
King III ups focus on IT risks

By Alex Kayle, Senior portals journalist
Johannesburg, 18 Jan 2010

The failure of companies to roll out adequate procedures and could result in shareholder prejudice, according to the King III report.

This is the view of Jeff Jack, GM of network integration at Dimension Middle East and Africa.

For the first time, King III, which came into effect at the end of last year, includes frameworks in both corporate and IT governance focusing on risk, business value and security. According to Jack, this means the board of directors will become more accountable in relation to IT governance, rather than pushing responsibility onto the CIO alone.

Good governance

“Companies that do not comply with King III are not breaking any laws,” explains Jack. “But they are breaking the code of good governance, and will need to explain why they did not follow King III. This will change the way shareholders view them and the market views them. It's not legislation, but it is seen as good practice.”

Jack says IT has become more important to business, and devices have become more connected. This means an increased reliance on systems will force enterprises to address security vulnerabilities in order to comply with King III.

According to Dimension Data's 'secure network infrastructure assessment', 71% of enterprise network devices have at least one software vulnerability identified by Cisco's Product Security Incident Response Team. However, nearly 100% of smaller organisations carry at least one security vulnerability.

Changing times

Jack says attitudes to IT have changed since the Institute of Directors released the first Code of Governance Principles for SA in 1994, known as the King report.

The first King report served as a source of reference, but was not widely adopted. In 2002, the King II report was released and legislated as a requirement for any JSE-listed company. King II was recognised internationally and was incorporated in the creation of the Sarbanes-Oxley report.

Jack points out: “Where financial risks are concerned, managers look to various tools and structures to provide the necessary overview and insights. It should be no different with IT; managers, and even those who are not IT managers, should be equipped to see where and how risks may be presented, and provide the capability to address such risks.”
