The king is coming

King III is here. As of 1 July a whole new raft of recommendations with a whole lot of implications for IT became your, yes, your, problem.

By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 20 Jul 2009

The draft Code of Governance Principles for South Africa 2009 and the draft Report on Governance for South Africa 2009 - collectively known as King III - were released for public comment in February, for two months. The final version of both will be released in September.

King III differs substantially from its predecessor, King II, on several fronts, most pertinently as far as IT governance is concerned. Says Escrow Europe director Andrew Stekhoven: “There are some very important aspects of King III for CIOs to consider. The first question, however, is 'which CIOs?' King II was about listed entities; King III is all-inclusive. So if you are the CIO of a company, large or small, listed or not, King III will affect your life.”

But, and it's a big but, as Stekhoven notes: “King III isn't prescriptive. It doesn't say 'thou shalt and here are the tick boxes'. It says 'thou shalt have a duty of care', and whatever that means. There are no tick boxes.”

King III emphasises leadership and sustainability in the broadest senses, Stekhoven adds. “And the biggie is the emphasis on the role of the audit committee. King III recommends that all members of the audit committee be independent, non-executive directors. In II it said the majority. In III it says the committee must have three members, II didn't address that. King III says the audit committee, as a whole, needs to have [an understanding] of financial risks, financial and sustainability reporting and internal controls. King II says the majority should be financially literate. King III prescribes the frequency of meetings - at least twice a year - King II didn't address it at all.”

From an IT governance perspective, King III gets serious. “The King III report, while currently still broad in its definitions of what is required, places a lot of emphasis on the need for a robust IT governance framework that focuses on risk, value and security. Additionally, the report notes the importance of making IT governance a board responsibility, rather than holding the CIO or IT manager accountable - and not soon enough,” says KPMG IT Advisory director Frank Rizzo.

“We need to get IT governance sorted out in the public and private sectors,” he reiterates. “It is important. We have to have alignment between business and IT. We've been saying this for ages. Thank goodness for King III - it puts it in there and says IT is part of our lives, and companies should have IT governance principles in place.”

Comply with this

King III is not a law, and there are no penalties for not complying with it. Not in the 'comply or face a fine or imprisonment' manner anyway.

Says Amir Lubashevsky, sales director at Magix Integration: “First of all - is it going to work at all? If you look at the first and second versions, and the practical recommendations in terms of 'what is governance', how much was implemented and how much ignored? How many companies changed the way they operate to adopt these recommendations? And the problem is, if it doesn't have teeth behind it - either strong legislation or an enforcement authority to look after it - then it is nothing more than a very good recommendation.”

Some commentators aren't even convinced that it's a good recommendation. Says Avi Eyal, CEO of global governance, risk, compliance and performance management software company Cura: “If you look at Chapter Four, the risk management section, it is poorly drafted, uses bad terms, the vocabulary is not consistent with that used in international standards, there are 10 definitions for risk, 10 definitions for control.” The fundamentals are badly written, he asserts: “They will just confuse people and introduce risk into the business as people try to follow [the recommendations].”

Overall, Eyal is not complimentary: “While the intentions are good, the execution falls well short. King III will not give people the right understanding and guidance in terms of how to execute properly.”

Naturally, opinions differ. Says Sybase SA BI Practice project manager Cameron McKenzie: “The King III report will provide a greater return on investment as it addresses the sustainability of IT (including hardware, software re-usability and architecture), as well as the spread of key skills and understanding. It also ensures that IT governance is a framework that supports the effective and efficient management of information resources.

“King III will have a positive impact on IT governance as it refers to and encourages the use of best practices such as Cobit, ITIL, MOR methodologies. It passes the responsibility back to board level with more disclosure, thus bringing about greater transparency,” he states.

Up to you

However well or badly it has been written, what matters is that King III still isn't mandatory, and this is a problem. But then, perhaps it shouldn't be, given that it differs from international standards in this arena, which raises the question: why do we need a separate standard when the ISO one (ISO 31000) will do just fine?

Says Eyal: “King III is only as good as the regulations around it or the enforcement that comes into play. SA does not enforce its laws - we know that. It starts with the guy taking R50 out of an ID book.”

That, of course, poses a whole set of questions about culture, and maturity, and leadership, which South Africans may want to spend some time pondering.

Says Rizzo: “We agree with it and support it. It is the right message for SA in the current climate and economy. [Governance, risk and compliance] is always going to be seen as a grudge purchase, but in these times if you skimp, don't skimp on governance. You can't have less control. We're seeing increased fraud, bribery and corruption on the forensics side of our business. Don't cut on the controls when the economy is down. Rather put new market niches on hold. Part of governance is determining whether you're getting the right information out of IT systems to make the right decisions.”

And in an economic downturn, making the right decisions is critical. What King III does, to an extent, is ask IT to account for failed projects, something many a vendor and consultant is not going to be happy about. But it's a necessary part of the industry's maturity. Accountability - across the board - is a skill South Africans have to learn, and fast. Let's hope King III helps some of them do it.
