
2012 45th Hawaii International Conference on System Sciences

Approach to the Evaluation of a Method for the Adoption of Information Technology Governance, Risk Management and Compliance in the Swiss Hospital Environment

Mike Krey and Steven Furnell
Centre for Security, Communications & Network Research
University of Plymouth, Plymouth, United Kingdom
krey@zhaw.ch; S.Furnell@plymouth.ac.uk

Bettina Harriehausen and Matthias Knoll
Department of Computer Sciences; Faculty of Economics and Business Administration
Darmstadt University of Applied Sciences
Darmstadt, Germany
B.Harriehausen@fbi.h-da.de; Matthias.Knoll@h-da.de

Abstract: The issues, opportunities and challenges of effectively governing an organisation's Information Technology (IT) demands and resources have become a major concern of the Board and executive management in many organisations today. The Swiss health care is currently searching for methods and practices for the solution of operational planning and optimisation of IT processes. To make sure that the corporate hospital strategy leads to adequate business decisions an IT Governance, Risk and Compliance (GRC) Framework for Health Care will be needed. This paper presents a practical validation method for this approach. After the discussion of the challenges to the development of a validation method, the concept of triangulation as the basis for the method development will be applied to the given health care context. The proposed validation framework consists of different validation types which enable the evaluation of the research result compared to the cognizance goal and to the conditions of the real world.

Keywords: Governance; Risk; Compliance; Health Care; Evaluation; Method Engineering; Triangulation; Validation.

I. INTRODUCTION

In many industry sectors information technology (IT) and its usage are enablers for increasing effectivity and efficiency in production processes for goods and services. In health care the effect of IT is especially on medical service provisions and administrative support processes. In that way, IT can be a driver for diversification in competition and creation of innovative strategic competitive advantages. However, for years IT has been viewed as an overhead in the health care sector and hence run as a cost centre. Now, pressure is on IT executives to transform into a service organization, run their organisation like a business, increase the credibility of IT and achieve realisation of the fiscal value. Moreover, hospitals are often funded by government and not driven by profit and therefore impacted by politics. This means that some funding opportunities are driven by the political priorities of the day, rather than alignment with the best organisational returns. Public administrations, health care organisations and private entities have obtained value by implementing IT governance, which is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity [24]. The real question is not in principle the agreement to such governance issues, but rather the practical issues in doing so, and the related benefits. This is due to increased IT applications landscapes and demands for more efficient and cost-effective service delivery. This dependency on IT in such an environment like a hospital with wider accountability, more bureaucracy, lower managerial autonomy [37] and a complex mix of political, organisational, technical and cultural concerns [3] requires far-sighted management of IT. This calls for effective IT governance. Governance, Risk Management and Compliance (GRC) is an executive level concern in many enterprises today [47]. It is an approach that addresses not only the establishment of business rules but more importantly how those rules are integrated into sensible organisational structures, embedded into the day-to-day business processes of the organisation, communicated (including on-going training) and monitored for compliance. In this research work the GRC context governance means IT related governance and describes the topics that the executive management needs to address to govern IT within their health care organisation (cf. Section 2).

Cost pressure, reforms and quality requirements are three keywords which are mentioned in the current debate about the Swiss health care; it is facing a radical change. The Swiss health care system is based on a federal and decentralized structure at the same time. The federal government is responsible for the definition, regulation and controlling of the health care issues. The decentralised part is represented by its 26 cantons each with its own particular regulation, distinct organisations and infrastructures. Nonetheless, they all have one common feature, i.e., billing is calculated on a per diem basis, which means that medical insurers simply pay an agreed amount per day spent in hospital independent of a patient's diagnosis. Any further costs are covered by the hospital, meaning the state or private hospital operators pay.

978-0-7695-4525-7/12 $26.00 2012 IEEE
DOI 10.1109/HICSS.2012.118

By the end of 2012 the billing by Diagnosis Related Groups (DRGs) will have been introduced. That means that the hospital is going to be paid, e.g., for an appendix operation with a fixed amount and it has to cover their costs. The primary objective of the DRG introduction in 2012 is not cost saving in the Swiss tariff structure. Cost savings cannot be expected because of the required additional administrative work for every hospital to implement the DRG system. The introduction of DRG case-based lump sums is to achieve two things:
- More transparency of all medical services offered and provided in a hospital and ideally
- A performance-related kind of payment.

In the Swiss federal structure, the DRGs will provide a prerequisite for more competition between the service providers (e.g., hospitals, health centres, general practitioners) because services and products can be compared, regarding cost as well as quality. For the affected hospitals it is necessary to develop concepts and reforms to save costs and to work more efficiently. Apart from the treatment costs, hospitals also have to undertake investments to keep up to date and remain competitive. Therefore, an integrated and comprehensive approach to the governance of IT and its resources is becoming critical to more effectively align, invest, measure, deploy and sustain the strategic and tactical direction and value proposition of IT in support of the business. In this context, IT as a business enabler can play an important role in Swiss hospitals, but it also has the potential for many risks, which may disrupt operations and have unintended consequences.

However, how can adoptions of IT GRC be validated in such a highly meshed and organisationally complex environment like a hospital? Do all hospitals agree on what the application of an IT GRC Framework for Health Care proposes? Is the practicability and use of the methods within the framework congruent with the hospitals' expectations? These are some of the important questions for those who have derived requirements for an IT GRC Framework for Health Care, mapped those to existing ones, identified explicitly gaps where health care specific requirements cannot be fulfilled with functionalities provided and proposed approaches to close the identified gaps. The development of a health care specific IT GRC framework consists of three main steps. (1) Classification of existing IT GRC frameworks. With the help of a classification scheme users as well as framework developers were provided with an overview of the framework, e.g., related to its addressed GRC area, framework design or framework application [27]. (2) Exploration and systematisation of the factors influencing IT GRC structures, processes and outcome and the requirements and expectations within the health care sector (cf. Section 2). To enhance the future reusability of such a framework, detailed information about the application method, requirements from the health care processes (business and IT), accessibility and levels of mutability were required. (3) Mapping of the existing IT GRC frameworks and the derived requirements within the health care sector. This identified a requirements overlap which could be fully or partly covered by the existing frameworks and made approaches how to fill the gaps possible. This actual research work corresponds to the third step, the development of an IT GRC Framework for Health Care and proposes therefore a practical validation method for this approach (cf. Figure 1).

Figure 1. Research framework, according to Hevner [21]

The present paper already provides a brief introduction into the key concepts of IT governance and the current debate about the DRGs within the Swiss health care sector. It shows the drivers and benefits of both and leads to the research objective, i.e., the application of IT governance to the field of health care. In the next sections the focus areas of the IT GRC Framework will be briefly discussed. After a summary of the challenging factors which influence an effective and sustainable adoption within the health care environment the concept of a validation method and its application methods will be explained. The paper ends with some remarks about the future research in this field.

II. IT GRC FRAMEWORK FOR HEALTH CARE

In recent years, a range of best practice models (IT Infrastructure Library (ITIL) or Control Objectives for IT and related Technologies (CobiT)) as well as proprietary frameworks have been developed (Microsoft Operations Framework (MOF), IT-Service-Management (ITSM) of Hewlett-Packard, or the IBM IT Process Model (ITPM)). These frameworks, which are also summarised under the topic of IT governance, describe goals, processes and organizational aspects of IT management and control [18]. Best practice models like CobiT have been developed based on the practical experiences from the business world. The experiences have been consolidated and aimed in generally accepted rules, processes, and characteristics. The approach of these frameworks is very generic and should fulfil the needs of different industries, enterprise sizes and scenarios at the same time. CobiT provides corporate managers, external auditors and IT users with a set of relevant processes, measures and indicators to facilitate the adoption of appropriate IT governance and control in an organisation.

According to Knahl, ITIL primarily addresses IT efficiency that relates to the effective operation of IT (e.g., measured by a comparison of production with cost as in time and money). On the other hand, CobiT is primarily addressing effectiveness and strategy of IT in the context of an organization. Effectiveness relates to producing a decided, decisive, or desired effect. Strategy relates to the strategic planning and adaptation (e.g., of structure or behaviour) that serves the core function of IT to contribute to desired business outcomes [26]. As stated by Johannsen and Goeken [25] (cf. Figure 2) a lot of these frameworks are interrelated and some of their aspects overlap. However, it is important to identify the appropriate standard to provide support at the right level of governance needs, for example:
- For achieving governance standards and to develop a code of practice,
- To provide managers with decision support,
- To define and regulate processes in service management,
- To deploy these processes and the required procedures, working instructions and monitoring functions.

From an academic point of view these best practice frameworks can be seen as an interesting object of research, not only because the models are widely spread but also because they incorporate a huge amount of consolidated knowledge.

Figure 2. Classification of best practice standards and proprietary IT governance frameworks, according to Knahl [26]

As ascertained by a survey with several Swiss hospital CIOs in 2009, the majority (64%) replied, that the health care sector is a complex and heterogeneous economic sector and cannot be compared to other industry sectors, where CobiT and other IT governance framework have been successfully applied. Organisational structures, legal restraints and over the years increased heterogeneous IT systems are just a few aspects, which make the health care sector a sensible field for the implementation of IT governance. It is pleasing to see, that hospitals appear to be taking IT governance as a part of their governance realm and that 45% of the hospitals surveyed, adopt ITIL as an IT governance framework, while about 8% of hospitals have or will adopt CobiT, ISO-17799 or a proprietary framework. The majority believed, that their ITIL approach is repeatable but intuitive, whilst no one thought their ITIL approach is fully optimised and the processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other hospitals [28]. Based on these findings, the following six focus areas for IT governance are building the basis for the IT GRC Health Care Framework (cf. Section A) and are influenced by health care specific characteristics (cf. Section B).

A. Governance, Risk Management and Compliance

1. Strategic alignment (Business-IT-Alignment) focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
2. Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
3. Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
4. Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
5. Risk management requires risk awareness by senior corporate officers, a clear understanding of the hospital's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the hospital and embedding of risk management responsibilities into the organisation.
6. Compliance is not directly covered by the CobiT framework and its classification into the focus areas. The Swiss health care system is based on a federal and decentralized structure at the same time. The decentralized part of the Swiss health care system is represented by its 26 cantons each with its own particular regulation, distinct organisations and infrastructures. For that reason, the health care sector in Switzerland needs to confirm compliance of, e.g., IT policies, standards, procedures and methodologies with legal and regulatory requirements.

Ensured compliance with external requirements leads to:
- Identification of good practices for dealing with laws and regulations
- Improved personnel awareness for regulatory requirements
- Increasing process performance and compliance with laws and regulations and improved corporate performance.

The compliance lays more emphasis to the fact that by the end of 2012 the Swiss DRG will be introduced to the Swiss health care sector and 105 of the 141 general hospitals are public or subsidized private systems [4]. From this point of view, compliance means to conform to a specification or policy, standard or law that has been clearly defined for the health care sector by the canton or the federal government to achieve more transparency of all medical services offered and provided in a hospital and ideally a performance-related kind of payment.

Figure 3. IT GRC approach

B. Characteristics of IT GRC Approaches for Health Care

The reviewed characteristics are building the basis, which might help to understand the challenges that a sustainable IT GRC adoption has to meet within health care organisations. It has to be mentioned that not all health care related characteristics apply to each environment. E.g., the specialisation, division of labour and the shared know-how are significantly depending on the quantitative workload (e.g., number of cases per year) of the health care institution. Institutions with a lower number of cases might aggregate functional responsibilities to a single person however institutions with higher number of cases might have a more remarkable division of labour. In addition within larger institutions (e.g., university hospitals) processes could be found with a lower complexity. The degree of collaboration (and therefore indirectly the complexity of processes) relates to the degree of specialisation, which means that these characteristics could be formed individually for the same process. The particular characteristics of health care organisations and their impact to an IT GRC adoption allow the derivation of concrete requirements. These requirements allow on the one hand the substantial analysis of existing IT GRC approaches with regard to their applicability to the health care sector and on the other hand the adaptation of existing ones or the development of new concepts. The following list of characteristics is not exhaustive but helps to understand the specific challenges.

TABLE I. CHARACTERISTICS OF IT GRC APPROACHES FOR HEALTH CARE

Characteristic (C.xx) | Description

C.01 Specialisation and Division of Labour | The specialisation of health care organisations is based on the complexity of provided services (e.g., internal medicine, ENT medicine, surgery, radiology, nursing, in-patient, outpatient, etc.) and the consequential specialised (qualitative) division of labour. The division of labour is one of the basic principles of health care organisations and is implemented not only between but also within organisations by hierarchical organisational structure. The hierarchical coordination of tasks leads to organisational units which are often working independently, because of the lack of cross-organisational functions.

C.02 Autonomy | A life of its own can be found in different organisational units within health care organisations, as a result of the specialisation and division of labour, which are based on the complexity of medical services provided by physicians (e.g., internal medicine, surgery, radiology, etc.). The autonomy of organisational units leads consequently to decentralised decision-making, management of structures, information and authorities. The wide-spread of knowhow within the different (specialised) organisational units and the complexity of internal structures within a health care organisation additionally promote the decentralised decision making.

C.03 Collaboration | Any kind of division of labour needs specific mechanisms for a vertical and horizontal but furthermore branches internal and cross-organisational coordination of involved stakeholders. Especially health care organisations, in their role as a health provider, are characterised by a comprehensive collaboration within their service provision process (e.g., treatment process incl. post-surgical care). The network of actors involved in processes includes not only health care professionals but also managed care organizations and patients.

C.04 Role of IT | The self-contained organisational responsibility, the complexity of the supported processes and the missing cross-organisational coordination make an overall comparable approach to management of assets, information and IT difficult. A hospital consists of various organisational units with differing tasks for various types of health care professionals. Since integrated care should be the aim, a high degree of interoperability has been reached, the significance of painstakingly thorough patient data collection, accurate and meticulous documentation, and extensive reporting has led to an increased deployment of information technology [48]. This requires intensive internal communication among organisational units and health care professionals as well as external communication (e.g., to insurance organisations, general practitioners, etc.). The IT department has to exert its limited influence toward maintaining an integrated IT architecture as an organisational directive and escalate IT development issues and their consequences to top management for arbitration. The CIO position within the organization must develop a trusted relationship with top management to succeed in this responsibility. The health care organisation is a political arena. An IT department has relatively
little influence compared to other (medical) organisational units within the organisation. With limited organisational influence, the IT department with the CIO must educate management on the necessity of an integrated IT architecture to avoid bounded rationality during IT development

III. DEVELOPMENT OF A VALIDATION METHOD

The development of the validation method is part of the 2nd phase (research and evaluation phase) of the overall research framework (cf. Figure 1), where the previous mentioned three steps (classification, exploration and mapping) are taking place. The validation method allows a profound evaluation of the value proposition of the proposed IT GRC framework for health care based on different validation criteria and is therefore an important part of the overall research framework. In this section the challenges to a validation with a small statistical population, to be applied methods and the overall validation framework will be discussed.

A. Challenges to the development of a validation method

Although the importance and benefits of a validation are widely perceived in the field of computer science, different definitions, understandings and emphases still can be found in literature. Stufflebeam and Shinkfield [46] made an approach to the definition of a validation and defined it as a process of delineating, obtaining, and providing useful information for judging decision alternatives. Guba and Lincoln [19] made a more generalised approach and defined validation as the process of describing an evaluand (the entity being evaluated) and judging its merit and worth. Alkin [1] on the other hand describes an evaluation as the process of ascertaining the decision areas of concern, selecting appropriate information, and collecting and analysing information in order to report summary data useful to decision-makers in selecting among alternatives. Cronbach [12] defines evaluation simply as the collection and use of information to make decisions about an educational program. It becomes obvious, that a common definition of validation cannot be found in literature. However, some common aspects of the above given definitions can be underlined.
1. Validation has to generate information (valid and clear);
2. This information has to be defensible;
3. Defined method used for collection and
4. Validation has to be an organized process

Therefore, a valid definition for the actual work is needed. Referring to Sanders [42], validation is understood as a systematic and target-oriented research and assessment method. Target-oriented within this research work refers not only to a single result but moreover to the overall developed IT GRC framework for health care and is therefore subject of the validation process. Results of the evaluation determine on the one hand the suitability and contribution of the developed framework to the given context [35] and allow on the other hand statements on its benefits and practical usability [21].

In addition, other validation criteria for a more sophisticated validation of the framework could be used (e.g., sensitivity, understanding, effort, etc.). The evaluation results are thus indicative for the potential use and required qualifications of the IT GRC framework and point out where possible options for further developments and improvements are. In this respect the validation should be ideally iterative to the development of the IT GRC framework (cf. Figure 1). Thus, findings of the validation can directly flow back into the framework development. The validation of the IT GRC framework faces three challenges:
1. The lack of dissemination of innovative IT GRC approaches in the given context hampered their wide validation.
2. The variety and complexity of IT GRC approaches require the participation of experts with methodological skills. These specific skills are often not available in health care organisations [29].
3. Results of the validation should be as objective as possible.

IT GRC frameworks, which have been developed application-oriented should solve or improve existing problems within a defined domain (e.g., Business-IT-Alignment). They therefore can be defined as innovative. In contrast to many theories of explanation-oriented research, innovative IT GRC approaches could not always be evaluated with large numbers of cases, since they are often up to the validation (still) not divulged. Even in the present work, the developed IT GRC framework for health care is not actively applied at the time of its validation. It therefore constitutes a "potential future scenario". A validation of the developed framework with a large statistical population, as often required for the evaluation of theories to empirically evidence the truth, is based on a potential future scenario, not possible. It raises the question, how the validity, plausibility, flexibility and richness of the validation results even with a small statistical population can be maximised.

B. Concept of triangulation

One possibility to meet the above mentioned challenges is the concept of triangulation. Triangulation is an approach that in contrast to the sequential application of research methods seeks the simultaneous use of various resources (e.g., methods, data, people or theories) to gain perception [15] [38]. Triangulation is a research method that facilitates validation of data through cross verification from more than two sources. In particular, it refers to the application and combination of several research methodologies in the study of the same phenomenon [6]. The idea is that one can be more confident with a result if different methods lead to the same result. If a researcher uses only one method, the temptation is strong to believe in the findings. If a researcher uses two methods, the results may well clash. By using three methods to get an answer to a question, the hope is, that two of the three will produce similar answers, or if
three clashing answers are produced, the researcher knows private: the home care services to which one may
that the question needs to be reframed, methods have recourse in case of a difficult pregnancy, after
reconsidered, or both. The purpose of triangulation in childbirth, illness, accident, handicap or old age;
qualitative research is to increase the credibility and validity 36 fully private: hospitals, specialised clinics, health
of the results. Several researchers have aimed to define centres, general practitioners, insurance companies,
triangulation throughout the years. Cohen and Manion [9] service providers;
defined triangulation as an "attempt to map out, or explain
TABLE II. GENERAL HOSPITALS CLASSIFICATION AND
more fully, the richness and complexity of human behaviour NUMBER OF GENERAL HOSPITALS IN S WITZERLAND BY
by studying it from more than one standpoint". Altrichter et TYPOLOGY AND REGAL REGULATION
al. [2] contended, that triangulation "gives a more detailed
and balanced picture of the situation. According to Guba
and Lincoln [39], triangulation is a method of cross- Number of Number
checking data from multiple sources to search for Categories/
hospitals- of
Number
regularities in the research data. However, Denzin [13] Typology Code public/ hospitals-
Description of beds
subsidized fully
extended the idea of triangulation beyond its conventional private private
association with research methods and designs. He
distinguished four types of triangulation:
Data triangulation: gathers data at different times, 1 K111
Centralised care
level 1 (university 5 0 4440
social situations, as well as on a variety of people hospital)
Investigator triangulation: refers to the use of Centralised care
multiple researchers in an investigation process 2 K112 level 2 (regional 23 2 8113
Theory triangulation: refers to the use of more than hospital)

one theoretical scheme in the interpretation of the Basic-care hospital


3 K121 level 3 (relatively 19 5 3812
phenomenon large/specialised)
Methodological triangulation: refers to the use of Basic-care hospital
more than one method to gather data, such as 4 K122 level 4 (moderate 30 13 3418
size/ specialised)
interviews, observations, and questionnaires. Basic-care hospital
In doing so, triangulation should enhance the validity, 5 K123 level 5 (small size/ 28 16 1224
plausibility and credibility of the research results [11]. This low specialisation)
plausibility and richness are in a validation process with a Total: 105 36 21007

small statistical population questionable. The purpose of the


current validation approach for IT GRC frameworks is For the actual research work, a minimum of three health
therefore according to the principles of data triangulation care institutions for a validation process will be proposed.
[13] to involve as different institutions as possible from As the five university hospitals (K111) in Switzerland
the Swiss health care sector. The data used for the provide nearly one fifths of all beds one of the validation
classification of different hospitals has been extracted from the annual data reported by Swiss general hospitals to the Federal Statistical Office in 2006 [4]. In Switzerland, general hospitals are classified into five typologies based on size, number of departments and level of specialisation. A brief description of each hospital type is given in Table 2. Typology 1 includes only the five largest hospitals, which are affiliated to universities and provide a wide variety of services in a large number of specialisations. At the other extreme, typology 5 includes small general hospitals (mostly less than 100 beds), which provide basic medical care with few specialisations. Table 2 also lists the number of general hospitals in 2006 by hospital typology, their legal regulation and number of beds.

The Swiss health care system is a combination of public, subsidised private and fully private systems:
105 public or subsidised private hospitals: regional hospitals or university hospitals, e.g., the University of Geneva Hospital (HUG) with 936 beds, 9,600 staff and 100,000 patients per year; subsidised

partners should be out of this group. The other two health care institutions should be regional hospitals (K112). One of these regional hospitals should be private.
With this selection of health care organisations different scenarios can be integrated (data variation). In doing so, the richness of the results could be increased and thus a critical discussion of different perspectives is possible (multi-perspectives). When it comes to the validation through the users, the second of the above-mentioned challenges (cf. Section 2.A), the participation of experts, becomes evident. This challenge results from the variety and complexity of the IT GRC approaches. For a substantiated assessment of the results, of the benefits and possibly other validation criteria, a basic understanding of the methodology of how to apply the developed framework is required. A common research method is to support the IT GRC adoption with case studies [17]. Here, however, it becomes clear that applying the approach requires appropriate expertise (responsibility of experts), which is (still) not one of the core competencies of health care organisations. This addresses the need that the

IT GRC adoption should be supported by a researcher as foreseen by the action research approach [10]. Action research is an interactive inquiry process that balances problem solving actions implemented in a collaborative context with data-driven collaborative analysis or research to understand underlying causes enabling future predictions about personal and organisational change [41]. Lewin first coined the term and described action research as a comparative research on the conditions and effects of various forms of social action and research leading to social action that uses a spiral of steps, each of which is composed of a circle of planning, action, and fact-finding about the result of the action [34]. Since action research explicitly involves a researcher, the third of the above-mentioned challenges is obvious. The involvement of the IT GRC framework developer can influence the results of the validation, so that an objective assessment of the framework and its application within the given context is questionable. The endeavour for objectivity is "an essential guidance for validation approaches" [16].
Therefore, in the present research work the assessment of the validation criteria is not done by the researcher himself, but by the user of the IT GRC framework within the selected health care institutions. Because of the necessary knowledge about how to apply the IT GRC framework in the given context and with regard to the action research approach, the institutions are therefore suitable. Based on their experience gained in this context, it is now possible to also review the assessments with research methods where the researcher's scope of influence is possibly lower. This includes the methods of structured interviews and questionnaires.
The application of different research methods can improve the plausibility and credibility of the validation findings. In addition to the action research approach, therefore, other methods (variation of methods) should be applied.

C. Validation framework
To structure the validation and its various research methods different frameworks exist (e.g., [16], [14], [40], [44]). The framework proposed by Gomm et al. [14] uses a classification of validation methods based on the chosen research method and the derivation of used quality criteria. Here, the research methods can be classified into "empirical" and "analytical", while in the derivation process of the quality criteria they differentiate between "ad hoc" and "theory-based". In the work by Reason and Bradbury [40], a matrix can be found which refers to the comparison of these artefact types and related quality aspects. In addition to Gomm et al., Reason and Bradbury introduce the evaluation dimensions "structure of the artefact", "evaluation criteria" and "evaluation approach". Furthermore, Siau and Rossi [44] differentiate in their study of evaluation methods between empirical and non-empirical methods and provide guidance at what time different methods are suitable.
It becomes obvious that the selection of relevant validation criteria and the use of an appropriate validation method are crucial for the result. On the other hand the validation framework should not only include the review of the validity of the IT GRC framework but furthermore evaluate the previously identified research gap and its correctness [29]. As stated by Cole et al. [10], the evaluation should prove the utility of the research results as a whole.
The development of the IT GRC framework refers to an identified problem in the real world; in addition to [10], the proof of its utility can therefore be brought through its application in the real world. To cover a maximum of the entire research process with the validation, the applied validation methods in this research work have been selected on the basis of validation types which belong to the individual steps of the development process of the framework (cf. Figure 4). Thus, the framework can be validated from different perspectives.

Figure 4. Classification of validation types into the research process, according to Bucher et al. [8]

Although the discipline of information systems (IS) has been affected by different sciences, there is until today no common opinion about adequate research methods to be used. Two research paradigms are currently discussed in IS:
Behaviour-oriented research and
Design-oriented research.
In the German-language IS community a clear dominance of design-oriented research can be noticed, while behaviour-oriented research plays a minor role. Rooted in the fields of natural and social sciences, behaviour-oriented research aims at the description and prediction of phenomena through the application of appropriate theories; it therefore seeks to develop and justify theories (i.e., principles and laws) that explain or predict organisational and human phenomena surrounding the analysis, design, implementation, management and use of information systems [21]. Design-oriented research seeks utility through the development of innovative artifacts (i.e., concepts, models, methods, instantiations, etc.) in order to extend the boundaries of human and organisational capabilities [21]. While behaviour-oriented research aims basically at the understanding of the truth in relation to a natural object of observation, design-oriented research causes artificial changes on the research object itself. Based on the approach by Bucher et al. [8] the validation process is sequentially organised and distinguishes between a cognisance goal and a design goal. The sequence underlines that the

cognisance goal of a research work is logically prior to the design goal [49]. The IT GRC framework, as a design-oriented artifact, can therefore on the one hand be evaluated compared to the cognisance goal (requirements analysis IT GRC, research gap) and on the other hand compared to the real world (environment acceptance).
In this work, the lack of dissemination of frameworks in the health care sector is the initial problem. The research gap is characterised by the lack of methods and practices that meet the identified characteristics and requirements. The interim results of the research processes can be objects of the validation process (cf. Figure 4) [8]:
Validation type 1 rates the developed framework against the research gap. This can be done by an analytical evaluation, in which the solution proposal is assessed regarding the requirements. The research gap itself is not assessed, nor is the use and application of the framework under real world conditions.
Validation type 2 analyses the framework with regard to its contribution to the problem solving and its benefits. The framework is used under real world conditions (empirical evaluation).
Validation type 3 assesses the identified research gap compared to the realised problem of the real world [29].
That raises the question how the various validation types could be methodologically supported. For validation type 2, the focus is on the application of the framework. Therefore, as already mentioned, the action research approach shall be used [20]. Whether the framework could meet the defined requirements (validation type 1) can only be assessed after its application by the involved health care institutions. In addition, the review of the research gap (validation type 3) with regard to the realised problem shall also be undertaken by the involved institutions. For this purpose, the relevance of the identified characteristics and verbalised requirements should be assessed based on their own institution. As for this review an application of the framework is not required, validation type 3 shall be done before validation type 2. Structured interviews are used as an appropriate research method to prevent any kind of misunderstandings concerning the characteristics and requirements of IT GRC frameworks.
After the application of the framework by means of the action research approach (validation type 3), the involved health care institutions have a comprehensive knowledge (cf. Section 4). Therefore, while validating the framework (validation type 1) the influence of the researcher should be further reduced. For this purpose, the questionnaires should be filled out by the institutions. The results arising from the application of the different validation methods should be documented similar to the case study technique. Thereby different case studies arise, which will be structured according to the order of the validation types [5]. As criteria for the validation type 1 the derived requirements for an IT GRC approach in the health care sector will be used. These criteria will be supplemented by requirements that - regardless of the context of this work - can be made to framework approaches. These domain-independent requirements are summarised in Table 3 (e.g., [7], [22], [45]).

TABLE III. DOMAIN-INDEPENDENT REQUIREMENTS

Requirement                       Description
Genericity                        To ensure maximum genericity of the framework and a wide applicability in different situations
Minimality                        Minimum level of description of framework components to avoid unnecessary expense
Integrity                         Maximum level of completeness of framework to ensure its applicability
Granularity                       Reasonable level of detail in order to achieve a sufficient accuracy with a good understanding
Complexity                        Reasonable range of complexity to ensure applicability
Perceivability                    Maximum level of understanding to secure transparency, comprehensibility and applicability of the framework
Utility                           Maximum level of contribution compared to the current stage
Implementation (organisational)   Maximum level of applicability of the framework
Implementation (technical)        Maximum level of tool support of the framework

IV. APPLICATION METHODS
As ascertained by Krey [28] (cf. Section 2.B) the self-contained organisational responsibility, the complexity of the processes and the lack of cross-organisational coordination make an overall comparable approach to management of assets, information and IT difficult. A great variety of responsibilities, notations, levels of abstraction, tools and terminologies are the result. The health care organisation is a political arena. An IT department has relatively little influence compared to other (medical) organisational units within the organisation. With limited organisational influence, the IT department with the CIO must educate management on the necessity of an integrated IT architecture to avoid bounded rationality during IT development. As Krey [28] stated, fifty-seven per cent of the hospitals surveyed believed that their IT systems, processes and services still do not deliver the value expected by the business. The findings indicated that 84% of respondents are unable to provide the business and IT executives with real-time quantifiable metrics demonstrating the value of IT services and assets. As budgets come under close scrutiny, nearly half (47%) claimed that business decision makers still do not understand the value IT brings to the business. According to the interviews, 83% of the hospitals surveyed are focused on cost reduction as the

principal driver for IT projects over the next 18 months; the next most common focuses are the consolidation of existing IT infrastructure and applications and optimisation of the compliance processes regarding the Swiss DRG 2012. The actual situation within the Swiss health care sector makes the selection of practical and flexible methods obvious. The involvement of hospital practitioners in the validation process is needed and therefore requires flexibility in the proposed application methods. It is often the case that those who apply this approach are practitioners, who wish to improve understanding of their practice, social change activists trying to mount an action campaign, or, more likely, academics who have been invited into an organisation (or other domain) by decision-makers aware of a problem requiring action research, but lacking the requisite methodological knowledge to deal with it. Thus, it allows for several different research tools to be used as the project is conducted. These various methods, which are generally common to the qualitative research paradigm, include: keeping a research journal, document collection and analysis, participant observation recordings, questionnaire surveys, structured and unstructured interviews, and case studies.

V. CONCLUSION

The present paper provides a brief introduction into the key concepts of IT governance and the current debate about the DRGs within the Swiss health care sector. It shows the drivers and benefits of both and leads to the research objective, i.e., the application of IT governance to the field of health care. Furthermore, an overview of the different focus areas of GRC and the challenges which have to be met for an effective and sustainable adoption is provided. Finally the validation method and tools for its application have been discussed. The proposed systematisation to the validation of IT GRC frameworks revealed that the evaluation of artefacts so far largely focused on the comparison between the identified research gap and the proposed research results. The validation against the real world to prove the validity of the design and development process is given less importance by the majority of authors. Possible justifications for this approach can be demonstrated by the following explanations:
1. Evaluation as an integral part of design-oriented IS and is a relatively new challenge. Due to the lack of "best practices" in dealing with methods of evaluation, the distinctions between the two approaches have not been made explicitly.
2. For the research process there are only limited resources available in most cases. The time factor is of particular importance, as the evaluation against the real world claims more time than the evaluation against the identified research gap. This means that researchers can hardly be motivated to conduct the evaluation against the real world, since in this case potential publication opportunities can be perceived only to a limited extent [23].
3. The evaluation of an IT GRC framework from the real world perspective requires that a health care institution is accessible for the application of the results, and that organisations participate as a partner throughout the evaluation process of the research.
Despite the current low penetration of evaluation methods which are focusing on the real world comparison, the consideration of both approaches to evaluation appears to be desirable. It allows the differentiated consideration of the cognizance and design goals of the research work.

REFERENCES
[1] Alkin, Marvin C. A guide for evaluation decision makers. Beverly Hills, Calif: Sage Publications, 1985. http://catdir.loc.gov/catdir/enhancements/fy0654/85001805-d.html.
[2] Altrichter, H., Feldman, A., Posch, P. and Somekh, B., Teachers investigate their work; An introduction to action research across the professions. Routledge. p. 147. (2nd edition). 2008.
[3] Bakari, J. B. A Holistic Approach for Managing ICT Security in Non-Commercial Organizations: A case in a developing country. In Doctoral Thesis. Stockholm, 2007.
[4] BFS, 2009. Statistiken zur Krankenversicherung. Kennzahlen der Schweizer Spitäler 2006. Bundesamt für Gesundheit Sektion Statistik und Mathematik. 2009.
[5] Bhola, Harbans Singh: Evaluating "Literacy for development" projects, programs and campaigns: Evaluation planning, design and implementation, and utilization of evaluation results. UNESCO Institute for Education, German Foundation for International Development (DSE), Hamburg, 1990.
[6] Bogdan, R. C. and Biklen, S. K., Qualitative research in (validation) and qualitative (inquiry) studies. It is a method-appropriate education: An introduction to theory and methods. Allyn & Bacon, 2006
[7] Brinkkemper, S., Method Engineering - Engineering of Information Systems Development Methods and Tools, in: Information and Software Technology, 38. Jg., Nr. 4, 1996, pp. 275-280
[8] Bucher, Tobias; Riege, Christian; Saat, Jan: Evaluation in der gestaltungsorientierten Wirtschaftsinformatik - Systematisierung nach Erkenntnisziel und Gestaltungsziel. In: Wissenschaftstheorie und gestaltungsorientierte Wirtschaftsinformatik, Multikonferenz Wirtschaftsinformatik 2008 (MKWI 2008), München, 2008, pp. 69-86.
[9] Cohen, L., and Manion, L., Research methods in education. Routledge. p. 254. (5th edition). 2000
[10] Cole, Robert; Purao, Sandeep; Rossi, Matti; Sein, Maung: Being Proactive: Where Action Research Meets Design Research. In: Proceedings of the International Conference on Information Systems (ICIS2005), Las Vegas, Association for Information Systems, 2005.
[11] Creswell, John W.; Miller, Dana L.: Determining Validity in Qualitative Inquiry. In: Theory into Practice, 29. Jg., Heft 3, 2000, pp. 124-130.
[12] Cronbach, Lee J. Course improvement through evaluation. In Evaluation models: Viewpoints on educational and human services evaluation, edited by Georges F. Madaus, Michael S. Scriven and Daniel L. Stufflebeam. Boston, Dordrecht [etc.]: Kluwer-Nijhoff, 1986.
[13] Denzin, Norman K.: The Research Act in Sociology: A Theoretical Introduction to Sociological Methods. Aldine, Chicago, 1970.
[14] Fettke, Peter, and Loos, Peter. Classification of reference models - a methodology and its application. In Information Systems and E-Business Management, edited by Springer. Berlin / Heidelberg: Springer, 2003.
[15] Flick, Uwe: Triangulation: Eine Einführung. VS Verlag, Wiesbaden, 2008.

[16] Frank, Ulrich: Evaluation of Reference Models. In: Fettke, Peter; Loos, Peter (Hrsg.): Reference Modeling for Business Systems Analysis. Idea Group Publishing, Hershey, 2007, pp. 118-140.
[17] Gomm, Roger; Hammersley, Martyn; Foster, Peter (Hrsg.): Case Study Method. Sage Publications, London, Thousand Oaks, New Delhi, 2000.
[18] Goeken, M., and Alter S., IT Governance Frameworks as Methods, Proceedings of the 10th International Conference on Enterprise Information Systems, ICEIS 2008, Barcelona, Spain, 2008.
[19] Guba, E.G. and Lincoln, Yvonna S., Naturalistic Inquiry. Newbury Park, CA: Sage Publications (1985).
[20] Heinrich, Lutz J.: Bedeutung von Evaluation und Evaluationsforschung für die Wirtschaftsinformatik. In: Heinrich, Lutz J.; Häntschel, Irene (Hrsg.): Evaluation und Evaluationsforschung in der Wirtschaftsinformatik. Oldenbourg, München; Wien, 2000, pp. 7-22.
[21] Hevner, Alan R.; March, Salvatore T.; Park, Jinsoo; Ram, Sudha: Design Science in Information System Research. In: MIS Quarterly, 28. Jg., Heft 1, 2004, pp. 75-101.
[22] Hillegersberg, Jos Van; Kumar, Kuldeep: Using Metamodeling to Integrate Object-Oriented Analysis, Design and Programming Concepts. In: Information Systems, 24. Jg., Heft 2, 1999, pp. 113-129.
[23] House, Ernest R.: Professional Evaluation - Social Impact and Political Consequences. SAGE Publications, Newbury Park, 1993.
[24] ITGI, ed. Board Briefing on IT Governance. 2nd ed., 2003. www.itgi.org, accessed May 2011.
[25] Johannsen, W., Goeken, M., 2007. Referenzmodelle für IT-Governance. dpunkt.verlag, Heidelberg. 2007 [in German]
[26] Knahl, M., 2009. A Conceptual Framework for the Integration of IT Infrastructure Management, IT Service Management and IT Governance. In Proceedings of the world academy of science, engineering and technology. Volume 40. April, 2009
[27] Krey, Mike: Approach to the Classification of Information Technology Governance, Risk and Compliance Frameworks: 2011 UKSim 13th International Conference on Modelling and Simulation. In: Industry, Business, Management, Human Factors and Social Issues / David Al-Dabass (Hrsg.) - Cambridge: IEEE, 2011, pp. 350 ff.
[28] Krey, Mike: Information Technology Governance, Risk and Compliance in Health Care - A Management Approach. In: International Conference on Developments in eSystems Engineering / Hissam Tawfik (Hrsg.) - Washington: Conference Publishing Services, 2010, pp. 7 ff. (IEEE Computer Society)
[29] Krey, Mike: RELEVANCE OF IT GOVERNANCE FOR THE SWISS HEALTHCARE. In: PROCEEDINGS OF THE IADIS INTERNATIONAL CONFERENCE APPLIED COMPUTING 2009: IADIS International Association for Development of the Information Society / Hans Weghorn (Hrsg.) - ROME, ITALY: IADIS Press, 2009.
[30] Kitchenham, Barbara; Pickard, Lesley; Pfleeger, Shari Lawrence: Case Studies for Method and Tool Evaluation. In: IEEE Software, 12. Jg., Heft 4, 1995, pp. 52-62.
[31] Kock, Ned (Hrsg.): Information Systems Action Research - An Applied View of Emerging Concepts and Methods. Springer, New York, 2007.
[32] Krey, Mike, ed. IT Governance in the Swiss Healthcare Sector: Closing the Innovation Gap: Theory and Practice. Proceedings of the 4th European Conference on Management of Technology. Paisley, Scotland, 2009.
[33] Krey, Mike, Bettina Harriehausen, Matthias Knoll, and Steven Furnell, eds. Governance, Risk Management and Compliance in Swiss Healthcare: Proceedings of the UKSim 12th International Conference on Computer Modelling and Simulation. pp. 340-345. Washington, USA: IEEE Computer Society, 2010.
[34] Lewin, Kurt: Group Decision and Social Change. In: Maccoby, E. E.; Newcomb, T. M.; Hartley, E. L. (Hrsg.): Readings in Social Psychology. Readings in Social Psychology, 1958, pp. 197-211.
[35] March, Salvatore T.; Smith, Gerald G.: Design and natural science research on information technology. In: Decision Support Systems, 15. Jg., Heft 4, 1995, pp. 251-266.
[36] Menzies, Christof, ed. Sarbanes-Oxley und Corporate Compliance: Nachhaltigkeit, Optimierung, Integration. Stuttgart: Schäffer-Poeschel, 2006. http://deposit.ddb.de/cgi-bin/dokserv?id=2749173&prov=M&dok_var=1&dok_ext=htm / http://www.gbv.de/dms/bsz/toc/bsz250745674inh.pdf.
[37] Nicoll, P. What lies ahead for public sector governance. In Keeping Good Companies, 2005.
[38] Olson, Wendy K.: Triangulation in Social Research: Qualitative and Quantitative Methods Can Really be Mixed. In: Developments in Sociology, 20. 2004, pp. 103-121.
[39] O'Donoghue, T., and Punch K., Qualitative Educational Research in Action: Doing and Reflecting. Routledge, pp. 78. 2003.
[40] Pfeiffer, Daniel; Niehaves, Björn: Evaluation of Conceptual Models A Structuralist Approach. In: Proceedings of the 13th European Conference on Information Systems (ECIS 2005), Regensburg, 2005.
[41] Reason, P. and Bradbury, H., (Ed.) The SAGE Handbook of Action Research. Participative Inquiry and Practice. 1st Edition. London: Sage, 2001.
[42] Sanders, James R., Handbuch der Evaluationsstandards - Die Standards des "Joint Committee on Standards for Educational Evaluation". Leske + Budrich, Opladen, 1999.
[43] Scriven, Michael: The New Science of Evaluation. In: International Journal of Social Welfare, 7. Jg., Heft 2, 1998, pp. 79-86.
[44] Siau, Keng; Rossi, Matti: Evaluation techniques for systems analysis and design modelling methods - a review and comparative analysis. In: Information Systems Journal, 49. Jg., Heft 5, 2007, pp. 455-474.
[45] Sinz, Elmar J.: Modellierung betrieblicher Informationssysteme: Gegenstand, Anforderungen und Lösungsansätze. In: Proceedings Modellierung 1998, Bericht Nr. 6/98-I, Angewandte Mathematik und Informatik, Universität Münster, Münster, 1998, pp. 27-28.
[46] Stufflebeam, Daniel L., and Shinkfield, Anthony J. Systematic evaluation: A self-instructional guide to theory and practice. 2nd ed. Boston, MA: Kluwer Academic Publishers, 1984
[47] Tarantino, A., ed. Governance, Risk, and Compliance Handbook: Technology, Finance, Environmental, and International Guidance and Best Practices. New Jersey: John Wiley and Sons, 2008.
[48] Tyler, Jill L. The Healthcare Information Technology Context: A Framework for Viewing Legal Aspects of Telemedicine and Teleradiology. In Proceedings of the 34th Annual Hawaii International Conference on System Sciences: Abstracts and CD-ROM of full papers: January 3-6, 2001, Maui, Hawaii, edited by Ralph H. Sprague. Los Alamitos, Calif: IEEE Computer Society Press, 2001.
[49] vom Brocke, J., Referenzmodellierung - Gestaltung und Verteilung von Konstruktionsprozessen, Logos, Berlin 2003
