IT Advisory, April 2026

IT Governance for Hospitals: Structuring Your Technology Decision-Making

How hospitals can build IT governance structures that improve technology decisions, manage risk, and align IT investment with clinical and operational strategy.

IT governance in healthcare is often described as a process problem, but it is more accurately a clarity problem. Organisations that struggle with IT governance are usually unclear about who has authority to make which decisions, how competing priorities are resolved, and what accountability exists for technology investment outcomes. The result is a pattern familiar to anyone who has worked in healthcare IT: projects approved without adequate scrutiny, infrastructure decisions made in isolation from clinical strategy, and IT budgets consumed by reactive spending rather than strategic investment. This guide explains how to build governance structures that address these problems.

What IT Governance Is and Why It Matters

IT governance is the system by which technology-related decisions are made, implemented, and monitored in an organisation. It defines:

  • Who has authority to make which categories of technology decision
  • How new technology investments are evaluated and approved
  • How risks associated with technology are identified and managed
  • How IT performance is measured and reported to leadership

In healthcare, IT governance matters more than in most other industries. Technology failures have patient safety consequences. Cybersecurity incidents can disrupt clinical operations entirely. Poorly chosen systems generate years of workflow problems and remediation costs. The stakes are too high for technology decisions to be made informally or without appropriate oversight.

Governance Frameworks

Two frameworks are most commonly referenced in healthcare IT governance:

COBIT (Control Objectives for Information and Related Technology), published by ISACA, provides a comprehensive framework for IT governance and management. COBIT 2019 organises governance around six principles and provides detailed guidance on governance objectives, management objectives, and performance indicators. It is particularly useful for organisations seeking a systematic approach to IT risk management and compliance.

ISO 38500 is an international standard for corporate governance of IT. It describes six principles — responsibility, strategy, acquisition, performance, conformance, and human behaviour — and defines the respective roles of governing bodies and management in IT governance. ISO 38500 is less prescriptive than COBIT and works well as a high-level framework that an organisation can interpret for its own context.

Healthcare organisations do not need to implement these frameworks wholesale. The value is in using them as references to identify gaps in existing governance arrangements and to structure improvement efforts.

Governance Structures

Effective IT governance in a hospital or health system typically involves several distinct bodies with defined, non-overlapping roles.

IT Steering Committee

The IT steering committee (ITSC) is the primary governance body for technology investment and strategy. Its membership should include the Chief Executive (or designate), Chief Financial Officer, Chief Medical Officer or equivalent clinical lead, Chief Nursing Officer, Chief Operating Officer, and the CIO or Head of IT. It typically meets monthly or quarterly.

The ITSC's responsibilities include approving the IT budget and major capital investments, endorsing the IT strategy and roadmap, reviewing significant risks with IT implications, and resolving cross-functional conflicts about IT priorities. It does not manage projects or make operational IT decisions — those sit with management.

Architecture Review Board

The architecture review board (ARB) provides technical oversight of system selection and design decisions. It ensures that new technology investments are compatible with the organisation's existing architecture, integration standards, and security requirements. The ARB is typically staffed by senior IT professionals and may include clinical informatics leadership. It reviews major technology proposals before they go to the ITSC for approval, providing a technical quality gate.

Clinical Informatics Committee

A clinical informatics committee — variously named across organisations — brings together clinical leaders (doctors, nurses, pharmacists, allied health) to participate in decisions about clinical systems. This committee ensures that clinical requirements drive technology choices, that workflow implications are understood before systems are selected, and that clinical adoption issues are identified and addressed. It is the bridge between clinical operations and IT governance.

Decision Rights: Who Decides What

The most common governance failure in healthcare IT is not the absence of committees — it is the absence of clarity about which decisions belong to which body. Decision rights frameworks clarify this.

A simple decision rights model for healthcare IT might specify:

  • IT steering committee decides: IT strategy, annual IT budget, major system investments (above a defined threshold), significant changes to IT operating model
  • CIO/Head of IT decides: Operational IT budget allocation within approved limits, staffing within approved headcount, standard technology refresh, vendor management
  • Architecture review board decides or recommends: Technology standards, architecture patterns, integration approaches
  • Clinical informatics committee decides or recommends: Clinical system configuration, workflow design, clinical data standards
  • Department managers decide: Local IT requests within approved request catalogue, local training scheduling

When decision rights are unclear, two failure modes emerge: decisions get escalated unnecessarily (slowing everything down), or decisions get made at the wrong level without adequate scrutiny (creating risk).

Policy Framework

Governance is supported by a policy framework that specifies the rules all technology decisions must follow. Essential policies for a healthcare organisation include:

  • Information Security Policy (aligned to the organisation's security posture and regulatory requirements)
  • Acceptable Use Policy for IT systems
  • Data Classification and Handling Policy
  • Software Asset Management Policy
  • Vendor and Third-Party Management Policy
  • IT Change Management Policy

Policies should be reviewed annually and whenever significant changes in the operating environment (regulatory changes, new threats, major system changes) make a review necessary.

Risk Management Integration

IT governance and risk management are inseparable. IT-related risks — cybersecurity threats, system availability failures, data integrity problems, compliance gaps — should appear on the organisation's corporate risk register and be reported to the board or its audit committee.

The IT risk register should document each identified risk, its likelihood and impact, current controls, and residual risk. It should be maintained by the IT security or compliance function and reviewed quarterly by the ITSC. Risks above a defined threshold should be escalated to board or audit committee level.

Investment Portfolio Management

Healthcare IT budgets are portfolios of investment, not just lists of approved projects. Portfolio management asks: across all current and proposed IT investments, are we allocating resources in a way that best serves the organisation's strategic priorities?

Portfolio management disciplines include:

  • Categorising investments (run the business, grow the business, transform the business)
  • Tracking realised value against the business case approved at investment approval
  • Managing the balance between sustaining existing systems and investing in new capability
  • Identifying and addressing over-allocation of internal IT capacity

Governance at Different Organisational Sizes

A 50-bed hospital cannot operate the same governance structure as a 500-bed tertiary centre or a multi-site health network. Governance should be proportionate.

For smaller organisations, a single governance committee combining ITSC and clinical informatics functions may be sufficient. The CIO function may be part-time or shared with another role. The key requirements — clear decision rights, regular leadership engagement with IT decisions, documented policies — apply regardless of size.

For larger organisations, the full committee structure described above is appropriate, with formal terms of reference, minuted meetings, and annual reviews of governance effectiveness. Health networks with multiple facilities need a governance model that balances network-level standards and investment decisions with appropriate facility-level autonomy.

Good IT governance is not bureaucracy for its own sake. It is the mechanism by which an organisation ensures that its technology investments deliver value, that risks are managed, and that the people most affected by technology decisions — clinicians, patients, and operational staff — have an appropriate voice in those decisions.

FZ Consulting LLP helps healthcare organisations design and improve their IT governance structures. Contact us to discuss governance assessment or design for your organisation.