To many companies, GRC (governance, risk and compliance) is a giant ape scaling the office walls.

As technology becomes more pervasive and critical to business success, the hairy creature that is GRC also gains in its complexity. Legislation surrounding various aspects of corporate governance, especially the management of business critical and personal data, further adds to the risk mix that companies are exposed to.
South African Judge Mervyn King identified this exposure and has, since 1994, led the way in establishing an (internationally recognized) benchmark by which boards of directors could measure their compliance in all aspects of business.
The King III Report is his latest offering, with a greater focus on IT governance – separating the “information” and “technology” components to assist companies in managing this critical business component.

According to the report, “The board should understand the strategic importance of IT, assume responsibility for the governance of IT, and place IT governance on the board agenda.” King III strongly emphasises that, when it comes to GRC, a company’s board of directors may delegate its responsibilities and functions, but ultimately remains accountable for them.

Key requirements of King III

The King III Report discusses key IT governance responsibilities (of directors) across seven principles, some of which are:

  • The board is responsible for information technology (IT) governance.
  • IT should be aligned with the performance and sustainability objectives of the company.
  • IT should form an integral part of the company’s risk management.
  • A risk committee and audit committee should assist the board in carrying out its IT responsibilities.

Download the full report here.

According to the report, all boards of directors have to prove (amongst other things) that they have an IT governance framework in place, that they employ sound information security practices, and that they have effectively planned for business continuity and disaster recovery.


What does it mean in terms of company data?

“Technology risks should form an integral part of a company’s overall risk management strategy,” says Richard Dewing, CEO of automated data backup and recovery solutions company Cibecs. “Legislation, like the Protection of Personal Information Bill in South Africa, makes it imperative for companies to carefully manage the kind of information they have, how it is used, how it is stored and how it is secured.”

King III sets clear guidelines for the management of company data.

A company needs to be able to prove its ability to recover from a disaster. The mechanisms for doing so should be regularly tested, and the results demonstrated to the board, so that the board can satisfy itself and any interested parties of the company’s capacity to continue operating effectively in the event of a disaster.

The board needs to be fully aware of the legal risks associated with non-compliance with all relevant legislation governing IT, especially legislation affecting the “information” part of the IT function.

Information is subject to a range of risks that need to be managed, such as theft of intellectual property, internal risks posed by disgruntled employees, and a host of other concerns that could damage the company’s image and its operations.

“Managing the security of company data requires the implementation of effective control and management systems, as well as the ability to report on the success (or failure) of those systems,” says Dewing. “It is crucial that organizations remember that they are ultimately responsible for their data.”

Governance, risk and compliance need not be a giant monkey on a company’s back. Implementing the guidelines set out in King III should greatly benefit any organization in terms of operational efficiency and business continuity.

The legal compliance aspect of it all is just an added bonus.

Check this blog regularly for more information, including future articles about King III and other issues relating to effective user data management.

For more information, read our blog on how backup software can enable easier corporate governance compliance.

You can also download our white paper on the IT manager’s role in corporate governance compliance.
