PhilHealth Part 2: Questioning the Qualifications of the Current PhilHealth’s Senior Vice President (SVP) for I.T. & Chief Information Officer (CIO), (Dr. Atty. Noel G. Ramiscal)

In the August-September 2020 Senate and Congress hearings on the PhilHealth scandals, its SVP for I.T. and CIO, Jovita Aragona (Aragona) had been the subject of examination by legislators due to exposes of whistleblowers on I.T. procurement. But the legislators have not actually scrutinized her qualifications and supposed achievements within PhilHealth, in the same manner they have grilled the SVP for Legal, Atty. Del Rosario, on his alleged lack of qualifications, incompetence and dubious actions. And she was not one of the 11 PhilHealth officials who were placed in preventive suspension due to their actuations, malfeasance, misfeasance and nonfeasance.

In the interest of the public, specifically all the PhilHealth members, I deem it necessary to scrutinize her competence and actuations as SVP for I.T. and CIO, based on the public documents that have surfaced so far. I desire to disclose that I do not know this person in any way, professionally or personally.

SVP I.T. Aragona’s Qualifications

According to her bio in the WHO International, she “graduated from the University of Santo Tomas with the degree of Bachelor of Science in Industrial Engineering (BS I.E.) and finished her Masters in Information System (M.I.S.) from the University of the Philippines Open University. She has over 27 years of experience in the field of information technology, and is at present the Senior Vice President - Chief Information Officer of the Philippine Health Insurance Corporation. She is a COBIT5 Foundation certified and TOGAF9 certified” (https://www.who.int/health-topics/digital-health/dh-tag-biographies, accessed August 31, 2020). Her WHO bio also stated that she previously worked with the Department of Health and “has successfully implemented several health information exchange platforms” (https://www.who.int/health-topics/digital-health/dh-tag-doi). In her appearance at the Congressional hearing last August 20, 2020, she also said she taught computer programming and even mentioned an institute called “DataPro”.

ARE THESE SUFFICIENT?

The B.S.I.E. Degree: Is Aragona a truly Certified or Professional Industrial Engineer?

A short description of B.S.I.E. from the UST website states that the “Bachelor of Science in Industrial Engineering (IE) program is designed to prepare the student for professional work in the design, improvement, installation, and maintenance of integrated systems of people, materials, information, equipment, methods, and energy.” (http://www.ust.edu.ph/academics/programs/bachelor-of-science-in-industrial-engineering/)

This primary degree is quite relevant to the educational qualifications of a CIO. However, a graduate of the B.S.I.E. is not actually required to pass a certification exam comparable to the board exam of doctors or the bar exam for lawyers. But in order for the graduate to present himself or herself as a professional Industrial Engineer, the Industrial Engineering Certification Board (IECB) under the direct supervision of the Philippine Institute of Industrial Engineers (PIIE), administers two types of examination:

1. Certified Industrial Engineering Examination - this is intended for fresh graduates of Industrial Engineering as well as those who have relevant experience. Those who passed the exam is given a CIE Certification and a designation for associate practice.

2. Professional Industrial Engineering Examination (PIE) – To qualify for this exam, one must be a CIE examination passer, a master’s degree holder, and have a total of 7 years of work experience. Those who pass the PIE exam are given a certification and a designation for professional practice.

Both the PIIE and the IECB encourage graduates of Industrial Engineering programs to take these exams for their professional status and development.

Another professional recognition of one’s abilities as an engineer is the registration of one’s name and details as an ASEAN Engineer with the ASEAN ENGINEERING REGISTER SECRETARIAT, located in Malaysia. Entry to the register is governed by the payment of a fee and a scrupulous examination of one’s work as an engineer.

Engineers who have passed the PIE, and qualified to be included in the ASEAN Engineering Register place “Engr” before their names, and place “PIE” and “ASEAN Eng” after their surnames to indicate their certified professional status.

In the case of SVP Aragona, her WHO bio does not even place “Engr” but “Ms” prior to her name, while some of the other professionals in the same list indicate the abbreviated form of their professional titles, like “Dr.” She never referred to herself as “engineer” during the past legislative hearings. In her LinkedIn account, she only placed “Industrial Engineer” in her first job for a few months, and then made no mention of it.

While it is noted that Aragona has a Master of Information Systems (MIS) degree, from UPOU, it is the status of her primary degree that should have been examined by the legislators, to establish her credibility and to ascertain if and how such vocation could have helped in protecting the PhilHealth’s I.T. systems. This should have been verified. But no legislator had asked her if she has a certified or professional status as an industrial engineer.

Aragona’s COBIT 5 Foundation Certification?

One thing I have noticed over the years, is that most people who are not familiar with I.T. qualifications do not ask what they exactly are, like the legislators. Now Aragona’s bio stated she is COBIT 5 Foundation certified.

COBIT 5 (Control Objectives for Information and Related Technology) is a framework owned and supported by Information Systems Audit and Control Association (ISACA). It was created to support the governance and management of enterprise I.T., and help the practitioner understand how to tie business goals to I.T. objectives. There are five separate COBIT 5 qualifications or certifications available – Foundation, Implementation, Assessment, NIST Standards using COBIT 5 (INCS) and COBIT Assessor for Security (AS).

A COBIT 5 Foundation certification, supposedly enables the certified professional to demonstrate the requisite knowledge and understanding of the COBIT 5 guidance to be able to understand the governance and management of enterprise IT, assess the condition of an organization’s enterprise IT, and determine which elements of COBIT 5 would be suitable to implement. It is the starting basic course, which does not impose any special requirements on those taking the exam. In other words, anyone interested can study the course and take the exam.

Since the PhilHealth is an organization that handles P 200 billion (US$ 4.081 billion) annually, it would have been better if Aragona obtained and/or upgraded her COBIT 5 Foundation certification to COBIT 5 Implementation certification. In this level, she would have learned how to effectively apply COBIT 5 to address the specific business problems, risks and trigger events within the PhilHealth systems, and be versatile in applying and implementing COBIT 5 as necessitated by a variety of organizational or client scenarios. By having this Implementation certification, one is supposed to understand the implementation challenges and potential implementation pitfalls in enterprise IT systems, determine and assess current process capability, and analyze enterprise drivers to determine best practices.

COBIT 5 AS DEFICIENT AND OUTDATED

COBIT 5 has been criticized by some, including the research firm Gartner Inc, for ignoring the blurring boundary between IT and operational technology which impact the management of risks, delivery of value and may require additional controls.

Furthermore, and most importantly, COBIT 5 began in 2012, and the passage of over 7 years comprise several lifetimes in the I.T. world, particularly with the proliferation of the Internet of Things (IoT) and distributed ledger technologies. What SVP Aragona was certified to when she went to PhilHealth is no longer viable. It is for this reason that COBIT 2019 was approved and deployed by ISACA to correct the deficiencies of COBIT 5. There is now a COBIT 2019 Foundation certification.

So, the question that should be posed is this: how useful and relevant is Aragona’s COBIT 5 Foundation certification for fixing the PhilHealth IT systems?

In the 5 years she spent in PhilHealth, the IT systems she was in charge of, had not been able to prevent the different types of computerized frauds that had been exposed in the legislative hearings, which are the type of implementation pitfalls that the COBIT 5/COBIT 2019 Implementation certification would address, which was not part of the obsolete COBIT 5 Foundation certification she has.

Aragona’s TOGAF 9 Certification?

Again, the legislators did not look at this matter.

The Open Group Architecture Framework (TOGAF) provides an approach for designing, planning, implementing, and governing an enterprise information technology architecture. It is typically modeled at four levels: Business, Application, Data, and Technology. It relies heavily on modularization, standardization, and already existing, proven technologies and products. In 1995, the first version of TOGAF (TOGAF 1.0) came out. It was mainly based on the Technical Architecture Framework for Information Management (TAFIM), developed, and then discarded by the US Department of Defense. Since then TOGAF had evolved into different versions. The Architecture Development Method (ADM) which is the core of TOGAF supposedly helps businesses establish a process around the lifecycle of enterprise architecture in a step by step process. It can be adapted and customized to a specific organizational need to address the corporation’s information architecture.

Anyone with, or without, the requisite knowledge of information management, data architecture, etc., but with the passion to learn, can self-study or enlist with training companies to know about TOGAF and pass the exams.

The certifications overseen by the Open Group for this framework comprise of two levels. The Foundation (Level I) guarantees that an individual understands Enterprise Architecture along with core concepts and terminology of TOGAF. The Certified (Level II) confirms that the passer has a working knowledge of TOGAF and all the relevant technology and tools, and is able to critically apply such knowledge to actual business concerns.

TOGAF 9 AS IRRELEVANT AND OBSOLETE

Now, SVP Aragona’s WHO bio stated that she is only certified to TOGAF 9. It did not say what Level. But her certification is only for version 9, which came out in 2009. TOGAF 9.1 was released in 2011. The latest version is TOGAF 9.2 which was unveiled in 2018.

As it is, SVP Aragona’s TOGAF 9 Foundation certification only proved her understanding of the TOGAF principles and Enterprise Architecture way back in 2009. It is therefore outdated by 11 years! That is the reason why enterprise architects, or those who have earlier certifications are encouraged to be certified again in the latest version to assure their current understanding of the TOGAF principles (What is TOGAF? [https://www.cio.com/article/3251707/what-is-togaf-an-enterprise-architecture-methodology-for-business.html]).

Apart from these, there have been various criticisms over the years regarding the relevance and practical application of TOGAF to actual I.T. enterprises, such as the PhilHealth I.T. system (see “Enterprise Architecture: Don't Be a Fool with a Tool“, Jason Bloomberg, August 7, 2014 [https://www.forbes.com/sites/jasonbloomberg/2014/08/07/enterprise-architecture-dont-be-a-fool-with-a-tool/#2559c90c7860]).

An enterprise architecture expert, and one of TOGAF’s prominent critics, Syvatoslav Kotusev had written that its value is purely symbolic ("Enterprise architecture is not TOGAF", Kotusev, S., January 2016 [http://www.bcs.org/content/conWebDoc/55547]); that it did not contain any practical or sensible detailed method that could be reiterated as a project progressed and could therefore be seen merely as a set of supporting tools; and it could not, and should not, be seen as even best practice, because it was based on TAFIM, a failed US DoD experiment, that required huge amounts of time and money which resulted in enterprise architectures that became obsolete before they were competed, and were inscrutable to the business stakeholders ("The critical scrutiny of TOGAF", Kotusev, S., April 2016 [http://www.bcs.org/content/conWebDoc/55892]).

Kotusev also condemned the recent TOGAF 9.2 as sharing the innate defect of all its prior versions, in that this latest version still follows the rigid step by step architectural deliverables approach, pioneered in the Business Systems Planning way back in the 1960s that imitated traditional engineering methods, which does not work with organization wide planning ("TOGAF Version 9.2: What's New?", Kotusev, S., June 2018 [https://www.bcs.org/content-hub/togaf-version-92-whats-new/]).

After parsing through all these, the question that needed to be asked is: how pertinent and practical is SVP Aragona’s TOGAF 9 certification to fixing the PhilHealth’s fraud filled IT system?

Aside from her certification being passé, Kotusev’s critical study of TOGAF also raises the concern that any certification in this field, can be futile or perilous for individuals and enterprises that adopt the step by step approach of its ADM.