King III Corporate Governance Code puts responsibility for IT Governance firmly at board level

The recently released King III, for the first time in the evolution of SA’s Corporate Governance Code, considers the key strategic role of Information Technology and its importance from a governance perspective.

“This is the first instance that IT Governance has been afforded such status,” says Angeli Hoekstra, PricewaterhouseCoopers SA and IT Governance Global Leader. “Because IT is so pervasive in business today, its importance has now been elevated to board and risk and audit committee levels. King III recognises IT as an integral part of the business and a strategic corporate asset that also carries some significant risks. It therefore needs to be well governed and controlled to ensure that IT supports the strategic objectives of the organisation.”

Hoekstra highlights some key fundamental changes that will occur in corporate IT, as a result of King III. “IT will now get the dedicated attention of the board, and IT decisions, accountability, policies, standards, controls, procedures and reporting will have to become far more formalised and embedded in an organisation. A proper IT Governance framework becomes essential, as the board will have to demonstrate how it has fulfilled all of these new responsibilities.”

The relevant chapter – Chapter Five on the Governance of Information Technology – contains seven principles and 48 accompanying recommendations for companies to follow with regard to IT Governance.

The first of these principles makes the board responsible for IT Governance. Hoekstra says that previously, this responsibility would have fallen on the Chief Information or Chief Financial Officers and would not necessarily have been reported on at board meetings.

Another principle is that IT must be aligned with the overall business strategy of the company, including its sustainability objectives. Hoekstra says that in line with the sustainability theme which permeates all of King III, the board must consider ‘green’ issues and the sustainability impact of technology. “Issues to consider include procurement (for example, is equipment energy-saving), how to reuse equipment or dispose of it effectively, and minimising wastage (for example by reducing excessive printing).”

King III recommends that the board should delegate IT responsibility to management (such as appointing a Chief Information Officer), but remains accountable. The Code also recommends that the risk and audit committees assist the board in carrying out its IT responsibilities. The risk committee considers the broad risk implications of IT whereas the audit committee has a narrower focus that relates to financial reporting and going concern issues.

Another principle is that the board should monitor and evaluate significant IT investment and expenditure and ensure value delivery of IT. Hoekstra says this means that, besides understanding IT expenditure through, for example, an IT chart of accounts and project benefits tracking systems, the board should also understand the value of the different IT functions, which is far more difficult to measure.

As King III has a very strong focus on risk management, it inevitably requires that IT risk management form part of the overall risk management strategy of the business. The Code also requires that the board give due consideration to effective information management, information privacy and security, such as privacy protection and securing the confidentiality, integrity and availability of information systems and assets.

Hoekstra highlights that the IT Governance chapter of King III is not only about IT Governance but also about IT management, as without the right management processes in place, one cannot comply with the overall governance principles. She adds that best practices such as ITIL, CobiT, ISO 38500 and the like provide guidance.

Hoekstra concludes that while these added board responsibilities may appear daunting, they do carry significant benefits beyond mere compliance. “There will be a greater understanding of IT costs and how they impact Return on Investment, unnecessary expenditure will be avoided, and IT spend outside of that which aims to provide general business support will have to add convincing value. IT decision-making and accountability will be clarified, relationships with key IT partners should improve, and IT performance should naturally move closer to international best practice.”