“Technology risks should form an integral part of a company's overall risk management strategy,” says Richard Dewing, CEO of automated data backup and recovery solutions company Cibecs.
“Legislation, like the Protection of Personal Information Bill in South Africa, makes it imperative for companies to carefully manage the kind of information they have, how it is used, how it is stored and how it is secured.
“Managing the security of company data requires the implementation of effective control and management systems, as well as the ability to report on the success or failure of those systems,” says Dewing. “It is crucial that organisations remember they are ultimately responsible for their data. Many of them are not taking this responsibility seriously.”
Implementing the guidelines set out in King III should greatly benefit any organisation in terms of operational efficiency and business continuity. The King III report has a greater focus on IT governance - separating the 'information' and 'technology' components to assist companies in managing this critical business component.
According to the report: “The board should understand the strategic importance of IT, assume responsibility for the governance of IT, and place IT governance on the board agenda.”
King III strongly emphasises that, when it comes to governance, risk and compliance, a company's board of directors can delegate the associated responsibilities and functions, but ultimately remains accountable for them.
Key requirements of King III
The King III Report discusses key IT governance responsibilities of directors across seven principles, some of which are:
1. The board is responsible for information technology (IT) governance.
2. IT should be aligned with the performance and sustainability objectives of the company.
3. IT should form an integral part of the company's risk management.
4. A risk committee and audit committee should assist the board in carrying out its IT responsibilities.
According to the report, all boards of directors have to prove that they have an IT governance framework in place, that they employ sound information security practices, and that they have effectively planned for business and disaster recovery.
What does it mean in terms of company data?
King III sets clear guidelines for the management of company data.
1. A company needs to be able to prove its ability to recover from a disaster. Its mechanisms to do this should be regularly tested and demonstrated to the board so it can satisfy any interested parties, and itself, of the company's capacity to effectively continue its operations in the event of a disaster.
2. The board needs to be fully aware of the legal risks associated with non-compliance with all relevant legislation governing IT - especially those affecting the “information” part of the IT function.
3. Information is subject to a range of risks that need to be managed, such as theft of intellectual property, internal risks posed by disgruntled employees and a host of other concerns that could have a damaging effect on the company's image and its operations.

