The King IV Report and King Code (King IV) is an instrument that governs the leadership of an organisation through principles of ethics and good governance. King IV builds on the King III report: it was revised in many respects to align it with international best practice. The instrument is structured like a report, which is why it is often referred to as "the Report", and it includes a Code.
The King Code contains a set of principles and recommended practices that aim to achieve good governance outcomes. Collectively, King IV sets out what ethical and effective leadership is and, importantly for this page, deals extensively with information and technology governance (IT governance).
The Institute of Directors in Southern Africa NPC (IoDSA) owns the copyright to all four of the King reports or codes on governance (including the latest version namely the King IV Report™) and owns various trademarks in relation to King IV (including King IV™, King IV Report™, King IV Report on Corporate Governance™ and King IV Code™). All of the IoDSA’s rights are reserved. All views are our own and we are not associated or endorsed in any way by the IoDSA.
Applying the King Code is intended to help organisations:
- create an ethical culture;
- improve their performance and increase the value they create;
- ensure there are adequate and effective controls in place;
- build trust between all stakeholders;
- maintain a good reputation;
- promote transparency and meaningful reporting to stakeholders.
It is worth noting that the governing body goes by various names in practice, such as the board, EXCO, the steering committee, or the compliance or risk committee. Its members likewise have different titles: executives, board members, directors, trustees, committee members or EXCO members.
On IT governance, King IV recommends that the governing body should:
- assume responsibility for the governance of Information and Technology (IT) by setting the direction for how these should be approached;
- approve policy to give effect to its set direction on the employment of IT;
- delegate to management the responsibility to implement and execute effective IT management;
- oversee the management of IT, including overseeing that:
  - IT risks are identified and managed in terms of the organisation's risk-management policy;
  - the organisation is resilient;
  - IT intelligence is proactively monitored so that cyber-attacks can be identified and responded to;
  - the organisation complies with the relevant laws;
- exercise ongoing oversight of the management of information to ensure it results in:
  - an information architecture that supports confidentiality and integrity;
  - the protection of the privacy of personal information;
  - the continual monitoring of the security of information;
- exercise ongoing oversight of the management of technology to ensure it results in:
  - appropriate responses to developments in technology and the management of disruptive effects;
- consider receiving periodic independent assurance on the organisation's IT arrangements, including outsourced services.
The governing body should govern compliance with applicable laws in a way that supports the organisation being ethical and a good corporate citizen by:
- delegating to management responsibility for the implementation and execution of effective compliance management;
- exercising ongoing oversight of compliance and overseeing that:
  - the regulatory environment is continually monitored to ensure appropriate responses to changes and developments.
King IV itself does not impose compliance obligations on non-listed companies, and it carries no penalties or consequences for non-compliance. A non-listed company may apply the principles on a voluntary basis, and is encouraged to align its practices with King IV in the spirit of being a responsible corporate citizen.
Good governance and related laws
Part of good IT governance is that organisations consider the impact of related laws. For example, there is a large overlap between the principles of King IV and the Protection of Personal Information Act (POPIA). King IV sets the standard for IT governance; POPIA requires organisations to protect the personal information of the people whose data they hold. So, if a data breach occurs, those who lead the organisation may be held liable for the harm a person suffers as a result of the organisation failing to protect their personal information.
Obtaining a CyberProfiler scan and implementing the remediation recommendations in its report can help your organisation:
- ensure that IT risks are identified and managed;
- highlight areas of potential concern that may require action;
- be more resilient by proactively accessing risk-exposure reports;
- proactively monitor intelligence about potential cyber-attacks;
- comply with relevant laws, e.g. POPIA;
- respond to the disruptive effects of new cyber threats; and
- obtain periodic independent reviews of its potential IT vulnerabilities.
Implementing DMARC on your company's email domain can help your organisation:
- identify and manage IT risks related to spoofing by analysing the aggregate reports that receiving mail servers send you;
- be more resilient by reducing the risk of attackers sending mail that impersonates your email domain, since receivers that honour a p=quarantine or p=reject policy quarantine or drop unaligned mail;
- protect its information through sound information management;
- ensure that data-protection principles are adhered to;
- build trust with its customers by demonstrating that mail from the domain is authenticated; and
- ensure that it can respond to the disruptive effects of new cyber threats.
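The first two points above are where the practical work lies: checking that the published DMARC policy is actually enforcing, and reading the aggregate (rua) reports to find who is sending mail as your domain without passing aligned SPF or DKIM. The following is an added example written for this page, not code from the page's author or from any DMARC product. It parses a DMARC TXT record into its tags and reviews it for common weaknesses, then summarises a constructed sample aggregate report for the hypothetical domain example.com (the report XML, IP addresses and organisation names are made up for the example). It shows the point practitioners most often miss: a raw SPF pass for some other domain does not count, because DMARC requires the passing identifier to align with the From: header domain.

```python
"""Review a DMARC policy record and summarise a DMARC aggregate (rua) report.
Added example for this page; the sample report below is constructed, not real."""
import xml.etree.ElementTree as ET

# Constructed sample aggregate report for the hypothetical domain example.com.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mail-receiver.example</org_name><report_id>12345</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <!-- SPF passed for bulk-sender.example, but that is not aligned with example.com, so DMARC fails -->
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def policy_findings(tags: dict) -> list:
    """Return the weaknesses a reviewer would raise about a published DMARC policy."""
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be delivered to you")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp= defaults to the value of p=, so only an explicit sp=none weakens subdomains.
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("sp=none: subdomains remain spoofable")
    return findings


def summarise_report(xml_text: str) -> dict:
    """Aggregate a rua report per source IP: messages seen, DMARC passes, dispositions."""
    root = ET.fromstring(xml_text)
    sources = {}
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # The receiver's policy_evaluated dkim/spf values are already alignment-checked:
        # DMARC passes if either aligned DKIM or aligned SPF passes.
        aligned_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources.setdefault(row.findtext("source_ip"),
                                   {"count": 0, "passed": 0, "dispositions": set()})
        entry["count"] += count
        entry["passed"] += count if aligned_pass else 0
        entry["dispositions"].add(evaluated.findtext("disposition"))
    return {"domain": root.findtext("policy_published/domain"), "sources": sources}


def unauthenticated_sources(summary: dict) -> list:
    """Sources that sent mail as the domain and never passed aligned authentication."""
    return sorted((ip, s["count"]) for ip, s in summary["sources"].items() if s["passed"] == 0)


if __name__ == "__main__":
    for record in ("v=DMARC1; p=none", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(record, "->", policy_findings(parse_dmarc_record(record)) or "no findings")
    summary = summarise_report(SAMPLE_REPORT)
    for ip, count in unauthenticated_sources(summary):
        print(f"{summary['domain']}: {count} messages from {ip} failed DMARC; investigate or authorise")
```

In a real deployment you would feed the XML files that arrive at the rua= mailbox (usually gzipped) into summarise_report and review the unauthenticated sources: each one is either a legitimate sender that still needs SPF or DKIM configured, or someone spoofing the domain. Only once the legitimate senders are all aligned should the policy move from p=none to p=quarantine and then p=reject.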