Operations Risk

While an eHealth project will end, the eHealth program will extend through time until the program is eventually replaced or retired. The operations phase is the phase in which identified benefits will materialize. During this phase, threats to the continuing success of the program may also materialize.

One of the limitations of the literature concerning operations and operations risk is that it tends to focus on the management and maintenance of IT systems. Recognizing that eHealth is multi-faceted from an operations point of view, care must be taken to ensure that the same due diligence applied to IT operations is also applied to other business and clinical processes and functions.

Two well-established standards for IT operations are available for eHealth programs: the Control Objectives for Information and related Technology (COBIT) and the Information Technology Infrastructure Library (ITIL). COBIT has been selected as the base for the Report Card, but ITIL would be equally acceptable.

COBIT divides operational controls into four groups. Note that some of these controls overlap with other areas of the Report Card:

• Plan and Organize
  o Are IT and business strategy aligned?
  o Is the enterprise achieving optimum use of its resources?
  o Does everyone in the organization understand the IT objectives?
  o Are IT risks understood and being managed?
  o Is the quality of IT systems appropriate for business needs?

• Acquire and Implement
  o Are new projects likely to deliver solutions that meet business needs?
  o Are new projects likely to be delivered on time and within budget?
  o Will the new systems work when implemented?
  o Will changes be made without upsetting current business operations?

• Deliver and Support
  o Are IT services being delivered in line with business priorities?
  o Are IT costs optimized?
  o Is the workforce able to use the IT systems productively and safely?
  o Are adequate confidentiality, integrity and availability in place?

• Monitor and Evaluate
  o Is IT’s performance measured to detect problems before it is too late?
  o Does management ensure that internal controls are effective and efficient?
  o Can IT performance be linked to business goals?
  o Are risk, control, compliance and performance measured and reported?