Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​​​New Governance Guidance Stretches Thinking on Ethics, Risk, and More​​​​


The King Code of Corporate Governance has been a fine source of principles and practice for governance, including risk, assurance, and compliance, ever since its initial release.

The Institute of Directors in Southern Africa has released for comment the draft of King IV, Report on Corporate Governance for South Africa 2016. (My thanks to Quinton van Eeden for sharing the draft with me.)

I recommend the document to all board members, senior executives, and risk and assurance practitioners.

I will highlight and comment on a few excerpts of note from the Introduction and Foundational Concepts section. But please read the entire document.

  • Corporate governance, for the purposes of King IV, is about the exercise of ethical and effective leadership by the governing body.​

    ​​Such leadership includes four overarching responsibilities of the governing body: (i) providing strategic direction; (ii) approving policy to put strategy into effect; (iii) providing informed oversight of implementation and performance, and (iv) disclosing.

    Ethical and effective leadership should result in the following beneficial governance outcomes for the organization: (i) an ethical culture; (ii) sustainable performance and value-creation; (iii) adequate and effective control by the governing body, and (iv) protecting and building trust in the organization, its reputation, and legitimacy.

​Comment: The emphasis on ethical leadership is interesting. It's not enough to be effective and successful today if the reputation is damaged. King IV recognizes an obligation to society of the corporation, perhaps more so than in other parts of the world. It's also interesting that the organization needs to be seen as having ethical leadership, not only by outsiders but also by employees. The draft code continues in this vein.

  • Good corporate governance has its foundation in effective and ethical leadership. Effective leadership is about directing performance, and it is results-driven. It is about achieving purpose and strategic goals. Ethical leadership is exemplified by responsibility, accountability, fairness, and transparency. Ethical leadership and effective leadership should reinforce each other.

  • In addition to setting the example with its own ethical behavior, the governing body should ensure that it governs the ethics of the organization. The critical role of ethics cannot be overstated. As King III put it: "ethics … is the foundation of, and reason for, corporate governance."

    ​Ethics includes, but is not limited to, the prevention of fraud and corruption. Ethics refers not only to the relations between the organization and its internal stakeholders, but extends to the organization's ethical relationship with society, its responsibility for the ways resources are used and how outcomes are affecting the economy, society, and the environment. Ethics considerations are part of the rationale for regarding the organization as an integral part of society, for corporate citizenship, sustainable development, and stakeholder inclusivity.​

  • The governance of ethics refers to the role of the governing body in ensuring that the management of ethics results in an ethical culture. The governance of ethics in the organization is the manner in which values are given expression and implemented. Both the ethics of governance and the governance of ethics should be in place.
  • The term "culture" is well entrenched in the discourse on business ethics and corporate governance, but also in management disciplines in general. Its essence is: "The way we do things around here when no one is watching." An ethical corporate culture is therefore an indication of norms that have been established over time on the way things are done. Ethical benchmarks, as set out in ethics codes, should be the norm for behavior before an organization can claim to have an ethical culture.

​​Comment: The emphasis on the board being active in assuring the ethical culture of the organization goes further than I have seen elsewhere. The board will need help obtaining that assurance, as it can only assess itself the conduct of the people it works with in top management — as represented by their behavior during board meetings.

  • Integrated thinking is defined as the pro-active "consideration by an organization of the relationships between its various operating and functional units and the capitals that the organization uses or affects. Integrated thinking leads to integrated decision making and actions that consider the creation of value over the short, medium, and long term. Integrated thinking takes into account the connectivity and interdependencies between the range of factors that affect an organization's ability to create value over time.

    Integrated thinking is about much more than eliminating silos. Integrated thinking starts with the governing body making decisions in an integrated manner. Having the value-creation process as a regular agenda item will drive integrated thinking and reporting. Integrated thinking furthermore presupposes that the governing body gives regular consideration to how responsive the business model and activities are to changes in the external environment and expectations of material stakeholders.

    With the governing body having set the tone, integrated thinking should be embedded through the integration of strategy, risk and opportunity, sustainable development, performance, and outcomes.

Comment: I like this idea of integrated thinking — so much better than "risk thinking." I especially like the focus on decision-making and the integration of strategy, risk and opportunity, and performance.

Second comment: Note the reference to "risk and opportunity," rather than just risk. I am writing about this separately in my personal blog at

  • Even though some members of the governing body may be classified as independent and others not, as a matter of law, an independent state of mind and the responsibility to bring objective judgment to bear are part of the legal duties of all those charged with governance. This is true whether a person is classified as executive, non-executive, or a non-executive independent member of the governing body.

Comment: please see my earlier post at

  • In the King IV Code, the role of the social and ethics committee is generally defined as "uphold, monitor, and report on organizational ethics, responsible corporate citizenship, sustainable development, and stakeholder inclusivity." This encompasses the statutory duties, but the intent is to have the activities of this committee contributing to ethics, strategy, and objectives beyond mere compliance.

Comment: The concept of a "social and ethics" committee is interesting. I commend it for consideration by every board.

  • The traditional view of risk is that it is “the effect of uncertainty on objectives,” but risk can be seen from various perspectives. It is about not knowing what events may or may not occur, the likelihood of an event occurring and the possible effect (negative or positive) on objectives. King IV recognizes that organizations strive to achieve strategic objectives in an increasingly volatile environment, fraught with uncertainties that may work to the benefit or detriment of the organization, depending on its objectives. Mindfully taking these uncertainties into account when plotting the organization’s course makes it more likely that opportunities can be captured and risks mitigated.

    The global financial crisis showed how excessive risk-taking could cause corporate failure. At the same time, risk is necessarily part of business, and enterprise can be defined as the undertaking of risk for reward. Risk-taking per se is therefore not to be discouraged, but rather excessive risk-taking. What would constitute excess is a matter of judgment by the governing body, which it should exercise and clarify by setting the level of risk appetite and tolerance.

Comment: I could quibble that effects of uncertainty are not limited to events, but can be the results of situations — and very definitely are the result of decisions. But that would take away from the excellence of this section in King IV. It is important to note that not taking sufficient risk, being overly averse to risk, can be very damaging to an organization and its success.

  • King III introduced the combined assurance model, but this concept needs to be developed. King IV expands the traditional "three lines of defense" to "five lines of assurance" to incorporate all assurance role players. The model emphasizes that assurance is not primarily about defense but rather about having an adequate and effective control environment and strengthening the integrity of reports for better decision-making.

    Internal audit as part of the third line of assurance remains pivotal to corporate governance. Its role has evolved in recent years for it to contribute insight in the business and furthermore, foresight through the use of pattern recognition, trend assessment, analysis, and scenarios. An internal audit function should strive for this level of excellence.

Comment: Congratulations to King IV for discarding the "three lines of defense" term in favor of "five lines of assurance." It is not perfect, but at least it recognizes that the management of risk is not limited to playing defense and avoiding failure.

The Draft Code includes a number of principles, with explanatory detail and guidance. I highly recommend it as a tool for evaluating the effectiveness of your own organization's governance, including risk management, compliance, and assurance (including internal audit).

What do you like/dislike in the draft of King IV?
