To many companies, GRC (governance, risk and compliance) is a giant ape scaling the office walls.
As technology becomes more pervasive and critical to business success, the hairy creature that is GRC also gains in its complexity. Legislation surrounding various aspects of corporate governance, especially the management of business critical and personal data, further adds to the risk mix that companies are exposed to.
South African Judge Mervyn King identified this exposure and has, since 1994, led the way in establishing an (internationally recognized) benchmark by which boards of directors could measure their compliance in all aspects of business.
The King III Report is his latest offering, with a greater focus on IT governance – separating the “information” and “technology” components to assist companies in managing this critical business component.
According to the report, “The board should understand the strategic importance of IT, assume responsibility for the governance of IT, and place IT governance on the board agenda.” King III strongly emphasises that, when it comes to GRC, a company’s board of directors can delegate its responsibilities and functions, but ultimately remains accountable for it.
Key requirements of King III
The King III Report discusses key IT governance responsibilities (of directors) across seven principles, some of which are:
- The board is responsible for information technology (IT) governance
- IT should be aligned with the performance and sustainability objectives of the company
- IT should form an integral part of the company’s risk management
- A risk committee and audit committee should assist the board in carrying out its IT responsibilities.
According to the report, all boards of directors have to prove (amongst other things) that they have an IT governance framework in place, that they employ sound information security practices, and that they have effectively planned for business and disaster recovery.
What does it mean in terms of company data?
“Technology risks should form an integral part of a company’s overall risk management strategy,” says Richard Dewing, CEO of Cibecs, an automated data backup and recovery solutions company. “Legislation, like the Protection of Personal Information Bill in South Africa, makes it imperative for companies to carefully manage the kind of information they have, how it is used, how it is stored and how it is secured.”
King III sets clear guidelines for the management of company data.
A company needs to be able to prove its ability to recover from a disaster. The mechanisms for doing so should be regularly tested, and the results demonstrated to the board, so that the board can satisfy itself and any interested parties of the company’s capacity to continue operating effectively in the event of a disaster.
The board needs to be fully aware of the legal risks associated with non-compliance to all relevant legislation governing IT – especially those affecting the “information” part of the IT function.
Information is subject to a range of risks that need to be managed, such as theft of intellectual property, internal risks posed by disgruntled employees, and a host of other concerns that could damage the company’s image and its operations.
“Managing the security of company data requires the implementation of effective control and management systems, as well as the ability to report on the success (or failure) of those systems,” says Dewing. “It is crucial that organizations remember that they are ultimately responsible for their data.”
Governance, risk and compliance need not be a giant monkey on a company’s back. Implementing the guidelines set out in King III should greatly benefit any organization in terms of operational efficiency and business continuity.
The legal compliance aspect of it all is just an added bonus.