King III Requirements in South Africa and Business Corporate Governance considerations

This post is an overview of King III Requirements in South Africa.


King III Compliance Legislation

Compared to the 800-pound legal gorilla called the Sarbanes-Oxley Act, King III comes across as something of a softie in the world of corporate governance.
It’s not legislated and therefore not enforceable. Moreover, it takes the mild stance of “apply or explain” over “do or else”. However, a deeper inspection reveals a subtle and intelligent approach to ensuring its adoption. It should also be noted that King III compliance provides companies with multiple benefits, including operational efficiency and assistance in ensuring effective data protection.

People, Planet, Profit

The Code starts from a higher plane than Sarbanes-Oxley, a place that legal requirements don’t quite reach. SOX deals with how companies can redeem the trust of their shareholders through sound accounting processes, ethical auditing, and honest reporting. In contrast, King III begins with a worldview of the company as a corporate citizen that needs to take responsibility for its effect on the society, environment, and economy within which it operates. From this perspective there’s no real difference between shareholders and stakeholders – both groups have a vested interest in the company’s past, present and future behavior.


King III Requirements: From the Top

To get the ball rolling, King III looks to the very top level – the board. If a company is to act responsibly, it will need good leadership. Keeping to the letter of the law does not necessarily compel a company’s board to be good, thoughtful leaders. But when their activities and intentions (good or bad) are made transparent to stakeholders, a system is created that transcends the consequences of bucking the law. That means if the public knows what a company is up to, they have the opportunity to voice objections, or take action to protect themselves. The company in turn must choose to act ethically or face alienation from the very parties that give it life. But how is such transparency achieved?

The Mother of All Reports

Say hello to the Integrated Report – a comprehensive annual document that covers every facet of the company (not just the finances) extensively.
The older King I and II Codes called for a sustainability report to be created. This report showed how the company identified and addressed the risks it faced, the effectiveness of its processes, its effect on the environment and society, and several disclosures that were prescribed by the Code. It was presented in addition to the financial reports companies are so used to.

King III wants something different. It expects the two reports to be merged into one Integrated Report that shows the whole story. In this way there can be no downplaying sustainability in favor of profitability.

The new report gives the board, shareholders and stakeholders a complete overview of the company. From this information they can make their own assessment about its suitability as a corporate citizen they can trust.
It goes without saying that the contents of the report must be accurate. How this accuracy is achieved is the next step in the process …

The Auditing Committees: King III Requirements

Don’t get sidetracked by the word “audit”. These are not your run-of-the-mill committees concerned only with financial processes. This breed oversees the total scope of the Code’s requirements. In fact, auditing is so central to success that King III suggests five such committees that can monitor the company’s processes. They are:

  • The Audit Committee itself – it oversees the total audit activity and is responsible for providing the final assessments that will be included in the Integrated Report.
  • The Risk Committee is responsible for reporting on the company’s risk reduction initiatives.
  • A Remuneration Committee monitors how board members are compensated for their services.
  • A Nomination Committee is concerned with how board members are chosen for appointment.
  • An IT Steering Committee considers the requirements for procuring and managing IT systems and services.

Parallel to these, the traditional internal audit and external audit functions still step up regularly to make sure the company is performing its duties. As you may have guessed, the Audit Committee monitors these functions to see that they carry out their own duties in an unbiased manner.

The audit committees themselves have to be above influence and the Code describes the conditions for achieving this. While the Audit Committee monitors the company, it has to provide a report on its own activities and effectiveness to the board.

All the findings of the Audit Committee, the internal and external auditors and management are included in the final Integrated Report, along with assurances by each party of the credibility of the information (what the Code refers to as “combined assurance”).

Information and the Board

To a large extent the trustworthiness of the company depends on the accuracy of the information it creates, collects and stores in its day-to-day activities. King III recognizes the vital role IT plays in the continuity of the company by dedicating an entire section solely to the governance of IT systems.

The focus of the Code here is not to turn the members of the board into IT boffins, and by its own admission it doesn’t seek to lay down any overriding IT management practices. The end goal is to make sure the board is entirely accountable for the reliability of IT. They prove this by:

  • Taking direct responsibility for IT governance,
  • Making sure IT strategy fits in with their business objectives,
  • Calling on management to implement a recognized IT governance framework,
  • Overseeing any significant IT investments or expenditures,
  • Including IT in their risk management strategies (especially by making sure all applicable IT laws and codes are adhered to),
  • Ensuring the effective management of information assets,
  • Allowing the risk and audit committees to assist them with their IT responsibilities.

Of course, the real concern of the Code is not the IT system itself, but the protection of the data under its stewardship. Without proper protection and serious consideration of these King III requirements, information upon which the continuity of the company depends could fall into the wrong hands or be lost – either forever or long enough to affect the bottom line. In short, backing up data and making sure there is a security system in place to limit access to it is imperative to the well-being of the company.

Protect and Serve

At this point, King III isn’t just a set of ethical principles; it reflects current legal requirements concerning the protection and re
