King III and Data Governance

The release of King III on 1 September 2009 brings with it significant opportunities for organisations that embrace its corporate governance principles. King III has been promulgated due to the requirement to comply with international corporate governance trends – such as Sarbanes-Oxley (SOX) – and as a response to the anticipated new Companies Act.

Like SOX, King III requires that Directors attest to the effectiveness of internal financial controls. Accurate financial controls can only be achieved if the data from which reports are derived is “provably correct” – accurate, complete and relevant. For most organisations, financial results are derived from an aggregation of financial data from many sources. Proving effective controls requires the ongoing reconciliation of the base aggregated data against the multiple sources, along with measures of accuracy, completeness and timeliness at each level. An understanding of these measures – and an appropriate improvement process – is critical to allow Directors to answer the question “Are you confident that the published results are accurate for the period?”

Unlike previous governance frameworks in South Africa, King III explicitly discusses IT Governance and its implications with respect to overall corporate governance and risk management. Amongst other factors, the framework requires that IT Risk be measured and included as a metric within overall corporate risk, and that IT concentrate on value delivery. A Data Governance program manages the inherent risks of poor-quality data – ranging from rework to project failure and write-off. Our customers have documented ongoing savings running into hundreds of millions that can be directly attributed to data quality assessments and improvements.

In order to achieve these goals we recommend a holistic approach that leverages an enterprise technology platform and employs a consulting engagement model that empowers business owners to become proactive participants in the validation, measurement, and management of all data. This type of solution would provide foundation processes for enterprise governance of risk and modeling data, and ensure data is matched and linked to enable business users such as GRC teams to correctly validate, aggregate and model risks as required by new regulation.