My Dinner with Dr. Mervyn King

His Royal Highness Prince Charles, in a videotaped welcome message kicking off The Institute of Internal Auditors International Conference in London this summer, spoke of the importance of long-term value creation, noting that nonfinancial reporting is changing the face of internal audit.

He deferred on the subject to a general session speaker, Professor Mervyn E. King – not the former head of the Bank of England, but the former South African judge widely considered a staunch champion of corporate governance and viewed by some as the father of integrated sustainability reporting.

King, the eponymous architect of South Africa’s pioneering integrated reporting framework, has served and, I believe, continues to serve as chair of the International Integrated Reporting Council (IIRC). The IIRC was created by Prince Charles to examine long-term solutions to value creation and break the cycle of corporate governance driven by short-term financial pressures. Quite a daunting task, and one which required a special person to lead the effort.

Some 14 years ago, I undertook a 32-day trip around the globe to promote a book I wrote on the topic of enterprise risk management. This was, in fact, the first book published on the subject. One of the countries I visited was South Africa. My partners at Andersen in Johannesburg arranged a dinner with several individuals, including Dr. King. It was a long table in a private room and Dr. King and I were seated directly across from each other. While I am sure Dr. King has long forgotten that evening in Johannesburg, it was a memorable experience for me personally. I learned firsthand that he and I had a common core set of views on a wide variety of topics around corporate governance, risk management and internal control, and their importance to creating and protecting enterprise value. Most importantly, he was quite the gentleman.

At the time, Dr. King was chairing a committee that prepared what became known as the King II Report, which updated a prior version of a governance framework. Issued in March 2002, the report covered such topics as directors and their responsibility, risk management, internal audit and integrated sustainability reporting. Acclaimed internationally, King II was a rich source of input to the U.S. Congress in formulating the Sarbanes-Oxley Act. Since then, Dr. King has consulted with and advised bodies all over the world on King II and governance generally.

In 2009, King II was updated because Dr. King was of the view that sustainability issues did not warrant a mere separate chapter but should be integrated into the mainstream. The resulting King III report asserted that strategy, risk, performance and sustainability are inseparable; hence, the phrase “integrated reporting” was used throughout the report.

I recently saw an article referencing King III and its impact on integrated reporting. The principles of the King III framework, which now form the nucleus of the IIRC’s integrated reporting framework, raise the bar for governing and managing an organization. They can be summarized as follows:

  • Good governance is essentially about effective leadership. Leaders need to define strategy, provide direction, and establish the ethics and values that will influence and guide practices and behavior with regard to sustainability performance.
  • Sustainability is now the primary moral and economic imperative, and it is one of the most important sources of both opportunities and risks for businesses. Nature, society and business are interconnected in complex ways that need to be understood by decision makers. Incremental changes towards sustainability are not sufficient – we need a fundamental shift in the way companies and directors act and organize themselves.
  • Innovation, fairness and collaboration are key aspects of any transition to sustainability – innovation provides new ways of doing things, including profitable responses to sustainability. Fairness is vital because social injustice is unsustainable and collaboration is often a prerequisite for large-scale change.
  • Social transformation and redress is important and needs to be integrated within the broader transition to sustainability. Integrating sustainability and social transformation in a strategic and coherent manner will give rise to greater opportunities, efficiencies and benefits, for both the company and society.
  • Sustainability reporting is in need of renewal in order to respond to a) the lingering distrust among civil society of the intentions and practices of big business, and b) concerns among business decision makers that sustainability reporting is not fulfilling their expectations in a cost-effective manner.

These are sound principles. Slavish devotion to short-term financial goals is an unwise policy from the standpoint of the long-term interests of our global society. While the almighty bottom line will always be important, income inequality, resource preservation, chronic unemployment, carbon footprint size and other issues suggest that business strategies should drive long-term corporate growth and profitability by considering environmental and social issues in the business model. Some take this mantra seriously. Many don’t. King III is a call to action on this front.

Looking back fondly on that dinner, so many years ago, I raise a glass once again in Dr. King’s honor and wish him continued success at bringing his much-needed ideas into the corporate and public company mainstream.

For more on the work of the IIRC, visit For more on Mervyn E. King and King III, visit


Tuning the Tone at the Top: Is Your Board “on Board” with Data Security and Privacy?

With cyber attacks and data breaches routinely making media headlines, conventional wisdom suggests companies would be making IT security and data privacy a top priority.

But the results of Protiviti’s 2014 IT Security and Privacy Survey indicate many organizations still have done little to safeguard against such potential crises. And worse, they are ill-prepared to mitigate them if they should strike.

Perhaps, most glaring – and difficult to explain – is the lack of corporate initiative with regard to written information security policies (WISPs) and data encryption policies. More than one-third of survey respondents said they do not have a WISP in place, and 41 percent lacked a data encryption policy.

Such findings are startling, considering that 46 of 50 states have data privacy laws that impose significant penalties on organizations that expose confidential data. Every privacy-related law holds accountable the company in possession of private data if that information is breached. Just as important, nearly all of these laws allow for leniency if the targeted organization has a WISP and data encryption policy. There is no way to sugarcoat it. With the opportunity to minimize legal liability, it is imperative for companies to adopt these policies.

Beyond highlighting such deficiencies, our survey provides insights into key factors that help organizations establish and maintain a robust IT security and privacy profile. Conducted in the second quarter of this year, the survey incorporates responses from more than 340 CIOs, chief information security officers, and other IT executives and management-level professionals.

The common denominator among entities with strong cybersecurity profiles is an engaged board of directors that is cognizant of security and privacy issues. According to our survey, 78 percent of organizations with boards demonstrating a high or medium level of engagement and understanding of security risks had all “core” information security policies in place. It is important to note that involvement doesn’t mean boards must be aware of every security practice detail. However, boards that set a strong “tone at the top” will drive their organizations to plan and implement more robust cybersecurity measures.

Our survey’s findings repeatedly show striking differences in security performance between companies with strong board engagement in information security and those without it.

For example, with data volume growing almost exponentially, it is paramount for companies to stratify their data based on importance and apply appropriate retention and destruction dates to each type, according to regulatory and legal requirements or industry standards. Here again, there is a clear divide between companies with regard to this pressing challenge: 87 percent of companies with boards that are highly engaged in information security have a clear data classification policy, compared with 64 percent for those lacking board engagement.

Likewise, although all companies can fall victim to hackers, it is interesting that those with a board that is more engaged in information security likely will recover more quickly after an attack: 77 percent of these companies have a formal and documented crisis response plan that would be executed in such an event. By comparison, only 47 percent of companies without high board engagement in information security are similarly prepared.

The obvious question is, why is high board engagement in information security such a differentiator? In our experience, operational teams in these organizations are compelled to tackle IT security issues earnestly as a result of oversight and direct questions from board members. Furthermore, they likely are producing meaningful metrics and communicating effectively with the board, which in turn may authorize management to make greater investments in security measures.

The clear takeaway here is that a board that is highly engaged in information security often leads to a security-conscious environment that fosters a true understanding of an organization’s capabilities – and, just as importantly, its limitations.