1
The Impact of IT Knowledge on IT Governance
Practices in Hospital Supervisory Boards
University of Groningen
Faculty of Economics and Business
Author:
Jesse Wellenberg
s2539667j.p.wellenberg@student.rug.nl
University of Groningen
June 2018
MSc Thesis
BA Change Management
Under supervision of:
Prof. dr. Egon Berghout
Dr. ir. Ulco Woudstra
Co-assessor:
Dr. Benjamin Mueller
2
The Impact of IT Knowledge on IT Governance Practices in Hospital Supervisory Boards
ABSTRACT
3
Table of Contents
1. Introduction……….. 4
2. Theoretical background……… 6
2.1 IT Governance……… 6
2.2 Board level IT Governance……….. 8
2.3 The board ITG cube………. 11
2.4 ITG Functions of the board………. 12
2.5 ITG Roles of the board……… 12
2.6 ITG Mechanisms of the board……… 15
3. Methodology……… 17
3.1 Research Design……….. 17
3.2 Validity and Reliability……….. 19
3.3 Data Collection……….. 20
4. Findings……… 21
4.1 Overview of Supervisory Board Members……… 21
4.2 Monitoring……….. 22
4.3 Advising……….. 26
4.4 Co-opting……… 28
4.5 Assimilating……… 30
4.6 Stakeholder Management……… 33
5. Cross-case Analysis and Discussion……… 35
6. Conclusion……… 42
7. References……… 43
4
1. Introduction
In the Netherlands, like many western countries, health care is an increasingly important part of public spending. Recent OECD data shows that health care spending in the Netherlands amounts to about 10,5% of the GDP (OECD, 2017), an amount that is likely to continue to grow due to a rapidly ageing population. As a response to this societal trend, insurance firms as well as the Dutch government are putting increasing pressure on health care providers to increase quality of care and reduce costs. Often times, this results in health care organizations increasing their reliance on IT applications by turning to large scale IT solutions such as enterprise resource planning (ERP) or electronic health record (EHR) systems. Health care organizations that are better able to make use of their IT systems have been shown to have better cost efficiency (Smith et al. 2013).
Information Technology Governance (ITG) plays a central role in realising the value of investments in IT, and assits in increasing the performance of a firm through increasing the alignment between IT and business strategy (van Grembergen & de Haes, 2009). The economic value of ITG for organizations has been widely discussed over the past two decades, and some consensus seems to exist about its positive effects on firm performance. Failure to properly govern IT can stop IT from contributing to firm performance (Pang et al., 2014), and may even lead to operational IT failures that have value destructing effects similar to that of a major accounting scandal (Benaroch & Chernobai, 2017). The majority of studies that concern the link between ITG practices and firm performance are based on firms in the for-profit sector (Pang et al., 2014), and only a limited amount of studies have delved into ITG in health care organizations (Wilkin & Riddett, 2009). This is peculiar as the health care sector could benefit from proper governance of IT due to both trends of increasing need for efficiency and the resulting increase in the use of IT within the sector (Smith et al., 2013). Previous research into ITG in the private, for-profit sector cannot easily be applied to non-profit or public sector organizations, like many hospitals in the Netherlands. These organizations have different expectations of results, as well as a larger focus on societal improvement and transparency (Moore 1994, Tonelli et al., 2017; Eeckloo et al. 2004). Additionally, studies on ITG within the public sector have reported contradictory and disparate results between different national contexts (Pang, 2014). This leaves room for more research into public sector ITG.
5 unclear to what extent this relationship is direct, or influenced by several mediators and moderators. The concept of board ITG has so far been defined in a monolithic manner, without much distinction between the underlying constituent elements (Matta et al., 2016). This approach shows that the field of board ITG is still underdeveloped. As a result, IS researchers have repeatedly called for more theoretical inquiries into the subject of board ITG (Bart and Turel 2010; Jewer and McKay 2012; Turel and Bart 2014; Wilkin and Chenhall 2010). To deal with this conceptual ambiguity, Matta et al. (2016) conducted a review of existing board ITG literature. They created a theoretical framework by extensively connecting corporate governance literature to board ITG literature, establishing the board‟s roles, functions, and mechanisms related to the governance of IT. This framework forms a lens to guide research into the topic. This study hopes to extend this framework, and continue to explore the underlying elements and relationships related to board ITG by empirically examining the board ITG practices of several Dutch hospitals.
A potential problem existing with ITG in boards is that boards of directors are not paying enough attention to the governance of IT (Huff et al. 2006; Andriole, 2009; Deloitte, 2006). This is often attributed to the fact that directors have insufficient knowledge of the IT domain (Matta, Cavusoglu & Benbasat, 2016; Mui et al. 2016). The field of IT is widely recognized as complex and constantly moving, thus requiring a vast amount of up-to-date knowledge. It is difficult for directors, given their tight time budgets; to keep up with the body of IT knowledge such that they are able to identify IT related issues and new opportunities. Therefore, it does not always seem viable for directors to perform these tasks (Matta et al., 2016). In the development of an ITG version of the absorptive capacity construct, Ali and colleagues (2013) found that more knowledge absorbing capacity in the board might lead to increased firm efficiency and strategic growth (Ali, Green & Robb, 2013). The lack of sufficient IT related knowledge from directors to govern IT could therefore be a barrier that blocks firms from accessing the performance related improvements that come with the board‟s involvement in ITG (Bart & Turel, 2010).
This study aims to extend current knowledge on the role of an organization‟s board in ITG by considering how directors execute their roles and functions by applying decision making structures, formal processes, and communication approaches. Additionally, this study will examine how board members‟ IT knowledge influences the roles the board plays in ITG. The following research questions will be addressed:
6 Research question 2: how does board member’s IT related knowledge influence the role hospital supervisory boards play in IT governance?
The rest of this paper is structured as follows. First, previous theory on ITG and board level ITG will be reviewed. Next, the methodology and cases will be described, after which the findings will be shared. This paper will conclude with a discussion about the implications of the findings for both theory and practice.
2. Theoretical background
2.1 IT Governance
Central to the origin of the study of ITG is the information productivity paradox (Brynjolfsson, 1998). It was, and remains for a large part, unclear how it is possible that investments in new technology do not necessarily constitute an increase in organizational performance. The concept of ITG describes a set of mechanisms that assist a firm in realizing benefits from IT investments by (1) aligning IT strategy with business strategy, (2) managing IT related risks and (3) making sure IT resources are used responsibly (Turel & Bart, 2014). Especially the question of how to align the business and IT departments of an organization so that they support and drive each other has occupied researchers of the field.
7 De Haes and van Grembergen (2009) distinguish between ITG structures, processes and relational mechanisms. ITG structures refer to the “structural (formal) devices and mechanisms for connecting and enabling horizontal, or liaison, contacts between business and IT management (decision-making) functions” (Peterson, 2003; De Haes & Van Grembergen, 2009). ITG structures specify the formal decision making structures, rights and responsibilities related to the use of IT. These include factors like the roles and responsibilities of managers with regards to IT, the presence of a CIO or similar position and their reporting relationships, whether the CIO serves on the board, and the existence of IT related committees (Jewer & McKay, 2012). Up until recently, researchers in the field of ITG have taken a mostly structure based view of the concept. The application and presence of structures such as IT steering committees, the organization of responsibilities around the position of CIO, and the impact of these structures on firm performance has been widely discussed by researchers. An example of a framework based around ITG structures is the one page ITG framework by Weill and Ross (2004). This framework specifies, for each separate IT domain, several authority structures based on who or which entity has the right to make a decision within that domain.
8 Wilkin and Chenhall (2010) conducted an extensive literature review spanning ITG papers from 1998 to 2008 published in information systems, accounting information systems, and management accounting journals. They developed a taxonomy of ITG based on five core themes. Firstly, strategic alignment considers the delivery of business value through IT by aligning IT plans and strategies with business objectives. This alignment enables the formulation of an IT strategy that is developed synergistically in relation to the business strategy, thus enabling IT to serve as an enabler of the business strategy (Henderson & Venkatraman, 1993). Secondly, risk management is the consideration of top management of events that might interfere with the organization‟s objectives (COSO, 2004; Wilkin & Chenhall, 2010). With issues such as privacy and information security, IT forms a significant source of operational risk (Wilkin & Chenhall, 2010). A strategy for managing IT risks and ensuring regulatory compliance should therefore be on the radar of top management, and should preferably be included into the infrastructure of the organization (COSO, 2004). Thirdly, resource management concerns the “formulation, enactment, and adherence to processes, budgets, and tactical plans for applying IT strategies to support, enhance and complement business strategies” (Wilkin & Chenhall, 2010). This focus area ensures the proper application of organizational resources, such as financial and human resources, to fit business needs that fall within predetermined IT budgets. Fourthly, value delivery builds upon the previously mentioned concepts by ensuring the value of IT investments is delivered over the full life cycle of the investment. Value delivery concerns the strategic evaluation of risks and opportunities, the impact of IT on business processes and the monitoring of defined performance metrics (Gregor et al. 2006; Rivard et al. 2006; Jeffery and Leliveld 2004). Lastly, performance measurement practices measure and evaluate operational IT performance and value delivery, and includes both tangible and intangible assets, which may be hard to measure in financial terms (Wilkin & Chenhall, 2010).
2.2 Board level ITG
9 The extant body of literature on the board‟s involvement in ITG can be roughly divided in two streams of research. The prescriptive and descriptive streams (Jewer & McKay, 2012). Studies in the prescriptive stream relate to the question how boards should govern IT. This is done often by establishing frameworks and checklists that define topic the board should bring up, or activities the board should undertake. Examples of these frameworks are the 27 IT questions boards should ask the firm‟s executive management as developed by the Canadian Institute of Chartered Accountants (CICA, 2004), or the IT Governance Institute‟s framework (2003). Nolan and McFarlane (2005) established a contingency approach to board ITG based on the different ways IT is used in an organization. They distinguished between four modes of IT use within a firm based on their need for reliable and fast (defensive) IT, and their need for new (offensive) IT for gaining strategic advantages (Nolan & McFarlane, 2005). Research in this prescriptive stream is generally over a decade old, and most of these frameworks are lacking in comprehensiveness and are often poorly supported by empirical evidence (Matta et al., 2016; Bart et al., 2010; Wilkin et al., 2010).
Recently, due to the sustained calls of ITG researchers to extend inquiries into board ITG, the descriptive stream of research into board ITG has been gaining more traction. Jewer and McKay (2012) have shown that board level ITG has a strong positive impact on the contribution of IT to firm performance. This indicates that board level ITG may contribute to the alignment between business and IT strategy, through firms being better able to use their IT to achieve organizational goals (Jewer & McKay, 2012). This is consistent with the findings of Turel et al. (2017) who found that the positive effects of board ITG on firm performance are partially mediated by the presence of strategic alignment (Turel et al., 2017). The implication of that finding could be seen as an argument for boards being more involved in strategic decision making, which has remained a controversial subject amongst board researchers. The reason for this is that more strategic involvement by the board might threaten independent monitoring position of boards and lead to an increase in agency costs (Pugliese et al., 2009).
10 board is considered. The construct of IT competency is divided into IT expertise of directors, and to what degree ITG structures, processes and relational mechanisms are implemented in the organization. As they found a very strong significantly positive relationship between IT competency and board ITG, Jewer and McKay (2012) suggest that the application of ITG mechanisms cause organizations to have timely access to relevant information that enables the board to make strategic decisions (Jewer & McKay, 2012). As a primary source of information, the implementation of ITG mechanisms is therefore key to support a board that intends to have more strategic impact in terms of the governance of IT. Additional to board characteristics, Jewer and McKay (2012) found several organizational factors that may influence board ITG. These factors are the age of the organization, as well as the role of IT in the organization (Jewer & McKay, 2012). In conclusion, Jewer and McKay argue that boards should stop ignoring IT and get involved in ITG.
Benaroch and Chernobai (2017) studied an organizations‟ adoption or adoptation of several ITG mechanisms as a response to major operational IT failures. They consider the proportion of internal to external directors, whether or not the CIO (or similar position) serves on the board, and the existence of several board level committees that are occupied with IT. Turel and Bart (2014) adopt the IT use modes by Nolan & McFarlane (2005) to discuss the relationship between board ITG and firm performance, hypothesising that firms that have a higher need for either offensive or defensive IT show higher levels of board ITG. They concluded that boards of organizations with higher need for new IT tend to raise more questions about IT. Additionally, boards of firms that show high operational reliance on IT also tend to be more involved with ITG (Turel & Bart, 2014). However, this contingency based view of board ITG might limit boards from benefiting from practices that may not directly fit with the organizations‟ contingencies. Higher involvement of the board in ITG improves organizational performance regardless of how the organization uses IT (Bart & Turel, 2014).
11 authoritarian a board‟s relationship with top management, the less likely that firm is to gain benefits from board ITG (Turel et al. 2017).
In summary, the potential value of the involvement of boards of directors in ITG is widely recognized by researchers of the field (Van Grembergen & De Haes, 2005; Bart & Turel, 2006; Huff et al, 2006). The existing body of literature on board ITG is lacking conceptual clarity andthere remains a significant gap between normative studies that describe how ITG should be governed by the board, and descriptive research into how boards are actually dealing with ITG (Bart & Turel, 2005; Jewer & McKay, 2012; Matta et al., 2016). Additionally, to the best of my knowledge, no previous inquiries have been done into the role of hospital supervisory boards in ITG.
In the following section, board ITG will be linked to extant corporate governance literature using the board ITG cube by Matta et al. (2016). Based on this framework propositions will be established that will be examined in this study.
2.3 The Board ITG Cube
12
2.4 ITG Functions of the board
The board has the fiduciary duty to protect and represent the interests of shareholders within the company. Corporate governance describes the way rights and responsibilities are structured amongst those that have a stake in the firm (Aoki, 1988). While involving themselves with corporate governance, boards discharge several responsibilities to perform their roles, and make sure shareholders get a return on their investment (Shliefer and Vishny, 1997). At the heart of the responsibilities of the board lies their functions to create shareholder value and wealth by maximizing the business value created from investments, and the management and mitigation of the associated risks (Matta et al., 2016). As just one of many other aspects of the organization, the field of IT also requires the board to be attentive of creating business value with IT investments and manage the extensive risks associated with IT. The importance of risk management became especially clear after the rise in large-scale ransom ware attacks in 2016 and 2017, which create risks to customer privacy and safety that are related to improper security of IT systems. Additionally, the recently implemented General Data Protection Regulation (GDPR) requires many healthcare organizations to give more attention to the way their IT infrastructure is organized.
13 supervisory board are formalized. According to the healthcare governance code the supervisory board fills 4 functions, namely the functions of monitoring, ratifying, being a sounding board and advisor, and serving as the employer of the executive board.
2.5 ITG Roles of the board
The board of directors of an organization has traditionally functioned as a monitor and advisor to the organization‟s top-executives. In both these roles, the board has little to no influence in the earlier stages of determining strategy. However, due to their wide range of expertise, board members can potentially play a large role in the setting of the strategic direction of an organization (Ford-Eickhoff, Plowman & McDaniel, 2011). In a literature review about board of directors‟ contribution to strategy Pugliese et al. (2009) reveal that the topic of strategic involvement of boards has been gaining traction over recent years. However, this topic is rather contentious as the existing and commonly cited theoretical perspectives of corporate governance and board research assign different roles and responsibilities to boards. These perspectives are agency theory (Eisenhardt 1989), stewardship theory (Barney, 1990; Donaldson 1990), resource dependency theory (Pfeffer 1972, 1973), and stakeholder theory (Ayuso, Rodriguez, García-Castro, & Ariño, 2014). Of these perspectives agency and stewardship theory contradict each other in their perspective of the board, and resource dependency theory offers a more complementary and supplementary perspective to the other two (Matta et al., 2016).
In the view of agency theory the board, is supposed to be an independent monitor of the actions of executive management in order to prevent managers from using existing information asymmetries between them and shareholders to act against organizational interests (Pugliese et al., 2009;Eisenhardt, 1989). From this perspective flows that managers cannot be trusted and must be heavily scrutinized on all their actions by the board in order to minimize agency costs (Eisenhardt, 1989). According to agency theory, boards are not in a position to contribute to strategic decision making as it would harm the needed independency of the board from the managers, and therefore jeopardize their ability to monitor manager‟s actions (Pugliese et al., 2009). In hospital governance research, the perspective of agency theory is most often applied when research is done into the consequences of effective board monitoring on financial or quality outcomes (Thiel et al., 2017).
14 Stewardship theory posits that directors and managers are intrinsically motivated to meet the organization‟s goals, so they can jointly contribute to strategic decision making (Sundaramurthy & Lewis, 2003). In stewardship theory, the role of the board goes beyond monitoring and scrutinizing top management. As professional managers are believed to be better able to manage complex organizations than the shareholders themselves, the board takes the role of advisor and counsellor on issues of mission, vision, strategy and organizational policy (Matta et al., 2016).
The resource dependence perspective of the roles of the board states that directors are in perfect position to co-opt new and valuable resources. They can gain resources from their contacts in several organizations and therefore provide a source of valuable information about the environment to executives (Matta et al., 2016; Zahra et al., 1989; Pugliese et al., 2009). According to Bart and Turel (2010), IT knowledge in the board could be seen as a valuable resource in the sense that it might lead to a sustainable competitive advantage for the firm (Bart & Turel, 2010).
Finally, the stakeholder theory perspective considers the development and maintenance of relationships with different groups of stakeholders other than just shareholders (Ayuso, Rodriguez, García-Castro, & Ariño, 2014). Matta et al. (2016) do not include this perspective into their framework of board ITG, however Thiel et al. (2017) argue that this perspective seems particularly relevant within the context of nonprofit organizations, due to the greater need of transparency and management towards both operational and other outside stakeholders (Thiel et al., 2017). Hospitals, as semi-governmental organizations, have to deal with multiple principal-agent relationships where entities such as government regulators, and representative advisory boards such as client councils can also cause agency problems to arise (Wellens & Jegers, 2014). The needs of these several stakeholder groups have to be considered when making IT related investments, and applying structures and processes that relate to the governance of IT.
15 it can be expected that hospital supervisory boards prioritize these two roles. From the above follows:
Proposition 1: hospital supervisory boards govern IT by performing five roles: monitoring,
advising, co-opting, assimilating, and stakeholder management.
Proposition 1a: hospital supervisory boards prioritize the monitoring and advising roles
while governing IT.
Both functional area and firm specific IT knowledge are essential for proper board level ITG. Both types of knowledge need to be considered when making IT related decisions (Matta et al., 2016). When board members do not have sufficient knowledge of IT, it will be harder for boards to monitor and advise on matters that relate to the business value of IT investments and IT risks (Mui et al., 2016; Matta et al., 2016). Board members‟ ability to recognize IT related opportunities and trends will also be influenced by their expertise with IT (Matta et al., 2016). Because of this, IT knowledge of board members might influence their ability to gather new and relevant IT resources by co-optation. Furthermore, by executing board roles and being active in ITG, boards risk exposing their lack of IT knowledge to managers and undermine governance efforts (Matta et al., 2016). In order to prevent this from happening, boards might elect to refrain from performing certain roles.
Proposition 2: Hospital board members‟ IT capability influences the roles the board will
execute when governing IT.
Proposition 3: IT knowledge deficiency inhibits the supervisory board‟s ability to perform
the monitoring, advising and co-opting roles when governing IT.
Proposition 4: IT knowledge deficiency in the supervisory board inhibits the board‟s ability
to perform the value maximization and risk management functions when governing IT.
2.6 ITG Mechanisms of the Board
16
Proposition 5: hospital supervisory boards employ ITG mechanisms to gain firm specific IT
knowledge to support the monitoring and advising roles.
Firstly, decision making structures refer to entities such as formally codified committees and executive teams that are responsible for IT decision-making (Matta et al., 2016). This mechanism is very similar to the conceptualization of de Haes and van Grembergen (2009). Both concepts relate to the presence of IT related committees and other codified positions, such as the CIO, that carry authority over several aspects of decision making related to IT within an organization. Due to the general IT knowledge deficit in boards, applying decision making structures relies heavily on external IT experts that may not be available. This makes the application of decision making structures difficult for consistent monitoring purposes. Therefore decision making structures are more likely to be applied to fill the IT knowledge gap in the board and to collect information to perform the much less consistent and structured advising role (Matta et al., 2016). Thus:
Proposition 6: hospital supervisory boards mainly apply decision making structures while
performing the advising role.
Formal processes relate to “a series of steps or activities involved in decision making, planning, monitoring, evaluating, proposing and reporting on IT matters” (Matta et al., 2016). Formal processes also include the meetings of the board, and the topics that are discussed during these meetings (Matta et al., 2016). Within the context of ITG, formal processes often take the shape of frameworks that specify formal measures to control, monitor, and evaluate IT in an organization. Many of the normative frameworks previously discussed fit in this category. As the monitoring role is concerned with evaluating past performance and making sure the organization is compliant with external and internal governance requirements, it relies on the consistent application of formal processes (Matta et al., 2016). The information gained from formal processes about the state of IT performance and compliance can then be used as input to make IT related decisions or adjust monitoring efforts. Therefore:
Proposition 7: hospital supervisory boards mainly apply formal processes while performing
the monitoring role.
17 amongst boards as they are reliant on creating and maintaining relationships with senior management and other stakeholder groups, which is time consuming and might implicate their ability to govern IT by exposing IT knowledge deficits (Matta et al., 2016). However, communication approaches could allow boards to be in better contact with their senior IT staff and other relevant stakeholders, and keep them up-to date on relevant firm specific IT topics (Matta et al., 2016). Of the three mechanisms, communication approaches might be the most fit to perform the assimilating, co-opting, and stakeholder management roles as these roles require the building and maintaining of relationships to increase IT related knowledge, gain more IT related resources from the external environment, and to make sure important stakeholders are on board with IT decisions and governance efforts. Thus:
Proposition 8: hospital supervisory boards mainly apply communication approaches while
performing the co-opting, assimilating and stakeholder management roles.
18
3. Methodology
3.1 Research Design
Several studies of board ITG exist. However of these studies into board ITG, the majority is prescriptive and quite dated. The descriptive studies that have been conducted have mostly been of quantitative nature. As a result, we are aware of several relationships and factors that are relevant to board ITG. However, much remains unclear about how these relationships are formed, and how social and behavioural phenomena influence the practice of board ITG. Additionally, it was deemed infeasible to adopt a quantitative approach to this topic due to the limited access to board members and senior hospital management within the allotted time frame for this study. Therefore it was improbable that external validity of a quantitative study could be guaranteed by using sampling logic. Because of these reasons it was deemed appropriate to adopt a case study research design that allows for description and further exploration of the topic of board ITG. While the subject of board ITG has not been studied extensively yet, related concepts can be taken from the broader field of corporate governance literature. Several clear relationships of board ITG can be identified from which propositions can be formed, but many gaps remain within this body of literature. Because of this, the gaps and holes approach by Yin (2014), as identified by Ridder (2017) was deemed an appropriate design for this study. Guba and Lincoln (1994) argue for the import of identifying the underlying research paradigm of a study (Guba & Lincoln, 1994). This study adopts the positivist paradigm of research, and takes a deductive approach to qualitative research by establishing and testing propositions based on previous theoretical work. This approach allows for the testing of the principles behind the board ITG cube (Matta et al., 2016) within the specific context of hospital supervisory boards. Hyde (2000) suggests that adopting more deductive measures in qualitative studies can help by increasing the conviction in the findings of the study (Hyde, 2000).
Yin (2014) identifies 5 components of case study designs that need to be considered.
Research questions. Yin (2014) suggests that for a case study to be appropriate, research
19 second question is a result of further literature research and follows from the indication that boards suffer from an IT knowledge deficit.
Propositions. With the research questions in mind, further literature research was
executed to formulate several propositions to guide data collection efforts. The propositions for this study are based on a comprehensive review of board ITG literature executed by Matta et al. (2016). This review is firmly grounded in corporate governance and board research literature and links ITG to concepts from these fields. Additionally, several studies mention a potential lack of knowledge of board members of the IT field, but very little literature was available on how IT knowledge in the board impacts the board‟s IT governance practices. The author considered this to be an appropriate focus for this study.
Definition and bounding of the case. In order to execute a successful case study, Yin
(2014) argues that it is important to properly define and bound the case(s) where the study is going to be executed in. For this study, an embedded multiple case design was chosen. The initial level of analysis for the case is on the level of the organization, the hospital, which will serve as the primary distinction between cases. Each case will evaluate a different hospital. Several embedded levels of analysis can be identified, including the supervisory board and senior management as separate groups, and the members of these groups as individuals. The individuals within the groups are distinct from one another in terms of functional portfolio, experience and field of expertise. Due to the limited time available for this study, and its reliance of the study on several highly positioned individuals in Dutch hospitals, cases will be primarily selected based on accessibility.
Data analysis. As this study makes use of propositions grounded in previous research, the
20
3.2 Validity and Reliability
Yin (2014) discusses several important tests to consider when conducting case study research.
Construct validity. The test of construct validity addresses the degree to which
operational measures and research design are constructed in a way that makes sure the researcher does not make subjective judgements based on their preconceived ideas about the study, to collect and analyse data (Yin, 2014). To address this test, data will be collected using multiple sources of evidence. Namely conducting interviews with board members and senior management, groups that have different perspectives on the research topic at hand. To add to this, data will be triangulated using additional data sources. This additional data concerns the profiles of the supervisory board members (table 1), organizational documents relating to the responsibilities of the supervisory board, and industry wide policy on healthcare governance (BOZ, 2017).
Internal validity. Within case study research the test of internal validity can be addressed
using several approaches such as pattern matching (Campbell, 1975), explanation building, addressing rival explanations and the use of logic models (Yin, 2014). Yin (2014) notes that the test of internal validity is primarily salient for studies that have the goal of explaining a certain causal relationship, the question of why event x led to event y. As this study focuses on description and exploration of the topic of board ITG, this logic is mostly inapplicable to this study (Yin, 2014). However, several propositions consider possible causal relationships, mainly between the IT knowledge of board members and the functions, roles and mechanisms they perform while governing IT. Therefore, the deductive approach of pattern matching, as well as explanation building will be used to systematically analyse the data and come to solid conclusions.
External validity. This test relates to the generalizability of the study‟s results. To address
21 theoretical replication in this study is the addition of another case where the board had IT expertise after concluding that no supervisors in the selected cases had IT experience.
Reliability. The test of reliability indicates whether it is possible to retrace the steps of the
study in a way that a different researcher could come to similar findings when studying the same case again (Yin, 2014). To improve the reliability of the study, a case study protocol was created prior to the collection of case study data. Additionally, a case study database will be developed during the collection of data.
3.3 Data Collection
Data was collected from a total of 4 hospitals in the south of the Netherlands. Respondents were chosen based on their functional position, knowledge of the IT domain within the organization, and relationship with the supervisory board and board of executives. Semi-structured interviews were conducted for each case with the central IT manager, information security officer, a member of the board of executives, and the executive secretary. The executive secretary was chosen because they can serve as a proxy for the supervisory board members themselves. In order to conduct these interviews, a questionnaire was developed based on the previously established case questions contained within the case study protocol. The interviews took, on average, 30 minutes to conduct. The shorter interview format was deliberately chosen to increase accessibility to the respondents. A total of 12 interviews were conducted. An overview of all the respondents, with their function and corresponding case code can be found in appendix B.The questionnaire used can be found in appendix D.
Ethics. Before the interviews were conducted, the respondents were informed of the study‟s
22
4. Findings
4.1 Overview of Supervisory Board Members
As an initial exploratory effort to get an overview of the IT experience of the supervisory board members of the participating hospitals, the profiles and public background information of these supervisors were studied. A summary of the profiles of all the relevant supervisors can be found table 1. Three factors were considered in this overview. First, whether or not the supervisor had previous IT experience in either a previous function or in their educational background. Second, whether their portfolio as a supervisor explicitly mentions IT as a subject. And third, whether they are insiders of the medical world and have a background in healthcare in either their previous function or educational background. From the overview it would seem that IT does not seem play a large role, at least formally, in the positions and portfolios of the supervisory board members. Out of 21 board members, two supervisor‟s profiles mention IT as a subject in their portfolio. Only one of the supervisors, of case Gamma, has an experience with IT. This leads to the conclusion that only one of the four examined hospitals has a supervisory board with IT experience. This overview of supervisors will be used as a backdrop in later sections of this chapter to contrast differences in ITG functions, roles and mechanisms between the different cases. The next section describes how each ITG role is performed by the supervisory boards examined in this study. Case backgrounds can be found in Appendix A.
Table 1: overview of supervisory boards
Case code Member
23
Gamma Chair No No Yes
Gamma 1 No No Yes
Gamma 2 No No Yes
Gamma 3 No No Yes
Gamma 4 Yes Yes Yes
Gamma 5 No No No
Delta Chair No Yes Yes
Delta 1 No No Yes
Delta 2 No No No
Delta 3 No No Yes
Definitions:
IT experience: whether or not the board member has an IT related background in previous functions or education.
IT portfolio: whether or not the board member's portfolio explicitly contains IT.
Healthcare background: whether or not the board member has a background in healthcare.
4.2 Monitoring
Alpha. To fulfil the monitoring role, Alpha‟s supervisory board primarily relies on the
application of formal processes in the form of regular board meetings and meetings with executives. Additionally formal and regular reporting efforts from both the executives and hospital top management are used. In these meetings and reports the state of IT, privacy, and security are discussed. The supervisory board has the opportunity to ask questions about these topics in the same way they have with other issues in the organization. In addition to the application of formal processes, communication approaches are applied to monitor the state of IT in the organization. An example of this is the supervisory board regularly asking senior staff such as the IT manager and the information security officer to give presentations about the state of IT and security:
Nowadays I visit the supervisory board twice a year, once to talk about information security and once about ICT, where the topic of information security is discussed and there they want to experience the interaction between me and the IT manager. Besides that, there is the testing role of the audit committee from the supervisory board. (Alpha information security officer)
24 structure to delegate some of the responsibilities regarding the monitoring of IT. The monitoring role of the audit committee is mostly performed in the ITG function of value maximization as the audit committee primarily focuses on the financial aspects and value of IT investments. However, the supervisory board‟s monitoring efforts go beyond just the financial aspects of IT:
[They discuss IT] more in general, it is about keeping the measures up-to-date, safety, so what about… can it be broken into from the outside? What about the privacy of the patients and the employees [...]. Are there any crazy things that have a lot of impact on society? Recently we had the Barbie case in another hospital, which is more a question of culture, but also ICT, so how many people have access into such a system and how are people handling that? Those are subjects that a supervisory board has attention for. (Alpha executive secretary)
Based on the topics that the supervisory board brings up in their meetings, it becomes clear that the ITG function of risk mitigation is an important point of discussion as well. The supervisory board shows consideration for privacy, security and threats that might lead to incidents with large societal impact.
Beta. Even though the supervisory board of Beta does not have explicit IT experience (table
1), respondents report a decent level of involvement of the supervisory board in IT related matters. Firstly, the supervisory board uses board level ITG decision making structures to formally monitor the organization‟s IT. This is done by delegating these responsibilities to the supervisory board‟s audit committee and the quality and safety committee. The audit committee is primarily concerned with the financial and technical aspects of IT. The quality and safety committee discusses matters where IT impacts the quality and safety of the provided healthcare. The audit committee, and by extension the supervisory board of Beta considers both functions of value maximization and risk management. This is evident from the following statement of one of Beta‟s executives:
Of course the finances are part of [what the audit committee asks about], but especially the factual results are brought up, whether we are reaching what we originally expected. Whether the implementation is succeeding, how many problems the implementation is causing, and whether we are taking enough measures to ensure the continuity of the hospital. And also whether we have considered scenarios that we can apply if we do run into issues. (Beta Executive)
25 function of IT value maximization. The ITG function of IT risk mitigation is considered as well due to the board asking questions about how the continuity of the hospital is being guaranteed and whether scenarios are considered to adequately address potential problems.
Secondly, Beta‟s supervisory board applies formal processes to perform their monitoring role in both value management and risk mitigation. Regular reports from the executive board towards the supervisory boards, including information about IT finances and risks, form the main source of information with regards to IT matters. These reports are then discussed during the regularly scheduled plenary meetings of the supervisory board and the audit committee, which totals roughly ten times a year. The information stream for these reports comes from reports and meetings the executives have with IT personnel of the organization:
Once every 6 weeks, I have a meeting with one of the executives who has information security and privacy in their portfolio, and will also get ICT in their portfolio soon […] I try to use audits, tests and ethical hacks to get things clear and give that to the executive board. Just how things are, where potential risks are, and where no risks are so to say, to show them what they should act on and where things are good. (Beta Information Security Officer)
Outside of the board level Beta is using a permanent IT committee which is made up of members from several places in the organization and is chaired by one of the hospital executives. This committee includes the IT manager, information security officer, health care manager and several doctors. Once a year, the committee reviews investment proposals from different parties by ranking the proposals by priority and value and makes a selection based on the investment budget. This selection is then presented to the executive board to be discussed in a plenary session. The decision of the executive board is then presented to the supervisory board for final approval. This sequence of steps follows the direction specified in the health care governance code, which gives the supervisory board the final authority on investment decisions (BOZ, 2017). Most of the reporting efforts happen in the formally scheduled meetings of the committees and the plenary supervisory board. Outside of that, Beta‟s executive acknowledges that it is important to discuss subjects such as IT in a more informal manner, outside of the scheduled meetings. This reliance on both formal and informal contacts when talking about IT displays a propensity of Beta‟s supervisory board to rely on communication approaches to perform their ITG monitoring role:
26
executive responsible for IT] I have regular contact with the chair of the audit committee to talk about irregularities or whatever. (Beta Executive)
Gamma. Similar to the other two cases, Gamma‟s supervisory board actively monitors IT in
terms of value management and risk management while applying board ITG mechanisms in a comparable way. The responsibility of preparing IT decisions for the plenary supervisory board is divided between the quality commission and the audit commission of the supervisory board. The quality commission addresses IT issues that may have consequences for the quality of healthcare, while the audit commission considers the financial and technical aspects of IT matters. No specific IT committees were used by the supervisory board. This shows the extension of existing governance structures to IT without the creation of specific ITG decision making structures.
The monitoring efforts of Gamma‟s supervisory board relied on the regularly scheduled meetings of the subcommittees and the plenary supervisory board. Reports are prepared by the board of executives and the functional management of the organization to serve as input for the meetings of the supervisory board and its subcommittees. Additional to these formal processes, the supervisory board serves as the final ratification step for investment decisions. An interesting comment by the executive of Gamma illustrates how the supervisory board constantly switches between their roles of monitor and advisor during meetings:
The moment you discuss [risk management] the supervisory board kind of switches the different roles during meetings. Especially with the monitoring and the sounding board role, they put on those hats… the one sentence they wear the one hat and then someone touches on a different subject and then it's a sounding board hat. It switches like that constantly. So while addressing such a subject they constantly take up different roles. (Gamma executive)
This quote indicates that the role of monitor and advisor are executed by the supervisory board using the same information stream, the formal meeting, at the same time.
Delta. The dynamic between the supervisory board and the rest of the Delta organization is
27 manager and information security officer note that the audit committee does not take note of IT related risks. The mitigation of IT risks mainly resides with the executive and the functional IT management, but the supervisory board is well informed of IT risks:
The [IT] portfolio holder was actively functioning as a sounding board, combined with the risk management system the supervisory board was well informed. They trusted that the board‟s portfolio holder and the executive had a good story, supported by the board‟s secretary. She talked about the elements of the risk management system in the board meeting. And that was fine; there was a lot of attention for that. (Delta executive)
So firstly Delta‟s supervisory board does apply formal processes in the form of the steps for ratification of investments and the regularly scheduled meetings. While formal processes are used, Delta‟s supervisory board does not use decision making structures to monitor IT. Instead, Delta‟s supervisory board named a portfolio holder for IT; this portfolio holder would be the primary point of contact for the board of executives when speaking about IT matters:
In the two weeks ahead of the board meeting I would have a consultation with the IT portfolio holder. In this consultation we discussed everything that was happening in that field. The way the portfolios were divided led to the portfolio holder informing the supervisory board well about the developments of IT in the hospital […]. I didn‟t have to explain all that much to the supervisory board in the meetings, because that had already happened beforehand. That was a very good system, it worked excellently. (Delta executive)
The supervisory board has a clear portfolio division between the members, which allows for more direct and focused discussion before the board meetings themselves. This shows an application of a communication approach to facilitate more efficient communication between the supervisory board and the executives.
4.3 Advising
Alpha. The advising role was clearly less prominent than the monitoring role. The executive
secretary described how the supervisory board fills their role as advisor on IT matters:
28 In general, the supervisory board fills their advising role in a very general sense. Alpha‟s executive described it as “process advice about the general outline” and “advice about how to properly monitor”. Why this is the case was mostly argued from the respondents‟ perception about the role the supervisory board should fill. Alpha‟s executive described it as such:
It doesn‟t have to be very in-depth; it‟s always about the general outline. You don‟t need a lot of knowledge that, on the contrary, it would work badly if you have too much knowledge, because then you are going to take the position of the executive or the manager. And that doesn‟t work. (Alpha executive)
Statements such as this imply that specific advice on the topic of IT, or any topic for that matter, is seen as an infraction on the domain of the executive and the functional managers, and would therefore be outside of the role of the supervisory board. Alpha‟s supervisory board does fill the advice role in both functions of value maximization and risk management, but stays on the fringes and general outline of the topic. The supervisory board use their IT management and security specialists to inform themselves in order to be able to fill their role as advisor. They apply a combination of decision making structures and communication approaches by inviting their functional experts to give presentations and leverage those person‟s knowledge of the organization‟s IT.
Beta. Compared to the monitoring role, Beta‟s supervisory board was much less active in the
advising role. This was attributed to the composition of the supervisory board, which does not include members with explicit IT knowledge:
Yes definitely [the supervisory board takes an advisory role], although they do not really do that with IT, because they, in their current composition do not have that much know-how to fill that function. We have economists and jurists, so on those fields and on the governance structure of the organization the supervisory board regularly functions as a sounding board. But not on IT matters. (Beta executive secretary)
29
Gamma. The supervisory board of Gamma performed the role of advisor as more of a
sounding board, but seemed more active in this role compared to the other cases. Advising in of coming with a proposal for a specific action the executive board could take was seen as a transgression of the role of the supervisory board. However, they were very active in their sounding board role, discussing IT trends and possible strategic options with executives:
[Robotics] is such an important trend, you will talk about that in lots of different moments. Like in the strategy meeting, how do we see the hospital in a few years, what kind of trends do we see, and what kind of investments do we want in robotics. If I mention that, the supervisory board will then look into the market, they will ask question about it and that way there is a conversation and formation of opinions. (Gamma executive)
This quote shows the involvement of the supervisory board in discussing potential IT and medical technology related innovations within the context of the strategy of the organization. While they will not give very specific advice, as explained later by Gamma‟s executive, they function as a sounding board with regards to IT investments and risks.
Delta. The advisory role of Delta‟s supervisory board was relatively present. Most of the
advising and sounding board activities of the supervisory board were primarily linked to the IT portfolio holder of the supervisory board. The portfolio holder and the executive would talk out all of the relevant issues regarding investments and risks, and bring the results of that discussion to the plenary meeting. The supervisory board itself focussed their sounding board activities primarily on the formation of strategy and the risks involved with the systems.
4.4 Co-opting
Alpha. The line of reasoning which addresses that the supervisory board should be careful
about overtaking the position of the executive and functional managers continues when it comes to the role of co-opting IT resources, knowledge and personnel. Alpha‟s executive expressed this in no unclear terms:
30 According to the respondents, the supervisory board has to maintain a certain amount of distance to the executives and stay on the general outline of the topic. Because co-opting by the supervisory board can lead to very specific advice or suggestions to the executive board, this would be out of place for the supervisory board. This would explain why the role of co-opting is absent from the ITG behaviour of Alpha‟s supervisory board.
Beta. Similar to advising, co-opting does not seem to be a popular role among the board of
Beta. While the lack of advising was directly linked to the lack of IT knowledge among the board‟s members by respondents, they did not cite this as a reason why the board did not make boundary spanning efforts to gain new IT knowledge, products or personnel for the benefit of the organization. According to the secretary of Beta‟s supervisory board, the lack of co-opting behaviour has more to do with the perceived degree of influence the supervisory board should have:
It is very difficult finding the balance, you have to have a certain amount of distance but also be involved enough. Showing involvement will mostly be in the advising, but the supervisory board will know when they have to put their hands in the air for a bit because they know that is a task for the executive board. (Beta executive secretary)
From the quote above becomes clear that the supervisory board is expected to refrain from taking a position that might infringe on the position of the board of executives. Therefore, the board ITG role of co-optation is largely ignored by the board of Beta. The sentiment that the supervisory board should stick to its role as such is echoed by the other respondents within Beta.
Gamma. The role of co-opting was not executed by Gamma‟s supervisory board. The
primary reason for this is that co-opting is a seen as an overextension by the supervisory board in their advice role:
No, that isn‟t the role of the supervisory board. They are not meant to sit on the chair of the executives, so if they say „you should do this‟ they are going too far in their advice role in my opinion. (Gamma executive secretary)
The opinion of the respondents within Gamma on the supervisory board‟s role of co-opting is in that sense consistent with the view of the respondents from other cases.
Delta. Comparable to the other cases, the role of co-opting was not executed by Delta‟s
31 other cases. It was mentioned by Delta‟s executive that proposals for taking in new IT products or personnel were always done by the executive, and that the supervisory board had no role in co-opting these resources.
4.5 Assimilating
Alpha. The assimilating practices regarding functional area IT knowledge of Alpha‟s
supervisory board can be categorized in two ways. The first way is that members of the supervisory board use their professional networks and other occupations within the sector to educate themselves on IT related topics. There are no structured meetings with external parties like this, and the executive secretary suggests that these assimilation efforts mostly take place in the informal circuit. The second way relates to seminars and information from the Dutch association of supervisors in healthcare (NVTZ):
The NVTZ expects that members of the supervisory board are actively aimed at knowledge development and maintenance, the supervisory board are held accountable for this. They make a yearly report which is sent to the NVTZ, who check it according to a quality standard. But the supervisory board is responsible for its own quality and reflection. (Alpha executive secretary)
Additional to the assimilation of functional area IT knowledge, the supervisory board engages with the functional leadership of the organization directly. The meetings with the information security officer and IT manager as shown in previous quotes serve as a way for the supervisory board to assimilate firm specific IT knowledge, and be informed about the state of IT projects, and risks for privacy and security. The role of assimilator is thus mainly performed by the application of communication approaches by informal contact with external parties, and presentations of functional managers.
Beta. Few cases of Beta‟s supervisory board assimilating IT knowledge were present in the
respondent‟s statements. Some measures of assimilating knowledge Beta‟s board used were making use of their professional network to pick up on topics they could potentially discuss:
They are of course all people with a broad network, a network where they pick up on certain sounds, and which they ask questions about, or can ask questions about. (Beta executive secretary)
32
They have a lot of topics on their plate so yes, not enough attention for the topic, well not enough, there is enough attention for it but it could be more, seeing the growing importance of IT (Beta executive secretary)
While the respondents do not see the current IT knowledge of the supervisory board as hampering their ability to supervise the IT function of the organization, the trend of IT becoming more and more integral to health care organizations is recognized.
Finally, the more informal meetings between the members of the supervisory board and the executive board mentioned previously serve a double role in both the ITG monitoring and assimilating roles of the supervisory board. Increasing the information flow to the supervisory board through the visitations to job sites and regular conversations with organizational members outside of the structured meetings will help the supervisory board to potentially assimilate firm-specific IT knowledge. As Beta‟s executive explains:
We organize all kinds of visitations to job sites where [the supervisory board] come into contact with parts of the organization, see what we do and how we work. For a supervisor it‟s important to inform themselves about the organization, and we as executive board make sure they have a program for that. (Beta executive)
Overall, the assimilation of IT knowledge does get some attention in Beta‟s supervisory board. Mainly in the field of firm specific IT knowledge efforts are being made. However, educating the board on more functional area IT knowledge related to healthcare does not get as much attention. Again, there is a heavy reliance on communication approaches to assimilate knowledge.
Gamma. Gamma‟s supervisory board showed some activity in terms of assimilating,
however no formal education steps were undertaken that directly relate to IT. Gamma‟s supervisory boards‟ assimilation activities primarily come from secondary activities that the members perform beside their function as supervisor:
33
that undoubtedly. But that is something else than the real hard IT, you need to differentiate from that. (Gamma executive)
Gamma‟s executive further added that the interest of the supervisory board in learning initiatives was focused on direct applications of IT on health care processes, such as e-health, as opposed to specific „hard IT‟ topics. Unlike in the other cases, no indication was given that the supervisory board had direct contact with functional IT managers in the organization in the form of meetings or presentations. Therefore their assimilation of firm specific IT knowledge relies primarily on the reports and meetings with hospital executives.
While the current level of IT knowledge within the supervisory board of Gamma is not experienced as an inhibitor at the present moment, respondents do recognize that IT is becoming more and more central to contemporary hospitals. They believe that the supervisory board cannot stand still in its development on this topic.
Delta. Assimilation by Delta‟s supervisory board primarily happened through presentations
where the IT manager would speak to the supervisory board and update them on the state of IT within the organization. Additionally, the IT portfolio holder had the opportunity to ask questions to the IT management directly outside of the scheduled meetings. In terms of more formal education in the field, the executive would sometimes ask the portfolio holder to come with them to events that were of interest to the topic. In general, Delta‟s executive did not expect the supervisory board to follow extensive external education:
It will become very taxing for a job like this. If they have to externally educate themselves. On the other side, between us, I wasn‟t really eager to get new sounds out of the supervisory board in terms of IT. We had that knowledge available in-house. (Delta executive)
Delta‟s IT manager shared a similar sentiment. He believed that the IT department had enough knowledge available to them to make most of the decisions, and that they wouldn‟t need much involvement from the supervisory board. On the topic whether or not it would be good to have an IT specialist in the supervisory board, Delta‟s executive had the following to say:
I‟m not such a proponent of very specific IT specialisations within the supervisory board. But I am for people that have a piece of IT from finance. More like another function of specialism, plus IT because that‟s more useful to a supervisory board. Being able to bridge the gap between other fields, and not very specific IT specialists, because that would make me very nervous. (Delta executive)
34 specific and specialized IT knowledge. Delta‟s executive also stated that while the supervisory board did not have very specific IT experience, their level of knowledge was appropriate to fulfil their duties.
4.6 Stakeholder Management
Alpha. As prescribed by the health care governance code, Alpha‟s supervisory board has
contacts with the advisory councils of the organization several times a year. During these meetings the concerns of these bodies are addressed, which might also be on IT related topics. The supervisory board can then take these concerns and bring them up with the board of executives:
If they are with the client council and that body, I just mentioned the patient portal, the client council gives off an important signal that they have the idea that something doesn‟t happen that should happen, the supervisory board can have a role in that and have a conversation about it with the executive board. (Alpha executive secretary)
Other engagements with stakeholders come from the supervisory board‟s ability to contact functional managers in the organization, or more informal contact with external parties. The stakeholder management role primarily relies on the application of communication approaches, but due to the fact that the internal stakeholders have to be informed and involved in decisions that impact them, they are also part of the formal process of approval for larger IT investments.
Beta. Beta‟s supervisory board follows the health care governance code in informing several
of the hospital‟s advisory councils in regularly scheduled meetings. As a large subject of discussion, IT does make an appearance in these meetings:
The supervisory boards has contact, by the governance rules, a number of times a year with the works council, and also they have a conversation with the representatives of the medical staff. IT can obviously be a subject in those meetings, and that does happen. (Beta Executive)
35 stakeholders such as the advisory councils, the day-to-day management of these stakeholders falls to the executive board, and contact between the supervisory board and the advisory councils is limited to the scheduled meetings.
Gamma. Respondents within Gamma recognize the importance of the involvement of the
hospital‟s internal and external stakeholders. However, like in the other cases, the supervisory board‟s role with the internal stakeholders is limited to the scheduled meetings with the advisory councils:
So with large IT subjects such as the EHR for example, that is in that case one of the large developments, when the supervisory board talks to the advisory councils they will ask what is going on and how they are looking at large subjects. And then of course the larger IT subjects will be discussed. That way it is addressed, but it‟s not like there is a specific IT meeting. It will be addressed when there are important subjects related to IT, and then it will be automatically talked about in the regular conversation with the councils. (Gamma executive)
This shows that the supervisory board involves stakeholders in the larger IT related decisions that have an impact on the specific body and the individuals they represent. This is done by bringing up these topics during the formally scheduled and required meetings with the advisory councils.
Delta. The supervisory board of Delta has contact with stakeholder in similar ways to the
other cases. Large IT topics generally make it to meetings with the medical staff, client council and employee council when they are relevant to these bodies. Delta‟s executive did take an extra action to ensure the involvement of the stakeholders:
Yes the patients, the employees and the medical specialists have representatives. I always asked the chairman of the medical staff to come to the supervisory board meetings. That way the contact between the supervisory board and the medical staff was ensured. Several times a year we had meetings with the employee council and the client council. (Delta executive)
36
