The Institute of Directors recently released the draft Third King Report on Corporate Governance (King III) for public comment.
Unlike previous reports, King III deals with IT governance in detail for the first time.
According to the introduction of the Report: “[i]nformation systems were used as an enabler to business, but have now become pervasive in the sense that they are built into the strategy of the business [and] the risks involved in information technology (IT) governance have become significant”.
In contrast to King I and King II, which applied only to listed companies and certain public bodies, the Third Report will apply to all corporate entities, regardless of size or form of incorporation.
It becomes operational on 1 March 2010.
The purpose of King III is to provide guidelines (in the form of principles) to South African corporate entities on good corporate governance practices.
Unlike the USA, South Africa has opted for a flexible approach in terms of which corporate governance rules are not codified in legislation. A so-called ‘apply or explain’ model is followed, in terms of which companies must apply King III or be able to explain why they did not.
Although failure to comply with King III is not subject to statutory penalty or punishment, courts will determine whether or not directors and managers complied with their common law and statutory duties with reference to King III.
Consequently, any failure to meet a recognised standard of governance, albeit not legislated, may render a director or executive management member liable in law.
“Fewer than 7 of the 141 pages of the Report deal with IT governance – that is simply not enough for such an important corporate issue,” says IT lawyer Reinhardt Buys of Buys Inc. Attorneys, who refers to the new IT governance provisions in King III as “generally incomplete, confusing and disappointing”.
“The problems start with the random use of important terms that are not defined in the Report at all. For example, in the IT governance provisions reference is made to ‘plans’, ‘strategies’, ‘policies’, ‘frameworks’ and ‘standards’ without any indication as to the meaning and definition of these terms.”
According to the SANS Security Policy Project clear definitions of these terms facilitate understanding and avoid confusion.
“A policy is typically a document that outlines specific, valid and enforceable requirements or rules that apply to everybody in a company. Failure to comply with a policy may result in disciplinary action. For example, an IT security policy would cover the rules and prohibitions related to information security. A standard is typically a non-binding, international and generally accepted set of principles on a specific topic like ISO17799, whereas a guideline is typically a collection of system specific or procedural specific "suggestions" for best practice”.
“If courts may later refer to King III in order to determine director liability, clarity and certainty of the terms used are paramount” says Buys.
“The King III Report requires a section that defines terms in line with internationally accepted norms”.
“Regarding duties and responsibilities, King III states that ‘IT governance is the responsibility of the board and management’. Then separate duties are assigned to ‘board members’, ‘the CEO’, ‘the Chief Information Officer’ and ‘all executives’.
To further complicate matters, the management of IT risks is assigned to ‘audit committees’ but ‘[g]iven the pervasive nature of information technology in most companies, the board may wish to task the risk committee to oversee IT strategy, governance and risk management on its behalf’.”
“In order to provide proper guidance, King III should be much clearer on who is responsible for what”.
Finally, references in King III to international standards and IT governance frameworks are incorrect and outdated.
In paragraph 113 on page 92, BS7799-1:1991 is referred to as “one of the long standing information security standards”.
However, the standard referred to is more than 17 years old and has been updated and renamed several times since.
BS 7799 was a standard originally published by the British Standards Institution (BSI) in 1995. It was written by the United Kingdom Government’s Department of Trade and Industry (DTI) and, after several revisions, was eventually adopted by ISO as ISO/IEC 17799, “Information Technology – Code of practice for information security management”, in 2000.
ISO/IEC 17799 was most recently revised in June 2005 and was renamed to ISO/IEC 27002 in July 2007.
In June 2008 the International Organization for Standardization (ISO) released ISO/IEC 38500:2008 – the most current and internationally accepted standard dealing specifically with IT governance.
“Notwithstanding this important international development and the availability of an international standard on IT governance, King III makes no reference thereto”.
Written comments on the Report and the Code are welcomed and should be submitted by 25 April 2009.
The draft version of King III may be downloaded from http://african.ipapercms.dk/IOD/King3/