IT Alignment to King III

The King Committee on Corporate Governance in South Africa has placed IT firmly on the board agenda. “In exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken regarding IT governance”. King III goes on to say that “the board should be responsible for IT governance”.

The board is expected to provide leadership, ensure proper value delivery and effectively manage IT risks. Why is this a board level problem? The pervasive nature of information technology is such that there are inherited information risks across the organizations value network. This is a scary thought - by implication there is inherited risk between organizations in outsourcing contracts for example. But let’s focus on the challenge inside the organization. The board needs assurance that information resources are managed effectively and efficiently to achieve corporate objectives.

CXO Advisor view

The governance of information technology and the information assets of the organization have always been a management issue. The better managed an organization the better the information flows support decision making, resource allocation and funding. Most IT functions in South Africa today report to the Chief Financial Officer. The language of business is finance. For this reason it is imperative that IT functions can communicate their budgets and strategic initiatives in a business language that is not only financially sound but also clear in terms of risk and return. Efficiency and effectiveness trip off the tongue but what do they really mean from an IT perspective? King III is driving boards to understand the implications of the technology related decisions they make. The key is to communicate such that business decisions can be made about information technology and related resources.

Key messages

  • The traditional people, process, technology perspective touted by many IT experts does not fully address the pervasive nature of information technology. The information assets of the organization are often dispersed either by geography or by people.
  • An information life cycle view is more appropriate than the technology focused; plan – build – run view.
  • It is relatively easy for the board to understand the desired outcomes of the IT function supported by the Three Role model
  • Strategy maps have been used for a number of years now to illustrate what key result areas an organization is driving to convert intangible assets to tangible outcomes. The Three Role Model provides the language for an easily understood strategy map for business about IT outcomes.
  • The Three Role Model also provides the language for an easily understood strategy map for business about IT risks.
  • The “apply or explain” approach of King III is not a “get out of jail free” card.
  • Traditional controls and standards such as CoBiT and ITIL do not easily provide board level assurance.