To many companies, GRC (governance, risk and compliance) is a giant ape scaling the office walls.
As technology becomes more pervasive and critical to business success, the hairy creature that is GRC also grows in complexity. Legislation surrounding various aspects of corporate governance, especially the management of business-critical and personal data, further adds to the risk mix that companies are exposed to.
South African Judge Mervyn King identified this exposure and has, since 1994, led the way in establishing an internationally recognized benchmark by which boards of directors could measure their compliance in all aspects of business.
The King III Report is his latest offering, with a greater focus on IT governance – separating the “information” and “technology” components to assist companies in managing this critical business component.
According to the report, “The board should understand the strategic importance of IT, assume responsibility for the governance of IT, and place IT governance on the board agenda.” King III strongly emphasises the point that, when it comes to GRC, a company’s board of directors can delegate the associated responsibilities and functions but, ultimately, remains accountable for it.