Information Technology (IT) is an essential element of all organizations across the healthcare continuum, interacting in myriad and evolving ways. As we know, the organizational experiences and results with IT projects vary widely. A project’s risk profile can be correlated to major factors including its size, the number of people involved and impacted, the complexity of the project, and its budget. Managing and mitigating risks for IT projects is a critical success factor for improving the chances of success, for realizing the benefits, and for serving the best interests of all stakeholders.
Many large projects involve the familiar SDLC (System Development Life Cycle). What can be done by organizations to reduce these risks and optimize chances for success throughout the SDLC? While optional, the Independent Verification & Validation (IV&V) methodology has stood the test of time and proven its value throughout the SDLC. Robert O. Lewis reported in his 1992 publication “Independent Verification & Validation: A Life Cycle Engineering Process for Quality Software” that the US Army first used in the early 1970’s for its Safeguard Anti-Ballistic Missile (ABM) Software. Whether for ABM or EHR deployment, an organization must do everything manageable to minimize or eliminate risks.
According to Wikipedia, IV&V consists of “independent procedures that are used together for checking that a product, service, or system meets requirements and specifications and that it fulfills its intended purpose.” IV&V is an important form of quality control for projects, more simply stated, an audit process.
In healthcare organizations contemplating larger, high-risk, complex system or software investments and associated projects, IV&V should always be considered during the planning process. It should be accounted for like any other important activity in the project. Frequently, the value brought to such projects by the independent or external party requires the availability of experienced and unbiased resources with proven, readily available, and customizable tools and processes. Once a decision is made to incorporate IV&V, these tools and processes should be incorporated into project plans early on for maximum impact.
StarBridge Advisors has the experience, resources, and a proprietary IV&V methodology based on Boehm’s popular Software Engineering Economics to assist healthcare organizations with the most challenging software or system projects regardless of vendor or application. The SBA IV&V methodology based on Boehm’s established software engineering methodology suggests formal periodic assessments, typically 3 times prior to go-live for an 18-month project, and once post go-live to assess benefits realization. SBA’s experiences provide evidence that IV&V improves the chances for success. SBA personalizes each IV&V plan based on an organization’s culture and the goals and objectives of the IT project.
IV&V includes following activities:
- Data Gathering & Analysis – Work products, deliverables, plans, schedules, budgets, and other relevant information are gathered.
- Interviews – Interviews are conducted with a diverse group of stakeholders including executive leaders, members of audit and compliance, managers, project personnel (managers and staff), clinical leaders, vendor personnel, and others as required.
- Surveys, Questionnaires, Focus Groups, and Benchmarking – These vary by project and organization.
- Scoring, Reporting, and Recommending – Each assessment includes a detailed and summary report that provides a risk score and mitigation plan for each area which is reviewed. The reports are designed for use by the organization’s Internal Audit area and for presentation to the Executive team and Board.
SBA’s IV&V periodic assessment typically focuses on details associated with the following 11 key areas but can be customized based on need and desired outcome:
- Project Governance
- Project Definition and Scope
- Objectives, Approach and Budget
- Implementation Timeline and Schedule
- Human Resources
- Planning and Controls
- Risk and Issue Management
- System Testing and QA Processes
- Training / User Education
- Production Readiness
Prior to the first assessment, the impact and importance of desired observations for each area are assigned a rating based on discussions with the project governing body and the audit representative and recorded in an Excel spreadsheet. For each periodic assessment, risk scores are assigned. Measurable and actionable findings and recommendations are developed and documented for each area and the subcategories and shared with the internal auditor.
The draft report is shared with the project leader and CIO (and other project champions) to ensure there are no factual errors. The report is then presented to leadership as appropriate for further action. These findings and recommendations are weighted and scored based on impact to project success and further depict lifecycle progress from launch to go-live. The IV&V supports and promotes unbiased, meaningful, and informed executive decision-making throughout the SDLC and associated systems and systems-related projects.
All IT projects have some associated risks that must be managed. Well-managed projects will favorably impact satisfaction, quality, safety, and the financial status of an organization. To increase their chances for success with IT projects, organizations should use an IV&V process or equivalent framework. Patients and families and all your organization’s other stakeholders will benefit from the rigor of such a process.