In the first part of this article I briefly gave my views on the following chapters in the King III Report and how I think it relates to ICT:
- Ethical leadership and corporate citizenship
- Boards and directors
- Audit committees
- The governance of risk
I did not consider The governance of information technology (IT) chapter, as this will form a separate and individual article. Let’s continue with the remaining chapters and I look forward to your engagements.
I would like to continue by considering the remaining chapters of King III, namely:
- Compliance with laws, rules, codes and standards
- Internal audit
- Governing stakeholder relationships
- Integrated reporting and disclosure
Compliance with laws, rules, codes and standards
There’s a multitude of laws, rules, codes and standards that ICT needs to adhere to. In general, the application hereof will be determined by the vertical that we find ourselves in. For example, the standards or laws governing ICT security for a bank will be much different from that of a retailer, which in turn will be different from the health sectors.
Then there are laws, rules, codes and standards that might apply to all verticals. An example hereof is the Protection of Personal Information Act. It is important that business does not disregard ICT and place it to one side in a corner; business needs to make sure that it knows the laws that impact on ICT.
A law might not necessarily appear to be ICT-related, but it can still impact ICT in business. Think of local municipalities that are bound to the Municipal Finance Management Act (MFMA). At first glance it doesn’t seem to have anything to do with ICT, but when studied in more detail you’ll find it has huge impacts on ICT: how a municipality can procure ICT goods, how it should manage ICT contracts, how it should deal with branding, sole proprietors, etc. We see further that the MFMA also makes it very difficult for local government ICT to manage the environment compared to private sector ICT. Think of trying to build service provider relations: this is basically impossible due to the MFMA.
In most cases, I would advocate that business develop its own rules, codes and standards within its environment. These rules, codes and standards should be aligned with and subject to laws. The reason I support this is simply because it is easier to amend or adopt a company rule, standard or code that is found contradictory to the law.
Something that might be of importance is to be cognisant of labour laws when adopting company rules, codes and standards. For example, labour law might state that a rule should be applicable to and enforced on everyone in the company. Therefore, if you create a rule for internet usage, you should ensure it applies to everyone (top-to-bottom), or create an exclusion that is allowed in labour laws. Maybe not the best example, but what I am trying to say is you will not be allowed to selectively apply rules to certain sections, groups or individuals through company policies, if such application is prohibited by laws not directly linked to ICT.
I would also like to add that compliance with laws, rules, codes and standards is a question of culture and here I refer to an “ICT culture”.
Internal audit
An internal audit’s main objective is basically “assurance”. Internal auditors need to look at processes, policies and activities and make sure business is adhering to these.
With ICT being part of almost all business processes and activities, it is critical that the relationship between internal audit and ICT is impeccable.
This is one of those symbiotic partnerships – internal audit needs ICT to assist them with providing assurance, while ICT needs internal audit to assure them that the ICT processes, policies and activities are effective for the business.
Internal auditors do not have to be ICT techies, but it would be advisable if at least one member of an internal audit division has ICT governance or ICT management experience. It is often found that internal auditors do not understand why ICT operates and does things in certain ways, and at the same time it is found that ICT does not understand why internal auditors need things done in a certain way. It is therefore important that these two roles communicate effectively and really try to understand each other’s functions and roles. If these two functions of business are able to find common ground, the company would already have a competitive advantage on many levels.
Governing stakeholder relationships
I consider three streams here. The first, which I have mentioned numerous times, is ICT not being placed within the relevant positions to influence business. One of the reasons I want to add is management’s lack of regard for ICT as a key stakeholder. The same way that management looks at expenditure, revenue, debt, processes, etc. – the same way they should look at ICT.
The second is the realisation that ICT is in a position to aid the business to manage stakeholder relationships more effectively, and the sooner business realises this, the better.
Lastly, you have the stakeholder relationship of ICT and external providers. This is sometimes vital to the business. Many companies outsource their ICT-related services and only have a small ICT division that manages the relationship between the business and the service provider. Your external stakeholder in such a scenario has a more integrated role in the business and the management of that relationship can either make or break you.
Integrated reporting and disclosure
I attend many workshops, meetings and seminars where I network with ICT managers from different verticals. A common thread is business not trusting their ICT.
When discussing this and digging deeper into possible reasons, the one reason I find in the majority of cases is ICT integrity. Now I’m not stating that these individuals do not have integrity. On the contrary, some of them ooze with integrity! The problem is them being “closet cases”. They do not put themselves out there in the face of business.
Apart from ICT involvement in integrated reporting, I would like to think of ICT-specific reporting.
I know of an ICT Manager that started sending out quarterly newsletters to managing staff members on the state of ICT for that quarter. He made it a non-technical document, so as to get engagement and allow the average person to clearly understand it. He would review the reports of other sections within the company and then build integrated reports that included ICT. For example, he would take the sales report of the previous month to see how many sales transactions the company had. He would then use the same figures and break them down to show how many sales were made via their website maintained by ICT. He completely went “out-of-the-box” in his thinking. Seeing the success through responses received, he increased the frequency over a period up to a point where the newsletter was sent out weekly to ALL staff.
In doing this, he placed the ICT division in the face of business and he was being transparent. No bells and whistles, but he disclosed the naked truth about what was happening in ICT within the company.
This eventually led to the executive team asking him to present them a monthly oversight report on ICT. By being transparent and disclosing what most would keep in the “closet” he earned himself a spot at the executive table, even if it was only once a month!
ICT should make sure that they are able to report on almost every aspect of business and their operations. Then don’t keep your reports in a “closet”, but distribute them to as many people in the company as you think should be aware of them. This way you will earn respect, show integrity, be appreciated and establish ICT engagements within business.
Remember, the executive team is not interested in your technical expertise. They enjoy pie charts and graphs that reflect the status of their investments. This allows them to make critical decisions and if you are excluded from those decisions, you can only blame yourself for not putting ICT out there. Don’t hide yourself in the “closet”.
I’m not trying to disseminate the King III Report, but I am trying to bring it closer to ICT. I know that I might have missed some critical points, but luckily you picked it up and will post back below. Once you’ve posted a comment (or not), don’t forget to share this article!
** It should be duly noted that the King III Report on Governance for South Africa is owned by, and is the copyright of, the Institute of Directors in Southern Africa (IoDSA). Please take note of the permitted usage thereof **