Risk management in hospitals with COBIT 5
Information is a key resource for all enterprises, and from the moment information is created to the moment it is destroyed, technology plays a significant role. Information technology is increasingly advanced and pervasive, and it is at the forefront of technology adoption for providing the highest level of patient care and safety in healthcare delivery: seamless information flow to patients and to all connected external partners and internal players.
Today, more than ever, information in healthcare organisations sits in silos, and these organisations are striving to:
- Maintain high-quality information to support business decisions.
- Generate healthcare delivery value from IT-enabled investments, i.e., achieve strategic goals and realise healthcare delivery benefits through effective and innovative use of IT.
- Achieve operational excellence through the reliable and efficient application of technology.
- Maintain IT-related risk at an acceptable level.
- Optimise the cost of IT services and technology.
- Comply with ever-increasing relevant laws, regulations, contractual agreements and policies.
IT risk is a component of the healthcare organisation’s overall risk universe. Information technologies and systems are a major part of the healthcare organisation’s infrastructure, so integration and alignment of IT risk with enterprise or business risk is a necessity. IT risk is business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events and conditions that could potentially impact healthcare delivery.
Madhav Chablani
The primary view of IT is that it supports the operations of a healthcare or service delivery organisation. In this capacity, IT risk addresses the ability to deliver the IT services that enable the enterprise to perform its day-to-day operational processes. However, IT risk also addresses the system development, acquisition and maintenance processes. This relates to ensuring that the healthcare delivery processes selected, developed and maintained facilitate revenue generation and fulfilment of the organisation’s mission, and address healthcare delivery needs in a cost-effective manner. Finally, IT risk addresses the ability of IT to provide value and/or benefit to the enterprise through automation.
Of course, IT can also mitigate risks, for example by checking interdependencies between diseases and contraindications of medicines, tracking patient satisfaction, medical mistakes and wrongly dispensed medicines, and controlling operating costs.
The Institute of Medicine (IOM) released its report titled ‘To Err Is Human: Building a Safer Health System,’ which cited some startling data regarding the number of preventable medical errors that occur within the US healthcare system every year. The report cited many reasons for this, including a punitive culture that punishes individuals when they are involved in mistakes; a level of complexity (regarding both the patients receiving care and the environment in which care is provided) that is now the norm in healthcare and which makes errors more likely to occur; and the fact that we fail to learn from our errors or to openly discuss the systemic vulnerabilities that manifest every day and predispose individuals to err.
For me as a risk manager, the points raised in the report were not a surprise, but they were, in my mind, an accurate statement about the lack of sustainable success that we have been able to achieve as healthcare risk managers, clinicians and healthcare administrators.
Much has changed since the release of the IOM report. Many risk managers have been courageous enough to acknowledge specific aspects of the traditional risk management approach that were flawed and not yielding the desired results, and to embrace a new way of thinking about risk, error, transparency and safety. The most successful risk managers realise that incorporating patient safety principles into risk management is about more than just changing the name of the department or adding a job responsibility to their business card. In many cases, it requires a reassessment of long-held practices.
Risk managers often find it difficult to reconcile patient safety with the traditional principles of risk management, which frequently focused on protecting the financial assets of the organisation through vigorous defence of all claims asserted against it and on limiting the sharing of information so that it could be shielded from discovery. The traditional principles also focused more on the aftermath of a claim than on understanding why the claim occurred in the first place and, more importantly, how it might have been prevented. There was a lack of synergy between departments, which often resulted in duplicate or fragmented work, or work that never achieved its potential. In addition, even when results seemed positive, they were often isolated to the area where the problem arose and not applied across the organisation.
Healthcare risk management professionals are now witnessing a revolution in health information technology that is expected to transform the delivery of healthcare and the work processes of healthcare risk management professionals.
| Risk scenario that is relevant and inherently likely | Under given negative examples | How COBIT 5 guidance helps in improvement of process capabilities |
|---|---|---|
| Architectural agility and flexibility | Complex and inflexible IT architecture obstructing further evolution and expansion | APO01 Efficient and defined business and IT-related processes; EDM04 Governance over resource optimisation; APO02 Responsive strategic planning; APO03 Maintenance of enterprise architecture; APO04 Innovation and initiation of change; APO05 Portfolio management decision taking; BAI02, BAI03 Agile development life cycle methods; APO13 Maintaining security in an agile and flexible environment |
| Integration of IT within business processes | Extensive dependency on and use of end-user computing and ad hoc solutions for important information needs; separate and non-integrated IT solutions to support business processes | EDM01 GEIT policies, organisation structures and roles; APO01 Business and IT-related roles and responsibilities; APO02 Alignment of business and IT strategies; APO03 Architectural designs and decisions; APO08 Business and IT relations; BAI02 Definition and understanding of business requirements; BAI03 Adaptation of business processes to new IT solutions; BAI05 Managing organisational changes with regard to IT |
| Software implementation | Operational glitches when new software is made operational; users not prepared to use and exploit new application software | APO11 Consistent and effective quality management activities; BAI01 Project management; BAI02 Requirements definitions; BAI03 Solution development; BAI05 Managing organisational changes with regard to software implementation; BAI06 Change management; BAI07 Extensive solution testing; BAI08 Knowledge support |

Note: In the third column, next to each process number is an example from that process to consider. These are not the process names.
Risk management programmes today require more data, more frequently and from more sources than ever before. The core need of the risk management professional is to review the right information at the right time in order to make the best decision.
Risk management professionals need tools to automate common processes, an established framework and knowledge bank of credible information on which sound risk reduction strategies can be based, and ways to automate the gathering of intelligence for in-depth analysis in real time.
Many health information systems have demonstrated that they can reduce errors and thereby have a positive effect on the quality of care, patient safety initiatives, and medical professional liability.
IT risk management is responsible for the implementation of a risk management process that is in alignment with and supports the healthcare delivery risk model.
Failure to design and manage an effective IT risk management function could result in:
- Failure to identify material risk, or low-probability risk with catastrophic impact (black swan)
- Excessive costs from using IT resources to mitigate less strategic risks
- Business exposure to losses due to unidentified or improperly classified risks
- Identified risk not remediated due to lack of follow-up and/or lack of monitoring of mitigation projects
- Misaligned risk efforts due to the use of differing metrics for probability, cost and impact by different healthcare delivery groups
- Unavailability of healthcare delivery functions or processes that depend on IT
Can patient safety, clinical and IT risk management functions be operated singularly?
Many departments and individuals in healthcare organisations have tried to claim patient safety as their singular responsibility, artificially segmenting the activities in ways that make little sense and yielding diminished results.
It is not obvious where risk management ends and patient safety begins, even more so when decentralisation of risk management and patient safety is attempted while IT risks are kept integrated with mainstream healthcare delivery risks. When this happens, the role of the risk manager is not diminished, but it certainly does change.
Healthcare organisations need to clearly distinguish the patient safety, clinical and IT risk management subjects and objectives, define appropriate system requirements and new healthcare delivery processes, clearly identify performance indices, and establish appropriate new healthcare delivery and IT management/control processes. The risk management subjects (e.g., doctors, nurses, medical staff, IT department staff) responsible for risk management at the point where their roles come into play (e.g., the planning, design, development, implementation and operation phases) need to be identified. To illustrate, let’s walk through an example of framework selection. It is derived from actual situations but does not reflect any specific existing healthcare organisation or hospital.
Why was COBIT used?
The hospital’s risk management maturity was at level 1, ad hoc. In almost all cases, the hospital and its staff reacted to incidents in a firefighting manner. While they realised the importance of IT risk management, their management style was not planned. Establishing appropriate, well-organised, effective and efficient risk management was a critical issue for the hospital, because its information systems were very complicated and critical to its operation. The hospital staff was short on time and lacked knowledge of risk management; it therefore needed to quickly understand the essentials of establishing IT risk management.
In the quest for a single comprehensive framework that assists a healthcare delivery organisation in achieving its objectives for the governance and management of enterprise IT, and that could be aligned with healthcare delivery business processes, COBIT 5 was chosen. It proved very useful when considering which IT-related risk management controls to establish for this hospital within a limited time span. The hospital’s team examined COBIT carefully to identify the steps for establishing appropriate IT-related risk management. It helped the hospital create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
COBIT 5 enabled IT to be governed and managed in a holistic manner for the entire hospital, taking in the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders, since delivering enterprise stakeholder value requires good governance and management of IT assets. Enterprise boards, executives and management have to embrace IT like any other significant part of the business. External legal, regulatory and contractual compliance requirements related to the enterprise use of information and technology are increasing, threatening value if breached.
COBIT 5 provided a comprehensive framework that assisted the hospital to achieve its goals and deliver value through effective governance and management of enterprise IT:
- Governance – ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
- Management – plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise’s objectives (PBRM).
COBIT 5 brought together five principles (meeting stakeholder needs; covering the enterprise end-to-end; applying a single, integrated framework; enabling a holistic approach; separating governance from management) that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers (principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information; services, infrastructure and applications; people, skills and competencies), which optimises IT investment and its use for the benefit of stakeholders.
It focuses on risk optimisation, addressing the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT-related business risk consists of IT-related events that could potentially impact the business. While value delivery focuses on the creation of value, risk management focuses on the preservation of value. The management of IT-related risk should be integrated within the enterprise’s risk management approach to ensure a focus on IT, and be measured in a way that transparently shows the impact and contribution of IT-related business risk optimisation in preserving value.
From a governance point of view, the EDM02 Ensure Risk Optimisation process ensures that IT-related enterprise risk does not exceed risk appetite and risk tolerance, that the impact of IT risk on enterprise value is identified and managed, and that the potential for compliance failures is minimised. It ensures that:
- Risk thresholds are defined and communicated and key IT-related risk is known.
- The enterprise is managing critical IT-related enterprise risk effectively and efficiently
- IT-related enterprise risk does not exceed risk appetite and the impact of IT risk to enterprise value is identified and managed.
From a management point of view, the APO12 Manage Risk process integrates the management of IT-related enterprise risk with overall ERM, and balances the costs and benefits of managing IT-related enterprise risk. It ensures that:
- IT-related risk is identified, analysed, managed and reported
- A current and complete risk profile exists
- All significant risk management actions are managed and under control
- Risk management actions are implemented effectively
The table above demonstrates how COBIT 5 guidance helps improve process capabilities.
Detailed process-related content for the COBIT 5 governance and management processes can be found in the guide “COBIT 5: Enabling Processes”.
Where to start?
Work with the board to define the enterprise’s appetite for IT risk, obtain assurance that IT risk management practices are appropriate and to ensure that the actual IT risk does not exceed the board’s risk appetite. Embed risk management responsibilities into the organisation to ensure that the business and IT regularly assess and report IT-related risks and their impact. Ensure that the enterprise’s IT risk position is transparent to stakeholders.
Understand value drivers:
- Risks identified before they materialise
- Increased awareness of risk exposures
- Clear accountability and responsibility for managing critical risks
- Effective approach for managing IT risks
- IT risk profile aligned with management’s expectations
- Minimised potential for compliance failures
Understand risk drivers:
- Risks not identified, or managed ineffectively
- Increased expenses and costs incurred to manage unanticipated risks
- Critical IT applications and services failure
- Lack of ownership of IT risks
Establish control practices:
- Provide the board with information on IT risk exposures and the measures in place dealing with risk containment and associated costs. Confirm the appropriateness of the risk management plan and its alignment with the appetite for risk.
- Monitor risk management practices to ensure that risk management is operating as required, responsibilities for risk management are appropriately and unambiguously assigned, and management has resources in place to ensure proper management of IT risks.
- Evaluate the effectiveness of management’s monitoring of IT risks.
- Review the outcome of management’s evaluation of the risk of IT activities. Confirm that the total risk exposure does not exceed the defined risk appetite, considering mitigating controls in place.
- Oversee the implementation of additional mitigating controls to reduce the overall risk exposure as needed.
Conclusion
In healthcare organisations, IT can be a double-edged sword: it can mitigate risks and yet be a big risk factor. Without appropriate risk management, it will fail. Ensure that adequate governance structures are in place and increase the capability and adequacy of the relevant IT processes, with the expectation that as the capability of an IT process increases, the associated risk will decrease proportionally and efficiency and quality will increase. If a sound risk management environment is established, value will be created. Separating risk and value is impossible. Creation of value and its preservation have to go in tandem; risk optimisation and its management are therefore the need of the hour, and they mean addressing the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.