South Africa's King governance codes have defined the standard for corporate governance since King I in 1994. King IV, released in 2016, embedded risk governance as a core board responsibility. As the governance landscape evolves toward what practitioners increasingly call "King V" thinking — reflecting post-pandemic governance expectations, ESG integration, digital risk, and AI governance — South African boards face heightened expectations for risk oversight. This guide explains what boards must know and do in 2026 to fulfil their risk governance obligations. Organisations looking to support their board's risk oversight with technology can explore GRC software built for South Africa.
Board Risk Oversight Obligations Under King IV
King IV places ultimate responsibility for risk governance at the board level. Principle 11 states: "The governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives." This is not a delegatable obligation — the board retains accountability even when risk management is executed by management.
Specific board obligations include:
- Set risk governance direction: Approve the risk management policy, risk appetite, and risk tolerance parameters
- Oversee risk management: Satisfy itself that risk management is effective — not just that processes exist
- Integrate risk with strategy: Ensure that risk-taking is intentional, informed, and within approved appetite
- Disclose risk governance: Report transparently on risk governance in the integrated annual report
- Oversee combined assurance: Ensure that assurance activities are coordinated and cover key risks
"Apply and Explain" — Not "Apply or Explain"
King IV operates on an "apply and explain" basis — organisations must explain how they have applied each principle, not just whether they have. This shifts the focus from box-ticking to demonstrating governance outcomes. Investors, the JSE, and rating agencies assess the quality of the explanation, not just its presence. Weak or generic risk governance disclosures are a governance red flag.
The Board Risk Committee
Most South African listed companies and larger public sector entities maintain a dedicated board risk committee to assist the board in its risk oversight role. Best practice for a board risk committee in 2026 includes:
| Aspect | Best Practice Standard |
|---|---|
| Composition | Majority independent non-executive directors; risk expertise required (not just oversight experience) |
| Meeting frequency | At least quarterly; additional meetings for material risk events |
| Risk information | Receives real-time risk dashboards between meetings, not just periodic reports |
| Mandate | Clear, board-approved terms of reference covering all risk categories including technology, ESG, and AI risk |
| Management interface | Direct access to CRO and management, not filtered through the CEO |
| Escalation | Defined escalation triggers for reporting to the full board between scheduled meetings |
Emerging Risk Areas Requiring Board Attention in 2026
AI and Technology Risk
Boards increasingly need to oversee AI risk — not just IT risk. This includes AI model failure, algorithmic bias, AI-enabled fraud, and the governance of AI-assisted decision-making. King IV's principle of governing technology and information assets applies directly to AI systems. The board's risk committee must understand AI risk even if board members are not technologists.
Climate and ESG Risk
JSE-listed companies and large organisations face growing stakeholder expectations for climate-related risk disclosure aligned with TCFD (Task Force on Climate-related Financial Disclosures) and the new IFRS S1/S2 sustainability disclosure standards. The board's risk oversight must extend to climate transition risk, physical climate risk, and social risks.
Geopolitical and Macroeconomic Risk
South Africa's economic environment in 2026 — load shedding, political uncertainty, rand volatility, and post-greylisting financial sector expectations — requires boards to maintain a clear view of strategic risk exposure and scenario analysis outcomes.
Combined Assurance: The Board's Oversight Tool
Combined assurance is King IV's model for coordinating assurance activities to provide a comprehensive picture of risk and control across the organisation. Under combined assurance:
- First line (management): Owns and manages risks and controls, provides primary assurance
- Second line (risk and compliance): Provides oversight assurance through the risk framework and compliance programme
- Third line (internal audit): Provides independent assurance on the effectiveness of risk management and controls
- External assurance providers: External auditors, sustainability assurance providers, regulatory inspectors
The board must be satisfied that the combined assurance model covers key risks adequately — that there are no significant gaps between the risks identified and the assurance received on those risks.
What Boards Need from Risk Reporting
Many board risk reports are still too operational — long tables of risks with ratings, rather than strategic insights. Boards in 2026 need:
- Top risk profile: A clear view of the organisation's highest-priority risks and how they have changed since the last meeting
- Appetite monitoring: Whether risk exposure is within approved appetite parameters — with flagging of breaches
- Emerging risks: Horizon-scanning insights about new or developing risks not yet in the risk register
- Assurance coverage: A combined assurance map showing which risks have assurance coverage and where gaps exist
- Strategic risk integration: Linkage between risk exposure and strategic objective achievement
Technology that provides these insights in a dashboard format — accessible between board meetings, not just in PDF reports — significantly improves the quality of board risk oversight.
Summary
- King IV places ultimate risk governance accountability at the board level — this cannot be delegated
- The board risk committee must have genuine risk expertise, not just oversight experience
- AI, ESG/climate, and geopolitical risk are emerging categories that boards must actively oversee in 2026
- Combined assurance provides the board's primary mechanism for satisfying itself that risk management is effective
- Board risk reporting must shift from operational risk tables to strategic insights — top risks, appetite monitoring, emerging risks, and assurance coverage
- Technology enables real-time risk oversight between meetings, not just quarterly PDF reports
Frequently Asked Questions
Is King IV mandatory for all South African companies?
King IV applies on an "apply and explain" basis to all JSE-listed companies as a condition of listing. It also applies to public sector entities (Schedule 1 to the PFMA) and is recommended for all other organisations. Non-listed companies are not legally required to comply, but institutional investors, lenders, and large customers increasingly expect King IV governance standards as a condition of doing business.
What is the difference between King IV and King V?
As of 2026, King V has not been formally released. "King V thinking" refers to the evolution of governance expectations since King IV — incorporating ESG integration, AI governance, post-pandemic resilience requirements, and enhanced stakeholder accountability. The Institute of Directors South Africa (IoDSA) periodically issues supplementary guidance addressing these developments. Boards should monitor IoDSA publications for the formal release of King V.
Can the board delegate risk management to the CRO?
Risk management execution can be delegated to the CRO and management. Risk governance accountability cannot. The board must satisfy itself that risk management is effective — which requires active oversight, not passive receipt of reports. A board that relies entirely on the CRO without exercising independent judgement on risk information is not fulfilling its King IV obligations.
How should the board handle AI risk oversight?
Boards should ensure that AI risk is explicitly included in the risk appetite statement and risk register. The board risk committee's terms of reference should cover technology and AI risk. Boards should receive regular briefings on AI systems in use, their risk profile, and the controls in place. Independent AI risk assessments and audit coverage of AI systems are increasingly considered best practice. The NIST AI Risk Management Framework provides a useful structure for AI risk governance.
References
1. Institute of Directors South Africa. King IV Report on Corporate Governance for South Africa, 2016.
2. JSE Limited. Listings Requirements — Corporate Governance. Updated 2024.
3. National Treasury. Framework for Managing Programme Performance Information. 2010.
4. IFRS Foundation. IFRS S1 and S2 Sustainability Disclosure Standards. 2023.
5. Task Force on Climate-related Financial Disclosures (TCFD). Final Report. 2017.
6. Institute of Internal Auditors. Three Lines Model. 2020.
7. Institute of Directors South Africa. Board Risk Committee Guidance. 2024.

