Graham Croock, Director, IT Audit, Risk and Cyber Lab at BDO SA
On a global scale, we are watching the world change dramatically. Technologically, organisations are compelled to apply corporate business principles that keep pace with these changes. The highly anticipated King IV Report™, launched on the 1st November 2016, reveals a dynamic code of business principles that is in line with our ever-changing world. King IV™ is a business tool to assist organisations in creating more robust strategies. As with King III™, King IV™ deals with information and technology governance (IT Governance), but for the first time, IT Governance is specifically addressed in a whole chapter. This is in line with the trend of technology becoming more and more prominent in every aspect of organisations.
The report recognises that technology is now more than just an enabler: it is both the source of future opportunities for organisations and the platform on which they conduct their business.
According to Principle 12 of King IV™, the purpose of IT Governance is “to support the organisation to set and achieve its objectives.”
In King IV™, there is a great emphasis on organisational Boards taking a more hands-on approach. This includes periodically carrying out formal reviews of the competence of the organisation’s IT function. Although the assessment of the technology function is reasonably common in organisations, the formalisation of the assessment process is new. The Board is tasked with approving and overseeing the technology and information policy of the company. According to King IV™, the oversight of these policies should be in relation to the:
- Integration of people, technologies, information and processes across the organisation
- Integration of technology and information risks into organisation-wide risk management
- Arrangements for business resilience
- Proactive monitoring of intelligence to identify and respond to incidents, including cyber-attacks and adverse social media events
- Management of the performance of, and the risks pertaining to, third-party and outsourced service providers
- Assessment of value delivered to the organisation through significant investments in technology and information, including the evaluation of projects throughout their life cycles and of significant operational expenditure
- Responsible disposal of obsolete technology and information in a way that has regard to environmental impact and information security
- Ethical and responsible use of technology and information
- Compliance with relevant laws
Along with a variety of responsibilities that now sit with the board, Principle 7 of King IV™ addresses the actual composition of the governing body. A diverse board composition is better equipped to drive strong governance and compliance. King IV™ encourages boards to seek members with a wide range of backgrounds and skills so as to strike the right balance of risks and opportunities. Diverse and strong board composition creates an increased knowledge of governance, which will foster better understanding of compliance requirements, which have become more and more complex, especially on the fast-growing technology and innovation fronts. In many organisations, members of the board do not realise the importance of technology as a critical business driver, or how to apply the correct governance pillars. It is essential that boards either be tech-savvy themselves, or foster the critical governance infrastructures that provide the competency and expertise for technology in the business.
While King III™ called on companies to ‘apply or explain’, King IV™ requires entities to explain how the principles are applied, ergo, apply and explain. Companies are going to have to revisit their IT governance frameworks, charters, and policies. Companies need to increase their good governance arsenal by upskilling management and staff.