The Director’s Duty under KING V with Caroline Mouton

Key Takeaways

• King V prioritises technology governance, making it crucial for directors’ ethical and environmental oversight responsibilities.
• Reporting is mandatory for specific organisations, with JSE-listed companies required to follow 13 core principles.
• Technology risk is a core business concern, requiring board accountability for data and cybersecurity strategies.
• Organisations must promote AI literacy and embed compliance, prioritising human values and safety in AI.
• Effective compliance differentiates corporate policies from SOPs, ensuring adaptable procedures support consistent goal achievement and audits.
• Data governance resides at the board level, guiding strategy and delegation, distinct from execution by IT.
• Top companies create specialised technology and ethics committees to oversee information strategy, data protection, and responsible AI adoption.

Webinar Details

Title: The Director’s Duty under KING V with Caroline Mouton
Date: 2026-06-17
Presenter: Caroline Mouton
Meetup Group: DAMA SA User Group Meeting
Write-up Author: Howard Diesel

How does King V Impact Governance and Compliance?

The transition from the King IV to the King V corporate governance code introduces crucial new compliance standards for organisations, specifically focusing on Principle 10.

The King Code is a globally recognised governance framework that is heavily integrated into ESG and organisational reporting. The latest iteration, King V, elevates the strategic importance of technology governance, making it an essential consideration for businesses responding to compliance-focused RFPs. Principle 10 of this framework explicitly addresses the formal governance of data, information, and technology, requiring leaders to understand these domains beyond basic operational support.

Key Takeaways

• King V introduces stricter, strategic compliance for corporate data and technology.
• The framework is recognised globally and frequently required in vendor RFPs.

FAQ

• What is King V Principle 10? It is a corporate governance guideline focusing specifically on the board-level oversight and strategic management of data, information, and technology.

Figure 1 Principle 10: Data & Information Governance

Figure 2 About the Speaker

What are the Definitions of IT and Data?

King V provides specific definitions for technology and data terms to establish a unified foundation for corporate governance.

Under the King Code, Information Technology (IT) strictly refers to hardware, software, networks, and cloud storage. Operational Technology (OT) covers physical and industrial devices. Emerging technology encompasses disruptive innovations like artificial intelligence (AI), quantum computing, and biotechnology.

The framework also strictly distinguishes between data and information. Data consists of raw facts, symbols, and values. Information is data that has been processed, organised, and consolidated to provide actionable context, relevance, and purpose.

Key Takeaways

• IT is defined as hardware and software, which is governed separately from physical OT devices.
• Information is structured data that delivers actionable knowledge and insight.

FAQ

• How does King V distinguish between data and information? Data refers to raw facts and values, whereas information is data that has been processed and structured to provide context and understanding.

Figure 3 Disclosure

Figure 4 Data, Information and Technology

Figure 5 Distinct but Interconnected Fields

Figure 6 Distinct but Interconnected Fields pt.2

Is Ethical Technology Governance a Board Responsibility?

Ethical technology governance is a non-delegable fiduciary duty that requires direct oversight from corporate boards.

Technology management is no longer a back-office IT function; King V establishes data and technology as a core strategic pillar equivalent to human resources or enterprise risk. Corporate directors carry personal liability for technology outcomes, making executive empowerment in data stewardship an operational necessity.

Modern technology governance focuses on achieving specific ethical outcomes rather than mere technical outputs. Boards are responsible for ensuring organisational legitimacy, prudent conformance, an ethical culture, and continuous value creation. This requires leaders to actively evaluate the economic, social, and environmental impacts of all deployed technologies.

Key Takeaways

• Boards carry personal legal liability for corporate technology governance.
• Strategic focus must shift from technical system outputs to ethical and societal outcomes.

FAQ

• What are the core technology governance duties of a corporate board? A board must ensure technological legitimacy, continuous conformance, ethical deployment, and overall organisational value creation.

Figure 7 Distinct but Interconnected Fields pt.3

Figure 8 Ethical Technology Governance Creates Sustainable, Long-term Value

Figure 9 The End of IT Deference

Figure 10 Governance Transforms from Infrastructure Oversight to Strategic Stewardship

Figure 11 Information Mastery Directly Drives the Four King V Governance Outcomes

Figure 12 Section 76: the Statutory Duty to be Informed

Figure 13 Governance Paradigm Shift

Figure 14 The Fiduciary Blind Spot in a Rapidly Shifting Business Environment

Figure 15 Another Reason

Figure 16 The Data to Knowledge Hierarchy

Figure 17 The Director’s Duty under King V

What are the Key Principles of the King Code?

The King Code is a foundational corporate governance framework that has evolved into a streamlined set of 13 principles under King V.

Originally commissioned by Nelson Mandela and established by Dr Mervyn King in 1994, the King Code was designed to promote ethical corporate behaviour in South Africa. Owned by the Institute of Directors, the framework has expanded to become a globally influential standard.

King V significantly simplifies previous iterations by minimising the code to 13 core principles. Furthermore, reporting against these guidelines is now mandatory for JSE-listed companies. A major update in King V includes a standardised disclosure framework template, which makes compliance reporting highly structured and measurable.

Key Takeaways

• King V consolidates historical corporate governance rules into 13 core principles.
• JSE-listed companies must use the new standardised disclosure framework for compliance.

FAQ

• Who manages the King Code? The framework is owned and managed by the Institute of Directors in South Africa.

Figure 18 Introduction to IoDSA

Figure 19 Key Changes in the King V Code

How does King V Framework Affect Governance Practices?

King V operationalises governance by mapping recommended practices to core principles, effectively turning technology risk into board-level business risk.

The framework operates on an “adapt and adopt” methodology, meaning companies must explicitly explain how they intend to achieve required governance outcomes if they choose to deviate from the recommended practices. These outcomes focus heavily on demonstrating an ethical culture, performance, conformance, and stakeholder legitimacy.

Under King V, boards are accountable for the full lifecycle of enterprise data, encompassing cybersecurity strategies, outsourced technologies, and third-party vendor risks. Any significant technological risk must be evaluated with formal mandates and reported directly to the board, utilising the same oversight applied to financial risk management.

Key Takeaways

• Companies must publicly justify any deviations from King V’s recommended practices.
• Technology and data risks are now legally classified as core business risks requiring continuous board monitoring.

FAQ

• How does King V handle outsourced technology risk? Boards must continuously monitor and mandate reporting for any significant risks associated with third-party vendors and external data transfers.

Figure 20 The Structure of the King V Code

Figure 21 King V on a Page

Figure 22 King V on a Page pt.2

Figure 23 The 6 Dimensions of Oversight

Figure 24 Mapping the Pitfalls: Cyber & Third-party Risk

Figure 25 Data Functions as a Strategic Asset throughout a Continuous Lifecycle

Figure 26 Resilience Expands Beyond Prevention to Encompass the Entire Ecosystem

Figure 27 Tech Risk is Business Risk

Figure 28 Approved Frameworks Forge the Pathway for Data Control

Figure 29 The Feedback Loop: Periodic Assurance

Figure 30 Periodic Assurance Closes the Loop to Inform Continuous Steering

How can we Mitigate Corporate Liability with AI?

Mitigating corporate liability requires mandatory AI governance training and the implementation of automated, code-level compliance mechanisms.

Artificial Intelligence introduces unique, non-deterministic risks, behaving more like an autonomous digital employee than traditional software. To govern it effectively, executives must acquire high-level AI literacy through dedicated board briefings that address algorithmic biases and training data limitations.

Organisations must also integrate human-centric values directly into AI systems. King V emphasises that written policies are no longer sufficient; safety guardrails, human override protocols, and privacy rules must be hard coded into the AI itself. This involves deploying specialised software agents whose sole purpose is to continuously audit and enforce system compliance.

Key Takeaways

• AI governance requires continuous, role-based literacy training across the entire organisation.
• Compliance rules and override protocols must be coded directly into AI software as automated agents.

FAQ

• Why is traditional policy insufficient for governing AI? AI requires hard-coded safety guardrails and automated compliance agents to continuously monitor its non-deterministic decision-making.

Figure 31 Practical Actions to Mitigate Liability

How do Companies Implement King V Effectively?

Leading organisations successfully implement King V by establishing dedicated, board-level digital transformation and information governance committees.

Best-in-class companies intentionally separate data and information governance from traditional IT management to fully satisfy King V requirements. For example, the Sanlam group created a standalone Digital Transformation and Information Technology Committee directly on their board, elevating digital strategy out from beneath standard risk compliance.

Similarly, the Woolworths group integrated a specific ethics governance framework to handle data protection and the ethical use of generative AI. By involving CEOs, CFOs, and board chairs directly in these specialised committees, leading companies ensure that AI deployment drives operational efficiency while maintaining strict, top-down regulatory compliance.

Key Takeaways

• Enterprise data governance and IT management should be treated as distinct organisational operations.
• Overachieving companies place digital transformation and AI committees directly at the board level.

FAQ

• How should a corporate board structure technology governance? Boards should establish dedicated technology and information committees that include executive leadership to ensure strategic digital oversight.

Figure 32 Real-world Example

Figure 33 Governance & Management of Information & Technology

Figure 34 A Typical Governance Structure

Figure 35 Sanlam Limited: Multi-layered IT Governance

Figure 36 WHL 2025 King IV Report – Principle 2: Ethics

Figure 37 King IV Principle 11 > King V Principle 8: Risk

What are Real-world Examples of Corporate IT Governance?

A structured compliance framework effectively bridges high-level corporate policies with auditable daily operating procedures.

Translating board mandates into daily action requires a strict hierarchy of documentation. A framework defines the organisational intention, which is codified into a formal policy outlining exactly what must be achieved. Crucially, well-written policies should remain stable over many years and rarely require updates.

Policies are subsequently translated into dynamic processes, which define team responsibilities, and Standard Operating Procedures (SOPs), which provide granular execution instructions. These SOPs contain the actual technical controls that generate the auditable evidence required by internal risk managers and external auditors.

Key Takeaways

• Policies define what an organisation must do, while SOPs detail exactly how to execute it.
• Effective SOPs establish measurable technical controls that generate valid compliance audit evidence.

FAQ

• How often should corporate policies be updated? High-level policies should rarely change, whereas operating procedures and processes should be updated frequently as tools or structures shift.

Figure 38 Information Governance Structure of Woolworths Holdings

Figure 39 The Compliance Gap

Figure 40 Compliance Management

Figure 41 Compliance Framework

Figure 42 Sample Data and Information Management Framework

Where should Data Governance Ideally Reside in Organisations?

Effective data governance must be led by leadership capable of delegating authority, clearly separating high-level strategic oversight from daily technical management.

A common organisational challenge is determining exactly where data governance should reside. The King Code framework dictates that governance strictly belongs with board directors and designated ethics committees who possess the organisational authority to set strategic direction and delegate power.

Data management, conversely, is a distinct discipline handled by executive leadership and IT teams who execute the frameworks handed down by the board. To manage AI and data investments safely, governance bodies must utilise a delegation of authority framework that explicitly defines decision mandates and risk limits for major technology initiatives.

Key Takeaways

• Governance bodies set strategy and delegate power, while management teams execute the operations.
• Delegation frameworks provide vital guardrails for financial and strategic decision-making regarding data lifecycles.

FAQ

• Where should data governance sit within an organisation? Governance must reside with board-level directors or ethics committees who have the institutional authority to set mandates, not within the IT management department.