Brandon Faber (South Africa) - South Africa's "KING III" Report

Why following this leading document on Good Corporate Governance and its impact on IT is a good idea.

Compared to an 8000 pound, legal gorilla like the Sarbanes-Oxley (SOX) Act, King III comes across as something of a softie in the world of corporate governance. It's not legislated and therefore not enforceable. Moreover, it takes the mild stance of "apply or explain" over "do or else".

However, a deeper inspection reveals intelligent reasoning for its global adoption.

Information and the Board

To a large extent the trustworthiness of the company depends on the accuracy of the information it creates, collects and stores in its day-to-day activities. King III recognizes the vital role IT plays in the continuity of the company by dedicating an entire section solely to the governance of IT systems.

The focus of the Code here is not to turn the members of the board into IT boffins, and by its own admission it doesn't seek to lay down any overriding IT management practices. The end goal is to make sure the board is entirely accountable for the reliability of IT. They prove this by:

Taking direct responsibility for IT governance

  • Making sure IT strategy fits in with their business objectives
  • Calling on management to implement a recognized IT governance framework
  • Overseeing any significant IT investments or expenditures
  • Including IT in their risk management strategies (especially by making sure allapplicable IT laws and codes are adhered to)
  • Ensuring the effective management of information assets
  • Allowing the risk and audit committees to assist them with their IT responsibilities

Of course, the real concern of the Code is not the IT system itself, but the protection of the data under its stewardship.

Without proper protection, information upon which the continuity of the company depends could fall into the wrong hands or be lost - either forever or long enough to affect the bottom line.

In short, backing up data and making sure there is a security system in place to limit access to it is imperative to the well-being of the company.

Protect and Serve

At this point, King III isn't just a set of ethical principles; it reflects current legal requirements concerning the protection and retention of data. Acts of Parliament, such as South Africa's Electronic Communications and Transactions Act of 2002 and Companies Act of 2008, place requirements on companies that without the retention or protection of data would not be possible.

This includes retention periods of documents, protection of personal information, the retention of electronic communications, and the availability of this information to cyber inspectors. Companies who don't conform to these requirements may find themselves on the wrong side of the law.

Grassroots Thinking

Apart from the legal requirements that compel companies to backup and secure their information, these two practices are just plain common sense. A company that finds itself with a crashed hard drive that used to contain live transactional data starts running in slow-motion; without proper backups, it comes to a dead stop.
In the same way, lax security measures can have any number of consequences from virus attacks on servers to the theft of Intellectual Property vital to the company's survival.

The Result

In effect, the Code creates a self-regulating system of checks and balances, and its power to influence the way companies do business can be seen in the following examples:

- Shareholders want to be assured that they can trust the enterprise to act as a responsible steward of their investment, and can make use of the Code to achieve this goal;

- The Johannesburg Securities Exchange (JSE ) has made King III compliance compulsory in its own listing requirements, and has established an SRI (Socially Responsible Investment) index for grading the compliance efforts of companies;

- The Companies Act of 2008 reflects numerous recommendations of the previous King II Report.

The full effect of King III remains to be seen but it's certain that its proposals will find their way into every facet of South African (and Global) business in the future.



We haven't reiterated all the details of King III in this article for one simple reason: the Code is an easy read. It starts with a fairly long preamble by Mervin King which contains sound logic and insights not found in derivative articles; the Code proper is in tabular format and is written in layman's terms. To download a copy of the Code visit the website of the Institute of Directors in Southern Africa at:



Brandon Faber is Marketing Manager at Cibecs. The full-length article on South Africa's KING III Report can be found here.




« Ali Ahmar (Middle East) - Securing the Mobile Workforce


Pedro Cruz (Brazil) - Could Online Data be the New Black? »

Recommended for You

Trump hits partial pause on Huawei ban, but 5G concerns persist

Phil Muncaster reports on China and beyond

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies


Do you think your smartphone is making you a workaholic?