Many people ask us what their organisation must comply with: what is voluntary and what is mandatory. Organisations must comply with all applicable laws. So, for example, you must comply with RICA, GDPR, POPIA and the Consumer Protection Act, but only if they apply to your organisation.
But what about non-binding instruments, like rules, codes and standards? For example, COBIT is not a law, and therefore you do not have to comply with it. Organisations should nevertheless consider adopting non-binding rules, codes and standards (including ICT rules, codes and standards). If they do adopt them, then according to the King Code they must comply with them.
What must you comply with and what do you just need to consider?
There is an important distinction to be made here, between:
1. applicable laws,
2. adopted non-binding rules, codes and standards,
3. binding rules, codes and standards, and
4. other non-binding rules, codes and standards.
You must comply with 1, 2 and 3, whereas you only need to consider adhering to 4 (non-binding rules, codes and standards that you have not adopted). The first three are compulsory; the fourth is not.
Interestingly, the King Code is itself a non-binding code, which reinforces the fact that the governance principles set out in it are not compulsory: the "apply and explain" approach applies. For listed organisations, however, the King Code becomes a binding code because of the JSE listing requirements, so they must comply with it. And if other organisations voluntarily adopt the King Code, then they too must comply with it.
The IT governance chapter of King III™ includes the following statement: "the board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered." King IV™ says that the governing body must oversee that laws are complied with. It is therefore clear that compliance is an important element of IT governance. You can buy a comprehensive list of ICT laws, rules, codes and standards from us.
Note: Copyright and trademarks for the King III™ and King IV Report on Corporate Governance™ are owned by the Institute of Directors in Southern Africa. All views are our own and we are not endorsed in any way by the Institute of Directors in Southern Africa.