Hello and welcome to the session in which we will discuss the information technology, or IT, governance focus areas. Now we need to know first what governance is, because we learned this term when we talked about corporate governance. We also learned this term when we discussed data governance. So what is governance in general? Well, it's a system of policies and procedures to make sure we are directing, controlling, and managing the company in the right direction, holding everyone accountable through those policies and procedures. So the people on the top are making sure they are ethical, they are following the rules, so on and so forth. Now how do we do so? How do we have corporate governance? Well, we have external auditors, part of the corporate governance, making sure we are doing things properly from an accounting or financial perspective. We have internal auditors who make sure we are following the procedures that the company is supposed to follow. We have a board of directors who oversee this process. We have management, we have line supervision, so on and so forth. So this is what corporate governance is.

So because IT is very important, we're going to have IT governance focus areas. So what is the purpose of this? Well, IT governance focus areas are the areas of focus for an organization to ensure what? That the IT systems and processes are aligned with the overall business goals and objectives. You're going to see this theme again and again and again as we look at those focus areas. What does that mean? It means your IT system, your information technology, software, hardware, people, your network, has to be aligned. What does "has to be aligned" mean? It means it's serving the overall purpose of your business, its goals and objectives. So IT and business should be going in the same direction. The IT should support the business and not the other way around. Now how do we know this is happening? Well, we have some common IT governance focus areas.
Now I'm going to list eight of them. In your CPA review course, in your CISA course, in your CMA course, they could have seven, they could have five. Some of them are combined, some of them are not. But here are some common IT governance focus areas: risk management, compliance, strategic alignment, performance measurement, resource management, continual improvement, stakeholder management, business continuity and disaster recovery. Once again, in your course it might look a little bit different, but I believe those are common IT governance focus areas. Simply put, your IT system should focus on these eight components to make sure you have proper IT governance. And if you know anything about FARHAT, once I have a list, I'm going to go over each item of this list separately, explaining what risk management is, compliance, so on and so forth, starting with risk management.

Before we proceed any further, I have a public announcement about my company, FARHATlectures.com. FARHAT Accounting Lectures is a supplemental educational tool that's going to help you with your CPA exam preparation, as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim, Miles. My accounting courses are aligned with your accounting courses, broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true-false questions, as well as exercises. Go ahead, start your free trial today, no obligation, no credit card required.

Risk management, one of eight. What is risk management? When we say risk management, what is risk? Risk is something that's going to be threatening us, threatening the company. Well, the first thing you have to do in risk management is to identify those risks. Just tell us, what are those risks? Are you aware of them? Identify them, point to them. Now, the worst risk is the risk that you don't see, that you cannot identify, but that's beyond the scope of what we are doing.
But the first thing in risk management, you need to know, what is my risk? Is it cyber security? Is someone going to breach my firewall and get my data? Will they turn my system off? What is my risk? Will they steal my information? Identify the risk, assess the risk, and know how to mitigate the risk. I'm going to talk about identifying, assessing and mitigating in a moment, but this is what risk management is. That's associated specifically with the IT system, because you could also have risk management from a business perspective, not an IT perspective. So the whole goal of risk management is to minimize the impact of negative events. So if something happened, hopefully we can even eliminate that negative event. If we cannot eliminate it, we can at least mitigate its effect. Mitigate means reduce its negative effect.

So what is identifying the risk? Well, simply identifying, knowing what you are exposed to. It involves identifying potential risks that could have an impact, obviously a negative impact, on the organization's IT systems and processes. Could include what? What are some examples? Data breaches: you have to know you have that risk. System failures, natural disasters. Now you identify them. The next thing you want to do is assess the likelihood of that happening. Well, I know I have a data breach risk. What is the likelihood of that happening? Is it 5%, 15%, 80%, 90%? What is the likelihood? This involves evaluating the likelihood and the impact of the identified risk. And if that happened, what are my losses? What could happen? This helps prioritize the risk. Why do you want to do this? Because you want to rank your risks. This is the most important. This is the second most important, third most important, so on and so forth. So this way you can allocate resources and pay attention to that risk, determine which risks require the most attention. Which one?
It's the ones that are most important, and if they are likely to occur, they definitely need your attention. Then what you have to do is have a plan to mitigate this risk. Well, how do you mitigate the risk? Well, you can transfer the risk by insurance, deal with it, so on and so forth. This involves taking action to reduce the likelihood or the impact. So first, you want to reduce the likelihood of that happening. If it happened, you want to reduce the impact, so it's not affecting you as negatively. What can you do? This could include implementing security measures to prevent data breaches, if that's your risk; implementing a disaster recovery plan to minimize the impact of system failure. So if somebody brought your system down, do you have a backup plan? We're going to talk about the backup plan later. Or purchasing insurance to mitigate the financial impact of negative events. Let's assume somebody hacked your system and they will not release it unless you pay a certain amount of money, a ransom. Well, do you have insurance against that? So bear in mind also that risk management is not just a one-time process. So you don't just do it once. It's an ongoing one because technology is constantly changing. And as the organization and its systems and processes change over time, new risks arise; as technology changes, new risks arise. So this is what risk management is: you have to constantly evaluate this. You want to make sure the people that are working with the company are up to date on this.

The second item, as far as IT governance, is compliance. Compliance. What is compliance? Well, making sure we are following relevant laws, regulations, and industry standards. We have to do that. Otherwise, we'll get into trouble. This ensures that the organization's IT system meets the requirements set forth by regulatory bodies and industry standards, because depending on which industry you work in, certain industries are heavily regulated.
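Before going further into compliance, here is the risk management procedure above (identify the risk, assess its likelihood and impact, rank it, then reduce the likelihood, reduce the impact, transfer it through insurance, or accept it) carried through as a worked example. This is an added illustration, not code or data from the lecture: the three risks are the ones the lecture names, but every likelihood, dollar figure, control cost and insurance share is a constructed sample value, and the treatment labels are made up for the demonstration.

```python
"""Worked risk register: assess (likelihood x impact), prioritize, and compare
treatments by residual expected loss. Added illustration; all numbers are
constructed sample values, not figures from the lecture."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float  # estimated annual probability of the event (0.0 to 1.0)
    impact: float      # estimated loss in dollars if the event happens

    @property
    def expected_loss(self) -> float:
        """Annualized expected loss, the 'assess' step: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass
class Treatment:
    label: str
    cost: float                     # annual cost of the control or premium
    likelihood_factor: float = 1.0  # multiplier on likelihood after the control
    impact_factor: float = 1.0      # multiplier on impact after the control
    transferred_share: float = 0.0  # share of the remaining loss an insurer pays


ACCEPT = Treatment("accept (no action)", cost=0.0)  # always a candidate


def residual_expected_loss(risk: Risk, t: Treatment) -> float:
    """Expected loss the organization still carries after applying treatment t."""
    residual = (risk.likelihood * t.likelihood_factor) * (risk.impact * t.impact_factor)
    return residual * (1.0 - t.transferred_share)


def net_benefit(risk: Risk, t: Treatment) -> float:
    """Expected loss avoided by the treatment minus what it costs per year."""
    return risk.expected_loss - residual_expected_loss(risk, t) - t.cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank risks so the largest expected loss gets attention first."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def best_treatment(risk: Risk, options: list[Treatment]) -> Treatment:
    """Pick the option with the highest net benefit; accepting the risk is always an option."""
    return max([ACCEPT, *options], key=lambda t: net_benefit(risk, t))


def treatment_plan(risks: list[Risk], options_by_risk: dict) -> dict:
    """Map each risk (in priority order) to the label of its chosen treatment."""
    return {r.name: best_treatment(r, options_by_risk.get(r.name, [])).label
            for r in prioritize(risks)}


# Constructed sample register covering the three risk types the lecture names.
RISKS = [
    Risk("data breach", likelihood=0.15, impact=800_000),
    Risk("system failure (core ERP outage)", likelihood=0.30, impact=200_000),
    Risk("natural disaster at primary site", likelihood=0.02, impact=1_500_000),
]

# Constructed treatment options (hypothetical costs and effects).
OPTIONS = {
    "data breach": [
        Treatment("security controls (MFA, patching, monitoring)", cost=40_000, likelihood_factor=0.4),
        Treatment("cyber insurance", cost=25_000, transferred_share=0.8),
    ],
    "system failure (core ERP outage)": [
        Treatment("disaster recovery plan", cost=15_000, impact_factor=0.25),
    ],
    "natural disaster at primary site": [
        Treatment("backup facility", cost=50_000, impact_factor=0.3),
        Treatment("property and business-interruption insurance", cost=20_000, transferred_share=0.7),
    ],
}

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.name}: expected loss ${r.expected_loss:,.0f}")
    for name, label in treatment_plan(RISKS, OPTIONS).items():
        print(f"  {name} -> {label}")
```

Run as a script, it lists the risks by expected loss (data breach first, natural disaster last) and then the treatment with the best net benefit for each. The sample figures were chosen so that one risk is cheapest to transfer through insurance, one is best reduced with a recovery plan, and the backup facility for the third is not worth its cost; re-running with next year's estimates is the "ongoing process" the lecture describes.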
So you want to make sure your IT system is complying with this. An example would be, for example, data privacy laws such as the General Data Protection Regulation, GDPR. Well, this is going to be tested more and more on the CPA exam and by other professional organizations. Are you protecting the data of your clients? It could be HIPAA, the Health Insurance Portability and Accountability Act, as well as industry standards such as PCI DSS for organizations handling credit card information. You want to make sure you are protecting this information. The banking industry will have even more regulation. The question is, is your IT compliant with those rules and regulations? Why? Because compliance helps the organization to protect sensitive information and avoid penalties and non-compliance. It's not only about penalties and non-compliance. If you are not in compliance, the most important thing that you're going to lose, it's not only that you're going to have to pay fees, it is your reputation. So your IT system should help you with this.

The third item of IT governance is strategic alignment. What does that mean? Alignment means going in the same direction, aligning your IT system with your organization's overall goal. Remember, this is an overall theme. Making sure that your IT system is supporting your business, and not the other way around. You could have the best IT system, but if it's not supporting your business, it's not good because it's not aligned with your business. You want to make sure the IT is aligned with your business, not your business aligned with your IT. What does that mean? This could include implementing an IT system that supports the organization's growth strategy. So if you have a growth strategy, you want to make sure your IT system can support this. If you have some different strategy, your IT system should support this as well. If you want to be in a niche, you don't want growth.
You want, maybe, to have a premium product, and your IT system should be able to support this. Or ensuring that the IT systems are designed to support the organization's customer service goals. So if that's your goal, you want to make sure your IT system, you have a system that's up to date, can respond to the customer on time, so on and so forth. How would that help? Well, it optimizes IT investments, because you don't invest in IT unless it's helping your business. And knowing that your IT is aligned with your business, you optimize, you make the most out of your investment, and ensure that the IT systems are being used in a way that supports the overall business objective and not for anything else. You don't want the IT to be treated as toys. You want the IT to be treated as an asset that's helping achieve your business goals.

Performance measurement, what is that? Well, it refers to the process of monitoring; you want to monitor and measure IT systems. Why? Why do you want to measure what's happening? Well, to ensure that the system is operating efficiently and effectively. What does efficiently mean? At the lowest cost possible. And effectively means you are reaching your goal. And why do you want to do that? Because you might want to identify areas to improve. Now, how do you monitor the process? How do you measure performance? Well, you would use various metrics, like what? Operational metrics. Well, these metrics measure the performance of a specific IT system or process. Like what? Well, you can measure the response time of a website. How long is it taking to respond to customers when they click, from when you first log in or when you click from one page to the other? Or the number of transactions processed by a system. How many transactions are being processed efficiently and in time? Two, you could have business metrics. These metrics measure the performance of IT systems in relation to business objectives. Like what?
For example, the number of customers served by a system or the revenue generated by an e-commerce website. Here you're looking at overall business metrics; these metrics are not about a specific IT process. You could also have service level metrics. These metrics measure the performance of IT systems in relation to some sort of a service level agreement, SLA, established with customers or stakeholders. Sometimes you might have a relationship with your vendors because your system is connected to them. Well, you want to make sure your system is in compliance and how fast it's processing that information. You could have compliance metrics. You remember we talked about compliance. Well, these measure the compliance of IT systems and processes with relevant laws, regulations and industry standards. For example, one way is to determine the number of violations. You should always be in compliance, while the metrics may be showing you how many violations you are having. Then, well, you have to work on reducing those violations. So, performance metrics are collected and analyzed to identify trends. If we have, for example, an industry standards violation, we have to know what's going on. Any pattern and bottlenecks, especially bottlenecks. If the response time of our website is not doing good, that's going to affect everything else. It's going to affect the customers' experience. And to make informed decisions to improve the performance of IT systems. Basically, if we measure the process, we can make improvements. And this can include identifying and addressing technical issues, because, again, any problem with the IT is a technical issue, or making changes to the IT system and process, because if we find a bottleneck, we want to change this.

Let's talk about resource management. What are resources? Resources are your assets, but we're talking about IT here. Resource management refers to the process of managing and utilizing IT resources effectively and efficiently.
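The performance measurement discussion above names four kinds of metrics: operational (response time, transactions processed), business, service level (against an SLA) and compliance (number of violations), and says they are analyzed to find bottlenecks. The following added example, which is not code from the lecture, computes the operational, service-level and compliance metrics from a small access log and flags the bottleneck endpoint. The log lines, the endpoint names, the 1000 ms SLA target and the log format itself are all constructed for the demonstration.

```python
"""Operational, service-level and compliance metrics from an access log.
Added illustration, not code from the lecture; the log, the endpoints and the
1000 ms SLA threshold are constructed sample values."""
from __future__ import annotations

import math
import re
from collections import defaultdict
from statistics import mean

SLA_MS = 1000  # constructed service-level target: every request under 1 second

# Constructed sample log: timestamp, method, path, latency in ms, HTTP status.
# The last line is deliberately malformed to show that bad lines are skipped.
SAMPLE_LOG = """\
2024-05-01T10:00:01 GET /home 120 200
2024-05-01T10:00:02 GET /checkout 950 200
2024-05-01T10:00:03 POST /checkout 2300 200
2024-05-01T10:00:04 GET /home 140 200
2024-05-01T10:00:05 GET /catalog 310 200
2024-05-01T10:00:06 POST /checkout 2800 500
2024-05-01T10:00:07 GET /home 110 200
2024-05-01T10:00:08 GET /catalog 290 200
2024-05-01T10:00:09 POST /checkout 1900 200
2024-05-01T10:00:10 GET /home 130 200
this line does not match the log format and is ignored
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d+) (\d{3})$")


def parse_log(text: str) -> list[dict]:
    """Turn raw log text into records, skipping lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, method, path, ms, status = m.groups()
        records.append({"ts": ts, "method": method, "path": path,
                        "ms": int(ms), "status": int(status)})
    return records


def percentile(values: list[int], p: float) -> int:
    """Nearest-rank percentile (p in 0..100) of a non-empty list of latencies."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def endpoint_metrics(records: list[dict], sla_ms: int = SLA_MS) -> dict:
    """Per-endpoint metrics: transactions and p95 latency (operational),
    SLA compliance percentage (service level) and violation count (compliance)."""
    by_path: dict[str, list[dict]] = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r)
    metrics = {}
    for path, rs in by_path.items():
        latencies = [r["ms"] for r in rs]
        violations = sum(1 for v in latencies if v > sla_ms)
        errors = sum(1 for r in rs if r["status"] >= 500)
        metrics[path] = {
            "transactions": len(rs),
            "p95_ms": percentile(latencies, 95),
            "mean_ms": mean(latencies),
            "sla_violations": violations,
            "sla_compliance_pct": 100.0 * (len(rs) - violations) / len(rs),
            "error_rate_pct": 100.0 * errors / len(rs),
        }
    return metrics


def bottlenecks(metrics: dict, sla_ms: int = SLA_MS) -> list[str]:
    """Endpoints whose p95 latency breaches the SLA, worst first."""
    slow = [p for p, m in metrics.items() if m["p95_ms"] > sla_ms]
    return sorted(slow, key=lambda p: metrics[p]["p95_ms"], reverse=True)


if __name__ == "__main__":
    metrics = endpoint_metrics(parse_log(SAMPLE_LOG))
    for path, m in metrics.items():
        print(f"{path}: {m['transactions']} tx, p95 {m['p95_ms']} ms, "
              f"SLA compliance {m['sla_compliance_pct']:.0f}%, "
              f"{m['sla_violations']} violations, errors {m['error_rate_pct']:.0f}%")
    print("bottlenecks:", bottlenecks(metrics))
```

On the constructed log the checkout endpoint is the bottleneck: three of its four requests exceed the SLA, so its compliance is 25% and one request failed with a server error, while the home and catalog pages are within target. The p95 rather than the mean is used for the bottleneck check because a mean can hide the slow tail that customers actually experience.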
Again, we always use these words: effectively, efficiently, aligned with the business objective. But what are resources? Specifically, what are our IT resources? Well, your IT resources are your hardware, software, network, people, and you ensure all of them are being used in a way to support the organization's overall objective. How do we do that? Well, for example, starting with hardware: asset management. We want to make sure we are keeping track of all our IT assets such as hardware, software, network, to ensure they are being used in a way to support the business organization. We could have what's called software management. How do we make sure our software is good? Well, making sure we are maintaining the software licenses. If there's any upgrade, and software always goes through upgrades, are we upgrading? Are we in compliance with vendor agreements? Again, sometimes we're going to be connected to the vendor or the vendor connected to us. There's going to be a compliance: well, we can do this, we cannot do that. Are we in compliance? IT personnel management. At the end of the day, people are running all of this. People are running IT. Well, we want to make sure we are managing those people properly because they are responsible for maintaining and administering the IT systems. And IT personnel management starts with recruiting, hiring, training, performance management. You want to make sure you have a system that follows people all the way from hiring to the end, when they are either let go or fired or whatever. Capacity management. Well, you also want to make sure you are managing your resources from a capacity management perspective, because you want to look ahead. This involves forecasting future IT resource needs and ensuring that the resources are available, either in terms of people or hardware or software.
This includes the future demand for hardware, software, people, network, and making sure that the organization has the resources needed to meet its demand, and resources, at the end of the day, means money. Also part of resource management is vendor management. This involves managing relationships with vendors such as software vendors, hardware vendors, service providers, to ensure that the IT resources are used in a way to do what? To support the overall business objective. All in all, you want to ensure that your IT resources are used effectively and efficiently and to minimize the risk of IT systems and processes becoming a bottleneck to the organization's overall growth and success.

Number six, continual improvement. What does that mean? It means there's an ongoing process of evaluating and improving IT processes and systems. Everything that we talk about is subject to continual improvement. The goal of continual improvement is to ensure that the IT systems are operating at the highest level of efficiency and effectiveness. Notice again, efficiency and effectiveness. And to make sure changes will help optimize the performance of IT systems. Now, how do we make continual improvement? Let's look at specific steps. Well, one is performance measurement. We talked about this, making sure we are continually monitoring the system to identify areas that can be improved on. And that's why I told you at the beginning, those, for example, continual improvement could be part of performance measurement. I said in some textbooks, in some courses, they combine them; that's fine. I just have them separately because I want to give as much information as possible. Identifying root causes for any problem: investigating the underlying causes of problems or any inefficiencies in IT systems to identify the best solution or improvement. This is part of continual improvement. Change management. What is change management?
And we're going to talk about change management much, much more later on. It's when you make a change to your IT system; that change has to be controlled and structured. And we'll talk about that much, much later on. It means it has to be supervised, controlled. We are aware of who's doing what. There's proper internal control to minimize disruption and ensure that the changes are implemented effectively. Benchmarking. What's benchmarking? Comparing your performance to, maybe, the industry standard. You may not be able to compare it to the competitors; they're not going to give you this information. But there should be some industry standards and best practices to improve IT. Well, how do you do that? You ask your people to read the latest about IT systems in the industry in which you are operating. Now, technology and the business environment change rapidly. So it's crucial to review and improve the IT system. And as I just said, your people have to stay up to date on what's going on in the industry, attending seminars, reading the latest research, and to ensure that they are aligned with the organization's overall business objective. We cannot forget about this. Everything that you do has to be aligned, has to be efficient, effective, and aligned with the business objective, right?

Now, we're also going to have stakeholder management. What is a stakeholder? Stakeholder management refers to the process of managing the relationships and expectations of stakeholders in relation to the IT systems and processes. First, who are the stakeholders? The stakeholders, basically, if I have to tell you this, the easiest way is everyone else except your competitors. They could include your customers, shareholders. So shareholders are part of stakeholders. Some people think stakeholders are shareholders. No, stakeholders are everyone else other than your competitors that are part of your business.
Customers, shareholders, employees, or other groups or individuals who have an interest in the organization's IT system, except your competitors, of course; they're not your stakeholders. You don't care about them, right? Now, how do you make sure you are managing the stakeholders' expectations? First, we have to identify them. Who are your stakeholders? Or who are the most important stakeholders? Identifying and understanding the different groups and individuals who have an interest in the organization's IT system. Then you have to communicate effectively with the stakeholders to understand their needs and expectations and keep them informed of any changes or issues related to the IT system. For example, if they are your vendors, well, if there are any changes in your system, you want to make sure you communicate this information to them. Do you have a venue? Do you have a system that does that? Let's assume shareholders, the owners, have a way to access information. Well, if there are any changes, you want to communicate this information to them. Of course, employees have to know what's going on within the system. They are the most important in terms of managing the system itself. Also, you have to meet their expectations, meeting the needs and expectations by ensuring that IT systems are designed and operated in a way to support their needs, whatever their needs are. Different stakeholders will have different needs. For example, customers want to log in and make sure they can place an order. Employees want to go in, make sure they can log into the system, that the system is working properly. And you have to also manage conflict between different stakeholders. For example, you don't want to give customers access to financial information, but shareholders want to have access to financial information. And the most important is you want to collect feedback to make improvements, continuously gathering feedback. Do you have a system to do that?
To identify areas for improvement and make changes. Collecting feedback could be as simple as having, on certain pages, a place where you allow the user to submit feedback or rate the page. And from rating the page, you could ask them, you know, what is your opinion about this? And they can give you the feedback immediately about this page. The feedback is sent to someone and it's specifically on that page. This helps ensure that IT systems and processes are designed and operated in a way that keeps stakeholders informed and engaged in the process, ensures that IT systems are aligned with the organization's business objective (this is maybe the fifth time we say this), and helps build trust and confidence in the organization's IT processes.

Number eight, business continuity and disaster recovery. And we're going to talk much more about this later on, but this has to be part of your IT governance. You have to have some sort of a backup plan, okay? It refers to the process of ensuring that an organization's systems can continue in case of a disaster or some sort of a crisis. So the goal of BCDR, business continuity and disaster recovery, is to minimize the impact of negative events. Negative events could happen all the time. It could be as big as 9-11 or it could be as small as someone hacking your system. And to ensure that the organization can quickly and efficiently recover from a disaster. How? Well, you could have a business impact analysis. What is that? Identifying the critical systems that are essential to the organization's operation. What are the most important hardware and software for me in case something happened? And assessing the potential impact of a disruption on those systems. Just like when you identify risk. You say, which risk is the most important? What's the likelihood of that happening? Risk assessment: identifying the risks associated with disruption of IT systems and assessing the likelihood and impact.
What could happen if the worst happened? You have to have the disaster recovery plan. We'll talk about this later on. Basically, developing a plan to respond to and recover from a disaster. Well, this could include procedures for restoring IT systems and processes and identifying resources required for recovery. Do you have the resources to recover in case something happened? Also, the business continuity plan, which is the BCP: developing a plan to make sure you will be in business to continue operations during and after a disaster. This may include alternative means of conducting business, such as working remotely or utilizing a backup facility. In case one facility goes down, you could move your employees to another facility, or you can send them home and they can have access to the cloud. You have to have testing and maintenance. You could have those plans, the disaster recovery plan, the business continuity plan, but you want to test them to make sure that they are working. Regularly testing and maintaining these business continuity and recovery plans, because to make sure they're working, you test them. They're up to date, effective, they are working, nothing wrong. Now, this is a critical step. Business continuity and disaster recovery is a critical step in operating a business, especially during and after a disaster. Why? Because you want to minimize the negative impact on the organization. And this helps ensure that the organization can continue to deliver products and services to its customers, even in the event of a crisis, or at least minimize the impact on the overall business. Again, we're going to talk about this much, much more, and it's going to have its own separate session.

What should you do now? Go to Farhat Lectures, whether you are a CPA candidate, CMA candidate, CISA candidate, or studying for your course, and look at additional resources, MCQs, additional lectures that are going to help you understand this IT governance idea.
Study hard, invest in yourself, good luck everyone and stay safe.