The King IV Code™ once again deals with information and technology governance (or IT Governance) in detail. IT Governance was first dealt with specifically in King III™, which devoted a whole chapter to the topic. In the King IV Code™, the scope of the IT governance section has expanded and more emphasis has been placed on it. This is in line with the trend of IT becoming pervasive in all aspects of the operations of organisations.
Why is IT Governance Important?
According to Principle 12 of King IV™, the purpose of IT Governance is to support the organisation to set and achieve its objectives. The main outcome of your IT Governance efforts should be adequate and effective control, but you should be aiming to achieve all governance outcomes.
What will the King IV™ Code mean for your IT Governance?
Are you going to have to revisit your IT governance frameworks, charters, and policies? Yes, but it shouldn’t be an extensive exercise. King IV™ works on an "apply and explain" basis, so it is not compulsory unless you’re listed. IT governance policies should also be transparent on various aspects, including the management of information and technology and the remedial action taken when major incidents occur.
Technology and Information Governance?
This is not a typo – King IV™ refers to technology and information governance. This is strange because we are all familiar with the term information and technology governance (or IT Governance). We do not understand why the drafters have decided to change the terminology they use. The final King IV™ explains that the committee wanted to highlight that technology and information can stand on their own. They wanted to put the focus on information and not just technology.
We also do not understand why communications governance is not included. We think information, communications and technology governance (or ICT Governance) is probably the best term to use, although internationally IT Governance is the established term.
The fourth Industrial Revolution
The King IV Report™ (page 30) refers to the advances in technology and digitisation as the fourth Industrial Revolution and stresses what a big impact it has on all organisations. We think it should be referred to as the Information Revolution, but it doesn’t really matter.
Who is Responsible?
The governing body must oversee and delegate
It is the governing body of the organisation that must oversee that the responsibilities for IT are:
- appropriately resourced,
- sufficiently defined.
The IT Governance Practices the King IV Code™ Recommends
The King IV Code™ (practices under principle 12 on pages 62 and 63) recommends that the governing body should:
- assume responsibility by setting the direction for how the organisation should approach and address IT,
- approve policy to give effect to the direction,
- delegate to management the responsibility to manage IT effectively,
- oversee the management of IT, including overseeing that:
  - IT risks are integrated into organisation-wide risk management,
  - the organisation is resilient,
  - management responds to security and social media incidents,
  - IT is used ethically and responsibly,
  - IT laws are complied with,
  - information management sustains and enhances the intellectual capital of the organisation,
  - an enabling and supportive IT architecture exists,
  - personal information is protected,
  - information is secured,
  - the risks pertaining to the sourcing of IT are managed,
  - the organisation responds to disruptive technologies,
- consider receiving periodic independent assurances on the organisation’s IT arrangements, including outsourced services,
- disclose the governance and management of IT by the organisation, including disclosing an overview, focus areas, actions taken and plans.
Please note that this is the plain language version of this principle – you must read the full text yourself.
The reference to cyber-security risk in the draft was strange and has been left out of the final King IV™. Was it just another term for information security risk? There is a big overlap with section 19 of the Protection of Personal Information Act here and maybe less so with the Cybercrimes and Cybersecurity Bill.
Action you could take
- Increase your awareness by attending a practical workshop on IT GRC, Cyber Crime and Security or Information Security and POPI.
- Comply with IT Laws by getting a List of IT Laws and the Michalsons IT Legal Framework.
- Ask Michalsons to review your IT Policies.
- Ask Michalsons to conduct an IP audit for you so you know what intellectual capital you have.
- Read a plain language overview of the King Report and King Code.
Note: Copyright and trademarks for the King III™ and IV Report on Corporate Governance™ are owned by the Institute of Directors in Southern Africa. All views are our own and we are not endorsed in any way by the Institute of Directors in Southern Africa.