The King Code defines corporate governance as “the exercise of ethical and effective leadership by the governing body”. The King Code is important because it outlines what constitutes ethical and effective leadership. The article summarises the King Code, links to relevant source documents, and explains how we can help you apply it to your organisation.
Apply the King Code, turn governance into strategy, and move your organisation several steps ahead.
Why the King Code is important
The purpose of King is to:
- create an ethical culture in organisations,
- improve their performance and increase the value they create,
- ensure there are adequate and effective controls in place,
- build trust between all stakeholders,
- ensure the organisation has a good reputation,
- ensure legitimacy.
These are all crucial to building value and creating a better society.
Who does the King Code apply to?
The King Code applies to all organisations, especially organisations listed on the JSE. Unlisted companies, trusts, and NGOs are not obligated to comply, but it is still good practice to do so. Historically, many found the King Code too complex and therefore smaller organisations have seldom applied the principles. The latest version tries to address this by cutting down on the principles; however, the language is not easy, so we have decoded it below for all organisations, big and small, to apply the principles to their organisation.
While the King Code is voluntary, the courts have confirmed that it serves as a standard for interpreting the duties of directors under Section 74 of the Companies Act 2008.
How can we help you?
- Improve your organisation’s IT Governance, Risk and Compliance by attending one of our events.
- Gain the tools and insight to help you transition from one version of the King Code to the next by asking for our help or attending one of our events.
- Make the right disclosures for the King Code by asking us to assist you. We have developed clever ways to help you draft accurate, customised disclosures for your organisation as painlessly as possible.
- Manage the transition from King IV to King V by getting our King IV Toolkit (comparison tables and King planning tools).
- Align your IT policies with the King Code principles by asking us to review or draft IT policies that comply with them.
- Comply with IT Laws by getting a List of IT Laws and the Michalsons IT Legal Framework.
- Operationalise the King Code with reference to emerging technologies such as AI by attending our webinar on Applying the King Code for IT governance.
Principles in the King Code
Below are principles that relate to our focus areas.
Risk governance under the King Code
“The governing body governs risk in a way that enables the organisation to sustain and optimise its strategy and objectives.” (Principle 8). The governing body should take several actions.
- Set the strategic direction for risk and for an effective organisation-wide risk management system. It may delegate to a risk committee.
- Approve policies, frameworks and standards that give effect to its direction.
- Oversee and monitor implementation. Ensure the organisation takes action.
- Conduct risk assessments.
- Agree on the risks the organisation should be willing to take to pursue its strategic objectives.
- Implement effective risk responses.
- Have business continuity arrangements.
- Embed risk management into day-to-day operations and decision-making processes.
- Adopt an iterative, responsive approach.
- Consider periodic assurance.
Compliance governance under the King Code
“The governing body governs compliance with applicable laws and adopted policies, non-binding rules, codes and standards in a way that promotes ethics and responsible corporate citizenship.” (Principle 9). The governing body should take several actions.
- Set the strategic direction and be accountable for an effective organisation-wide system of compliance. It may delegate to a risk (or other) committee.
- Approve policies (like a Regulatory Compliance Policy or Data Protection Policy), frameworks and standards that give effect to its strategic direction. Specify which non-binding rules, codes and standards the organisation adopts.
- Oversee and monitor implementation. Ensure the organisation takes action.
- Integrate compliance into the broader organisation-wide risk management system.
- View compliance not only for the obligations it creates, but also for the rights and protections it affords.
- Take a holistic perspective on the interrelation between applicable laws and regulations and adopted non-binding rules, codes and standards.
- Monitor the regulatory environment and respond appropriately to changes or developments in regulatory policy.
- Consider periodic assurance. (For example, conduct a compliance audit.)
Data, information and technology (IT) governance under the King Code
“The governing body governs data, information and technology in a way that enables the organisation to sustain and optimise its strategy and objectives.” (Principle 10). The governing body should take several actions.
Data and information governance under the King Code
- Set the strategic direction for effective, compliant, and ethical information (including data) management and control (including acquisition, creation, use, dissemination and disposal). It may delegate to a risk (or other) committee. (To achieve this, the governing body might need an executive briefing on IT GRC.)
- Approve policies, frameworks (like the NIST Cybersecurity Framework) and standards (like ISO 27001 and IT Governance Joint Standard for financial institutions) that give effect to its strategic direction.
- Oversee and monitor implementation. Ensure the organisation takes action.
- Structure data resources and information assets to optimise information management throughout its lifecycle.
- Manage and control data resources and information assets ethically and responsibly.
- Comply with laws and regulations. (For example, POPIA and IT Laws)
- Identify and classify data.
- Secure and protect information to safeguard its confidentiality, integrity and availability. (Join our Cybersecurity compliance programme)
- Protect the privacy of personal information.
- Ensure information quality.
- Manage the risks associated with using outsourced services, suppliers, and third parties (including across jurisdictions). Third-party risk management (TPRM).
- Consider periodic assurance.
Technology governance under the King Code
- Set the strategic direction for the effective, compliant, and ethical acquisition, development, use, and distribution of technology products or services (like SaaS) within and by the organisation. It may delegate to a risk (or other) committee.
- Approve policies (including an AI Policy and Acceptable Use of AI Policy), frameworks and standards that give effect to its strategic direction.
- Oversee and monitor implementation to realise the envisaged benefits from the organisation’s technology strategies, investments, assets, resources, products, and services. Ensure the organisation takes action.
- Comply with laws and regulations. (For example, POPIA and IT Laws)
- Have a disaster recovery plan to promote organisational resilience and business continuity.
- Dispose of obsolete technology responsibly.
- Identify and classify data.
- Secure and protect information to safeguard its confidentiality, integrity and availability. (Join our Cybersecurity compliance programme)
- Manage the risks associated with using outsourced services, suppliers, and third parties (including across jurisdictions). Third-party risk management (TPRM).
- Oversee and monitor the organisation’s use of emerging technologies to achieve specific outcomes.
- Create sustainable value for the organisation within its economic, social, and environmental context.
- Assess, evaluate and respond to associated risks and opportunities to align current risk exposures with established risk appetite and tolerance levels.
- With respect to artificial intelligence (AI governance):
  - Adhere to the values of ethics, human centricity, accountability, transparency, explainability, security, privacy, fairness and trustworthiness. (This is the purpose of the Michalsons AI governance programme)
  - Ensure clear accountability for decisions, actions, outputs and outcomes (includes subjecting the processes, data, models, algorithms, resources and tools used in the development, implementation, monitoring and management of automated technologies to human oversight and override mechanisms that are commensurate with the level of risk to the organisation and its stakeholders.)
- Consider periodic assurance.
By embedding global best practices into their governance approach, South African organisations can leverage the King Code as a practical framework to align AI oversight with ethical standards (UNESCO Recommendation on the Ethics of Artificial Intelligence), strategic objectives, and global competitiveness in an AI-driven economy. Key practices include robust data and information governance, strong cybersecurity, and transparent, explainable AI tools. These ethical principles complement the King Code principles organisations already apply, and we empower organisations to extend their existing governance structures to effectively apply them to AI governance.
What is different in the versions of the King Code?
The King Code has undergone many changes since its first publication in 1994. With all the changes in business (such as technological changes) it was inevitable that the King Code would have to be updated from time to time. Each version of King builds on the one before.
The first Code was published way back in 1994, and we have had King I, King II, King III, King IV, and King V, with King V being the latest edition (the effective date for King V applies to financial years starting after 1 January 2026).
Countries with similar codes
By updating the Code, we are keeping up with international practices. Other countries have codes similar to the King Codes. These countries include the US, Canada and Australia.
Note: The Institute of Directors in Southern Africa NPC (IoDSA) owns the copyright to all of the King reports or codes on governance (including the latest version namely the King V Code™) and owns various trademarks in relation to King IV (including King IV™, King IV Report™, King IV Report on Corporate Governance™ and King IV Code™) and King V. All of the IoDSA’s rights are reserved. All views are our own, and we are not associated or endorsed in any way by the IoDSA.

