
Governing Digital Transformation Using COBIT 2019
An Ehealth Case Study

By Aqel M. Aqel, CISA, CRISC, CGEIT, COBIT 5 Foundation, CSSGB, SMP

COBIT Focus | 20 May 2019

Many countries have launched ehealth initiatives as a response to public-sector transformation. It is one of the business sectors impacted by the vertical digitization movement that has become the trend in the last decade along with eeducation, ebanking, egovernment and more. A key indicator that summarizes ehealth maturity could be the centralized health records and access to patients’ medical histories anytime and anywhere.

This particular case study is an ehealth initiative that faced many challenges from both the business and technical perspectives. Those challenges include:

  • A vast health sector that includes 300 hospitals, thousands of primary healthcare centers and other facilities (e.g., blood banks and specialty labs). There are also approximately 500,000 healthcare staff at different levels who serve 20 million constituents living in several urban cities and many rural areas scattered over 2 million square kilometers.
  • Many business changes were taking place, including the implementation of new healthcare models and gradual privatization of the sector, supported by a new financing model based on actual service delivered rather than bulk budget. The rapid and continuous refinement of the future model made the transition a challenge to the ehealth team.

  • A centralized information and communications technology (ICT) function with heavy demands on its services, including developing new applications, eservices and mobile applications, as well as supporting numerous legacy applications. Designing effective processes is challenging for a team with limited capabilities that is tasked with serving millions of users spread over a huge area.

These challenges were exacerbated by:

  • The lack of capable ICT infrastructures in many health service facilities, adequately skilled technology staff and stable Internet connectivity in many rural areas
  • The lack of clear ownership: The ehealth initiative as a strategic endeavor was owned by the planning department then shifted to the ICT department. The plan was for ICT itself to be corporatized and transformed to provide shared ICT services across healthcare sectors. Both factors created confusion among ICT leaders and staff.
  • Limited standardized data sets and protocols to facilitate information exchange and consolidation, with various levels of maturity for the implemented cases

It is obvious that governing such complicated transformations while coordinating many programs and involving many intersected sets of stakeholders is a serious challenge.

A Framework to Govern Ehealth

Players in the ehealth initiative used numerous diverse standards and frameworks to control clinical and managerial change in their respective domains. The governance team proposed a model that is based on COBIT 2019 to provide an overarching model to achieve governance over the ehealth initiative. COBIT’s governance perspective—ensuring benefit realization, risk optimization and resource utilization—is simple, yet broad enough to guide implementation of several integrated enablers. COBIT’s ready-to-go processes established a reasonable starting point to bring control to sporadic governance and management efforts.

Figure 1 was derived from the COBIT 2019 framework to establish a simple reference to build and expand governance. The hypothesis behind it includes establishing a combined transformation office for ICT and ehealth after it was determined that ehealth would be owned or merged with the ICT function.

Figure 1—Ehealth and ICT Governance Framework


Figure 1 illustrates the 3-layer governance architecture proposed for senior management. It consists of the following:

  1. Corporate governance—Ehealth and ICT were reporting directly to the head of planning and, after merging the ehealth initiative with the ICT department, the new unit became subject to many corporate governance mandates. It was also responsible for maintaining compliance with several external regulatory bodies such as those responsible for national ICT policies, cybersecurity policies and clinical standards related to healthcare information, e.g., Health Level 7 (HL7),1 International Classification of Diseases Rel. 10 (ICD10)2 and Systematized Nomenclature of Medicine (SNOMED).3
  2. Ehealth initiative governance—Ehealth is a unique amalgamation of healthcare and information technology. It includes much more than automating clinical and administrative processes in the healthcare industry. Ehealth leverages modern ICT trends and healthcare pathways together, including, for example, the Internet of Things (IoT), artificial intelligence (AI), machine learning, big data and blockchain, all of which hold incredible promise for the healthcare sector. The proposed ehealth initiative governance is comprised of 5 aspects that will be discussed herein.
  3. Generic ICT governance—Ehealth depends more than ever on established ICT technologies, and these need governance as well. This includes infrastructure, applications, service delivery, capabilities and much more. COBIT 2019 provides an assortment of objectives that aim to identify and rectify gaps in governance.

Governing the eHealth Initiative

The second layer (i.e., the ehealth initiative layer) is further illustrated in figure 2. The current situation included challenges such as:

  • The ehealth strategy chased fast-moving targets due to rapid changes in healthcare structures and approaches; for example, moving from a reactive to preventive healthcare approach, i.e., formerly, patients would visit clinics when they felt sick. The new healthcare model works to prevent sickness and, thus, illustrates how ehealth can move healthcare beyond a purely reactive posture.
  • No defined steering committee for ehealth that brings all concerned parties around one table and ensures their involvement in decision-making. Meanwhile, ehealth cannot pursue changes in clinical processes without full coordination with business owners (e.g., implementing teleradiology projects to facilitate access to radiology experts remotely, implementing a unified disease coding scheme across all hospitals).
  • Limited communication across related parties, unclear roles and responsibilities, the absence of risk management, and low-performing project delivery. Hence, the governance initiative prioritized maturing the strategic management processes and the project management office (PMO) as cornerstones to implementing good governance.

Figure 2—Ehealth Governance Framework Inspired by COBIT 2019



The team mapped COBIT 2019 objectives with the governance needs, and the result was the 5 themes illustrated in figure 2. They are:

1. Empowerment and Accountability

Effective governance starts by ensuring that the ehealth mandate states a clear scope for ehealth and grants enough power to lead this major change. Positioning the ICT function and ehealth organizationally is the cornerstone of empowerment. The mandate should document clear objectives that are measurable by key performance indicators (KPIs), design the internal organizational structure of the ehealth initiative and clarify relationships with others while describing and continuously revising clear roles and responsibilities for ehealth staff and other stakeholders.

COBIT 2019 objectives EDM01 Ensured governance framework setting and maintenance in addition to APO01 Managed IT management framework were among the references in this domain.

2. Alignment and Communication

The project team’s analysis revealed the need to ensure continuous alignment with internal and external strategies. These were constantly changing at the strategic and operational levels. Under this domain, the team raised 2 major concerns:

  • Are ehealth programs and projects as well as other activities working to support targeted business transformation? The controls included involving ehealth executives and leaders within other business units using one-to-one interviews and adopting a periodic activity (process) to map ehealth strategic projects and programs to organizational and national strategies supported by evaluation and prioritization criteria. This mapping resulted in identifying objectives that lack enablers (e.g., projects, processes with clear roles and responsibilities), and highlighting redundant and pointless projects.
  • Are different segments of stakeholders aware of the latest updates of ehealth strategic directions and their expected roles? Enabling controls included publications about ehealth strategy, awareness campaigns addressing various segments of stakeholders, periodic meetings and alignment workshops, and a monthly newsletter and a weekly report. A process to address stakeholder concerns, answer their questions, supply policies to ensure motivation and incentivize performance were also suggested.

The COBIT 2019 objectives that proved helpful to guide these efforts included APO08 Managed relationships and APO02 Managed strategy.

3. Ensure Benefit Realization

Meeting stakeholder expectations and continuously enhancing satisfaction were key priorities, reinforced by raising 2 questions:

  • Are ehealth programs delivering promised value? The team designed several controls, including ensuring the development of business cases that reasonably linked initiatives to objectives and that business case objectives would later be measured via a post-implementation review to verify achievement.
  • Are ehealth programs best utilizing the resources? This is an organizational performance perspective. Controls included studying cost-effectiveness, adopting a costing and chargeback model and benchmarking against similar initiatives, announcing results (part of the dashboard) and, most importantly, rewarding effectiveness and integrating performance with financing.

This domain referenced EDM02 Ensured benefits delivery, APO06 Managed budget and cost, along with others.

4. Risk, Issues and Escalation

The ehealth governance effort was aimed at maintaining risk at acceptable levels to protect investment and sustain the ehealth mission, which raised 2 questions:

  • Are risk factors associated with ehealth, from both strategic and operational perspectives, identified, evaluated and addressed? Controls included assigning risk responsibility and then agreeing on a risk appetite measured by impacts on programs’ constraints (i.e., scope, time, cost, quality). In addition, teams should facilitate periodic strategic risk assessment exercises and ensure that risk analysis is part of the initial business case and then continues during the program life cycle.
  • Are road-blocking issues addressed clearly, assigned to an owner and acted upon until resolution? Controls included establishing a risk and issues register, assigning action owners and creating a tracker with due dates to resolve issues. The team also designed an escalation process comprised of several levels with service level agreements (SLAs) to resolve issues systematically.

The COBIT process APO12 Managed risk, along with its associated management practices, provided explicit guidance to address ehealth risk. BAI01 Managed programs and BAI11 Managed projects were both helpful to establish control while delivering the ehealth strategy.

5. Performance Monitoring

The governance team is responsible for ensuring that expected performance is achieved. This was approached by asking 2 questions:

  • Are ehealth responsible parties sharing enough information with various stakeholders? Informing stakeholders about both strategic initiatives content and execution progress is essential to keep the work progressing. The controls used included leveraging team collaboration solutions, documenting management with distribution lists, and reviewing and approving roles.
  • Are there minimum touch points and communication to establish responsibility and accountability? The team designed a set of periodic reports and meetings. Meeting dates were set with stakeholders’ consensus in order to confirm participation. In urgent situations, the team followed the war room concept to secure enough commitment to accelerate project delivery and problem-solve emergent issues.

The objective MEA01 Managed performance and conformance monitoring was referenced in this domain.

ICT Governance

The governance team followed a COBIT approach to pinpoint several ICT aspects that needed to be matured. For example, the team reviewed the system development life cycle resulting in the discovery of more than 50 findings and 38 risk scenarios. The team helped the ICT department to set a comprehensive plan using COBIT objectives as control guidelines including BAI02 Managed requirements definition, BAI03 Managed solutions identification and build, BAI06 Managed IT changes and APO10 Managed vendors.

Lessons Learned

There were many lessons learned and they are summarized here:

  • Transformation leaders should ensure collaboration between various stakeholders. The more stakeholders there are, the more time should be dedicated to communication. Communication should be designed to keep concerned stakeholders informed and accountable. Teams should balance the mix of progress/follow-up meetings with content discussions and problem solving. This will ensure the needed levels of stakeholder engagement.
  • Stakeholders should avoid the risk of losing the strategic direction. In large-scale transformations, teams usually rush to do assigned tasks and become extremely busy in perfecting their outputs, while devoting limited time to communicating with other teams to discuss interdependencies, understand other teams’ priorities and get feedback. Gradually, teams begin working in many tactical silos and lose unity and harmony. Chinese general, military strategist, writer and philosopher Sun Tzu accurately described what the team learned when he wrote, “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.”4
  • The gradually and intentionally prioritized implementation of controls in the proposed governance framework is essential for success. Teams may design a comprehensive model for governance, but when it comes to implementation, it should be done carefully and incrementally. Adjustments can be considered while closely monitoring performance.
  • The team should be prepared, at certain times, to drop part of its agenda as the proposed team model is based on assumptions as much as facts and observations. The team should be transparent and ready to abandon any ideas that seem not to be working. Insisting on controls that are not well designed or have been introduced earlier than needed can interfere with the whole governance effort.
  • Alignment with top management is a crucial factor. Understanding senior management attitudes and cultural differences presented a continuous learning curve. Involving local staff and coordinating efforts with different levels of management helped the team gain acceptance for what it proposed and helped refine strategies before moving forward with implementation.

Aqel M. Aqel, CISA, CRISC, CGEIT, COBIT 5 Foundation, CSSGB, SMP

Is a consultant with more than 28 years of expertise in technology and management consulting. He is a researcher, trainer and author in the fields of strategic management and organizational development. He has extensive experience in governance and risk management. Aqel helps clients design better futures and gain control over rapidly changing business environments by building strategic management capabilities and leadership excellence. He has been leading egovernment and digital transformation in several organizations since 2004. He can be reached at aqel.aqel@gmail.com or www.linkedin.com/in/aqelmaqel.


1 HL7 International, Introduction to HL7 Standards
2 World Health Organization, International Classification of Diseases (ICD) Information Sheet
3 SNOMED International, What Is SNOMED CT
4 Sun Tzu, The Art of War, Filiquarian, USA, 2007