Integrated Reporting - A technical ISO challenge?
By Terry Booysen
Chief Executive Officer
CGF Research Institute (Pty) Ltd
More organisations are beginning to realise that their ability to produce an annual Integrated Report -- as recommended by the King Report on Governance for South Africa 2009 (King III) -- is not as simple as they may have first believed. Needless to say, there is now, more than ever before, a critical need for boards and their executive management to understand why IT governance has become such a key component of their risk management discussions at board level. Simply put, without a robust IT governance strategy and framework, an organisation is going to find it almost impossible to collate the information it requires to produce this important report.
Unlike years gone by, the debate that suggested that information technology (IT) was merely a ‘business enabler’ is clearly redundant; IT has in fact become the backbone of businesses of almost any size. And irrespective of what part of the world your organisation may be operating in, without a well-thought-through and efficient IT strategy, an organisation is pretty much doomed.
It is for these reasons -- amongst others -- that King III has paid particular attention to IT governance, and together with the board’s responsibility to govern its risks and risk management, it will be quite interesting to see how the organisation will produce a meaningful and concisely written Integrated Report. The intention of the Integrated Report is to provide a holistic view of the manner in which the organisation has dealt with its financial reporting, as well as its non-financial performance regarding social, environmental and other governance-related matters. Clearly, where organisations have disregarded the value of IT, or where they have failed to use IT in a manner that optimises its ability to accurately collate information across their entire supply chain, compiling the Integrated Report will become a nightmare, and the information may be questionable if it has been extrapolated from rank and file who rely on unstructured or haphazard information and reporting systems.
It is also most likely that both informed institutional investors and any potential activists will add further pressure upon organisations to deliver a report in which accurate information is provided, and which will be used for their respective objectives and purposes. Naturally, in both cases, the organisation will most certainly not want an Integrated Report which is not produced on time, or which contains ineffectual, inaccurate or misleading information. Besides the likely backlash from the organisation’s stakeholders, the extent to which the information is misrepresented could also carry additional penalties and liability (joint and several) under the Companies Act ’08, specifically under the auspices of reckless behaviour. Moreover, because the JSE -- through its Listings Requirements -- has made it compulsory for all listed companies to comply with King III and the Integrated Reporting requirements, further penalties could be imposed upon those organisations that do not comply. To avoid the obvious consequences, organisations may begin to reconsider the important, indeed critical, role fulfilled by a decent and robust IT platform which includes an information security management system (ISMS) containing a set of policies concerned with information security and other IT-related risks which are linked to ISO 27001.
The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk. As with all management processes, an ISMS must remain effective and efficient in the long term, and must have the ability to adapt to any changes in the internal and external environment of the organisation. While many organisations may have a number of information security controls in place, without an ISMS the controls in themselves may be somewhat disorganised and disjointed, and therefore hamper the organisation’s ability to draw and collate the required information for their Integrated Report.
In line with the King III recommendations, the board will need to step up to the plate and understand that IT is not only a technical issue meant for operations, but has indeed become a significant component of regular strategic debate. Furthermore, the ability -- or the lack thereof -- to collate accurate information for the Integrated Report is also intertwined with the security and protection of the organisation’s information. Failing to maintain a discussion of this importance at the highest levels of the organisation will also most likely lead to negative impacts upon the following areas of the organisation:
· the business continuity;
· various forms of damages and loss;
· loss of competitive edge;
· profitability and cash-flow;
· image and reputation; and
Professor Mervyn King SC, who is the chairman of the International Integrated Reporting Council and the King Committee, said an Integrated Report is not simply bolting the sustainability report of an organisation to its financial report. It incorporates -- in clear language -- material information from these and other sources to enable stakeholders to evaluate an organisation’s performance, and to make an informed assessment about its ability to create and sustain value.
Besides the challenges organisations may still face regarding their ability to produce their Integrated Report, not least their technical IT issues, they will further need to establish how to ‘pitch’ the tone within the Integrated Report so that the report also conveys the culture of the organisation. As with so many things in life -- particularly with the scrutiny of all the organisation’s stakeholders regarding the governance measures taken by the organisation -- stakeholders increasingly want to see the ‘human side and touch’ of the organisation. If this in itself was not enough of a challenge, how and what will organisations report in their Integrated Reports when there are no specific guidelines or standards that define the content of an Integrated Report?
In closing, through the contents provided in the Integrated Report, stakeholders will have the ability to decide, for financial and/or ethical reasons, whether an organisation is deserving of their support, and whether it should be allowed to continue its operations should such operations be offensive or damaging to people and the environment. South Africa is one of the first countries worldwide to actively encourage Integrated Reporting as a recommended business practice, and this is articulated in King III.