A recent discussion on the corporate outlook towards digital safety, particularly for women in the workplace, hinged on the technology and information governance environment within corporates.
NAMCODE's Chapter 5, which largely stems from the King III governance code, vests this responsibility in the board of directors, in the form of governance of information and technology linked to integrated reporting.
King IV's Principle 12, which follows suit, elevates this further to being part of corporate DNA, recognising that technology is no longer just an enabler but a platform on which business is conducted, and thus a distinct source of value creation.
In the wake of the 4th IR, with the 5th IR on the horizon, technology continues to make strides; it is radically changing how we do business and how ethically we adopt these technologies, as we heard at the just-ended inaugural 4th IR Expo and Conference in Namibia.
The Institute of Directors Southern Africa (IoDSA) highlighted in the King IV code, as far back as 2016, that technology advancements, which heralded the dawn of the 4th IR we are living through today, are so rapid that they can cause disruption and risk but equally yield new opportunities to gain a competitive advantage.
Let us zoom in on King IV's Principle 12, which sets out how technology and information, and the security thereof, should be governed.
Firstly, the code recommends in practice that there be ongoing oversight of technology and information (TI), governed in a manner that supports the organisation in setting and attaining its strategic objectives, and that TI serve as a recurring item on the board's agenda.
One such element of TI governance is the security of information, which has become a critical pillar.
This is in light of the increase in cybercrime activity, in both velocity and scale, during the pandemic, as reported by Security magazine in 2021.
Identity theft was found to have doubled during the pandemic, while data leakage continued to be a significant blind spot for businesses, especially once remote working kicked in, consequently raising the cost of breaches.
Hence, IoDSA emphasised that governing information warrants the protection of private personal information and the continual monitoring of information security.
NAMCODE suggests that information management should encompass information security and information privacy, with initiatives driven by requirements and concerns about data privacy, information security and legal compliance.
It recommends establishing processes to ensure the maintenance and monitoring of data quality, as well as establishing a business continuity programme to address the company's information and recovery requirements. Holistically, boards are expected to ensure that an information security framework and an Information Security Management System (ISMS) are developed and implemented based on security principles.
This is to ensure the confidentiality and integrity of information and the timely availability of information and information systems.
On the technology front, IoDSA recommended that technology risk be integrated into company-wide risk management and, amongst other things, pointed out the need for risk management of technology sourcing.
It also recommended monitoring of, and response to, the latest technology, not only by capturing potential opportunities but also by managing its disruptive effects on the organisation itself and on its business model.
Secondly, IoDSA recommended there should be periodic independent assurance on the effectiveness of TI in the organisation, including outsourced services.
Thirdly, there should be disclosure on TI, covering TI governance and management, significant changes in policy, and remedial actions taken in response to major incidents.
The above principles are, to a large extent, provided for in NAMCODE, which places the responsibility of the IT management framework on the board, particularly establishing and implementing the IT charter and policies to minimise IT risks.
NAMCODE also recommends in practice that a risk and audit committee assist the board in carrying out its IT responsibilities.
There should also be an individual responsible for the management of IT, a suitably qualified and experienced person, often a Chief Information Officer (CIO), to serve as a bridge between IT and the business.
All in all, as companies mature their technology and information governance environment, they should consider standards for governing TI, particularly ISO/IEC 38500, the international standard for the corporate governance of information technology.
*The opinions expressed in the article are those of the author and are in no way linked to any affiliates.