IT Governance Best Practices

June 2011

By Daniel Herman, Founder and Managing Principal, Aspen Advisors,
Guy Scalzi, Principal, Aspen Advisors, and
Roger Kropf, Professor in the Health Policy and Management Program, New York University’s Robert F. Wagner Graduate School of Public Service

IT governance has been a topic of interest for many years, and even though the concept has been embraced within the healthcare industry, the reality is that it’s still not operationally working well within most healthcare organizations. According to the 22nd Annual HIMSS Leadership Survey released in March 2011, the metrics regarding IT governance look strong. The majority of respondents (87 percent) reported that there is a strong level of integration between the IT strategic plan and the organization’s overall strategic plan. In addition, nearly three-quarters of senior IT executives reported that they sit on the executive committee at their organization.

Respondents were asked to what extent IT is integrated into their organization’s strategic operating, clinical, and capital plans. The majority of respondents (87 percent) indicated that there is a strong level of integration between IT strategies and overall organizational strategy. Specifically, more than half of respondents (51 percent) noted that the IT plan is a component of the organization’s overall strategic plan. In addition, nearly three-quarters of senior IT respondents (72 percent) noted that they are a member of their organization’s executive committee, which is defined in this research as the leadership team that drives overall organization strategy and direction. This is consistent with the 70 percent of respondents who reported this to be the case in the 2010 survey.

However, this information doesn’t show the entire picture that we are seeing among the clients of Aspen Advisors. In the past three years Aspen Advisors has assisted over 30 clients with their IT strategic planning efforts. In 80 percent of the cases, enhancing existing IT governance, decision-making, executive sponsorship, and project prioritization processes has been a key focus of the planning effort. In fact, in the case of one academic medical center, an executive governance process surrounding overall organizational capital and operating budgeting and prioritization was totally absent.

IT governance remains one of the biggest challenges in healthcare IS. Organizations continue to battle with the dilemma of having much more demand for IS services than supply and budget to service. Requests for new projects arrive with typically no effective mechanism to control how projects get prioritized, funded, and resources allocated. IS then gets put in the position where they’re overwhelmed, under-budgeted, and under-delivering.

There is a finite set of variables to control: funding, resources, and scope. It’s important to focus on a limited set of projects that support the organization’s strategic goals. Appropriate alignment of IS resources ensures that IS is spending the organization’s money prudently, and effective IT governance is essential to making that a reality.

Definitions and Background

IT governance is the creation of a formal structure that includes defined roles, responsibilities, and accountability for decisions.

In a 2007 article in “CIO Magazine”, IT governance was described as “putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results.”

Included is a set of committees to involve stakeholders and defined processes for approving and managing IT projects.

Why Governance is Important

Governance is as important for information technology for a healthcare provider as it is for any discipline or organization. Without governance, some form of anarchy eventually results. In hospital IT departments this takes the form of staff moving from crisis to crisis, only capable of responding to the loudest, most powerful voice or the most serious emergency. There is no structure that sets priorities and plans workflow to allow the majority of staff to function in a stable and productive manner rather than just respond to emergencies. It becomes difficult to measure and track progress over time. The rest of the organization tends to view IT as "out of control".

A governance structure leads IT planning efforts by setting priorities that are aligned with those of the organization. A senior level IT Governance Committee, including a broad spectrum of the leadership team of a hospital or group of hospitals, becomes the focal point for all major IT requests. Proposals are vetted here and prioritized and then sent to the Budget Committee for funding approval. IT leadership reports back to the Governance Committee with progress and an issues list for all funded projects. Working closely with the project management team, areas that require help in the form of funding, people, and senior management attention, for example, are addressed. Successful organizations have found that through this process, it is possible to maintain more than 90 percent of projects on time and on budget.

Saint Luke’s Health System in Kansas City has an effective IT governance model that has evolved through the years. The organization holds an annual half-day executive planning retreat that is attended by all business unit operating executive officers (hospitals, medical group, and alternative care businesses) and corporate leaders (CEO, CFO, CMO, CIO, HR, Planning, etc.). The session is chaired by the corporate CEO, Sr. VP of Strategic Planning, and CFO; and its objective is to set priorities for the year, determine available capital and operating funding, provide education on industry developments, and define which major initiatives will receive funding. Subsequent to the system strategic plan development the CIO leads an effort to update the IT 5 year strategic plan. Two committees appointed by the Management Committee evaluate project requests, rank the requests, and present recommendations to the Management Committee along with the updated IT 5 year plan and budget. Three additional quarterly two-hour sessions are held throughout the year (as part of a regularly scheduled Management Committee session) to gauge progress, discuss issues, and make course corrections as needed related to funding, resources, or scope of IT initiatives. Saint Luke’s Management Committee is the leadership body of the organization that also serves as the senior governance body for IT. This group is supported by clinical and operational prioritization groups that are responsible for determining what top initiatives should be. The Management Committee determines the allocation of funding between the two groups. Given the emphasis on quality, patient safety, customer satisfaction, financial stability, and meaningful use incentives, most of the funding over the past several years has been allocated to clinical IT initiatives. Saint Luke’s also uses a dashboard to report quarterly status of project execution as well as a Balanced Score Card (BSC) for reporting IT operating goals. The IT BSC is consistent with five overall organizational strategic goals. Saint Luke’s, a Baldrige award recipient, has tied performance improvement principles with managing the IT function. Saint Luke’s also assigns management committee members as executive sponsors to key IT strategic initiatives. These executives along with the CIO have accountability for meeting project deliverables and share communication responsibilities.

As evident in the Saint Luke’s example, the governance process shapes expectations, so that the clinical or business sponsors of an IT project understand what benefits should be achieved, assume accountability for benefits realization, and are clear about the role and responsibilities each party (including IT and other constituents) has for project completion. The governance process confers legitimacy on decisions, so that project selection, for example, is not viewed as reflecting just personal relationships. Governance standardizes processes that otherwise would vary widely, resulting in inconsistent performance across projects. A governance process that requires project sponsors to report on actual benefits received can greatly increase the likelihood of achieving those benefits.

What IT Governance Covers

According to the Information Systems Audit and Control Association (ISACA), IT governance is fundamentally concerned about two things: IT’s delivery of value to the business and mitigation of IT risks. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained.

This leads to the five main focus areas for IT governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk management. Three of them are drivers: strategic alignment, resource management (which overlays them all), and performance measurement.

IT projects are undertaken for many reasons, not all of them related to pursuing the strategy of an organization. Some are undertaken to meet the demands of influential stakeholders (unfortunately, a common occurrence in many healthcare provider organizations). Others are pursued to acquire “cutting edge” technology for its own sake. IT governance seeks to focus on achieving value in relation to the strategy of an organization. For example, if clinical excellence in a medical specialty is considered highly important, then IT projects that help achieve that goal should be given high priority.

Even if such projects are undertaken, they may not deliver value unless the sponsors and IT staff are supported and held accountable. For example, when adequate training doesn’t occur, existing workflow is not reviewed and redesigned to improve operational processes, or applications are “down” repeatedly, value isn’t received. Such risks need to be managed through monitoring and a defined risk mitigation process. Resources need to be allocated and their availability assured. IT governance must be interfaced to the project and portfolio management process.

Keys to Successful IT Governance

Critical success factors for effective IT governance include the careful definition of who is responsible and accountable for decisions. Executive involvement is critically important for holding the clinical and business sponsors, as well as IT leaders, accountable for project success. Executive involvement is also vital for assuring that resources are actually available until projects are completed. IT should not be the primary sponsors of projects, so clinical and management sponsors must be involved from the beginning, as well as the clinicians who will actually use the systems implemented. Executives must also assure adherence to the governance process, so that the benefits of governance are received.

Sentara Healthcare in Southeastern Virginia is comprised of eight hospitals, a 400-physician multi-specialty medical group, six outpatient campuses, and 10 long-term care facilities. The organization has realized significant financial, patient safety, and quality benefits from the implementation of an electronic health record (EHR) across its care delivery sites.³ Several of many benefits include $9.4 million in savings due to length-of-stay reductions resulting from streamlined care processes; $3.9 million in savings from migrating to a paperless medical record environment; $4.4 million in increased outpatient revenue due to improved patient service and increased procedure volume; reductions in scheduling call center answer time (10 seconds from 71 seconds) and call abandonment rate (three percent from nine percent); reduction in medication order entry to administration time (four minutes from 59 minutes); and the avoidance of over 88,000 potential medication errors due to bar code scanning alerts. Clear IT governance and executive and medical staff leadership accountability were critical to obtaining these outcomes and included:

  • A rigorous EHR vendor selection, implementation planning, and benefits identification process;
  • An Executive Design Committee responsible for EHR design and implementation decisions (comprised of senior leaders across Sentara hospitals and physician practices);
  • A Physician Advisory Group responsible for vendor selection, software design, EHR implementation, and ongoing optimization (comprised of community physician leaders from Sentara’s major inpatient and ambulatory specialties who were compensated for their time);
  • A medical director at each hospital and physician practice that provided leadership and worked with the medical staff, hospital Physician IT Steering Committees, and Medical Staff Officers Council to provide oversight;
  • Developing and gaining commitment on how the EHR initiative would be instrumental in supporting a compelling and common vision of the future; and
  • Mapping benefits to operational processes and holding process owners accountable for results by embedding benefits in operational leaders’ performance goals and budgets.

Executive and Board Roles and Responsibilities

While executive and board involvement is always cited as important in IT governance, translating that into specific roles and responsibilities isn’t easy or obvious. C-suite executives and board members have many other issues to deal with. The task is to define roles and responsibilities that result in the effective allocation of resources and in successful projects. For example, CEOs should be involved in project prioritization, while senior executives should be project sponsors monitoring the achievement of major project milestones (with the assistance of project managers). Roles and responsibilities are usually defined by creating a simple series of committees with defined charters and outcomes that can be measured.

Committee Structure

There are a number of considerations in determining committee structure. Authority, time, and expertise are important considerations. In a hierarchy of committees, the most important is an IT Governance Committee consisting of the most senior managers and clinicians, including the CEO, COO, CIO, and key operational executives. This committee prioritizes projects and holds others accountable for project success. Since the members often lack detailed knowledge of day-to-day operations in the clinical or business areas affected, advisory committees are needed. For example, a Clinical Systems Committee would advise on all proposed clinical IT projects. That committee, however, would not have the time to oversee the implementation of more than a few projects, so a clear project governance structure is needed for each major project that includes the executive sponsor, the clinical or business sponsor most affected, and IT staff.

Another consideration is avoiding “meeting fatigue” from multiple committees with overlapping membership.⁴ For example, it would seem reasonable to put a physician leader on all three levels of committees: strategy, clinical advisory, and multiple clinical project implementation committees. Yet, that person may be less effective because of the time commitment required. Dealing with “meeting fatigue” requires careful consideration of the need for multiple committees and how much overlap there should be in membership.

East Jefferson General Hospital in Metairie, Louisiana is an excellent example of effective committee structures. Prior to being reorganized over the past year, there existed multiple governance committees that reported up to various levels of leadership by functional area. There was little communication between the various silos and the proceedings of these committees were not broadly distributed.

After reviewing best practices for IT governance in healthcare, the leadership team at East Jefferson decided to reorganize their IT governance model. They created four standing committees with broad representation. These standing committees report up to an Information Management Steering Committee (IMSC), are chaired by the CIO but with the CEO as the executive sponsor, and include the senior leadership of the hospital. The first committee to organize under the IMSC was the EMR and Clinical Systems Group, which is chaired by the CMIO and includes the Chief Nursing Officer, the Medical Director, the Chief of Staff, Nursing Vice Presidents, other physicians, and IT staff. The next committee organized was the Business Systems Committee, which is chaired by the CFO and includes representatives from materials management, human resources, accounting, marketing, legal, and IT. There is a Revenue Cycle Committee which is chaired by the CFO and includes Revenue Cycle Directors, as well as a HIPAA Steering Committee, which is chaired by the CIO and includes representation from compliance, legal, nursing, physicians and IT.

Each committee works on issues that are brought to them or arise through their membership including project and budget decisions. Once they are in agreement as to a resolution or direction or if they can’t agree, the issue is brought to the IMSC for disposition. This is where the coordination takes place that allows them to bring resources to bear and make timely decisions to get a resolution that keeps them on schedule and budget. Capital and operating budget priorities are set by the IMSC.

Governance Processes and Workflows

IT governance requires the definition of a process for project proposal, consideration, approval, and management. This process is often closely related to or integrated with the capital budgeting process, especially in terms of the timeline for project approval. A workflow is defined for the involved committees. For example, project sponsors may be required to submit proposals at specific times to allow consideration by advisory committees in order to provide recommendations to the IT Governance Committee mandated to propose projects for the capital budgeting process by a specific date.

Frameworks have been developed that are widely used to define the necessary steps and procedures for effective IT governance. Two of them are CoBIT⁵ and ITIL⁶. CoBIT (Control Objectives for Information and related Technology) was developed by ISACA. It defines processes and standards for IT governance. For example, it requires the creation of a RACI chart that identifies who is Responsible, Accountable, Consulted, and/or Informed about IT processes.

For example, if the task is managing project and service portfolios, the RACI framework suggests that the CEO would be Consulted, the CFO and senior business executives Informed, while the CIO is Accountable. The business process owners (e.g., head of radiology for a project in that department) are Responsible along with relevant IT staff. The purpose of the RACI framework is to assure the consistent application of “decision rights” policies and clarity of expectations.

The Information Technology Infrastructure Library (ITIL) is another framework for IT governance and service management. ITIL was developed by the Office of Government Commerce (OGC), a part of the Efficiency and Reform Group of the Cabinet Office, a department of the Government of the United Kingdom. The ITIL best practices are detailed within five core guidance publications.

IT Governance and Project Portfolio Management

IT governance will not result in successful projects unless effective project management is in place. A Project Management Office (PMO) can assist the governance process in project prioritization by reporting on the entire portfolio of projects both in progress and proposed. Project managers can help define the project risks that must be considered in the governance process and help in mitigating them. Project managers and a PMO often take on the task of reporting progress to project sponsors and those responsible for governance. Often a “closed loop” process is put in place which requires that project sponsors report to those responsible for governance on what the costs and realized benefits were for approved projects. The PMO can assist in assembling data for this process.

Effective project management requires integration with the governance process. IT governance defines who is responsible and accountable for the success of a project, which is necessary information for project managers. Governance sets the priority of a project, which is needed for the management of resources. Effective IT governance and project management are both necessary for completing projects that deliver benefits and are completed on-time and on-budget. Early in the process, governance procedures establish project priorities so that resources will be available for those that are decided to be most important. The next most important will be held until the next cycle begins, thus ensuring that priorities are met. Project management works well when priorities are set, adequate resources are allocated, and accountabilities are clearly defined. Without this discipline many projects go over budget, stretch beyond the planned completion date, don’t achieve their intended business value, or fail entirely and are abandoned.

Conclusion

With the number of competing initiatives on the priority lists of hospital executive teams such as Meaningful Use, ICD-10, and Accountable Care Organization structures and their IT implications, it’s even more essential that a strong governance model be deployed to prioritize initiatives, align projects and capital spend with key organizational priorities, establish the appropriate champions and sponsors to successfully drive the top priorities forward, and define ways to measure results.

IT governance should be looked at holistically and not merely whether the IT plan is integrated with the organization’s business plan and whether the CIO sits on the executive team. Strategic alignment is definitely an important element of IT governance, but having effective committee structures, well defined roles and responsibilities, specific processes and workflows, and a project portfolio management structure to drive value delivery, measure performance, and manage risk and resources are critical success factors for IS to help the organization achieve its objectives.
