King III and the CIO

With King III being a much-talked-about governance requirement for JSE-listed companies, I thought I'd look at the Information Technology implications of King III, specifically how it affects the CIO. Bear in mind that King III is about 'adopt or explain' rather than 'comply or else!'
King III, in Chapter 5, states "The board is to appoint a suitably qualified and experienced individual as the chief information officer who is expected to:

  • Interact regularly on matters of IT governance with the board, or appropriate board committee, or both
  • Understand the accountability and responsibility of IT
  • Implement an IT Governance framework to deliver value and manage risk
  • Take responsibility for the implementation and monitoring of IT governance within the company
  • Seek leadership from the board, obtain direction and an understanding of the ethics and values that will influence and guide practices and behaviour within IT to achieve sustainable performance
  • Implement an Accountability framework to assign decision-making rights
  • Implement a suitable organisational structure and define terms of reference
  • Be a bridge between IT and the business
  • Ensure transparency through regular reporting to the board
  • Implement IT processes and governance mechanisms
  • Implement IT frameworks, policies, procedures and standards
  • Enable IT to add value to the business and mitigate risks
  • Incorporate IT into the business processes in a secure, sustainable manner
  • Develop and implement an IT governance charter and policies
  • Encourage the desirable use of IT by requiring managers to provide timely information, comply with the direction given and to conform to the principles of good governance
  • Implement an ethical IT governance and management culture
  • Create an awareness of the maturity levels of governance
  • Build management skills and competencies to govern and promote a common language
  • Incorporate IT governance in corporate governance
  • Adopt and implement an IT control framework
  • Implement processes to ensure that reporting to the board is complete, timely, relevant, accurate and accessible
  • Obtain assurance on the effectiveness of the IT control framework
  • Sustain and enhance the company’s strategic objectives
  • Implement a strategic IT planning process that is integrated with the business strategy development process
  • Enable the improvement of the company’s performance and sustainability
  • Integrate IT plans with the business plans
  • Define, maintain and validate the IT value proposition
  • Align IT operations with business operations
  • Align IT activities with environmental sustainability objectives
  • Implement a robust process to identify and exploit, where appropriate, opportunities to improve performance and sustainability of the company in line with triple bottom line objectives
  • Include relevant representation from the business in oversight structures
  • Have regard for the legislative requirements that apply to IT
  • Understand business requirements and long-term strategy
  • Have a strategic approach and facilitate the integration of IT into business strategic thinking
  • Translate business requirements into efficient and effective IT solutions
  • Exercise care and skill over the design, development, implementation and maintenance of sustainable IT solutions
  • Support the business and governance requirements in a timely and accurate manner through the acquisition of people, process and technology
  • Optimise resource usage, leverage knowledge
  • Ensure that the business value proposition is proportional to the level of investment
  • Deliver the expected return from IT investments
  • Measure and manage the amount spent on and the value received from technology
  • Protect information and intellectual property
  • Conduct post-implementation reviews to learn from each implementation
  • Promote sharing and re-use of IT assets
  • Ensure all parties in the chain from supply to disposal of IT services and goods apply good governance principles
  • Monitor and enforce good governance across all suppliers
  • Obtain independent assurance that outsourced service providers have applied the principles of IT governance
  • Obtain independent assurance of the effectiveness of the IT controls framework implemented by service providers
  • Obtain independent assurance that the basic elements of appropriate project management principles are applied to all IT projects
  • Regularly demonstrate to the board that the company has adequate business resilience arrangements in the event of a disaster affecting IT
  • Implement a risk management process based on the board's risk appetite
  • Design, implement and monitor the IT risk management plan
  • Maintain an IT risk register, including IT legal risks
  • Comply with applicable laws and regulations
  • Perform continual risk assessments
  • Select and use an appropriate framework for managing risk (e.g. COSO)
  • Consider and implement appropriate risk responses
  • Implement an IT controls framework
  • Minimise risks
  • Manage information assets effectively
  • Ensure the integrity and availability of information and information systems in a timely manner
  • Implement information records management and ensure information assets are identified, classified, retained, stored, archived, protected and made available when required for business and legal purposes
  • Establish a business continuity programme for the company’s information and successful execution of the business’ activities
  • Identify all personal information processed by the company and treat this as an important business asset, including being processed in accordance with applicable laws
  • Implement an information security strategy
  • Implement an information security management system in accordance with an appropriate information security framework
  • Provide the Audit and Risk Committees with relevant information about IT risks and the controls in place
  • Measure, manage and communicate IT performance
  • Report to the IT Steering Committee on IT performance
  • Consider using IT to aid the company’s risk management, compliance and audit efforts."

The Institute of Directors in Southern Africa owns the copyright in this publication titled ‘King Report on Governance for South Africa’, and the ‘King Code of Governance Principles’ (King III).