What Is King IV?
King IV is the King Report on Corporate Governance for South Africa, issued by the Institute of Directors in South Africa (IoDSA). Unlike technical risk frameworks, King IV is governance-driven. It focuses on how leadership structures, ethical culture, and decision-making processes ensure that risk is properly identified, managed, and disclosed.
King IV applies to:
- Listed companies: JSE listing requirements mandate King IV application
- State-owned entities: SOEs are expected to apply King IV
- Public sector institutions: Municipalities and public entities
- Private companies and non-profits: On an apply-and-explain basis
King IV is principle-based, not rules-based. Organisations are expected to apply the principles and explain how they do so in a way that achieves good governance outcomes.
Apply and Explain
King IV uses an "apply and explain" approach rather than "comply or explain." This means organisations must apply the principles and then explain how their practices achieve good governance outcomes—focusing on substance over form.
Governance Outcomes Under King IV
King IV is built around four governance outcomes, all of which are directly influenced by risk management:
| Outcome | Description | Risk Connection |
|---|---|---|
| Ethical Culture | Values-based leadership and ethical decision-making | Risk culture, tone at the top, ethical risk awareness |
| Good Performance | Strategy execution and sustainable value creation | Risk-adjusted performance, opportunity management |
| Effective Control | Internal controls and risk management | Control environment, risk treatment, monitoring |
| Legitimacy | Stakeholder trust and accountability | Risk disclosure, transparency, stakeholder engagement |
Risk management is not a standalone function under King IV. It is a governance enabler that supports all four outcomes.
The Role of Risk Management in King IV
Under King IV, risk management is primarily a leadership and oversight responsibility, not merely a technical or operational task.
King IV expects organisations to:
- Govern risk in a way that supports strategic objectives: Risk enables strategy
- Ensure that risk oversight is exercised at board level: Not delegated entirely
- Integrate risk into performance, compliance, and assurance: Connected systems
- Disclose risk governance practices transparently: Apply and explain
Risk management under King IV is therefore about how decisions are made, not just how risks are documented. This approach aligns well with enterprise risk management principles.
Leadership and Oversight Responsibilities
The Governing Body (Board / Council)
King IV assigns ultimate responsibility for risk governance to the governing body. This includes:
- Approving risk policy and risk appetite: Setting the boundaries
- Overseeing the implementation of risk management: Active engagement
- Ensuring that risk information supports decision-making: Quality and timeliness
- Delegating appropriately while retaining accountability: Cannot abdicate responsibility
Common failure: Boards approve risk frameworks but do not actively engage with risk information. Risk becomes a compliance item rather than a governance priority.
Management
Management is responsible for:
- Implementing risk management processes: Operational execution
- Identifying and assessing risks across operations: Using tools like risk registers
- Designing and executing risk responses: Controls and treatments
- Reporting risk information to the governing body: Clear, decision-useful reporting
King IV expects management to treat risk management as an operational discipline, not a reporting exercise.
Accountability Cannot Be Delegated
While boards may delegate risk management activities to committees or management, ultimate accountability for risk governance remains with the governing body. Delegation is not abdication.
Risk Appetite and Tolerance Under King IV
King IV places strong emphasis on risk appetite as a governance tool.
Risk appetite:
- Articulates the level of risk an organisation is willing to accept: Quantitative and qualitative
- Guides strategy, planning, and decision-making: Not just documentation
- Provides context for evaluating risk exposure: Against defined thresholds
A common weakness in South African organisations is that risk appetite statements exist but are not operationalised. King IV expects risk appetite to influence real decisions, not remain theoretical.
Understanding the difference between inherent and residual risk helps organisations communicate how controls bring exposure within appetite.
Risk, Performance, and Strategy Alignment
One of King IV's key contributions is the explicit link between risk and performance.
King IV expects organisations to:
- Consider risk when setting strategic objectives: Risk-informed planning
- Monitor whether risk exposure aligns with performance outcomes: Variance analysis
- Use risk information to explain performance variances: Root cause understanding
This alignment is critical in:
- Public sector performance management: Government accountability
- SOE turnaround strategies: State-owned entity governance
- Listed company reporting: Investor communication
Risk Management and Assurance Under King IV
King IV adopts a combined assurance approach. This means:
- Management, internal audit, external audit, and other assurance providers work in a coordinated way: No duplication or gaps
- Risk information informs assurance planning: Audit focus follows risk
- Assurance activities provide comfort over risk management effectiveness: Evidence-based
In practice, this requires linking risks, controls, incidents, and audit findings—not managing them in silos.
Three Lines Model
Combined assurance typically follows a three lines model:
| Line | Role | Responsibility |
|---|---|---|
| First Line | Management | Own and manage risks and controls |
| Second Line | Risk & Compliance | Provide oversight, guidance, and monitoring |
| Third Line | Internal Audit | Provide independent assurance |
King IV and Compliance Risk
King IV expects organisations to manage compliance risk proactively.
This includes:
- Understanding applicable laws and regulations: Complete inventory
- Monitoring compliance obligations: Systematic tracking
- Integrating compliance risk into the risk management framework: Not separate silos
In the public sector, this often includes:
- PFMA (Public Finance Management Act)
- MFMA (Municipal Finance Management Act)
- Treasury Regulations
- Sector-specific legislation
Failure to manage compliance risk effectively often results in adverse audit outcomes from the Auditor-General.
Disclosure and Transparency
Under King IV's apply-and-explain philosophy, organisations must disclose:
- How risk is governed: Board and committee structures
- How risk management supports objectives: Integration with strategy
- How assurance over risk is achieved: Combined assurance model
These disclosures are scrutinised by:
- Regulators and the JSE
- External and internal auditors
- Investors and analysts
- Parliamentary and council oversight bodies
Poor or generic disclosures are often interpreted as weak governance. Effective disclosure demonstrates that risk management is embedded in decision-making, not just documented.
Common Misinterpretations of King IV Risk Management
Many organisations struggle with King IV because of the following misconceptions:
| Misconception | Reality |
|---|---|
| Treating King IV as a compliance checklist | King IV is about governance outcomes, not tick-boxes |
| Delegating risk entirely to a risk department | Board retains ultimate accountability |
| Confusing risk reporting with risk management | Reports are outputs; management is the discipline |
| Failing to link risk to performance and assurance | King IV requires integration, not silos |
King IV is not about having policies—it is about how leadership governs risk in practice.
King IV in Practice (South African Context)
Organisations that apply King IV effectively:
- Use risk information in board and committee meetings: Active discussion
- Align risk, compliance, audit, and performance reporting: Integrated view
- Maintain evidence for oversight and assurance: Documentation supports practice
- Treat apply-and-explain as a governance opportunity: Not a reporting burden
Those that fail often experience:
- Repeat audit findings
- Weak oversight and accountability gaps
- Reputational damage and stakeholder distrust
King IV vs ISO 31000 and COSO ERM
King IV, ISO 31000, and COSO ERM serve different but complementary purposes:
| Aspect | King IV | ISO 31000 | COSO ERM |
|---|---|---|---|
| Primary Focus | Governance and oversight | Risk process | Strategy and performance |
| Geographic Relevance | South Africa | Global | Global |
| Audience | Board and leadership | Enterprise and operations | Board and executives |
| Style | Principle-based | Principle-based | Component-based |
In practice:
- King IV sets governance expectations: What boards must oversee
- COSO ERM supports strategic oversight: How risk connects to strategy
- ISO 31000 supports operational execution: How risks are managed day-to-day
They are complementary, not competing. Many South African organisations use all three.
Summary
- King IV positions risk management as a cornerstone of good governance in South Africa
- The governing body (board) retains ultimate accountability for risk governance
- Risk appetite must be operationalised to guide real decisions, not just documented
- Combined assurance integrates management, risk, compliance, and audit functions
- Apply-and-explain requires disclosure of how governance outcomes are achieved
- King IV complements ISO 31000 and COSO ERM rather than replacing them
Frequently Asked Questions
Is King IV mandatory?
King IV is not legislation, but it is widely expected and applied across South African organisations. For JSE-listed companies, application of King IV is a listing requirement. Public entities and municipalities are expected to apply King IV principles as part of good governance practice.
Does King IV replace risk frameworks like ISO 31000?
No. King IV governs how risk is overseen at governance level, while ISO 31000 governs how risk is managed at operational level. The two are complementary—King IV sets expectations for board oversight, and ISO 31000 provides the process framework for execution.
Who is responsible for risk under King IV?
Ultimate responsibility for risk governance lies with the governing body (board or council). Management is responsible for implementing risk management processes and reporting to the governing body. Internal audit and other assurance providers give comfort over risk management effectiveness.
What is the apply-and-explain approach in King IV?
King IV uses an "apply and explain" approach where organisations apply the principles and then explain in their integrated reports how they have applied them to achieve good governance outcomes. This differs from the old "comply or explain" approach and focuses on substance over form.