Introduction
With increased adoption of IT in many organizations, cases concerning irregularities in the acquisition process or the use of these systems have been on the rise. This is the whole importance of ISO/IEC 38500:2015 standards in IT governance; these standards should guide the whole process of IT governance from acquisition to full implementation (Debreceny, 2013 p.130). This paper uses the events of the Defense electronic Health System (DeHS) in Australia to demonstrate the issues which can arise in the governance of IT projects and the relation of these issues to the ISO/IEC 38500:2015 regulations. The paper starts by giving a little background on the case of DeHS and the general ISO/IEC regulations; the paper will then provide a detailed analysis of the identified issues based on ISO/IEC regulations before a conclusion.
Background of DeHS
The preparation for this system started in 2009. The system was to aid health practitioners in providing health services to defense personnel and help the organization of defense in planning various activities in which the health of the various personnel was important. The initial budget for the project amounted to $23.3 million. Due to inadequate detail in the initial budget, the actual budget for the project rose to $133.3 million. Moreover, the initial plan lacked other key details about the implementation of the project; for instance, it omitted the fact that the project would need an external host and further funds would be required to train the users of the system. These problems delayed the inception of the project by more than three years. Part of the causes of the aforementioned issues was the lack of IT experience among the people in the department of defense who were spearheading the project. Furthermore, the defense department did not follow all statutory regulations for setting up a project of that magnitude.
Overview of ISO 38500
The ISO/IEC 38500:2015 specifies five major principles which should guide the governance of IT projects in organizations. The first principle is responsibility. The principle demands that the project management team identify the capabilities of the members of the implementation committee and give each member a responsibility that is commensurate with their capabilities (Calder, 2008 p.67). In terms of this IT project, therefore, individuals with a level of expertise in IT should have been appointed to lead the project. The standards require that the individuals leading the project should be business managers and should be assisted by IT specialists. The governing body should give further directions to ensure that the project managers can do their work effectively. They should also evaluate the work of the project managers periodically.
The second principle is strategy. Here, the ISO requires that the proposed IT project should be able to fulfill future business needs. Moreover, the IT project should be aligned with the business the objectives of the requirements and the requirements of all stakeholders. It is also important for the governing bodies to subject the project to appropriate risk management procedures (Racz et al., 2010 p.163).
Proper acquisition is the third principle. Here, the governing body should evaluate all available options so as to settle on an effective IT project. This can be done by reviewing all available proposals and choosing the one that best suits the needs of the organization. The risks associated with each proposal should also be evaluated. This step is meant to ensure that the organization gets good value for their money; the organization only pays what is worth paying for (Hammond, 2014 p.94). In the context of DeHS, the defense department should account for every part of the amount of money they want to pay and show that it is their best option.
The fourth principle is performance. Here, the governing body should only approve a project which will improve the business functions of the organization and improve its overall effectiveness (Hammond, 2014 p.94). It is here that the mechanisms by which the organization intends to treat the various risks that could come with implementing the project. Moreover, the governing body should look to protect IT assets including intellectual property. Options for assuring effective and timely decisions should also be made clear.
The fifth principle is conformance. It is important for the governing body to ascertain the project’s satisfaction of regulatory, legislative, and contractual. The project should also satisfy the organization’s internal guidelines, professional guidelines, and standards (Bin-Abbas and Bakri, 2014 p.264). Moreover, the governing body should ensure strict adherence to the framework for the implementation of the project. These assessments should be done from time to time.
The last principle in governance of IT projects is human behavior. Here, the governing body should look to predict the possible effects of implementing the IT project on human behavior (Bin-Abbas and Bakri, 2014 p.265). After identifying these possible changes in human behavior, the governing bodies should consider them in the plan. The consideration looks to correct any problems arising and strengthening or rewarding positive responses. This will ensure high acceptability of the IT service being launched among the users.
Critical Analysis with ISO 38500
The two issues about DeHS which this paper will analyze are – its failure to conform to all statutory and organizational requirements and its poor performance. The principle of conformance requires all IT projects to follow all regulations that are set both within and outside the organization. There are many such requirements that were not observed duly in the implementation of DeHS. First, the defense department did not use the PRINCE2 methodology which is the approved and proposed methodology of project management in Australia. This contributed heavily to the poor planning, reporting, documentation, budgeting, coordination, and risk management as Chadli (2008 p.73) suggested. Second, this project did not complete a statutory requirement for a project of its magnitude of going through the Gateway Review Process. Thirdly, it is government policy in Australia that such a project should be approved by the ministry before it starts; however, this project started before it received approval from the government.
In addition, the DeHS did not fulfill the ISO/IEC 38500:2015 principle of effectiveness. This principle requires that only IT projects which have proven to be highly useful in enhancing the business activities of an organization should be implemented; a concept that Hammond (2016 p.94) and Chaudhuri (2011 p.10) agree with. However, the DeHS project was not taken up by many health practitioners as they preferred to continue doing business in past mechanisms. Considering the fact the health practitioners were the main targets of the system, it failed totally and thus was largely ineffective. In other words, it does not justify the amount of money spent on it.
Conclusion
Poor planning led to an extreme delay in the beginning on the DeHS project in Australia; the project started in 2014 despite its inception in 2014. The project has since faced many problems. Considering the details of the principles of ISO regulations on governance of IT projects, the DeHS did not conform to several principles. The principles with conspicuous failure to conform to were that of performance and that of conformance. As seen above, conformation to these principles would have saved the project from the numerous projects it encountered.
Bibliography
Bin-Abbas, H. and Bakry, S.H., 2014. Assessment of IT governance in organizations: A simple integrated approach. Computers in Human Behavior, 32, pp.261-267.
Calder, A. (2008). ISO/IEC 38500: the IT Governance Standard. Ely, IT Governance Pub.
Chaudhuri, A., 2011. Enabling effective IT governance: Leveraging ISO/IEC 38500: 2008 and COBIT to achieve business–IT alignment. Edpacs, 44(2), pp.1-18.
Debreceny, R.S., 2013. Research on IT governance, risk, and value: Challenges and opportunities. Journal of Information Systems, 27(1), pp.129-135.
Hammond, W.E., 2016. Standards for Global Health Information Systems. Global Health Informatics: How Information Technology Can Change Our Lives in a Globalized World, p.94.
Racz, N., Weippl, E. and Seufert, A., 2010, July. A process model for integrated IT governance, risk, and compliance management. In Proceedings of the Ninth Baltic Conference on Databases and Information Systems (DB&IS 2010) (pp. 155-170).
