The renowned King III Report, copyrighted by IoDSA, is sometimes overlooked by business, especially the smaller companies. This is an internationally acclaimed and very valuable resource and I want to give a little overview of the principles of the King III Report.
The King Committee, chaired by Mervyn E King SC, was first formed in 1992 to consider corporate governance in line with international standards and in 1994 the first King Report was released. Eight years later, in 2002, we saw the release of the King II Report, which contained a Code of Corporate Practices and Conduct. In 2009 we saw the release of the King III Report on Corporate Governance which basically provides guidance in respect of:
- Ethical leadership and corporate citizenship
- Boards and directors
- Audit committees
- The governance of risk
- The governance of information technology (IT)
- Compliance with laws, rules , codes and standards
- Internal audit
- Governing stakeholder relationships
- Integrated reporting and disclosure
Each point here can basically be a topic on its own, but one point that I would like to make in terms of the King reports is our failure to enforce it through legislation. Yes, I know there were some alignment with the Companies Act and others, but is that enough? A full review must be done to see how and where King III principles were incorporated in legislation, especially the chapter on ICT.
Again, as seen in many of my other posts, legislation is trailing behind technology and the gap this is creating have negative impacts on ICT in South Africa. It is true that the King Committee wants the report to remain a non-legislative code, but I tend to disagree. Even if it remains non-legislative, it should then be used to inform and influence legislation. Maybe I should address a specific topic to the gap between Law and ICT?
Getting back to the King III Report. The chapters are quite extensive, so I will divide it up into two separate parts (posts) and find what I consider the crux in respect of ICT.
Ethical Leadership and Corporate Citizenship
I need to be very careful on what I write here given the current state of leadership in the various verticals in South Africa 🙂
Ethics have many varying definitions and interpretations, but at its core it is a personal and moral trait. No matter how ethical the values of a company is, if the people within that company are unethical, then it devalues the company’s ethical standards. The unethical actions of just one or two can devalue company standards dramatically.
I’ve been in the ICT industry since the 8-bit computer era and the one thing I came to learn was that I will never make it in the industry if I’m unethical. Not that I ever was or wanted to be! Further to that, now entering the legal sphere, this has become even more important to me.
It’s probably obvious how ethics is relative to ICT in a company. ICT is normally the information hub of a company and therein lies many “ethical risks”. For a long time information has been neglected, but today those controlling the information are the ones possessing all the “power”. This basically means that the ICT guys, who normally flies under the radar, can make or break a company literally by the click of a few buttons. Just imagine and ICT guy stealing information and selling it off to your competitor. The damage of ICT staff with no moral and ethical standards can come at a very high cost.
King III gives the leaders a guideline on how to instil a culture of ethics. It gives guidance on how to integrate ethics into company strategies and operations. Ignorance of ethics and moral standards can be fatal, yet we are in a position to mitigate ethical risks – Don’t be ignorant!
Boards and directors
So, ICT don’t always have a ‘seat at the table’. In many cases, ICT don’t even have a platform to contribute and give inputs to the table. Focusing on principle 2.8 of the King III Report, the board is responsible for IT governance. This does not necessarily mean that IT needs a physical seat at the table, however the board should make sure that ICT is provided with a platform to influence decisions.
ICT is an integral part of business and decisions can no longer be made without the consideration of ICT.
Just think of this seemingly non-ICT related decision. You are the CEO of company XYZ and your fleet manager submits a request to procure 2 additional vehicles. As per normal, the request is circulated to the director board members before the next board meeting. All members are supportive of the request as it yields more benefits to the operations. At the board meeting, the CFO is given instruction to consider the financials and report back at the next meeting, where after a final decision will be made. The CFO reports back that it’s going to cost about R10 000 per month for the 2 vehicles, excluding the running costs. This isn’t really affordable, but everyone knows that it is a dire requirement which have been put aside for the last 2 years. It is decided to put it off for another year and they will then revisit the request.
Six months later you are in an offline discussion with your IT Manager. During this conversation the vehicle issue came up. Your IT manager informs you that if you consider virtualising the data centre and taking some of the services to the cloud, you would save between R10000 – R15000 per month. You are totally confused, but at the next board meeting you inform your team and everybody is supportive. This will now allow you to have a more stable IT environment and with the savings you can procure the two vehicles. Two birds – One stone! Win-Win!
Now, if you included the ICT Manager in your decision-making processes, then you would have been able to buy the vehicles 6 months ago.
It is simple things like these, that might seem unrelated to ICT, but where ICT was able to give a solution. ICT governance is the responsibility of the board and here I would say the first step is for the board to give ICT the platform to influence decisions.
Principle 3.1. states “The board should ensure that the company has an effective and independent audit committee“. The majority of audit committee members are normally external as this brings independence to the table.
From an ICT perspective, it is important to ensure that at least one audit committee member is skilled and experienced in ICT governance. It is also important that ICT regularly features as an agenda item at audit committee meetings and the focus should be on ICT governance and not nitty-gritty technical stuff. I would say at least quarterly.
The governance of risk
One of the areas that is normally low on the agenda is ICT Risks. It is obvious that the reason is the fact that ICT is left to be governed by the ICT Manager, yet at the same time, he/she does not have any influence on executive decisions. In your company, the person responsible for risk should work closely with ICT. Not only on ICT-related risks, but again ICT may assist in other risk-related matters.
I am of the view that ICT should have and maintain a separate ICT Risk Register and Plan, which should align with the Enterprise Risk Plan of the company. Further hereto, the board should decide which ratings of ICT Risks should be incorporated into the Enterprise Risk Plan.
The governance of information technology (IT)
“Information systems were used as enablers to business, but have now become pervasive in the sense that they are built into the strategy of the business. The pervasiveness of IT in business today mandates the governance of IT as a corporate imperative.”
Due to the length of my comments, I am going to skip this chapter and focus on it in a separate post dedicated to ICT Governance.
Conclusion of Part 1
I’m not trying to disseminate the King III Report, but I am trying to bring it closer to ICT. I know that I might have missed some critical points, but luckily you picked it up and will post back below what I am missing or even misunderstanding. Once you’ve posted a comment (or not), don’t forget to share this article!
** It should be duly noted that the King III Report on Governance for South Africa is owned and the copyright of the Institute of Directors in Southern Africa (IoDSA). Click here to familiarise yourself with the permitted usage thereof **