrate it into the meetings that already exist.

3.2 Quarterly Check-Ins

Between formal reviews, managers conduct quarterly check-ins with each direct report. These are 30-minute conversations, not formal evaluations. The agenda:

  1. What has gone well since the last check-in?
  2. What is blocked or unclear?
  3. What development activity has been completed?
  4. Is there anything the person wants to flag that has not come up in regular 1:1s?

The manager records one to three sentences per check-in in the performance record. The purpose is continuity: the year-end review should summarize a year of documented observations, not reconstruct a year from memory.

3.3 Ongoing Feedback

Performance feedback should never be a surprise at review time. A manager who waits six months to tell someone their work is not meeting expectations has failed at the most basic responsibility of people leadership. Significant feedback, positive or corrective, should be delivered within days of the observation and documented in the performance record.

The “No Surprises” Rule

If a person reads something in their year-end review that they have not heard before, the performance management system has failed regardless of whether the review is accurate. The review is a summary of a year of documented conversations, not the first conversation.


4. Evaluation Dimensions

Per-Role Evaluation Criteria: Each role’s evaluation criteria are now embedded in its per-role JD document under roles/. The dimensions below define the evaluation framework; the per-role documents define the role-specific expectations at each grade. See JD-001 for the complete per-role index.

4.1 SME Track Dimensions

SME performance is evaluated along six dimensions. The first five align to the grade-level definitions in JA-001 §4 and §6. The sixth (Outcomes) grounds the evaluation in what the person actually delivered.

| Dimension | What It Measures | Source |
|---|---|---|
| Craft Mastery | Depth and breadth of technical or domain expertise relative to grade expectations | CMP-001 §4-6, Technical Depth domains |
| Scope and Autonomy | Breadth of owned work and degree of self-direction | JA-001 §4 grade definitions |
| Influence and Mentorship | Impact on others without formal authority | CMP-001 §4-6, Influence and Mentorship domains |
| Cross-Pillar Fluency | Understanding of and collaboration with other pillars | CMP-001 §4-6, Cross-Pillar Fluency domains |
| Operational Discipline | Consistency, documentation, SLA adherence, evidence quality | CMP-001 §4-6, Operational Discipline domains |
| Outcomes | What the person delivered against their objectives in the review period | JD-001 success profiles; role-specific objectives |

4.2 Management Track Dimensions

Management performance adds three dimensions to the SME evaluation. A Manager is evaluated on their SME-family competencies at S2 or above plus the management dimensions below.

| Dimension | What It Measures | Source |
|---|---|---|
| People Leadership | Quality of hiring, development, feedback, and retention | CMP-001 §7.1; JA-001 §5 grade definitions |
| Team Delivery | The team’s output against objectives, not the manager’s personal output | JA-001 §5 operational accountability definitions |
| Strategic Contribution | Quality of strategy, resource planning, and stakeholder management | CMP-001 §7.2-7.5 |

4.3 Rating Scale

CERG uses a four-point rating scale. The scale is deliberately simple: more gradations create more arguments about the difference between a 3 and a 4 than insight about the person.

| Rating | Definition | Promotion Implication |
|---|---|---|
| Exceeds Expectations | Consistently demonstrates capabilities at the next grade in multiple dimensions. Delivers outcomes that materially exceed the role’s stated objectives. | Strong promotion candidate. Next-grade behavior is observable and documented. |
| Meets Expectations | Consistently demonstrates at-grade capabilities. Delivers against role objectives. Most team members in good standing receive this rating. | Not a promotion candidate this cycle. May be developing toward promotion with targeted growth in specific dimensions. |
| Developing | Demonstrates most at-grade capabilities but has material gaps in one or more dimensions. New-to-role team members typically receive this rating for their first cycle. | Not a promotion candidate. Development plan should target the gap dimensions. |
| Below Expectations | Does not meet at-grade expectations in multiple dimensions despite feedback and support. | Performance improvement process initiated (see §8). Not eligible for promotion. |

Most People Are “Meets Expectations”

“Meets Expectations” is not a consolation prize. A Cloud Security Engineer who consistently delivers secure architectures, meets their SLAs, mentors junior engineers, and contributes to cross-pillar working groups is meeting expectations at a high bar. “Exceeds” is reserved for people who are observably operating at the next grade. If everyone is “Exceeds,” the rating scale has collapsed and the calibration session needs to reset it.


5. The Performance Conversation

5.1 Preparation

Before the review conversation, the manager prepares a written performance summary using the documentation standard in §9. The summary addresses each evaluation dimension with specific, dated examples. It does not rely on adjectives (“great communicator”) without evidence (“presented the cloud security posture review to the CIO in October; the CIO followed up with a specific question answered in the deck, indicating understanding”).

The team member prepares a self-assessment using the same dimensions. The manager reads the self-assessment before the conversation. Disagreements between the self-assessment and the manager’s assessment are not problems to be resolved in the room; they are signals that evidence needs to be examined together.

5.2 The Conversation

The performance conversation follows a structured agenda:

  1. Review the period. What were the person’s stated objectives? What changed?
  2. Walk through each dimension. For each: the manager’s assessment with evidence, the team member’s perspective, discussion of any gap between the two.
  3. Discuss the overall rating. Explain the rationale. If it is not what the person expected, spend the time to ensure they understand why before moving on.
  4. Look forward. Development priorities for the next period. If promotion is a goal, what specific demonstrations are needed? By when?
  5. The person speaks last. After the manager has presented the assessment and the forward plan, the person has uninterrupted time to respond, ask questions, or raise concerns.

5.3 After the Conversation

The manager finalizes the written summary, incorporating any adjustments from the conversation (a fact the person raised that the manager had not considered, a disagreement the manager committed to investigate). The final summary is shared with the team member and stored in the performance record. Both the manager and the team member acknowledge receipt; acknowledgment is not necessarily agreement.


6. Calibration Process

Calibration is the mechanism that prevents the single biggest failure mode of any performance system: two managers applying different standards, producing ratings that reflect the manager’s leniency rather than the person’s performance.

6.1 Calibration Session

Within two weeks of year-end reviews, pillar leaders convene a calibration session with the CISO. In a small CERG (fewer than 10 people), the session is all-hands with the CISO facilitating. In a larger CERG, it is pillar leaders plus the CISO, with Managers presenting their teams’ ratings.

The session proceeds role by role, not person by person. For each role (e.g., Cloud Security Engineer, Vendor Risk Analyst):

  1. Every person in that role is listed by pillar, grade, and proposed rating.
  2. The managers present the evidence for any “Exceeds” or “Below Expectations” rating.
  3. The group discusses: does the evidence support the rating relative to the other people in the same role at the same grade?
  4. Ratings may be adjusted by consensus. A rating adjusted downward is not a failure of the manager; it is the calibration process working as designed.

Calibrate Against the Standard, Not the Curve

The goal is not to produce a bell curve. If every Cloud Security Engineer is demonstrably exceeding expectations, the standard may be too low for the grade, or the team may be genuinely exceptional. Either conclusion is more honest than forcing a distribution. The test is: can the manager point to specific behaviors at the next-grade level for every “Exceeds” rating?

6.2 Calibration Principles

  1. Evidence rules. A rating without dated, specific evidence is not a rating; it is an opinion. Opinions are not calibrated.
  2. Cross-pillar perspective matters. An Engineering manager who has never seen a Governance person’s work cannot calibrate an Engineering rating. The calibration session brings cross-pillar visibility: a Risk pillar leader may recognize that an Engineer’s “Exceeds” rating in Cross-Pillar Fluency is actually standard behavior for the grade.
  3. The CISO is the tiebreaker. If the calibration group cannot reach consensus on a rating, the CISO decides. The CISO’s decision is final and documented with rationale.
  4. Calibration is about ratings, not compensation. Compensation decisions follow after ratings are calibrated, not during calibration. Mixing the two conversations produces ratings that are negotiated to fit within budget rather than honest assessments of performance.

7. Promotion Process

Level Progression Gates: The job-family-specific level progression gates (L1→L2, L2→L3, L3→L4) are defined in JF-001 §8. Promotion cases should demonstrate satisfaction of the relevant gate conditions in addition to the grade criteria defined in JA-001.

7.1 Initiation

A promotion case may be initiated by:

  1. The manager, who has observed sustained next-grade performance and documented it over at least one review cycle.
  2. The team member, who may request that their manager initiate a promotion review. The manager is not obligated to agree but must provide a written rationale if they decline, identifying the specific dimensions where next-grade performance is not yet demonstrated.
  3. A pillar leader or the CISO, who may direct a manager to evaluate a team member for promotion based on their own observation.

7.2 The Promotion Case

The manager prepares a promotion case document addressing:

  1. Current grade and target grade.
  2. Evidence by dimension. For each of the six SME dimensions (or nine management dimensions): specific examples of next-grade behavior with dates and context. The evidence should span at least six months and include both routine excellence (consistent at-grade performance) and stretch demonstrations (next-grade behavior).
  3. Cross-pillar input. At least one person from a different pillar who has worked with the candidate provides a written perspective. This is not a reference check; it is a specific observation of the candidate’s cross-pillar engagement.
  4. Development plan for remaining gaps. Honest acknowledgment of dimensions where the candidate is not yet demonstrating next-grade behavior and how they will develop those capabilities in the new grade.

7.3 Approval

The promotion case is presented at the calibration session following the year-end review. The approval sequence:

  1. Manager presents the promotion case to the calibration group.
  2. Calibration group discusses whether the evidence supports the case. The discussion follows the same calibration principles as ratings: evidence, cross-pillar perspective, and the standard for the target grade.
  3. Pillar leader concurs or defers. If the pillar leader concurs, the case proceeds to the CISO. If the pillar leader defers, the case is returned with specific feedback on what additional evidence is needed.
  4. CISO approves or defers. The CISO makes the final decision. A deferral includes written rationale that the manager and the candidate can act on for the next cycle.

The Promotion Standard

The question is not “is this person ready to try the next grade?” It is “has this person already demonstrated sustained performance at the next grade?” The first question promotes people into roles they grow into, sometimes successfully, sometimes at the team’s expense. The second question promotes people who have already proven they can do the work. CERG uses the second question.

7.4 Time-in-Grade Expectations

JA-001 defines “typical experience” ranges for each grade. These are inputs to placement, not guarantees of progression. That said, the following minimum time-in-grade guidelines ensure that a promotion case has sufficient evidence:

| Current Grade | Minimum Time Before Promotion Eligibility | Rationale |
|---|---|---|
| S1 / Specialist | 18 months | A full performance cycle plus a development cycle to demonstrate growth |
| S2 / Sr. Specialist | 24 months | Next-grade behavior at S3 requires cross-pillar demonstration, which takes time to develop |
| S3 / Advisor | 30 months | S4 is the narrowest gate in the SME track; requires organizational-level impact |
| M1 / Manager | 24 months | Requires demonstrated team development and function-level outcomes |
| M2 / Senior Manager | 30 months | Requires multi-team leadership and strategic contribution |
| M3 / Principal Manager | 30 months | Director is the narrowest gate in the management track |

Exceptional candidates with extraordinary demonstrated capability may be considered before the minimum. “My last company promoted me faster” is not extraordinary capability. “This person rebuilt our cloud security architecture, mentored three engineers to promotion, and is recognized by our regulators as an authority” may be.


7.5 Promotion Panel Composition

Every promotion case is reviewed by a cross-pillar promotion panel that ensures fairness, consistency, and breadth of perspective.

| Panel Role | Who | Purpose |
|---|---|---|
| Panel Chair | Pillar leader of the candidate’s pillar | Chairs the session; ensures process fairness; presents the promotion case |
| Cross-Pillar Reviewer | A pillar leader from a different pillar than the candidate’s | Provides independent perspective on cross-pillar competency and organizational impact |
| Subject Matter Expert | A senior practitioner (S3+) in the candidate’s discipline, from any pillar | Assesses craft-mastery evidence against the target grade’s CMP-001 behavioral anchors |
| HR Business Partner | HR representative | Ensures process compliance, equity, and documentation standards |
| CISO | Chief Information Security Officer | Final approval authority; attends or receives written recommendation for decisions at S3+ |

The panel must include at least three voting members. The cross-pillar reviewer and the SME must not be the same person. No panel member may evaluate a candidate they directly manage (to prevent conflict of interest); the panel chair is the one exception, because the chair’s role is to present the case, not to evaluate it in isolation.

7.6 Promotion Timeline and Communication

The promotion cycle follows a defined calendar aligned to the performance management cadence:

| Date | Activity | Owner |
|---|---|---|
| 6 weeks before calibration | Manager initiates promotion case; begins evidence collection | Manager |
| 4 weeks before calibration | Cross-pillar input solicited and received | Manager |
| 2 weeks before calibration | Promotion case document finalized; submitted to panel chair | Manager |
| Calibration session (per §6) | Promotion case presented and evaluated at calibration | Panel Chair |
| Within 1 week of calibration | CISO approves or defers; written rationale provided for deferrals | CISO |
| Within 2 weeks of approval | Promotion announced to candidate; new grade effective date set | Manager + HR |
| Within 1 week of announcement | Team/squad notified by manager; broader team notified by pillar leader | Manager / Pillar Leader |

Communication principles:

  1. The candidate hears first, before any other team member. No one learns of a promotion from a colleague before the candidate hears it from their manager.
  2. Deferred promotions include a development plan. A deferral is not a denial. It identifies specific competency gaps and the timeline and resources to close them. The candidate and manager agree on a development plan within 2 weeks of the deferral.
  3. Communicated promotions are celebrated. The promotion is announced at the next CERG All-Hands or pillar meeting. The announcement includes what the candidate accomplished to earn the promotion, reinforcing the standard for others.
  4. External communication is coordinated. If the promotion is part of a broader organizational announcement (e.g., pillar leader hire), coordinate with HR and Communications per organizational policy.

8. Performance Improvement Process

A “Below Expectations” rating triggers the performance improvement process. This is not punitive; it is a structured attempt to close the gap. It is also a documentation trail that supports a separation decision if the gap does not close.

8.1 Performance Improvement Plan (PIP)

Within two weeks of a “Below Expectations” rating, the manager and the team member agree on a Performance Improvement Plan:

  1. Specific dimensions where performance does not meet expectations, with examples.
  2. Specific, measurable improvement targets for each dimension, with a timeline (typically 60-90 days).
  3. Support the organization will provide: training, mentoring, reduced scope, or other resources.
  4. Check-in cadence: typically weekly, with written progress notes.
  5. Outcomes: success (rating moves to “Meets Expectations” or “Developing”), extension (progress but targets not met; PIP extended by 30-60 days), or separation (targets not met and no credible path to meeting them).

8.2 PIP Principles

  1. The PIP is not a surprise. A person who receives a “Below Expectations” rating should have received feedback on the performance gap throughout the review period. The PIP is a formalization of an ongoing conversation, not the start of one.
  2. The PIP is written, not verbal. Both parties sign it. It is stored in the performance record.
  3. HR is informed at initiation, not at separation. HR should know a PIP exists from day one, not day ninety.
  4. Success is celebrated, not held against the person. A person who completes a PIP successfully and sustains the improvement is not “the person who was on a PIP.” The PIP closes and the record reflects the improved performance.

9. Documentation Standards

9.1 The Performance Record

Every CERG team member has a performance record maintained by their manager. The record contains:

| Document | Frequency | Content |
|---|---|---|
| Performance Summary | Semi-annual | Evaluation per §5 dimensions, overall rating, forward development priorities |
| Quarterly Check-In Notes | Quarterly | 1-3 sentences capturing the check-in discussion |
| Significant Feedback Notes | As needed | Dated notes on significant positive or corrective feedback |
| Self-Assessments | Semi-annual | Team member’s self-evaluation against the same dimensions |
| Development Plan | Annual (updated semi-annually) | Development priorities, actions, and timeline |
| Promotion Case | As applicable | Full promotion case document per §7.2 |
| PIP Documents | As applicable | PIP, weekly check-in notes, outcome determination |

9.2 The Performance Summary Format

The semi-annual performance summary follows a consistent structure designed to be thorough and concise:

Team Member: [Name]
Role: [Canonical role from OM-001 §6.1]
Grade: [Current grade]
Review Period: [Mid-Year YYYY / Year-End YYYY]
Manager: [Name]

Outcomes Delivered: [Bulleted list of 3-7 significant outcomes delivered in the period. Each outcome is specific: what was delivered, on what timeline, with what impact. “Improved cloud security posture” is not an outcome. “Reduced CSPM critical alerts from 47 to 3 across 120 AWS accounts through policy-as-code and engineering-team enablement (March-October)” is an outcome.]

Dimension Assessment:

  • Craft Mastery: [Evidence-based assessment with examples]
  • Scope and Autonomy: [Evidence-based assessment with examples]
  • Influence and Mentorship: [Evidence-based assessment with examples]
  • Cross-Pillar Fluency: [Evidence-based assessment with examples]
  • Operational Discipline: [Evidence-based assessment with examples]

For management-track roles, add:

  • People Leadership: [Evidence-based assessment with examples]
  • Team Delivery: [Evidence-based assessment with examples]
  • Strategic Contribution: [Evidence-based assessment with examples]

Overall Rating: [Exceeds / Meets / Developing / Below Expectations]

Forward Development Priorities: [2-4 specific development actions for the next period. Each action has a target dimension, a concrete activity, and a timeline.]

9.3 Storage and Access

Performance records are stored in the organization’s HR system of record. If the organization does not have an HR system that supports structured performance documentation, records are maintained as documents in a controlled access location (e.g., a restricted SharePoint folder, a secure HR drive). Access is limited to:

  • The team member (their own record)
  • Their manager
  • Their manager’s manager (pillar leader or above)
  • The CISO
  • HR business partner
  • Legal, when relevant to employment actions

Performance records are retained per the organization’s record retention policy, typically for the duration of employment plus a defined post-employment period.


10. Integration with Other CERG Instruments

10.1 Competency Model (CMP-001)

The performance review dimensions map directly to CMP-001 competency domains. The CMP-001 behavioral anchors provide the “what good looks like” reference for each dimension at each grade. A manager evaluating a Detection Engineer at S2 should have CMP-001 §5 open and reference specific anchors.

10.2 Job Architecture (JA-001)

The JA-001 grade definitions (§4-5) and leveling dimensions (§6) are the authoritative source for what each grade expects. This document operationalizes those expectations into a recurring process. Where this document and JA-001 conflict, JA-001 governs.

10.3 Succession Planning (SUCC-001)

The talent review process in CERG-GOV-SUCC-001 consumes calibrated performance ratings and promotion decisions as its primary input. Succession planning cannot begin until at least one performance cycle has produced calibrated ratings.

10.4 Training and Certification (TRN-001)

Development plans produced through this process inform individual training needs. The CERG-GOV-TRN-001 training curriculum is the primary resource for closing competency gaps identified in performance reviews.


11. Document Control

| Field | Value |
|---|---|
| Document ID | CERG-GOV-PERF-001 |
| Version | 1.0 |
| Status | Approved |
| Effective Date | 2026-05-27 |
| Classification | Public |
| Owner | Governance Pillar Leader (Policy & Standards) |
| Approved By | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual; and on any change to grade definitions or organizational structure |
| Next Scheduled Review | 2027-05-27 |
| Frameworks | NIST CSF 2.0 (GOVERN); ISO/IEC 27001 A.7.2 |
| Regulations | Cross-cutting |
| Environments | Program-wide |

Revision History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 Draft | 2026-05-27 | Cyber Governance | Initial release. Establishes semi-annual performance management cadence aligned to CERG operating rhythm. Defines six SME and three management evaluation dimensions mapped to JA-001 and CMP-001. Establishes calibration process with evidence-based ratings. Defines promotion process from initiation through CISO approval. Provides documentation standards and performance improvement process. |

Review Triggers

  • Change to the grade definitions in CERG-GOV-JA-001
  • Feedback from calibration sessions indicating dimensions or ratings need refinement
  • Material change to organizational structure or management hierarchy
  • Regulatory requirement for personnel evaluation documentation
  • Direction from the CISO

Related Documents

| Document | ID | Relationship |
|---|---|---|
| Cybersecurity Policy | CERG-POL-001 | Parent policy |
| Job Architecture and Grade Framework | CERG-GOV-JA-001 | Grade definitions and progression dimensions |
| Competency Model | CERG-GOV-CMP-001 | Behavioral anchors for evaluation dimensions |
| CERG Job Descriptions | CERG-GOV-JD-001 | Success profiles and role-specific outcomes |
| CERG Operating Model | CERG-GOV-OM-001 | Canonical role roster |
| Succession Planning Framework | CERG-GOV-SUCC-001 | Consumes calibrated ratings |
| Training Framework | CERG-GOV-TRN-001 | Development resource for gap closure |
| Document Catalog | CERG-GOV-CAT-001 | Registers this artifact |

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining CISO endorsement for all changes.


Source: governance/CERG-GOV-PERF-001_Performance_Management_and_Promotion_Framework.md