The King III report has had many ripple effects on business, especially since many of the recommendations form the basis of new laws and regulations such as the Protection of Personal Information Act (POPI) and even the Consumer Protection Act (CPA). This has made good corporate governance an important deciding factor for many investors. However, companies are overlooking the issue of data quality (DQ) – or lack thereof – thwarting their initiatives to comply whilst introducing a host of risks to the organisation.
While the report does not provide recommendations for DQ directly, IT governance and risk management are vital components of compliance, and at the heart of both of these aspects lies sound data governance. If data is not clean and accurate, it not only introduces risk but makes compliance all but impossible, which means that DQ is vital in order for organisations to meet the recommendations of King III and other legislation.
King III revolves around governance, financial risk, and the importance of producing accurate financial results. In effect, it is South Africa’s answer to the American Sarbanes-Oxley legislation, and is embedded in law under the provisions of the new Companies Act. It is seen as sound business practice, a gesture of good faith and good corporate governance. Specifically, one of the key recommendations within the report requires that Directors attest to the effectiveness of internal financial controls. It states that accurate financial controls can only be achieved if the data from which reports are being derived can be proved to be correct, accurate, complete and relevant.
King III also explicitly discusses IT governance and its implications with respect to overall corporate governance and risk management. Amongst other factors, the framework requires that IT Risk be measured and included as a metric within overall corporate risk, and that IT concentrate on value delivery. Data governance and DQ, as a result, fall into this area, since inadequate data governance will negatively impact overall IT governance, and poor data quality is a major risk factor for the business, introducing the potential for failure of systems and business processes and thus impacting on organisational risk. At a number of our clients, we have seen Data Governance move from an IT reporting function to a Risk reporting structure, as the Data Governance Organisation matures and business begins to fully understand the value.
If organisations are to meet the recommendations presented in King III, they need to be confident that the information contained in reports to stakeholders is accurate, and they must understand how this affects organisational and other risks, which is all driven by the underlying data and the quality thereof.
Taking this further into actual legislation, the CPA states that any decisions made by an organisation that have a negative impact on customers can result in the organisation being held liable, and POPI requires that any personal information held about clients be subject to stringent controls. This makes it vital to have accurate, consistent and secure data, along with sound data governance, which links back to the recommendations of King III, in order to manage risk.
However, it is also important to bear in mind that DQ is not a once-off exercise that can simply be completed and forgotten about. It is vital to have a roadmap for DQ that provides clear, tangible directives and is frequently updated to meet changing business needs. This must also be linked into an overarching data governance strategy and integrated within the wider business processes of the organisation. Data governance, apart from improving risk and compliance, also has a number of benefits, including increased business accountability, greater transparency, a better relationship between IT and business, and lowered costs through improved risk mitigation.
Ultimately King III is about managing risk through aspects such as improved governance, and DQ is a key factor in operational risk management across all areas of the business. In order to manage risk it is vital to firstly identify what could go wrong and how, as well as the impact of this and what could be done to control this impact, which relies on clean and accurate data. If the data is ‘dirty’, then it stands to reason that subsequently all inferences made from this data will be correspondingly poor, which increases risk and lowers levels of compliance.
This piece was previously published by ITWeb – The growing enterprise and the dataqualitymatters blog