The treatment of information technology in the King Report on Corporate Governance has come of age with a far more detailed set of guidelines contained in the release of its third version.
The report reflects the changing approach to and perception of IT from a corporate governance perspective, says Marius van den Berg, director: technology security and risk services at Ernst & Young South Africa.
“While there was very little focus on IT in King 1 and 2, for the first time a major focus is brought to bear with a separate chapter dedicated to what has become an essential resource for the operation of every business,” Van den Berg says.
In King 3, it is recommended that the board takes responsibility for IT governance, which he says can be mapped to IT governance frameworks provided by organisations such as the IT Governance Institute. The necessity for environmental responsibility and sustainability is introduced, while culture and ethics in IT governance are also introduced.
“The emphasis falls on principles rather than explanations and strongly introduces responsibility for IT at the board level,” Van den Berg notes. “Also, the days are gone of the board indulging in the excuse of ignorance where IT is concerned and King 3 is driving that.”
The overriding principle is one of ‘apply or explain’. This, Van den Berg explains, provides an opportunity for directors to do just that – they can apply the principles, or justify why they have not been applied. “This is in contrast to a ‘comply or else’ approach. That provides for some flexibility and deals with potential criticism of the cost of control.”
The necessity for flexibility is reflected in the fact that bringing IT into the umbrella of corporate governance guidelines is potentially akin to herding cats.
“IT is an extraordinarily broad and complex field and function. As a result, organisations have to get some frameworks or tools to help shape their thinking; that said, there is not necessarily a clear cut right or wrong way of managing IT. While regulations or guidelines for its effective governance are necessary, the key is that they have to be practical and relevant.”
King 3, continues Van den Berg, reflects the changing perspective of IT and the way that it is approached. “There is recognition that IT executives are becoming more integral to the operation of the business, rather than being perceived as a distinct, even rogue, element of the business. IT is elevated to a board-level issue, which must be managed in line with business strategy.”
Perhaps appropriate in the parlous economy, but not as a result of it, Van den Berg says there is also a strong shift towards achieving value and accountability from IT rather than simply dealing with a ‘risk management’ perspective.
“This is reflected in King 3 and the expanded treatment that IT receives; there is a clear need for an IT governance charter or framework which sets out accountability at a high level,” Van den Berg says.