IT RISK MANAGEMENT DISCLOSURE IN THE INTEGRATED REPORTS OF THE TOP 40 LISTED COMPANIES ON THE JSE LIMITED

Ben Marx, Covanni Du Preez

https://doi.org/10.22495/rgcv7i3p3

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

Abstract

Information Technology (IT) has become an integral part of virtually all modern-day organisations. The advent of IT has given rise to numerous benefits which increase productivity and efficiency in the workplace; however, IT also brings with it significant risks that can have an impact on an organisation’s ability to function as a going concern. Organisations, especially those listed on the Johannesburg Stock Exchange (JSE), are required to submit an Integrated Report (IR) on an annual basis in which they indicate how they used the resources at their disposal to create value for the organisation and its stakeholders during the year under review. The IR is also a forward-looking document, as opposed to the traditional, backward-looking reports. The purpose of this paper is to determine to what extent IT Risk and IT Risk Management are disclosed in the IRs of the Top 40 Listed Companies on the JSE. It further aims to determine whether IT Risks are included as material risks in the entity’s risk statements of the Integrated Report, and whether proper explanations are provided on how the materiality of the risks is determined and dealt with. This is done by means of an empirical study consisting of a content analysis of the IRs of the Top 40 listed companies on the JSE. The results of the analysis indicate that more than half of the companies included IT risk as part of their material risks and outlined appropriate and detailed processes that were followed by the company to manage those IT risks. The findings of the study accordingly support the need for communicating significant risks and the management thereof to stakeholders as part of the integrated nature of governance of entities. However, it is disconcerting that some companies are not doing this, and accordingly are not realising the need for communicating significant matters to their stakeholders and the value that informative and credible reporting will bring to an entity’s Integrated Report.

Keywords: Risk Management, IT Risk Management, Integrated Reporting, International Integrated Report Committee (IIRC) Framework

Received: 18.02.2017
Accepted: 18.05.2017

How to cite this paper: Marx, B., & Preez, C. H. (2017). IT risk management disclosure in the integrated reports of the top 40 listed companies on the JSE limited. Risk governance & control: financial markets & institutions, 7(3), 27-34. https://doi.org/10.22495/rgcv7i3p3