The release of the King V Code on Corporate Governance for South Africa, 2025 (King V), represents an evolution in South Africa’s governance framework. For organisations already aligned with King IV, their focus should be on achieving governance maturity, rather than a structural overhaul. The question boards should now be asking is no longer “what must be rebuilt?” but rather “how do we evolve our existing governance arrangements to better deliver on the four governance outcomes”?

King V raises expectations by sharpening the focus on integrated thinking, positioning governance as performance-enabling, and sustainable value creation.

A stronger emphasis on integrated governance

The governance role of the governing body is a continuous, integrated cycle encompassing:

  • Check circle iconsteering the organisation and setting its strategic direction;
  • Check circle iconformulating policies and putting together plans to give effect to the set direction and then deliberating on and approving these policies and plans;
  • Check circle icondelegating the implementation to management and exercising oversight and monitoring thereof; and
  • Check circle iconensuring accountability of the organisation to its stakeholders through formal reports, disclosures and engagement.

In carrying out this role, governing bodies must operate across four complementary dimensions: (i) they need to look inward at the organisation itself, and (ii) outward at the economic, social and environmental context in which it operates; (iii) they must balance a present‑day focus on oversight and control with accountability for past decisions, while at the same time (iv) keeping a clear eye on the future through strategy and policy.

Technology governance moves to the centre

Under King IV, technology governance was embedded within corporate governance, focusing on aligning technology with business strategy, strengthening resilience, and ensuring that information, data and technology risks were well governed and compliant. The aim was to create resilient organisations capable of adapting to technological advancements while safeguarding against emerging risks.

King V elevates data, information and technology into a strategic pillar (Principle 10), positioning them as core to value creation, sustainability and stakeholder trust. This shifts the governing body’s role from oversight alone to active stewardship of how data and technology are used responsibly.

For boards, this means technology oversight must be integrated, regular, and strategic, not episodic or technical in nature.

Combined assurance becomes a strategic board tool

While King IV introduced combined assurance, King V significantly raises expectations around its application. Boards are now expected to ensure a deliberate, coordinated, and outcomes‑focused approach to assurance across:

  • Check circle iconManagement controls
  • Check circle iconInternal audit
  • Check circle iconExternal audit
  • Check circle iconRisk, compliance, and specialist assurance providers

The objective is not simply assurance coverage, but confidence, reducing duplication, closing blind spots, and enabling the board to rely on a coherent, consolidated view of risk and control effectiveness. In practice, combined assurance moves from being a governance concept to a strategic mechanism supporting board accountability.

Governing in the data, information and technology era: from oversight to stewardship

Under King IV, the governing body and its committees were primarily positioned as oversight and review forums. King V allows forflexibility in governance structures provided that boards can demonstrate effective oversight and achievement of governance outcomes.

For Principle 10, the test should be: “Has the governing body structured itself in a way that enables informed, ethical and effective stewardship of data, information and technology?

Use of existing committees (combined or expanded mandates)

  • Check circle iconMany organisations will locate Principle 10 oversight within the Risk Committee, provided its mandate is expanded to include:
    • Check circle iconData and information governance risks (privacy, quality, ethics)
    • Check circle iconTechnology and cyber risk
    • Check circle iconOutsourced technology and data processing risks
    • Check circle iconEmerging technology risks and opportunities (including AI)
  • Practical governance actions
    • Check circle iconStrengthening skills through appointments, inductions, or targeted development
    • Check circle iconImproving collaboration between committees, management, and assurance providers
    • Check circle iconEnsure standing agenda items on:
      • Check circle iconCyber posture and incidents
      • Check circle iconMaterial data breaches or privacy issues
      • Check circle iconTechnology investment risk and value realisation
  • Check circle iconThe Audit Committee may play a supporting role, particularly in relation to:
    • Check circle iconData quality and integrity underpinning reporting
    • Check circle iconAssurance over information controls
    • Check circle iconOversight of assurance on data and technology governance
  • Where there is no separate technology committee, the Audit Committee can:
    • Check circle iconOversee assurance reports on Principle 10
    • Check circle iconCoordinate with Risk Committee to avoid gaps or duplication

Specialist or hybrid committees (adaptive practice)

Organisations may form specialist committees provided they enhance effectiveness.

  • Check circle iconTechnology / Digital / Data Committee
    • Check circle iconThis is increasingly appropriate where technology and data are central to value creation in the organisation, or there is significant reliance on digital platforms, data analytics or AI.
    • Check circle iconTypical mandate under Principle 10
      • Check circle iconOversight of data and technology strategy alignment
      • Check circle iconMonitoring ethical use of data and AI
      • Check circle iconReview of major technology investments
      • Check circle iconEscalation of material risks to the board

Smaller organisations and individual delegation

King V recognises that smaller or less complex organisations may delegate Principle 10 responsibilities to a single board committee with a broad mandate, or an individual board member with relevant expertise.

  • Check circle iconConditions for effective application
    • Check circle iconDelegation must be formal and documented
    • Check circle iconReporting lines to the full governing body must be clear
    • Check circle iconThe board must retain ultimate accountability
  • Compensating measures may include:
    • Check circle iconMore frequent board-level reporting
    • Check circle iconExternal assurance or advisory input
    • Check circle iconClear escalation thresholds for data or technology incidents

Ensuring Principle 10 is implemented in substance, not form

To evidence effective application of Principle 10 through governance structures, boards should be able to demonstrate that:

  • Check circle iconOversight of data, information and technology is explicitly allocated
  • Check circle iconCommittee mandates, terms of reference and board charters are updated accordingly
  • Check circle iconThere is regular reporting on:
    • Check circle iconData governance effectiveness
    • Check circle iconTechnology risks, opportunities and resilience
    • Check circle iconEthical and compliant use of emerging technologies
  • Periodic independent assurance is obtained and considered
  • Disclosures explain how proportional application still achieves the objectives of Principle 10 in the overall pursuit of the governance outcomes.

Capability matters more than committee structure

King IV moved away from a “tick box” approach to board committees. Rather than prescribing specific committees, it placed the responsibility on the governing body to determine which structures are appropriate for the organisation. Committees were therefore a matter of informed judgement, shaped by the organisation’s needs and stakeholder interests, and not a compliance exercise. Under King V, existing audit and risk committee structures for many organisations remain fit for purpose provided they evolve, while in others, some overlapping committees may need to be consolidated. The emphasis is on the expectation that boards and committees should collectively demonstrate effective governance outcomes across:

  • Check circle iconFinancial and integrated reporting
  • Check circle iconEnterprise and emerging risks
  • Check circle iconTechnology, cyber, and data governance
  • Check circle iconESG and sustainability
  • Check circle iconGovernance and ethics

Major failures (cyber breaches, AI misuse, data ethics scandals) consistently trace back to weak board‑level understanding . Boards are therefore expected to understand, challenge and guide data and technology decisions.

What boards should do next to respond to King V?

To respond effectively to King V expectations, boards, audit and risk committees should consider the following actions:

  1. Reassess integration across oversight functions – Evaluate how audit, risk, technology, and assurance currently intersect.
  2. Update mandates and committee charters – Explicitly reflect King V integration expectations, including technology and ESG oversight, within the committees’ terms of reference.
  3. Strengthen governance capability – Assess whether the current board and committee composition provides sufficient depth in risk, technology, digital resilience, and sustainability.
  4. Elevate combined assurance – Ensure combined assurance is coordinated, deliberate, and aligned to the organisation’s most material risks.
  5. Focus on governance outcomes – Refocus discussions toward decision quality, resilience, and value creation.

King V does not demand more governance. It demands better governance.

For boards, executives, and regulators alike, this is an opportunity to strengthen trust, resilience, and long‑term performance through truly integrated oversight.