King V Risk Management Explained

King V is South Africa's updated corporate governance code and sets the standard for how organisations approach risk management, oversight, accountability, and assurance. This guide explains King V risk management in practical terms for boards, executives, and risk professionals.

What Is King V?

King V is the King Report on Corporate Governance for South Africa, 2025, issued by the Institute of Directors in South Africa (IoDSA). Launched on 31 October 2025, it comprises the King V Code on Corporate Governance, King V Foundational Concepts, King V Glossary, and the King V Disclosure Framework.

Like King IV before it, King V is governance-driven. It focuses on how leadership structures, ethical culture, and decision-making processes ensure that risk is properly identified, managed, and disclosed.

King V's release was guided by three overarching goals: aligning King IV with evolving regulatory and governance developments; simplifying and clarifying its structure and content; and standardising disclosure in support of accessibility, transparency and consistency.

King V applies to:

  • Listed companies: JSE listing requirements incorporate certain King V practices as mandatory
  • State-owned entities: SOEs are expected to apply King V
  • Public sector institutions: Municipalities and public entities
  • Private companies and non-profits: On an apply-and-explain basis

King V is principle-based, not rules-based. Organisations are expected to apply the principles and explain how they do so in a way that achieves good governance outcomes. King V consolidates King IV's 17 principles into 13, with clearer structure and a new standardised Disclosure Framework.

Apply and Explain

King V retains the "apply and explain" approach from King IV. Organisations must apply the principles and explain how their practices achieve good governance outcomes — focusing on substance over form.

Effective Date

Disclosure on King V application is effective for financial years commencing on or after 1 January 2026, with early adoption encouraged.

Governance Outcomes Under King V

King V refines the four governance outcomes from King IV, now articulated as “Ethical Culture,” “Performance and Value Creation,” “Conformance and Prudent Control,” and “Legitimacy.” All four are directly influenced by risk management:

Outcome | Description | Risk Connection
Ethical Culture | Values-based leadership and ethical decision-making | Risk culture, tone at the top, ethical risk awareness
Performance and Value Creation | Strategy execution and sustainable value creation, including systems value | Risk-adjusted performance, opportunity and sustainability risk management
Conformance and Prudent Control | Internal controls and risk management | Control environment, risk treatment, monitoring
Legitimacy | Stakeholder trust and accountability | Risk disclosure, transparency, stakeholder engagement

Risk management is not a standalone function under King V. It is a governance enabler that supports all four outcomes.

The Role of Risk Management in King V

Under King V, risk management remains primarily a leadership and oversight responsibility, not merely a technical or operational task.

King V expects organisations to:

  • Govern risk in a way that supports strategic objectives: Risk enables strategy
  • Ensure that risk oversight is exercised at board level: Not delegated entirely
  • Integrate risk into performance, compliance, and assurance: Connected systems
  • Disclose risk governance practices through the standardised Disclosure Framework: Apply and explain

A significant evolution in King V is its emphasis on systems value — the recognition that organisations are not just affected by their external environment, but are embedded within it. Organisations should create value for broader economic, social and environmental systems, recognising that long-term organisational success relies on the vitality and resilience of surrounding socio-ecological systems.

This reframes risk management from protecting the organisation to protecting the systems the organisation depends on. This approach aligns well with enterprise risk management principles.

Leadership and Oversight Responsibilities

The Governing Body (Board / Council)

King V assigns ultimate responsibility for risk governance to the governing body. This includes:

  • Approving risk policy and risk appetite: Setting the boundaries
  • Overseeing the implementation of risk management: Active engagement
  • Ensuring that risk information supports decision-making: Quality and timeliness
  • Delegating appropriately while retaining accountability: Cannot abdicate responsibility

King V enhances committee composition requirements for risk and social and ethics committees, with the recommendation of including at least one independent non-executive. This strengthens the quality of oversight at committee level.

Common failure: Boards approve risk frameworks but do not actively engage with risk information. Risk becomes a compliance item rather than a governance priority.

Management

Management is responsible for:

  • Implementing risk management processes: Operational execution
  • Identifying and assessing risks across operations: Using tools like risk registers
  • Designing and executing risk responses: Controls and treatments
  • Reporting risk information to the governing body: Clear, decision-useful reporting

King V expects management to treat risk management as an operational discipline, not a reporting exercise.

Accountability Cannot Be Delegated

While boards may delegate risk management activities to committees or management, ultimate accountability for risk governance remains with the governing body. Delegation is not abdication.

Technology and AI Governance

A meaningful addition in King V is the expanded treatment of technology risk. King V recognises that governing bodies must be technologically literate, and not just financially literate.

King V expands data, information and technology governance with AI requirements, including emphasis on establishing accountability in AI-related decisions, actions and outcomes. King V also recognises the evolving nature of the cyber risk landscape and the changing tactics threat actors use to access valuable company data.

For organisations deploying AI tools — whether in operations, decision-making, or client-facing services — the governing body is now expected to understand and oversee the risks those tools introduce.

Risk Appetite and Tolerance Under King V

King V retains strong emphasis on risk appetite as a governance tool.

Risk appetite:

  • Articulates the level of risk an organisation is willing to accept: Quantitative and qualitative
  • Guides strategy, planning, and decision-making: Not just documentation
  • Provides context for evaluating risk exposure: Against defined thresholds

A common weakness in South African organisations is that risk appetite statements exist but are not operationalised. King V expects risk appetite to influence real decisions, not remain theoretical.

Understanding the difference between inherent and residual risk helps organisations communicate how controls bring exposure within appetite.

Risk, Performance, and Strategy Alignment

One of King V's key contributions is its deepened link between risk, performance, and systems value creation.

King V expects organisations to:

  • Consider risk when setting strategic objectives: Risk-informed planning
  • Monitor whether risk exposure aligns with performance outcomes: Variance analysis
  • Use risk information to explain performance variances: Root cause understanding
  • Assess sustainability-related risks through a double materiality lens: Both financial impact and broader societal and environmental impact

King V places enhanced emphasis on double materiality — both financial and impact materiality — for sustainability-related disclosures. This is particularly significant for public sector entities and SOEs accountable to Parliament, councils, and communities.

This alignment is critical in:

  • Public sector performance management: Government accountability
  • SOE turnaround strategies: State-owned entity governance
  • Listed company reporting: Investor communication

Risk Management and Assurance Under King V

King V retains a combined assurance approach. This means:

  • Management, internal audit, external audit, and other assurance providers work in a coordinated way: No duplication or gaps
  • Risk information informs assurance planning: Audit focus follows risk
  • Assurance activities provide comfort over risk management effectiveness: Evidence-based

In practice, this requires linking risks, controls, incidents, and audit findings — not managing them in silos.

Three Lines Model

Combined assurance typically follows a three lines model:

Line | Role | Responsibility
First Line | Management | Own and manage risks and controls
Second Line | Risk & Compliance | Provide oversight, guidance, and monitoring
Third Line | Internal Audit | Provide independent assurance

Learn how to prepare for an audit using a risk register to support combined assurance.

King V and Compliance Risk

King V expects organisations to manage compliance risk proactively. This includes:

  • Understanding applicable laws and regulations: Complete inventory
  • Monitoring compliance obligations: Systematic tracking
  • Integrating compliance risk into the risk management framework: Not separate silos

In the public sector, this often includes:

  • PFMA (Public Finance Management Act)
  • MFMA (Municipal Finance Management Act)
  • POPIA (Protection of Personal Information Act)
  • Treasury Regulations
  • Sector-specific legislation

King V will supplement existing legal and regulatory frameworks such as POPIA and regulatory guidelines like the Joint Standard 2 of 2024 issued by the Financial Sector Conduct Authority and the Prudential Authority regarding Cybersecurity and Cyber Resilience Requirements.

Failure to manage compliance risk effectively often results in adverse audit outcomes from the Auditor-General.

Disclosure and Transparency Under King V

One of the most significant departures from King IV is the introduction of the King V Disclosure Framework, which sets out the form and content for required disclosure on the application of King V. Any organisation wishing to claim application of King V must use the Disclosure Framework and publish governance disclosures in accordance with its specifications, with the governing body accountable for approving the disclosures.

Organisations must disclose:

  • How risk is governed: Board and committee structures
  • How risk management supports objectives: Integration with strategy and systems value
  • How assurance over risk is achieved: Combined assurance model
  • A concluding statement on governance outcomes: Whether the four outcomes have been achieved

These disclosures are scrutinised by:

  • Regulators and the JSE
  • External and internal auditors
  • Investors and analysts
  • Parliamentary and council oversight bodies

Poor or generic disclosures are often interpreted as weak governance.

Common Misinterpretations of King V Risk Management

Many organisations struggle with King V because of the following misconceptions:

Misconception | Reality
Treating King V as a compliance checklist | King V is about governance outcomes, not tick-boxes
Delegating risk entirely to a risk department | Board retains ultimate accountability
Confusing risk reporting with risk management | Reports are outputs; management is the discipline
Failing to link risk to sustainability and systems value | King V requires organisations to consider their role in the broader economic, social and environmental system
Ignoring AI and technology as a governance risk | King V explicitly requires oversight of AI accountability and cyber risk

King V is not about having policies — it is about how leadership governs risk in practice.

King V in Practice (South African Context)

Organisations that apply King V effectively:

  • Use risk information in board and committee meetings: Active discussion
  • Align risk, compliance, audit, and performance reporting: Integrated view
  • Maintain evidence for oversight and assurance: Documentation supports practice
  • Govern technology and AI risks with the same rigour as financial and operational risks
  • Apply double materiality to sustainability-related risk decisions

Those that fail often experience repeat audit findings, weak oversight and accountability gaps, and reputational damage and stakeholder distrust.

King V vs ISO 31000 and COSO ERM

King V, ISO 31000, and COSO ERM serve different but complementary purposes:

Aspect | King V | ISO 31000 | COSO ERM
Primary Focus | Governance, oversight, and systems value | Risk process | Strategy and performance
Geographic Relevance | South Africa | Global | Global
Audience | Board and leadership | Enterprise and operations | Board and executives
Style | Principle-based | Principle-based | Component-based
Disclosure | Standardised Disclosure Framework required | No disclosure framework | Voluntary reporting guidance

In practice:

  • King V sets governance expectations: What boards must oversee
  • COSO ERM supports strategic oversight: How risk connects to strategy
  • ISO 31000 supports operational execution: How risks are managed day-to-day

They are complementary, not competing.

Key Takeaways

Summary

  • King V challenges organisations to move from governance as compliance to governance as culture, anchored in integrity, accountability and sustainability
  • King V consolidates 17 King IV principles into 13, with a new standardised Disclosure Framework
  • The governing body retains ultimate accountability for risk governance
  • Risk appetite must be operationalised to guide real decisions, not just documented
  • Combined assurance integrates management, risk, compliance, and audit functions
  • King V introduces explicit AI governance and cyber risk oversight requirements
  • Double materiality requires organisations to consider both financial and broader impact when assessing sustainability risks
  • King V complements ISO 31000 and COSO ERM rather than replacing them

Frequently Asked Questions

Is King V mandatory?

King V is not legislation, but it is widely expected and applied across South African organisations. For JSE-listed companies, King V compliance is incorporated into listing requirements. Public entities, SOEs, and municipalities are expected to apply King V principles as part of good governance practice. Private companies and non-profits may apply it on a voluntary basis.

Does King V replace King IV?

Yes. King V succeeds King IV as South Africa's primary corporate governance code. Disclosure on King V application is effective for financial years commencing on or after 1 January 2026. Organisations should transition their governance practices and disclosures from King IV to King V accordingly.

Who is responsible for risk under King V?

Ultimate responsibility for risk governance lies with the governing body (board or council). Management is responsible for implementing risk management processes and reporting to the governing body. Internal audit and other assurance providers give comfort over risk management effectiveness through combined assurance.

What is the King V Disclosure Framework?

The King V Disclosure Framework is a new standardised framework that sets out the form and content for required disclosure on the application of King V. Any organisation wishing to claim application of King V must use this framework and publish governance disclosures in accordance with its specifications. This is one of the most significant departures from King IV.

How does King V address AI and technology risk?

King V explicitly expands data, information and technology governance with AI requirements. It emphasises establishing accountability in AI-related decisions, actions and outcomes. King V also recognises the evolving cyber risk landscape and expects governing bodies to be technologically literate — not just financially literate — to effectively oversee these risks.

Co-Founder & ERM Practitioner

An enterprise risk management practitioner with experience across healthcare, public sector, and regulated environments. Phumi focuses on translating ERM frameworks into practical, decision-relevant processes.

Co-Founder & ERM Practitioner

Specialises in enterprise risk management through risk assessments, data analysis, and mitigation planning. Contributes to compliance oversight, risk reporting, and monitoring of key risk indicators.