COBIT Case Study: Sunnybrook Health Sciences Centre 


Come join the discussion! Jeff Curtis will respond to questions in the discussion area of the COBIT (4.1 and earlier)—Use It Effectively topic beginning 22 April 2013.


Sunnybrook Health Sciences Centre (Toronto, Ontario, Canada) is one of the largest academic teaching hospitals in Canada. Its 10,000 staff, physicians and volunteers provide care to more than one million patients each year. Over the past 60 years, Sunnybrook has evolved from its original role as a veterans’ hospital into a centre for acute patient care, education and research. Today, it specialises in caring for Canada’s war veterans; high-risk pregnancies; critically ill newborns, adults and elderly; and treating and preventing cancer, cardiovascular disease, neurological disorders, orthopaedic and arthritic conditions, and traumatic injuries. Sunnybrook is fully affiliated with the University of Toronto and provides learning opportunities for more than 2,000 students annually. As a research-focused hospital, each year Sunnybrook’s 600-plus scientists conduct CAN $100 million of breakthrough research.

Sunnybrook’s Need for IT Governance

IT governance is an integral part of enterprise governance and consists of the leadership, organisational structures and processes that ensure that Sunnybrook’s information services group sustains and extends Sunnybrook’s enterprise strategies and objectives. At an annual IT planning retreat, Sunnybrook’s chief information officer (CIO) expressed the need for increased focus on technical and process risk management within the IT management team, following several years of increasing operational and project incidents and disruptions. At the same time, the CIO was being asked to present IT value and risk management activities to the audit committee of the board.

The audit committee had been previously unaware that a standards-based governance framework existed specifically for IT and was, therefore, immediately supportive of the IT governance programme proposal because it aligned with the emerging corporate enterprise risk management (ERM) and value-focusing efforts for hospital clinical care delivery. Members of IT management also appreciated the opportunity to structure, define and measure value and risk considerations within their respective IT strategic programmes, recognising that they could not commit to every project request going forward and were increasingly managing and competing for limited development resources.

An IT governance programme was, therefore, formally introduced as one of five IT strategic goals in Sunnybrook’s 2012 IT Strategic Plan (figure 1).

Figure 1—Sunnybrook Information Services Strategic Goals

Goal 1: Sunnybrook will be the national leader in the development of personal health records through expansion of the MyChart™ programme.1

Goal 2: Sunnybrook will lead in the design and build of innovative health care solutions.

Goal 3: Sunnybrook will use information systems and technologies to improve the integration of care across health care providers.

Goal 4: Sunnybrook will lead in the development of real-time information management tools and implement clinical data warehouses for health services research.

Goal 5: Sunnybrook will implement an IT governance framework.

The strategic goals correspond to three resulting IT strategic programmes, with director accountability for each programme’s value and risk performance: MyChart (Sunnybrook’s personal health record), SunnyCare (its next generation, in-house developed clinical management system) and the information management programme (providing real-time data management dashboards and reporting). Each of these programmes is required to account for corporate value and risk management within Sunnybrook’s IT balanced scorecard.

Sunnybrook’s IT governance framework is based on COBIT 4.1, a core set of managerial-level IT process controls, combined with two complementary enterprise-level IT governance frameworks:

  • COBIT 4.1 provides the essential managerial process control framework for day-to-day IT service creation and delivery.
  • Risk IT provides risk assessment and risk mitigation across all IT services.
  • Val IT provides IT project, programme and portfolio value management objectives and controls.

These three ISACA frameworks2 combine to provide an overall IT governance programme that is fully complementary with existing best practices for IT service delivery and provides both managerial and board-level visibility and control over the performance of Sunnybrook’s IT strategic programmes.

Sunnybrook’s IT Governance Areas of Focus and Balanced Scorecard Development

Whether at the management or board level, IT governance is fundamentally concerned with two primary outcomes: IT value delivery and the mitigation of IT-related risk. These are enabled by ensuring the strategic alignment of IT services with Sunnybrook’s business goals, the availability and management of appropriate IT resources, and the measurement and management of IT process performance. The resulting IT governance programme is focused on the application of five governance areas that are common to all enterprise governance frameworks and are applied to Sunnybrook’s IT management, specifically:

  1. Strategic alignment—Ensuring linkage between Sunnybrook’s corporate and IT strategic plans
  2. Value delivery—Ensuring information services’ value proposition throughout the IT delivery cycle and across IT programmes, projects and operational areas
  3. Risk management—Ensuring risk awareness and active mitigation of risk by senior corporate officers and IT management
  4. Resource management—Ensuring optimal investment in, and the proper management of, critical IT resources
  5. Performance measurement—Monitoring the achievement of IT strategic goals and objectives including value and risk management, project completion and success, IT resource usage, and IT process performance and service delivery, using balanced scorecards that translate strategy into action

For performance reporting purposes, these areas of focus have been translated into a four-quadrant IT balanced scorecard that is reportable to the board and is composed of selected IT objectives and associated process and outcome measures, which reflect the IT governance goals for each quadrant:

  1. Corporate perspective: Delivering value and managing risk
  2. Learning and growth perspective: Ensuring IT sustainability
  3. Internal (operations) perspective: Achieving operational excellence
  4. Customer perspective: Exceeding customer expectations

The measurement and management of the associated IT balanced scorecard indicators ensure visibility and accountability for both the IT strategic programme and the operational goals and objectives.

One of the most challenging issues in developing the balanced scorecard has been selecting indicators for quadrant 1, the corporate perspective, where value and risk indicators should be reflective of enterprise health care delivery goals and objectives. In consultation with senior clinicians and information systems directors, for example, work has begun on a number of indicators that reflect value delivery in terms of clinical management system access, efficiency, effectiveness, client centredness and safety.3 These clinical value dimensions are appropriate in a hospital setting where IT’s core purpose is to ensure that IT systems deliver information to patients, clinicians and managers where and when it matters most.

The following are samples of the resultant value indicators applicable to SunnyCare. Management discussion is underway regarding the best way to measure certain indicators where, for example, clinical effectiveness or efficiency outcomes may not be directly observable without significant commitment and support for data gathering. Other value indicators reflective of patient and administrative value dimensions are also in development for both the MyChart and information management programmes, respectively.

SunnyCare clinical value dimensions are:

  • Access: Reducing waits and sometimes harmful delays for both those who receive and those who give care; key indicators: number of unique users; number of clinical programmes with active users
  • Efficiency:4 Minimising waste, including waste of time, equipment, supplies, ideas and energy; key indicators: user survey results reflecting clinician efficiency improvements
  • Effectiveness: Providing services based on scientific knowledge to all who can benefit, and refraining from providing services to those not likely to benefit; key indicators: in development
  • Client centredness: Providing a product that is respectful of and responsive to client preferences, needs and values, and ensuring that client values guide all design decisions; key indicators: client usability and satisfaction scores
  • Safety: Avoiding injuries to patients from the care that is intended to help them (safety value can be realised by reducing errors that have the potential to cause harm); key indicators: in development

Sunnybrook is committed to developing and measuring these indicators over the next year of its IT governance programme implementation in order to assess the feasibility of refining them further and building similar measures for all IT strategic programmes and services going forward. As noted, the need for value and risk measurement has prompted much discussion regarding the feasibility of measurement and the meaningfulness of the resulting indicators. These discussions are ongoing and continue to refine Sunnybrook’s balanced scorecard. The audit committee has commended the IT group for introducing the COBIT framework and for promoting and using an IT balanced scorecard, thereby putting IT on a measurement track that ensures value and risk visibility for both the board and management.

Jeff Curtis, CISSP
Is the chief privacy officer (CPO) for Sunnybrook Health Sciences Centre, a 10,000-plus employee acute care, research and teaching hospital in Toronto, Ontario, Canada. Curtis is a director in the hospital’s information services group responsible for information privacy assurance, freedom of information compliance, IT risk management and corporate strategic planning activities. He has worked in the information technology sector for the past 20 years and is a doctoral candidate undertaking his DBA in information security research at the Henley Business School, University of Reading, UK.


2 In 2012, ISACA released COBIT 5, in which the Risk IT and Val IT frameworks are now included.
3 Adopted from National Research Council, ‘Crossing the Quality Chasm: A New Health System for the 21st Century’, The National Academies Press, USA, 2001
4 Etchells, E.; M. Slessarev; T. MacMillan; The Effects of Duplication of Redundant Information Between Paper and Electronic Records on Efficiency, Document Completeness, Safety and User Satisfaction of General Internal Medicine Admission and Discharge Processes, working paper, 2012