The King IV Code deals with information and technology governance (or IT Governance) in detail. IT Governance was first dealt with specifically in King III™ with a whole chapter and principle on the topic. In the King IV Code™, the scope of the IT governance section has expanded and more emphasis has been placed on it. This is in line with the trend of IT becoming pervasive in all aspects of the operations of organisations.
Why is IT Governance Important?
According to Principle 12 of King IV™, the purpose of IT Governance is to support the organisation to set and achieve its objectives. The main outcome of your IT Governance efforts should be adequate and effective control, but you should be aiming to achieve all governance outcomes.
What will the King IV Code mean for your IT Governance?
Are you going to have to revisit your IT governance frameworks, charters, and policies? Yes, but it shouldn’t be an extensive exercise. King IV is on an apply and explain basis so it is not compulsory unless you’re listed. IT governance policies should also be transparent on various aspects including management of information and technology and remedial action taken when major incidents occur.
Technology and Information Governance?
This is not a typo – King IV refers to technology and information governance. At first, this seemed strange because we are all familiar with the term information and technology governance (or IT Governance). We didn’t understand why the drafters had decided to change the terminology they used. Then, the final King IV explained that the committee wanted to highlight that technology and information can stand on their own. They wanted to put the focus on information and not just technology.
Information governance is as important as technology governance
We believe the committee should also have included communications governance. We think information, communications and technology governance (or ICT Governance) is probably the best term to use, although Internationally IT Governance is the established term.
The fourth Industrial Revolution
The King IV Report (page 30) refers to the advances in technology and digitisation as the fourth Industrial Revolution and stresses what a big impact it has on all organisations. We think it should be referred to as the Information Revolution, but it doesn’t really matter.
Who is Responsible?
The governing body must oversee and delegate
It is the governing body of the organisation that must oversee that the responsibilities for IT are:
- appropriately resourced,
- sufficiently defined.
The IT Governance Practices the King IV Code Recommends
The King IV Code (practices under principle 12) recommends that the governing body should:
- assume responsibility by setting the direction for how the organisation should approach and address information and technology (IT),
- approve policy to give effect to the direction,
- delegate to management the responsibility to manage IT effectively,
- oversee the management of IT, including overseeing that:
- IT risks are integrated into organisation-wide risk management,
- the organisation is resilient,
- management responds to security and social media incidents with a breach coach,
- IT is used ethically and responsibly through an IT policy,
- IT laws are complied with,
- information management sustains and enhances the intellectual property protection of the organisation,
- an enabling and supportive IT architecture exists,
- data protection,
- information security law aspects are in place,
- the risks pertaining to the sourcing of IT in IT contracts are managed,
- the organisation responds to disruptive technologies,
- consider receiving periodic independent assurances on the organisation’s IT arrangements, including outsourced services,
- disclose the governance and management of IT by the organisation, including disclosing an overview, focus areas, actions taken and plans.
Please note that this is the plain language version of this principle – you must read the full text yourself.
The reference to cyber-security risk in the draft was strange and has been left out of the final King IV. Was it just an acronym for information security risk? There is a big overlap with section 19 of the Protection of Personal Information Act here and maybe less so with cyber crime law.
Action you could take
- Empower yourself with knowledge and tools to effectively transition from King III to King IV by attending our IT GRC workshop that includes King IV.
- Make the right disclosures for King IV by asking us to assist you. We have created clever ways to assist you to draft accurate customised disclosures for your organisation as painlessly as possible.
- Transition from King III to King IV by getting our King III to King IV Comparison Tables and King Planning Tool.
- Comply with IT Laws by getting a List of IT Laws and the Michalsons IT Legal Framework.
- Ask Michalsons to review your IT Policies.
- Conduct an IP audit for you so you know what intellectual capital you have.
- Read a plain language overview of the King Report and King Code.
If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.
Note: The Institute of Directors in Southern Africa NPC (IoDSA) owns the copyright to all four of the King reports or codes on governance (including the latest version namely the King IV Report™) and owns various trademarks in relation to King IV (including King IV™, King IV Report™, King IV Report on Corporate Governance™ and King IV Code™). All of the IoDSA’s rights are reserved. All views are our own and we are not associated or endorsed in any way by the IoDSA.