Align IT with business strategy

King III recommends that IT should be integrated with company strategy, according to Judge Mervyn King, chairman of the King Committee.

During his keynote address at the ITWeb IT Governance, Risk and Compliance conference in Johannesburg, yesterday, King pointed out that companies no longer look at business in silos.

“It is crucial for IT to be built into the business plan, as its main role is to facilitate the achievement of business strategy and add value.”

He said the King III report recommends that all departments within organisations be aligned to strategy, so performance and sustainability can be achieved. “For this to be effective, there should be proper management in place for all the structures, processes, and mechanisms,” King added.

Management needs to execute the IT frameworks and make sure IT is on track to achieve its objective, as well as check if it is resilient enough to adapt to the strategy, he advised. “When management is in place, it is usually easy to see if IT is adequately protecting the business from the risks it faces, and if opportunities can be proactively recognised and acted upon.”

King also urged delegates to develop an information security management system (ISMS) for their businesses. “This ISMS should ensure the confidentiality of information, the integrity of information, and the availability of information, as well as information systems, in a timely manner,” he stressed.

“The risks involved in IT governance have become significant, as IT systems have become integral to a company's strategy and business,” King stated. Risk also includes the involvement of outside parties, such as service providers, so this makes IT risks form part of the company's risk management.

King suggested that organisations form a risk committee, to ensure IT risks are adequately addressed and, if necessary, call on expert advice. “The committee or the expert hired should understand the overall exposure to IT risks from a strategic and business perspective, ensuring that controls are in place to address IT risks.”

The report suggests that a company's management, or even the board, should be directly involved in IT governance. King pointed out that company boards that have had little understanding of IT systems, and their associated costs, have had to rely on expert advisors, who are now being appointed as CIOs.

“It is crucial that these CIOs sit on the board, like other directors, as they have a better understanding of IT.”

He said the report stresses that CIOs understand the long-term strategy of the business, so they can align it with efficient and effective IT solutions. “This will eventually strategically integrate IT into the business strategy.” CIOs will be able to see to it that the amount spent on IT is being measured and managed at all times, he added.

At all times, an organisation should see to it that there is independent assurance on the quality of outsourced IT, King said. “They should also see to it that there are effective review processes by independent experts.”

In 1994, the King committee issued its report on corporate governance. King I, as it is now known, incorporated a code of corporate practices and conduct that looked beyond the corporation itself, taking into account its impact on the larger community.

A second King Committee report - King II - was issued in 2002, taking this inclusive approach considerably further. The review of King II was prompted by changes in international governance trends and the reform of SA's company laws with the promulgation of the new Companies Act, 2008, expected to come into effect on 1 July 2010.

The revised King Code and Report on Governance for SA (King III) was unveiled on 1 September, 2009. It will come into effect and replace the existing King II Code and Report on Corporate Governance on 1 March 2010.