King IV places IT governance on the board table
The King IV report has ushered in a new corporate governance landscape for SA's organisations, especially when it comes to information security.
So said Carolynn Chalmers, corporate governance advisor at Candor Governance, who was speaking at the ITWeb Security Summit 2017 in Midrand.
King IV, which became effective in November last year, replaced King III as the guideline for the governance structures and operation of companies in SA.
The framework has been revised to bring it up to date with international governance codes and best practice. "Corporate governance is the exercise of ethical and effective leadership by the governing body towards the achievement of governance outcomes. With the coming in of King IV, South Africa is seeing a changing governance landscape," she said.
She pointed out that King I, which came into play in 1994, only targeted listed companies, large public entities as well as banks and insurers. King II, which became effective in 2002, went further to introduce risk management, internal audits and integrated sustainability reporting.
In 2010, King III was ushered in with the intention of including all organisations. It also saw the introduction of IT governance, business rescue and alternative dispute resolution, review of shareholders' remuneration, as well as integrated reporting.
While King III had the intention to include all organisations, King IV actually does, Chalmers said.
She said the biggest difference between King III and IV is that the former had 75 practices and principles, while the latter was trimmed down to only 16, meaning it's much easier to read and is thus more practical.
"King IV is the new landscape. King III was not really applicable to everyone and it was too prescriptive, following a tick-box approach."
Among the biggest stipulations of King IV is that the board should be responsible for IT governance and IT should be aligned with the performance and sustainability objectives of the company, Chalmers said.
It also notes that the board should delegate to management the responsibility for the implementation of an IT governance framework, and should monitor and evaluate significant IT investments and expenditure.
"According to King IV, IT should form an integral part of the company's risk management. The board should ensure that information assets are managed effectively, and a risk committee and audit committee should assist the board in carrying out its IT responsibilities."
She also noted that principle 12 says the governing body should govern technology and information in a way that supports the organisation in setting and achieving its strategic objectives.