King III Requirements in South Africa and Business Corporate Governance considerations

This post is an overview of King III Requirements in South Africa

King III Compliance Legislation

Compared to the 800 pound, legal gorilla called the Sarbanes-Oxley Act, King III comes across as something of a softie in the world of corporate governance.
It’s not legislated and therefore not enforceable. Moreover, it takes the mild stance of “apply or explain” over “do or else”. However, a deeper inspection reveals a subtle and intelligent approach to ensuring its adoption. It should also be noted how King III compliance provides companies with multiple benefits – operational efficiency and assists in ensuring effective data protection,

People, Planet, Profit

The Code starts from a higher plane than Sarbanes-Oxley, a place that legal requirements don’t quite reach. SOX deals with how companies can redeem the trust of their shareholders through sound accounting processes, ethical auditing, and honest reporting. In contrast, King III begins with a worldview of the company as a corporate citizen that needs to take responsibility for its effect on the society, environment, and economy within which it operates. From this perspective there’s no real difference between shareholders and stakeholders – both groups have a vested interest in the company’s past, present and future behavior.

( Skip the details – download our White Paper on IT Management’s role in King III defined )

King III Requirements: From the Top

To get the ball rolling, King III looks to the very top level – the board. If a company is to act responsibly, it will need good leadership. Keeping to the letter of the law does not necessarily compel a company’s board to be good, thoughtful leaders. But when their activities and intentions (good or bad) are made transparent to stakeholders, a system is created that transcends the consequences of bucking the law. That means if the public knows what a company is up to, they have the opportunity to voice objections, or take action to protect themselves. The company in turn must choose to act ethically or face alienation from the very parties that give it life. But how is such transparency achieved?

The Mother of All Reports

Say hello to the Integrated Report – a comprehensive annual document that covers every facet of the company (not just the finances) extensively.
The older King I and II Codes called for a sustainability report to be created. This report showed how the company identified and addressed the risks it faced, the effectiveness of its processes, its effect on the environment and society, and several disclosures that were prescribed by the Code. It was presented in addition to the financial reports companies are so used to.

The new report gives the board, shareholders and stakeholders a complete overview of the company. From this information they can make their own assessment about its suitability as a corporate citizen they can trust.
It goes without saying that the contents of the report must be accurate. How this accuracy is achieved is the next step in the process …

The Auditing Committees King iii Requirements

Don’t get sidetracked by the word “audit”. These are not your run-of-the-mill committees concerned only with financial processes. This breed oversees the total scope of the Code’s requirements. In fact, auditing is so central to success that King III suggests five such committees that can monitor the company’s processes. They are:

• The Audit Committee itself – it oversees the total audit activity and is responsible for providing the final assessments that will be included in the Integrated Report.
• The Risk Committee is responsible for reporting on the company’s risk reduction initiatives.
• A Remuneration Committee monitors how board members are compensated for their services.
• A Nomination Committee is concerned with how board members are chosen for appointment.
• A IT Steering Committee considers the requirements for procuring and managing IT systems and services.

Parallel to these, the traditional internal audit and external audit functions still step up regularly to make sure the company is performing its duties. As you may have guessed, the Audit Committee monitors these functions to see that they carry out their own duties in an unbiased manner.

The audit committees themselves have to be above influence and the Code describes the conditions for achieving this. While the Audit Committee monitors the company, it has to provide a report on its own activities and effectiveness to the board.

All the findings of the Audit Committee, the internal and external auditors and management are included in the final Integrated Report, along with assurances by each party of the credibility of the information (what the Code refers to as “combined assurance”).

Information and the Board

The focus of the Code here is not to turn the members of the board into IT boffins, and by its own admission it doesn’t seek to lay down any overriding IT management practices. The end goal is to make sure the board is entirely accountable for the reliability of IT. They prove this by:

• Taking direct responsibility for IT governance,
• Making sure IT strategy fits in with their business objectives,
• Calling on management to implement a recognized IT governance framework,
• Overseeing any significant IT investments or expenditures,
• Including IT in their risk management strategies (especially by making sure all applicable IT laws and codes are adhered to),
• Ensuring the effective management of information assets,
• Allowing the risk and audit committees to assist them with their IT responsibilities.

Of course, the real concern of the Code is not the IT system itself, but the protection of the data under its stewardship. Without proper protection and serious considerations of these king III requirements, information upon which the continuity of the company depends could fall into the wrong hands or be lost – either forever or long enough to affect the bottom line. In short, backing up data and making sure there is a security system in place to limit access to it is imperative to the well-being of the company.

Protect and Serve

At this point, King III isn’t just a set of ethical principles; it reflects current legal requirements concerning the protection and re