<rss version="2.0">
  <channel>
    <title>Blog</title>
    <link>https://www.exponential.co.za/blog</link>
    <description><![CDATA[]]></description>
    <item>
      <title>The AI Gold Rush: Are You Protecting Your Business, or Giving It Away?</title>
      <link>https://www.exponential.co.za/blog/the-ai-gold-rush-are-you-protecting-your-business-or-giving-it-away</link>
<description><![CDATA[<h4>A practical guide for SME executives on AI risks, privacy, and intellectual property</h4><p>There's a quiet crisis unfolding inside businesses right now, and most executives don't even know it's happening.</p><p>While boardrooms debate AI strategy and employees enthusiastically adopt tools like ChatGPT, Gemini, DeepSeek, and Claude to turbocharge their productivity, a different conversation is being missed entirely:</p><ul><li>What happens to the information you feed these platforms?</li><li>Who owns what comes out?</li><li>What are the legal and reputational consequences if something goes wrong?</li></ul><p>The AI productivity wave is real and the benefits are undeniable. But in the rush to keep up, common sense around data protection and intellectual property is being left at the door. For CEOs, CFOs, and business owners of small and medium enterprises, this isn't a technology problem; it's a governance problem. And it needs your attention now!</p><p><br></p><h4>What Actually Happens When Your Team Uses AI?</h4><p>Before we talk about protections, you need to understand the basic mechanics. When someone in your business types a prompt into a free AI tool, e.g. asking ChatGPT to summarise a contract, draft a client proposal using your company's methodology, or analyse financial data, that information travels to a third-party server. What happens next depends entirely on the platform's terms and conditions, and those terms vary significantly.</p><p>Think of it this way: if your employee walked into a public library, read aloud your confidential client list, your proprietary pricing model, and your internal legal correspondence, and then asked a librarian to help them write a report, would you be comfortable with that? Almost certainly not. 
Yet that is, in functional terms, what happens when sensitive business information is pasted into a consumer-grade AI tool with default settings.</p><p><br></p><h4>The Terms and Conditions: What the Platforms Actually Say</h4><p>The legal landscape here is not uniform, and it shifts regularly. But as a general principle, here is what executives need to know about the major platforms:</p><ul><li><strong>ChatGPT (OpenAI):</strong> In its free tier and standard API usage, OpenAI has historically used conversations to train and improve its models, though users can opt out through settings. For business users on paid enterprise plans, OpenAI provides contractual commitments that your data will not be used for training, and conversations are not retained beyond the session. However, many employees using personal or informal accounts do not operate under these protections.</li><li><strong>Google Gemini:</strong> Similar principles apply. Consumer-facing Gemini products may use interactions to improve Google's services. Workspace business users with appropriate Enterprise agreements benefit from stronger data processing terms and data residency commitments, but again, this depends on your contract and how your staff are accessing the tool.</li><li><strong>DeepSeek:</strong> This Chinese-developed platform warrants particular caution. DeepSeek's privacy policy allows for the collection of a broad range of user data, which may be stored on servers in the People's Republic of China and subject to Chinese law, including laws that can compel companies to share data with government authorities. Several national governments and corporations have already moved to restrict or ban its use on work devices. 
For any business operating in regulated sectors, or handling data from clients in jurisdictions with strict data transfer rules, using DeepSeek with business information carries material risk.</li><li><strong>Claude (Anthropic):</strong> Anthropic similarly distinguishes between consumer and business use. On the free tier, conversations may be reviewed by Anthropic staff for safety and improvement purposes. Paid plans and the API come with stronger commitments around data not being used for training without consent, and enterprise agreements include formal data processing addenda.</li></ul><p>The pattern across all platforms is consistent: <strong>free or personal tiers offer minimal protection; paid enterprise tiers offer significantly more.</strong> But "more" is not the same as "complete."</p><p><br></p><h4>Are Paid Plans Enough? The Honest Answer.</h4><p>Upgrading to a paid business plan does materially improve your position, and for most SMEs it should be a baseline requirement if staff are using these tools with any company data. Paid plans typically offer:</p><ul><li>Contractual commitments that your data will not be used to train AI models</li><li>Data processing agreements that may satisfy regulatory requirements (such as POPIA, GDPR)</li><li>Shorter or no data retention periods</li><li>Reduced human review of conversations</li><li>In some cases, the ability to choose data residency regions</li></ul><p>However, there are important caveats. A paid subscription does not grant you unlimited privacy. Most platforms retain logs for safety, security, and abuse prevention purposes. Terms of service can change, and they do. 
And critically, a paid subscription does not protect you from your own employees making poor decisions about what to share.</p><p>There is also a subtler risk that paid plans do not address: <strong>the risk to your intellectual property from the outputs.</strong> If your team uses AI to generate a client deliverable, a strategic framework, a marketing campaign, or a software module, questions about who owns that output (you, your client, or the AI platform) are not yet fully resolved in most jurisdictions. Courts and regulators are still catching up. In the meantime, the safest assumption is that AI-generated content may carry ownership ambiguity, and your contracts with clients should be updated to address this explicitly.</p><p><br></p><h4>How SMEs Can Protect Themselves: Practical Controls</h4><p>The good news is that you do not need a large IT department or cybersecurity budget to implement meaningful protections. What you need is clarity, policy, and discipline.</p><p><strong>Start with an AI Acceptable Use Policy.</strong> This is the single highest-impact thing most SMEs can do right now. Your policy should define which AI tools are approved for business use, under what conditions, and with what categories of information. It should explicitly prohibit entering personal data, client confidential information, trade secrets, financial data, and legal communications into unapproved tools. It should be signed by every employee, not buried in an induction pack.</p><p><strong>Classify your information.</strong> Not everything your business holds is equally sensitive. Create a simple tiered classification: public information, internal information, confidential information, and restricted information. Then map which tier is appropriate for AI use. 
As a rule of thumb, confidential and restricted information should never enter a consumer AI platform, and should only enter enterprise platforms with verified data processing agreements in place.</p><p><strong>Centralise your AI tools.</strong> The proliferation of AI tools within an organisation, sometimes called "shadow AI", is one of the fastest-growing risks in business today. Employees will, with good intentions and genuine enthusiasm, find and use whatever tools help them work faster. Without a sanctioned set of approved tools, your data is scattered across dozens of third-party platforms, each with different terms and different risks. Pick a small number of approved tools, pay for appropriate-tier access, and make them easy to use. Friction drives shadow adoption.</p><p><strong>Audit and review AI outputs.</strong> Particularly where AI is being used to create client-facing work, legal documents, financial analysis, or strategic advice, human review is not optional. AI tools hallucinate! They may produce confident-sounding content that is factually wrong. Without review processes, you risk reputational damage, legal liability, and in regulated industries, compliance failures.</p><p><strong>Update your contracts.</strong> Both client contracts and employment agreements need to reflect the reality of AI use. Client contracts should address who owns AI-assisted deliverables and what data your firm may process using third-party AI tools. 
Employment agreements should include clauses on AI tool use, confidentiality obligations as they relate to AI, and the handling of AI-generated work.</p><p><br></p><h4>Existing Frameworks: Your Built-In Head Start</h4><p>If your business already operates under established information security or risk management frameworks, you may have more protection in place than you realise, as long as those frameworks have been updated to address AI.</p><p><strong>ISO 27001</strong> is the internationally recognised standard for information security management. At its core, it requires organisations to identify their information assets, assess the risks to those assets, and implement controls to manage those risks. An AI tool through which confidential data passes is a risk to an information asset, and ISO 27001's existing controls around third-party supplier management, access control, and incident response are directly applicable. Businesses certified under ISO 27001 should review their supplier register and risk assessments to explicitly include AI platforms. If you're not yet ISO 27001 certified, the framework provides an excellent roadmap even if formal certification isn't your immediate goal.</p><p><strong>NIST CSF</strong> and <strong>NIST AI RMF</strong> (the AI-specific Risk Management Framework) offer complementary guidance. The NIST AI RMF, released in 2023, provides specific guidance on governing, mapping, measuring, and managing AI risks. It maps directly onto the kinds of decisions leaders face when deploying AI tools. It is freely available and does not require formal certification to use as a governance guide.</p><p><strong>GDPR, POPIA</strong> and other data protection regulations provide hard legal obligations that must inform your AI strategy. If you handle personal data of individuals, the use of AI tools to process that data is subject to requirements including lawful basis for processing, data minimisation, and third-party processor agreements. 
Feeding customer personal data into an AI tool without a Data Processing Agreement in place is likely a violation of data protection regulation, regardless of what the tool produces.</p><p>The common thread across these frameworks is that AI does not require you to reinvent your governance wheel. It requires you to extend the wheel you already have.</p><p><br></p><h4>The Prompt Sprawl Problem: Managing AI's New Institutional Knowledge</h4><p>Here is a challenge that almost no business is managing well yet, and that will become a significant operational risk within the next two to three years.</p><p>As teams integrate AI into daily operations, they develop prompts: the instructions they give AI tools to produce useful results. A well-crafted prompt can encode years of institutional knowledge: how your business approaches a problem, your pricing methodology, your client communication style, your quality standards. Over time, these prompts become business assets as valuable as any process document or client database.</p><p>The problem is that prompts are almost universally unmanaged. They live in individual employees' personal accounts on third-party platforms, in browser bookmarks, in Slack messages, and in people's heads. When an employee leaves, the prompt, and the knowledge embedded in it, leaves with them. When the platform changes its terms, that knowledge may have been shared without your awareness. When a competitor poaches your team, they may bring your prompt library with them.</p><p>Managing prompt sprawl requires the same discipline as managing any other intellectual asset. Businesses should maintain a centralised prompt library, stored within company-controlled systems, not on third-party AI platforms. Prompts that encode proprietary methodology, client-specific processes, or competitive advantage should be treated as confidential business documents. 
Access should be controlled, and employees should understand that prompts created in the course of their employment are <strong>company property</strong>.</p><p>Practically, this can be as simple as a shared document repository with version control, or as sophisticated as a purpose-built prompt management system. The sophistication should match your scale, but the discipline should be universal.</p><p><br></p><h4>A Simple Action Plan for Executives</h4><p>You don't need to solve everything at once. Here is a prioritised starting point:</p><p><strong>This week:</strong> Have a conversation with your leadership team about which AI tools your employees are currently using. You may be surprised. Establish a temporary moratorium on using any AI tool with client or confidential data until you have a policy in place.</p><p><strong>This month:</strong> Draft and implement an AI Acceptable Use Policy. Audit your current AI tool subscriptions and upgrade to appropriate business-tier plans where relevant. Check whether your data protection agreements with key AI suppliers are in place.</p><p><strong>This quarter:</strong> Review your client and employment contracts for AI-related gaps. Conduct a basic information classification exercise. Establish a centralised prompt library. Brief your team on the policy and the reasoning behind it. Compliance is far more likely when people understand <strong><em>why</em></strong>, not just <strong><em>what</em></strong>.</p><p><strong>This year:</strong> Consider whether ISO 27001 or a similar framework is appropriate for your business as a signal of maturity to clients and partners. Monitor regulatory developments in your sector. 
AI-specific regulation is coming, and businesses that have built governance infrastructure will adapt far more easily than those starting from scratch.</p><p><br></p><h4>The Bottom Line</h4><p>AI tools are genuinely transformative, and the businesses that learn to use them well will have real competitive advantage. But advantage built on poor data governance is fragile. It exposes you to regulatory action, client loss, reputational damage, and competitive harm, often before you even realise the exposure exists.</p><p>The executives who will navigate this era well are not those who move fastest, but those who move with intention. They understand what their people are doing with these tools, they have clear policies in place, and they treat AI governance as a business discipline, not an IT afterthought.</p><p>The technology is moving quickly. Your governance doesn't have to chase it, it just has to be in place before something goes wrong.</p><p>Because in this environment, the question is not whether a gap in your AI governance will be exploited. It's whether you'll close it before or after it costs you.</p><p><em><br></em></p><p><strong><em>If this resonates with challenges you're facing in your business, I'd welcome the conversation. The risks are real, but so are the practical solutions.</em></strong></p><p><br></p><p><br></p>


<hr>

  <h4>References &amp; Further Reading</h4>

  <p><em>All sources are publicly available and were verified as of February 2026. Platform terms and privacy policies are subject to change — readers are encouraged to check the latest versions directly.</em></p>

  <h4>Platform Privacy Policies &amp; Terms of Service</h4>

  <ol>
    <li><strong>OpenAI — Business Data Privacy Commitments</strong><br>
    Official page detailing OpenAI's enterprise-level data handling, including the commitment not to train on business data by default across ChatGPT Enterprise, Team, and API plans.<br>
    <a href="https://openai.com/business-data/" target="_blank">https://openai.com/business-data/</a></li>

    <li><strong>OpenAI — Enterprise Privacy Overview</strong><br>
    Covers SOC 2 compliance, data encryption standards, data residency options, and Data Processing Addendum availability.<br>
    <a href="https://openai.com/enterprise-privacy/" target="_blank">https://openai.com/enterprise-privacy/</a></li>

    <li><strong>OpenAI — Consumer Terms of Use</strong><br>
    Governs free and Plus user accounts, including provisions on content use for model improvement and opt-out mechanisms.<br>
    <a href="https://openai.com/policies/row-terms-of-use/" target="_blank">https://openai.com/policies/row-terms-of-use/</a></li>

    <li><strong>Google — Generative AI in Google Workspace Privacy Hub</strong><br>
    Google's official FAQ covering how Workspace data is handled in Gemini, including the commitment that content is not used for model training outside the customer's domain without permission.<br>
    <a href="https://support.google.com/a/answer/15706919" target="_blank">https://support.google.com/a/answer/15706919</a></li>

    <li><strong>Google — Gemini Apps Privacy Hub</strong><br>
    Details how the consumer-facing Gemini app handles data, including the use of chats by human reviewers to improve Google products and services on the free tier.<br>
    <a href="https://support.google.com/gemini/answer/13594961" target="_blank">https://support.google.com/gemini/answer/13594961</a></li>

    <li><strong>Google — Gemini API Additional Terms of Service</strong><br>
    Explicitly distinguishes between paid services (no training on prompts/responses) and unpaid services (content used to improve Google products, with human reviewer access).<br>
    <a href="https://ai.google.dev/gemini-api/terms" target="_blank">https://ai.google.dev/gemini-api/terms</a></li>

    <li><strong>Google Workspace — Generative AI Security, Compliance and Privacy</strong><br>
    Overview of Gemini for Workspace enterprise certifications including ISO 42001, FedRAMP High, SOC 1/2/3, and HIPAA compliance.<br>
    <a href="https://workspace.google.com/security/ai-privacy/" target="_blank">https://workspace.google.com/security/ai-privacy/</a></li>

    <li><strong>DeepSeek — Official Privacy Policy</strong><br>
    The primary source confirming that DeepSeek collects and stores personal data in the People's Republic of China and that data may be processed under Chinese law.<br>
    <a href="https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html" target="_blank">https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html</a></li>

    <li><strong>Anthropic — Updates to Consumer Terms and Privacy Policy (August 2025)</strong><br>
    Official announcement of Anthropic's 2025 policy change allowing consumer account data to be used for model training (opt-in), with confirmation that Commercial Terms (Claude for Work, API, Enterprise) remain unaffected.<br>
    <a href="https://www.anthropic.com/news/updates-to-our-consumer-terms" target="_blank">https://www.anthropic.com/news/updates-to-our-consumer-terms</a></li>

    <li><strong>Anthropic Privacy Center — Is my data used for model training?</strong><br>
    Confirms that by default, commercial products (Claude for Work, API) do not use inputs/outputs to train models; training use requires explicit opt-in or feedback submission.<br>
    <a href="https://privacy.claude.com/en/articles/7996868-is-my-data-used-for-model-training" target="_blank">https://privacy.claude.com/en/articles/7996868-is-my-data-used-for-model-training</a></li>

    <li><strong>Anthropic Privacy Center — How long do you store my data?</strong><br>
    Details retention periods: 30 days default for commercial users, up to 5 years for consumers who opt into model improvement, and up to 7 years for trust and safety flagged content.<br>
    <a href="https://privacy.claude.com/en/articles/10023548-how-long-do-you-store-my-data" target="_blank">https://privacy.claude.com/en/articles/10023548-how-long-do-you-store-my-data</a></li>
  </ol>

  <h4>DeepSeek Risk &amp; Regulatory Developments</h4>

  <ol start="12">
    <li><strong>CNBC — South Korea says DeepSeek transferred user data to China and the US without consent (April 2025)</strong><br>
    Reports findings of South Korea's Personal Information Protection Commission (PIPC), including unauthorised transfer of AI prompt data to Beijing Volcano Engine Technology Co.<br>
    <a href="https://www.cnbc.com/2025/04/24/south-korea-says-deepseek-transferred-user-data-to-china-us-without-consent.html" target="_blank">https://www.cnbc.com/2025/04/24/south-korea-says-deepseek-transferred-user-data-to-china-us-without-consent.html</a></li>

    <li><strong>IAPP — DeepSeek and the China Data Question (2025)</strong><br>
    Analysis from the International Association of Privacy Professionals on the legal nuances of DeepSeek's data flows and the distinction between direct data collection and international data transfer under GDPR.<br>
    <a href="https://iapp.org/news/a/deepseek-and-the-china-data-question-direct-collection-open-source-and-the-limits-of-extraterritorial-enforcement" target="_blank">https://iapp.org/news/a/deepseek-and-the-china-data-question-direct-collection-open-source-and-the-limits-of-extraterritorial-enforcement</a></li>

    <li><strong>NPR — International regulators probe how DeepSeek is using data (January 2025)</strong><br>
    Covers regulatory responses from Italy, Ireland, South Korea, and the US, including warnings to government staff and analysis from Yale cybersecurity researcher Samm Sacks.<br>
    <a href="https://www.npr.org/2025/01/31/nx-s1-5277440/deepseek-data-safety" target="_blank">https://www.npr.org/2025/01/31/nx-s1-5277440/deepseek-data-safety</a></li>

    <li><strong>Lexology — DeepSeek Faces Overseas and Chinese Data Security Challenges (February 2025)</strong><br>
    Summary of global regulatory actions against DeepSeek as of mid-February 2025, covering bans and investigations across Italy, Belgium, South Korea, Australia, India, and the US.<br>
    <a href="https://www.lexology.com/library/detail.aspx?g=e98373d5-d7ac-4b81-9958-b42a6d5ddbed" target="_blank">https://www.lexology.com/library/detail.aspx?g=e98373d5-d7ac-4b81-9958-b42a6d5ddbed</a></li>

    <li><strong>Security Magazine — Dangers of DeepSeek's Privacy Policy (February 2025)</strong><br>
    Analysis of DeepSeek's data collection practices, including the collection of keystroke patterns and the implications of Chinese law for data governance.<br>
    <a href="https://www.securitymagazine.com/articles/101374-dangers-of-deepseeks-privacy-policy-data-risks-in-the-age-of-ai" target="_blank">https://www.securitymagazine.com/articles/101374-dangers-of-deepseeks-privacy-policy-data-risks-in-the-age-of-ai</a></li>
  </ol>

  <h4>AI Governance Frameworks</h4>

  <ol start="17">
    <li><strong>NIST — AI Risk Management Framework (AI RMF 1.0), January 2023</strong><br>
    The foundational US voluntary framework for managing AI risks across the AI lifecycle, covering governance, mapping, measurement, and management of AI-specific risks. Free to access and apply without formal certification.<br>
    <a href="https://www.nist.gov/itl/ai-risk-management-framework" target="_blank">https://www.nist.gov/itl/ai-risk-management-framework</a></li>

    <li><strong>NIST — Generative AI Profile (NIST AI 600-1), July 2024</strong><br>
    Extension of the AI RMF specifically addressing risks unique to generative AI systems including large language models, covering intellectual property risks, data privacy, and third-party component risks.<br>
    <a href="https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf" target="_blank">https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf</a></li>

    <li><strong>ISO — ISO/IEC 27001:2022 Information Security Management</strong><br>
    The internationally recognised information security standard. Annex A controls 5.19–5.22 cover third-party and supply chain risk management, directly applicable to AI tool governance.<br>
    <a href="https://www.vanta.com/collection/tprm/third-party-risk-requirements-iso-27001" target="_blank">https://www.vanta.com/collection/tprm/third-party-risk-requirements-iso-27001</a></li>

    <li><strong>ISO — ISO/IEC 42001:2023 AI Management System Standard</strong><br>
    The AI-specific management system standard, structurally similar to ISO 27001. Organisations certified under ISO 27001 can typically achieve ISO 42001 compliance 30–40% faster due to overlapping governance structures.<br>
    <a href="https://www.protechtgroup.com/en-us/blog/ai-governance-iso-42001-certification" target="_blank">https://www.protechtgroup.com/en-us/blog/ai-governance-iso-42001-certification</a></li>

    <li><strong>AWS — AI Lifecycle Risk Management: ISO/IEC 42001:2023 for AI Governance</strong><br>
    Practical guidance on applying ISO 42001 in enterprise environments, including alignment with ISO 27001, NIST CSF, and GDPR.<br>
    <a href="https://aws.amazon.com/blogs/security/ai-lifecycle-risk-management-iso-iec-420012023-for-ai-governance/" target="_blank">https://aws.amazon.com/blogs/security/ai-lifecycle-risk-management-iso-iec-420012023-for-ai-governance/</a></li>
  </ol>

  <h4>AI Data Risks &amp; Enterprise Security</h4>

  <ol start="22">
    <li><strong>TechCrunch — Anthropic users face a new choice: opt out or share your chats for AI training (August 2025)</strong><br>
    Independent analysis of Anthropic's September 2025 policy change, including commentary on the UI design of the consent mechanism and its implications for enterprise users.<br>
    <a href="https://techcrunch.com/2025/08/28/anthropic-users-face-a-new-choice-opt-out-or-share-your-data-for-ai-training/" target="_blank">https://techcrunch.com/2025/08/28/anthropic-users-face-a-new-choice-opt-out-or-share-your-data-for-ai-training/</a></li>

    <li><strong>Nightfall AI — Does ChatGPT Store Your Data in 2025?</strong><br>
    Detailed analysis of ChatGPT's 2025 data practices, including the 2024 policy change affecting free and Plus users, and a discussion of GDPR non-compliance concerns.<br>
    <a href="https://www.nightfall.ai/blog/does-chatgpt-store-your-data-in-2025" target="_blank">https://www.nightfall.ai/blog/does-chatgpt-store-your-data-in-2025</a></li>

    <li><strong>Protecto — OpenAI Data Privacy Compared: OpenAI, Claude, Perplexity AI, and Otter (October 2025)</strong><br>
    Side-by-side comparison of enterprise and consumer data handling across major AI platforms, with practical guidance on channel selection for sensitive data.<br>
    <a href="https://www.protecto.ai/blog/openai-data-privacy/" target="_blank">https://www.protecto.ai/blog/openai-data-privacy/</a></li>

    <li><strong>AMST Legal — Anthropic's Claude AI Updates: Impact on Privacy &amp; Confidentiality (September 2025)</strong><br>
    Legal analysis of the September 2025 Claude policy changes, including the distinction between consumer and commercial account tiers and risks for SMEs using paid but non-enterprise plans.<br>
    <a href="https://amstlegal.com/anthropics-claude-ai-updated-terms-explained/" target="_blank">https://amstlegal.com/anthropics-claude-ai-updated-terms-explained/</a></li>

    <li><strong>Google Cloud White Paper — Generative AI, Privacy, and Google Cloud (September 2024)</strong><br>
    Google's official position on data sovereignty, model training, intellectual property, and GDPR alignment for enterprise customers using Vertex AI and Google Workspace.<br>
    <a href="https://services.google.com/fh/files/misc/genai_privacy_google_cloud_202308.pdf" target="_blank">https://services.google.com/fh/files/misc/genai_privacy_google_cloud_202308.pdf</a></li>
  </ol>

  <p><em><strong><br></strong></em></p><p><em><strong>Disclaimer:</strong> This article is provided for informational purposes only and does not constitute legal or regulatory advice. AI platform terms and privacy policies change frequently. Businesses should seek independent legal and compliance advice before making decisions about AI tool deployment, data governance, or contractual arrangements.</em></p>]]></description>
      <pubDate>Wed, 25 Feb 2026 21:26:06 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/the-ai-gold-rush-are-you-protecting-your-business-or-giving-it-away</guid>
    </item>
    <item>
      <title>The FSCA Joint Standard 2 Makes Every Tech SME a Regulated Entity</title>
      <link>https://www.exponential.co.za/blog/the-fsca-joint-standard-2-makes-every-tech-sme-a-regulated-entity</link>
<description><![CDATA[<p>In the interconnected landscape of the South African financial sector, a quiet but monumental shift has occurred. With the implementation of FSCA Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements (JS2), the regulatory spotlight has expanded beyond the marble hallways of banks and insurers to illuminate the server rooms of every SME providing them with services. The message is unequivocal: in the eyes of the regulator, your cybersecurity is now their cybersecurity.</p><p>A common and dangerous misconception is that JS2 is "someone else's problem." In reality, the "downstream" impact on non-financial service providers is not just transformative; it is a fundamental shift in the cost of doing business with the financial sector.</p><p><br></p><h4>The Compliance Cascade: Why JS2 Matters to Your SME</h4><p>JS2 mandates that financial institutions (FIs) conduct Third-Party Risk Management (TPRM) with surgical precision. For an FI to remain compliant, it must ensure that its service providers, the SMEs providing cloud hosting, software development, payroll, or even specialised consulting, meet the same rigorous cybersecurity standards. Your business is no longer just a "vendor"; you are a "critical information asset" in their regulated ecosystem.</p><p><br></p><h4>Navigating the Framework Question: Prescription vs. Pragmatism</h4><p>A frequent question I hear is: "Which framework do we have to use?" The answer requires understanding the difference between regulatory prescription and market expectation.</p><p>The short answer: JS2 is not strictly prescriptive about which framework you must use. It is, however, prescriptive about the outcomes. Section 5(1)(a) requires a "documented cybersecurity strategy and framework" that is "proportionate to the nature, size, and complexity" of the business. 
While the regulator won't force you to pick ISO 27001 over NIST CSF, they will require you to prove that your chosen framework demonstrably addresses the specific "Fundamentals" and "Hygiene Practices" laid out in Sections 7 and 8.</p><p>This is where proportionality meets market reality. A five-person marketing agency supporting a bank's communications team faces a different risk profile than a 50-person firm hosting critical core-banking infrastructure. The FI's scrutiny, and the framework expected, should, in theory, reflect that difference. However, in the South African executive landscape, ISO 27001 remains the undeniable gold standard for irrefutable "evidence." When a Tier-1 bank conducts due diligence, "We follow NIST and here's how it maps to JS2" can be a valid, robust conversation. But "We are ISO 27001 certified" is often a closed ticket. The certification provides a shorthand for competence that a self-assessed framework, however well-executed, struggles to match.</p><p><br></p><h4>The Downstream Requirements: Five Pillars of Evidence</h4><p>Under JS2, you should expect your FI clients to request evidence supporting the following five pillars. The depth of evidence will be proportionate to the criticality of the service you provide.</p><p><strong><em>A. Governance and Accountability</em></strong></p><p>FIs must verify that their service providers have a governing body that takes formal responsibility for cybersecurity.</p><ul><li>The Evidence: Board minutes or management resolutions approving a Cybersecurity Strategy, and a designated individual (CISO, IT Director, or even a competent, mandated partner) accountable for its execution.</li></ul><p><strong><em>B. The 24-Hour Incident Notification Rule</em></strong></p><p>Section 9 of JS2 mandates that FIs report material incidents to the Authorities within 24 hours. 
This creates a tight contractual cascade.</p><ul><li>The Downstream Impact: Your contract with an FI will likely be updated to require you to notify them immediately, often within 2–6 hours, so they can meet their own regulatory window. This SLA must be realistic and tested.</li><li>The Evidence: A formal Incident Response Plan (IRP) that specifically includes the contact details, escalation paths, and agreed-upon notification SLAs for your FI clients.</li></ul><p><strong><em>C. Non-Negotiable Cybersecurity Hygiene</em></strong></p><p>Section 8 outlines fundamental "hygiene" practices that are not optional.</p><ul><li>The Evidence: Proof of Multi-Factor Authentication (MFA) across all accessible systems, an active Patch Management Policy with evidence of consistent application, and records of regular Vulnerability Assessments or Penetration Testing appropriate to your environment.</li></ul><p><strong><em>D. Cyber Resilience and Business Continuity</em></strong></p><p>While the specific "2-Hour Rule" for recovery applies to National Payment System participants under SARB Directive 01/2024, the "spirit" of resilience in JS2 (Section 11 on Outsourcing) requires that critical systems can be recovered. You will need to demonstrate that your plans are not just documents on a shelf.</p><ul><li>The Evidence: Alignment with a standard like ISO 22301 is beneficial, but the core requirement is proof of tested backups and a demonstrable understanding of the Recovery Time Objectives (RTO) that your FI clients' risk appetite demands.</li></ul><p><strong><em>E. Data Privacy and POPIA Alignment</em></strong></p><p>POPIA's Condition 7 (Security Safeguards) is mirrored in JS2's requirements for "appropriate, reasonable technical and organizational measures." 
Compliance with one supports compliance with the other.</p><ul><li>The Evidence: A maintained Record of Processing Activities (ROPA) and documented evidence that all staff with access to personal information have undergone regular privacy and security awareness training.</li></ul><p><br></p><h4>The Strategic Shift: Turning Compliance into a Competitive Advantage</h4><p>For many South African SMEs, this regulatory burden is viewed as a "grudge purchase", a costly hurdle to doing business. However, I argue the opposite.</p><p>In a market where the FSCA is tightening the screws, demonstrable compliance is your competitive moat. If you can proactively provide a "compliance pack" containing your independently audited framework (ideally ISO 27001), your JS2-aligned IRP, and your POPIA manual, you remove the friction from the FI's procurement and risk teams. You transform from a potential liability into a low-risk, easy-to-onboard partner.</p><p><br></p><h4>A Note on Implementation: Working Smarter, Not Harder</h4><p>Mapping these controls manually is an exercise in futility. The overlap between ISO 27001, POPIA, and JS2 is significant. Roughly 70-80% of the controls are shared. Attempting to manage them in spreadsheets leads to duplication, errors, and audit fatigue.</p><p>This is precisely the problem <strong>Exponuity </strong>was designed to solve. By using a unified platform, you perform the control implementation and evidence mapping once. When an FI asks for "JS2 compliance," you aren't starting from scratch; you are simply filtering your existing ISO/POPIA controls to generate a report that speaks the regulator's language. The principle, however, is sound regardless of the tool: manage to a comprehensive standard and report against multiple requirements.</p><p><br></p><h4>Conclusion</h4><p>The FSCA Joint Standard 2 has effectively turned South African Financial Institutions into "mini-regulators" of their own supply chains. 
For SMEs, the message is clear: the era of "security by obscurity" is over. The ability to evidence your controls proportionately, robustly, and ideally against a recognized standard, is now a prerequisite for participation in the financial economy. Those who view this as an investment in resilience and market access will thrive, those who delay will find themselves locked out.</p><p><br></p><h4>References</h4><ul><li>FSCA &amp; PA (2024). Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements for Financial Institutions.</li><li>Republic of South Africa (2013). Protection of Personal Information Act (POPIA), Act No. 4 of 2013.</li><li>SARB (2024). Directive No. 01 of 2024: Cybersecurity and Cyber-Resilience within the National Payment System.</li><li>International Organization for Standardization (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection.</li></ul><p><br></p>]]></description>
      <pubDate>Fri, 20 Feb 2026 04:43:59 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/the-fsca-joint-standard-2-makes-every-tech-sme-a-regulated-entity</guid>
    </item>
    <item>
      <title>Multi-Dimensional Risk Intelligence is the New Executive Standard</title>
      <link>https://www.exponential.co.za/blog/multi-dimensional-risk-intelligence-is-the-new-executive-standard</link>
      <description><![CDATA[<p>In the South African boardroom, the language of risk is changing. Gone are the days when a simple "High-Medium-Low" heat map was sufficient to satisfy a Board of Directors or an ISO auditor. As we navigate the complexities of the POPI Act, evolving King IV expectations, and a string of high-profile local data breaches, senior executives are realizing that simplified risk scores often hide more than they reveal.</p><p>At Exponential IT Solutions, our GRC tool, Exponuity, solves a specific problem: the "Impact Blind Spot." To manage a modern enterprise, you must move beyond mono-dimensional scoring and embrace Multi-Faceted Impact Dimensions.</p><p><br></p><h4>The Danger of the "Single Score" Fallacy</h4><p>When a risk is assessed on a single scale, it forces a false equivalence between vastly different consequences. If a cyber-attack is rated as a "Level 4 Impact," does that mean it will cost R10 million, shut down production for a week, or land the Information Officer in legal hot water?</p><p>Without granularity, decision-makers cannot prioritise. A risk that is "High" financially but "Low" reputationally requires a different capital allocation than a risk that threatens your "Social License to Operate."</p><p><br></p><p><strong>Tailoring Dimensions to ISO Standards</strong></p><p>Different ISO certifications require different "lenses" of impact. 
A truly effective GRC system must pivot its evaluation criteria based on the domain:</p><ul><li>ISO 27001 (Information Security): Evaluates the CIA Triad—Confidentiality, Integrity, and Availability.</li><li>ISO 45001 (Health &amp; Safety): Focuses on the severity of physical harm and long-term occupational health.</li><li>ISO 22301 (Business Continuity): Centers on Recovery Time Objectives (RTO) and service availability.</li><li>ISO 14001 (Environmental): Measures ecological footprint and regulatory compliance.</li></ul><p><br></p><h4>Defining the Parameters: Moving from Subjective to Objective</h4><p>The most significant weakness in legacy GRC processes is subjectivity. One manager’s "Moderate" is another’s "Catastrophic." Exponuity eliminates this by allowing executives to configure specific, quantifiable parameters for each dimension.</p>
<ol>
<li><p>The Financial Dimension<br>Instead of "Major Loss," we define clear Rand-value thresholds.<br>Exponuity Parameter: <strong>Impact &gt; R5,000,000 or &gt; 2% of quarterly EBITDA.</strong></p></li>
<li><p>The Legal &amp; Regulatory Dimension<br>In South Africa, the Information Regulator has increased its enforcement posture, recently issuing multi-million Rand fines to major departments.<br>Exponuity Parameter: <strong>Administrative fine up to R10m per POPIA Section 109, or potential jail time for directors.</strong></p></li>
<li><p>The Reputational Dimension<br>Reputation in the age of social media is volatile.<br>Exponuity Parameter: <strong>Sustained negative sentiment on X (Twitter)/LinkedIn; mention in national press for &gt;3 days; loss of more than 5% of the customer base.</strong></p></li>
</ol><p><br></p><h4>The Breakthrough: Dimension-Level Control Application</h4><p>Perhaps the most powerful feature of Exponuity is the ability to apply controls to specific dimensions rather than the risk as a whole.</p><p>Most controls are specialists, not generalists. An insurance policy mitigates financial loss, but it doesn't stop your data from being leaked. A firewall protects confidentiality, but it doesn't help you with a Health and Safety audit.</p><p><strong>How Weighted Net Scoring Works</strong></p><p>Exponuity calculates a Net Residual Score by assessing how much a specific control reduces a specific dimension:</p><p></p><ol><li><strong>Assign Weights:</strong> You might decide that for a specific project, Reputational Impact is 60% of your concern, while Financial Impact is only 20%.</li><li><strong>Targeted Mitigation:</strong> You map "Control A" (e.g., Encryption) to the Confidentiality dimension. The system calculates a reduction for that dimension only.</li><li><strong>The Result:</strong> You get a mathematically defensible residual risk score that reflects the true state of your protection.</li></ol><p></p><p><br></p><h4>Case Study: The "Double-Edged" Breach</h4><p><strong>Scenario</strong></p><p>A large South African financial services provider suffers a breach of 100,000 customer records.</p><p><strong>The Traditional View</strong></p><p>The risk was marked "High." A "Cyber Policy" was listed as a control. The residual risk was lowered to "Medium." The Board felt safe.</p><p><strong>The Exponuity View (Multi-Dimensional)&nbsp;</strong></p><p>Exponuity broke the impact down into three dimensions:</p><p></p><ul><li>Financial Impact: R8m (Remediation + Fines).</li><li>Legal Impact: Violation of POPIA conditions.</li><li>Reputational Impact: High (Trust is the primary product).</li></ul><p></p><p>The Control Performance:</p><p></p><ul><li>Control A (Cyber Insurance): Reduced Financial Impact by 90%. 
Net Score: Low.</li><li>Control B (Encryption): Failed/Absent. Legal Impact remains Critical.</li><li>Control C (PR Firm on Retainer): Only partially reduces Reputational Impact. Net Score: High.</li></ul><p>Executive Outcome:</p><p>Because Exponuity applied the controls at the dimension level, it revealed a terrifying truth that the "Medium" score hid: The company was financially protected but legally and reputationally naked. This allowed the CEO to immediately authorise a budget for technical encryption controls, directly addressing the unmitigated legal exposure.</p><p><br></p><h4>Aligning with King IV and International Best Practice</h4><p>King IV emphasises "Integrated Thinking", the recognition that an organisation’s risks and opportunities are inseparable from its value creation. By using weighted dimensions, you aren't just checking a box; you are performing the high-level governance required of modern directors.</p><p>Furthermore, this level of detail is exactly what ISO auditors look for during a Stage 2 Audit. They want to see that your risk treatment plan is not an arbitrary list of actions, but a calculated response to specific impact vectors.</p><p><br></p><h4>Elevate Your Governance with Exponuity</h4><p>Risk is not a single number; it is a complex story with multiple chapters. If your GRC tool only lets you read one page at a time, you are missing the plot.</p><p>Exponential IT Solutions provides the tools and the expertise to transform your risk management from a passive reporting function into a proactive strategic advantage, at a price point suited to the South African market.</p><p><br></p><p><br></p>]]></description>
      <pubDate>Sun, 15 Feb 2026 14:13:37 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/multi-dimensional-risk-intelligence-is-the-new-executive-standard</guid>
    </item>
    <item>
      <title>The Exit Paradox: Why Profitable Businesses Fail to Sell</title>
      <link>https://www.exponential.co.za/blog/the-exit-paradox-why-profitable-businesses-fail-to-sell</link>
      <description><![CDATA[<p>For the small business owner, the transition from "Founder" to "Retiree" is often the most complex transaction of their career. You have spent decades building a brand, a client base, and a team. Yet, when it's time to put the business on the market, many owners are shocked to find that the "market value" is significantly lower than their internal valuation.</p><p>This discrepancy usually stems from a single, uncomfortable truth: If a business is entirely dependent on the owner’s intuition and presence, it isn't an asset, it’s a high-risk liability.</p><p>To secure a premium exit in the current economic climate, senior executives must move beyond mere profitability. They must prove <strong>Institutional Maturity</strong>.</p><p><br></p><h4>The Common Pitfalls of the Owner-Managed Exit</h4><p>Sophisticated buyers, whether they are local private equity firms or international trade players, look for "friction" during due diligence. In owner-managed firms, this friction usually appears in three areas:</p>
<ol>
<li>The "Tribal Knowledge" Trap
<p>In many successful firms, critical operational knowledge exists only in the "heads" of the owner or a few long-term employees. To a buyer, this is a massive risk. If those key individuals leave post-acquisition, the business's "secret sauce" goes with them. Without documented processes, the business is seen as fragile and unscalable.</p></li>
<li>The Informal Control Environment
<p>Many owners manage by "walking the floor" or through verbal instructions. While effective for a small team, it leaves no paper trail. A buyer cannot verify that risks are being managed, that quality is being maintained, or that legal obligations are being met if there is no evidence of a formal control framework.</p></li>
<li>Due Diligence Devaluation
<p>When a prospective buyer asks for a risk register or a compliance roadmap and the owner has to "get back to them" or start drafting documents from scratch, the valuation drops. This lack of readiness signals that the business is reactive rather than proactive, leading the buyer to bake a "risk discount" into their offer.</p></li>
</ol>


<p><br></p>

<h4>Strategy A: Making the Business "Investor-Ready"</h4>
<p>To make a business attractive, you must demonstrate that it can function, and thrive, without you. This requires a conceptual shift toward Systems-Based Management.</p>
<ul>
<li>Process Documentation as an Asset:
<p>Clearly mapped workflows and standard operating procedures (SOPs) act as the "instruction manual" for the buyer. It transforms the business into a turnkey operation where a new owner can step in with minimal disruption.</p></li>
<li>Evidence of Governance:
<p>Buyers value a business that has a "pulse." This means having established cycles for reviewing risks, updating policies, and checking compliance. It proves the business is governed by a system, not just a person.</p></li>
<li>Risk Mitigation Frameworks:
<p>By formalizing how the business identifies and handles threats, whether they are cybersecurity risks, supply chain disruptions, or regulatory changes, you provide the buyer with peace of mind.</p></li></ul>


<p><br></p><h4>Strategy B: Increasing the Valuation Multiple</h4><p>In valuation terms, your profit (EBITDA) is the base, but your <strong>Internal Controls</strong> determine the multiple.</p>

<table class="table table-bordered">
<thead class="thead-light">
<tr><th width="20%">Value Driver</th>
<th width="40%">The "Owner-Centric" Model</th>
<th width="40%">The "System-Centric" Model</th>
</tr></thead>
<tbody>

<tr>
<td>Operational Risk</td>
<td>High; dependent on founder's memory.</td>
<td>Low; governed by documented SOPs.</td>
</tr>

<tr>
<td>Compliance Certainty</td>
<td>Variable; "we've never had a problem."</td>
<td>High; evidenced by regular audits/reports.</td>
</tr>

<tr>
<td>Scalability</td>
<td>Limited; owner is the bottleneck.</td>
<td>High; processes are repeatable and exportable.</td>
</tr>

<tr>
<td>Buyer Confidence</td>
<td>Low; fears "hidden skeletons."</td>
<td>High; clear visibility into all business layers.</td>
</tr>

</tbody>
</table>





<p><br></p><p><strong>The Result: </strong>A business with a robust, documented GRC (Governance, Risk, and Compliance) framework can often command a multiple significantly higher than a "messy" competitor with the same revenue.</p><p><br></p><h4>Exponuity: The Bridge to a Successful Transition</h4><p>This is why we developed Exponuity. In the context of a business sale, Exponuity isn't just a software tool, it is a <strong>Value Preservation Engine</strong>. It provides the digital infrastructure to house the "DNA" of your company, making the transition seamless and the valuation defensible.</p><p><strong><em>For the Seller:</em></strong></p><ul><li><strong>Digital Due Diligence Room:</strong> Exponuity centralises your processes, controls, and compliance data. When a buyer asks for evidence of how you manage risk or quality, you aren't digging through emails, you are providing a professional, transparent dashboard.</li><li><strong>Building the Legacy:</strong> It allows you to download your years of experience into a structured system, ensuring your business survives your departure.</li></ul><p><strong><em>For the Buyer:</em></strong></p><ul><li><strong>Confidence and Clarity:</strong> The buyer isn't walking into a fog. They inherit a system that already has "guardrails" in place.</li><li><strong>Reduced Integration Time:</strong> Because the controls and processes are already documented and monitored within Exponuity, the new owner can focus on growth from day one, rather than trying to figure out how the business actually works.</li></ul><p><br></p><h4>Conclusion</h4><p>A successful exit is not just about the final handshake, it’s about what you leave behind. By formalizing your governance and documenting your excellence, you protect your legacy and maximize your reward.</p><p><br></p><p><br></p><p><br></p>]]></description>
      <pubDate>Mon, 09 Feb 2026 09:48:59 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/the-exit-paradox-why-profitable-businesses-fail-to-sell</guid>
    </item>
    <item>
      <title>Beyond “Nice to Have”: Opportunity Management in ISO 9001:2026</title>
      <link>https://www.exponential.co.za/blog/beyond-nice-to-have-opportunity-management-in-iso-9001-2026</link>
      <description><![CDATA[<p>With the Draft International Standard (DIS) for ISO 9001:2026 already in circulation and publication expected in late 2026, quality professionals are beginning to assess what this revision will mean for their Quality Management Systems (QMS). While ISO 9001:2015 introduced risk-based thinking as a foundational concept, the upcoming revision places noticeably greater emphasis on how organisations identify, act on, and evaluate opportunities, not merely as the inverse of risk, but as a discipline in its own right.</p><p>For many organisations, opportunity management has historically received far less attention than risk management. Risks were documented, analysed, mitigated, and audited. Opportunities were often noted briefly in management review minutes or captured informally without consistent follow-through. The 2026 revision challenges that imbalance.</p><p><br></p><h4>From Risk-Based Thinking to Opportunity-Based Thinking</h4><p>ISO 9001:2015 addressed risks and opportunities together under Clause 6.1, requiring organisations to determine and address both in order to give assurance that the QMS can achieve its intended results. In practice, this often resulted in a risk-dominant interpretation. Opportunities were framed as “the absence of a risk” rather than as positive drivers of improved performance.</p><p>Draft material for ISO 9001:2026 signals a clearer conceptual distinction. 
While risk and opportunity remain linked by uncertainty, the intent of the revision is to ensure that organisations give structured attention to favourable conditions and potential improvements, not only to threats.</p><p>For quality professionals, this represents an important shift from a primarily defensive posture to a more balanced, improvement-oriented approach consistent with the principles of continual improvement and evidence-based decision-making.</p><p><br></p><h4>Clarifying the Concepts</h4><p><strong><em>Risk</em></strong></p><p>Risk continues to be defined as the effect of uncertainty on expected results, with an emphasis on prevention, mitigation, and control of undesired outcomes.</p><p><strong><em>Opportunity</em></strong></p><p>Opportunities relate to circumstances that can lead to enhanced performance, improved customer satisfaction, increased efficiency, or strategic advantage. The intent is not speculative innovation, but deliberate, managed improvement aligned with organisational context and objectives.</p><p>This distinction matters because it affects how organisations plan, resource, implement, and evaluate actions within their QMS.</p><p><br></p><h4>What ISO 9001:2026 Is Likely to Expect</h4><p>ISO standards remain non-prescriptive by design. They do not mandate specific tools, models, or templates. However, quality professionals should expect auditors to look for a systematic and repeatable approach to opportunity management, analogous in rigour (though not identical) to risk management.</p><p>Based on the DIS direction and ISO’s established principles, the following elements are likely to be scrutinised:</p>
<ol>
<li>Structured Identification of Opportunities
<p>Organizations should be able to demonstrate that opportunities are identified intentionally, using inputs such as:</p>
<ul>
<li>analysis of internal and external context,</li>
<li>customer feedback and performance data,</li>
<li>technological developments,</li>
<li>process performance and nonconformity trends.</li>
</ul>
<br>
<p>The key audit question will be: How do you know these opportunities were identified systematically and not by chance?</p>
</li>

<li>Evaluation and Prioritisation
<p>While the standard does not prescribe scoring methods, organisations are expected to apply consistent criteria to decide which opportunities warrant action. Common approaches include assessing:</p>
<ul>
<li>potential benefit or value,</li>
<li>feasibility or resource demand,</li>
<li>alignment with strategic and quality objectives.</li>
</ul>
<br>
<p>What matters is not the model chosen, but the consistency and rationale behind decisions.</p>
</li>

<li>Planned Actions
<p>As with risks, opportunities must be addressed through planned actions. Quality professionals should ensure that actions are:</p>
<ul>
<li>defined,</li>
<li>assigned,</li>
<li>resourced,</li>
<li>integrated into existing processes rather than treated as side projects.</li>
</ul>
<br>
<p>Opportunities that remain perpetually “identified but not acted upon” are unlikely to withstand audit scrutiny.</p>
</li>

<li>Evaluation of Effectiveness
<p>A significant area of focus in ISO 9001:2026 is expected to be evidence that actions taken actually contributed to improved outcomes. This does not necessarily require financial ROI calculations, but organisations should be able to demonstrate:</p>
<ul>
<li>what success looked like,</li>
<li>how results were measured,</li>
<li>whether the intended benefit was realised.</li>
</ul>
<br>
<p>This aligns with ISO’s broader emphasis on performance evaluation and continual improvement.</p>
</li>
</ol>

<h4>Implications for QMS Design and Auditing</h4><p>For quality professionals, the practical implication is that opportunity management can no longer be treated as an informal extension of risk registers or management review discussions. It needs:</p><ul><li>clear ownership,</li><li>traceability from identification to outcome,</li><li>records sufficient to support audit conclusions.</li></ul><br><p>Internal audit programmes will also need to adapt, ensuring auditors are equipped to assess opportunity-related processes with the same objectivity applied to risks and controls.</p><p><br></p><h4>Supporting Opportunity Management with QMS Tools</h4><p>As opportunity management becomes more structured, many organisations are reassessing whether their existing QMS or GRC tools are adequate. Systems designed primarily for compliance tracking may struggle to provide traceability between opportunity identification, action planning, and outcome evaluation.</p><p>Tools that support:</p><ul><li>consistent assessment criteria,</li><li>versioned decision records,</li><li>integrated action tracking,</li><li>and historical evidence for audits,</li></ul><p>will be better positioned to support ISO 9001:2026 expectations, particularly in organisations with complex or rapidly changing contexts.</p><p><br></p><h4>Conclusion</h4><p>ISO 9001:2026 reinforces a message quality professionals have long understood: effective quality management is not only about preventing failure, but about enabling improvement. Opportunity management is no longer a peripheral concept, it is becoming a core mechanism through which organisations demonstrate maturity, adaptability, and strategic alignment of their QMS.</p><p>For quality professionals, the task now is to ensure that opportunity management is embedded with the same discipline, evidence, and intent that already characterise effective risk management, well before the first 2026 audits begin.</p>]]></description>
      <pubDate>Mon, 09 Feb 2026 07:38:03 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/beyond-nice-to-have-opportunity-management-in-iso-9001-2026</guid>
    </item>
    <item>
      <title>The SME Survival Guide: Turning GRC from a Burden into a Breakthrough</title>
      <link>https://www.exponential.co.za/blog/the-sme-survival-guide-turning-grc-from-a-burden-into-a-breakthrough</link>
      <description><![CDATA[<p>In South Africa, many owner-operators view Governance, Risk, and Compliance (GRC) as "red tape" meant for big corporates. But in 2026, the reality is stark: "winging it" is no longer a viable business strategy. GRC is actually the skeletal system that allows your business to grow without collapsing under its own weight.</p><p><br></p><h4>The Danger: Why "Business as Usual" is a Gamble</h4><p>Operating without a formal GRC program leaves you exposed to threats that can end an SME overnight:</p><p></p><ul><li><strong>The Regulatory Hammer:</strong> Under POPIA, a significant data leak isn't just a PR nightmare, it’s a legal catastrophe. The Information Regulator can impose fines up to R10 million or even imprisonment (POPI Act No. 4 of 2013).</li><li><strong>Operational Collapse:</strong> Without a Business Continuity Plan (ISO 22301), an SME is one ransomware attack or infrastructure failure away from permanent closure.</li><li><strong>The "Silent" Exit:</strong> If you ever plan to sell your business, the first thing a buyer does is "due diligence." If your compliance is a mess, your valuation plummets.</li></ul><p></p><p><br></p><h4>The Competitive Edge: GRC as Your Sales Engine</h4><p>The biggest shift in the modern economy is that compliance is now a prerequisite for commerce.</p><p></p><ol><li><strong>Skip the Queue:</strong> Large enterprises and government entities are de-risking their supply chains. If you hold ISO 27001 (Information Security) or ISO 9001 (Quality), you bypass many of the grueling "vendor questionnaires" that bog down your competitors.</li><li><strong>The Trust Dividend:</strong> In a market full of fly-by-nights, being an ISO-certified SME signals that you are a "grown-up" company. 
It builds immediate trust with high-value clients who prioritise reliability over the lowest price.</li><li><strong>ESG Advantage:</strong> With the rise of Environmental, Social, and Governance (ESG) reporting, having ISO 14001 (Environmental) or ISO 45001 (Safety) makes you a "safe" partner for corporates who need to prove their supply chain is ethical and green.</li></ol><p><br></p><h4>Efficient Implementation: Work Smarter</h4><p>You don’t need a massive legal team. Modern GRC is about integration, not duplication.</p><ul><li><strong>The "Map Once" Rule:</strong> Many ISO standards and other popular frameworks (e.g. CIS Controls, ITIL) overlap. If you secure your data for ISO 27001, you’ve already completed 60% of your POPIA requirements.</li><li><strong>Automate to Elevate:</strong> Managing this on spreadsheets is a recipe for failure. We developed Exponuity to give South African business owners a "single pane of glass" view. It aids evidence collection and alerts you to risks before they become crises.</li></ul><p><em><br></em></p><p><strong><em>References:</em></strong></p><ul><li><em>Protection of Personal Information Act (POPIA), Act 4 of 2013.</em></li><li><em>ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection.</em></li><li><em>Small Business Trends: Data Breach Survival Rates.</em></li></ul>]]></description>
      <pubDate>Sun, 01 Feb 2026 21:17:08 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/the-sme-survival-guide-turning-grc-from-a-burden-into-a-breakthrough</guid>
    </item>
    <item>
      <title>From Survival to Strategy: Why South African SMEs Need Integrated Risk Management</title>
      <link>https://www.exponential.co.za/blog/from-survival-to-strategy-why-south-african-smes-need-integrated-risk-management</link>
      <description><![CDATA[<p>For many South African Small and Medium Enterprises (SMEs), the business landscape often feels like an obstacle course. Between fluctuating exchange rates, infrastructure challenges like load shedding, and the ever-present pressure of regulatory compliance (such as POPIA), running a business here requires grit. In this environment, "risk management" often sounds like corporate jargon reserved for the JSE-listed giants, a luxury of time and paperwork that smaller teams simply cannot afford.</p><p>However, this perception is dangerous. For an SME, a single unmanaged risk, be it a cyber breach, a key supplier going under, or a regulatory fine, can be an existential threat. A competitive advantage lies in identifying these risks and actively monitoring the controls you put in place to stop them.</p><p><br></p><h4>The Two Pillars: Risk Management and Control Monitoring</h4><p>To understand the value, we must distinguish between the two concepts:</p><ul><li><strong>Risk Management</strong> is the map. It identifies where the potholes and cliffs are. It asks: “What could go wrong with our finances, operations, or data?”</li><li><strong>Control Monitoring</strong> is the dashboard. It checks if the safety measures you installed are actually working. It asks: “Is our backup generator serviced? Is our firewall updated? Are our staff actually following the new expense policy?”</li></ul><p>Implementing risk management without control monitoring is like buying an expensive alarm system but never checking if the battery is dead. You have the illusion of safety, but not the assurance.</p><p><br></p><h4>The Value Proposition for the South African SME</h4><p>When an SME combines these two disciplines, the shift from reactive fire-fighting to proactive strategy is profound.</p><ol><li><strong>Resilience in a Volatile Market</strong><br>South African markets are dynamic. 
By identifying risks early (e.g., supply chain disruptions due to logistics strikes), you can implement controls (e.g., dual suppliers). Monitoring these controls ensures that when the disruption hits, your "Plan B" is ready to launch immediately, not stuck in a dusty file.</li><li><strong>Unlocking Growth and Finance</strong><br>Banks, investors, and corporate partners are increasingly risk-averse. When an SME applies for funding or tenders, demonstrating a mature grasp of risk sets you apart. It signals to a bank that you are a "safe pair of hands." Showing that you not only know your risks but have active, monitored controls to mitigate them can be the deciding factor in securing a loan or a lucrative contract.</li><li><strong>Simplified Compliance</strong><br>With strict regulations like the Protection of Personal Information Act (POPIA) and FICA, compliance is non-negotiable. Control monitoring automates the evidence gathering. Instead of a frantic scramble before an audit, you have a continuous record showing that your data privacy controls were active and effective throughout the year.</li></ol><p><br></p><h4>Moving Beyond the Spreadsheet Trap</h4><p>The biggest hurdle for most SMEs is the "how". Traditionally, risk management lives in a chaotic web of Excel spreadsheets. These documents are rarely updated, easily corrupted, and almost impossible to report on. They are static documents trying to describe a dynamic business environment.</p><p>If you are relying on a spreadsheet to tell you if your critical business controls are failing, you will likely find out too late.</p><p><br></p><h4>Enter Exponuity: Governance Built for Growth</h4><p>This is where <a href="https://www.exponential.co.za/exponuity" target="_blank">Exponuity</a> changes the game for South African businesses. 
Designed to bridge the gap between complex enterprise requirements and SME agility,&nbsp;<a href="https://www.exponential.co.za/exponuity" target="_blank" style="color: rgba(139, 185, 254, 1); text-decoration-line: underline">Exponuity</a>&nbsp;moves your risk management out of dead spreadsheets and into a living, breathing ecosystem.</p><p><a href="https://www.exponential.co.za/exponuity" target="_blank" style="color: rgba(139, 185, 254, 1); text-decoration-line: underline">Exponuity</a>&nbsp;allows you to:</p><ul><li><strong>Centralize your Risk Register:</strong> Capture all your strategic and operational risks in one secure location.</li><li><strong>Link Controls to Risks:</strong> Clearly map which procedures prevent which disasters.</li><li><strong>Automate Monitoring:</strong> Set schedules to review controls. If a control fails or a check is missed, the system flags it immediately, before it becomes a crisis.</li></ul><p>For the South African business owner,&nbsp;<a href="https://www.exponential.co.za/exponuity" target="_blank" style="color: rgba(139, 185, 254, 1); text-decoration-line: underline">Exponuity</a>&nbsp;offers the clarity needed to navigate local challenges. It transforms risk from a "fear factor" into a strategic asset. By using&nbsp;<a href="https://www.exponential.co.za/exponuity" target="_blank" style="color: rgba(139, 185, 254, 1); text-decoration-line: underline">Exponuity</a>, you aren't just ticking boxes; you are building a resilient, investable, and compliant business ready to scale.</p><p><br></p><p>Don't wait for the next shock to test your resilience. Take control of your business's future today with&nbsp;<a href="https://www.exponential.co.za/exponuity" target="_blank" style="color: rgba(139, 185, 254, 1); text-decoration-line: underline">Exponuity</a>.&nbsp;</p>]]></description>
      <pubDate>Sun, 11 Jan 2026 15:30:17 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/from-survival-to-strategy-why-south-african-smes-need-integrated-risk-management</guid>
    </item>
    <item>
      <title>The Governance, Risk, and Compliance (GRC) Data Model: Building an Intelligent Compliance Framework</title>
      <link>https://www.exponential.co.za/blog/the-governance-risk-and-compliance-grc-data-model-building-an-intelligent-compliance-framework</link>
      <description><![CDATA[<p>In today's complex regulatory environment, organisations must navigate a web of policies, processes, risks, controls, and compliance requirements. Developing an effective data model to manage these elements requires understanding their fundamental relationships. This article explains these connections through simple analogies and demonstrates why mapping these relationships transforms compliance from a bureaucratic exercise into strategic intelligence.</p><p><br></p><h3>The Building Analogy: Understanding the Components</h3><p>Imagine constructing a secure, code-compliant building:</p><p>External Requirements (The Why)</p><ul><li>Legislation, Regulations &amp; Standards = Building Codes and Zoning Laws<br>External rules the organisation must follow</li></ul><p>Internal Response (The What and How)</p><ul><li>Policies = Architectural Blueprints<br>High-level statements of what the organisation will do to meet requirements</li><li>Processes = Step-by-Step Construction Plans<br>Detailed procedures implementing policies</li><li>Risks = Things That Could Go Wrong<br>Potential failures in processes or compliance gaps</li><li>Controls = Safety and Quality Checks<br>Specific safeguards preventing or detecting risks</li></ul><p><br></p><h3>The Relationship Chain: How Everything Connects</h3><p>The power of a GRC data model emerges from how these elements interrelate:</p><ol><li>Compliance Drives Policy: Legislation/Standards → are implemented by → Policies</li><li>Policy Guides Process: Policies → are executed through → Processes</li><li>Process Creates Risk: Processes → have/create → Risks</li><li>Risk Demands Control: Risks → are mitigated by → Controls</li><li>Control Validates Compliance: Controls → provide evidence for → Legislation/Standards</li></ol><p><br></p><h3>Practical Example: Payment Card Security</h3><ul><li>Standard: PCI DSS requires cardholder data protection</li><li>Policy: "All stored credit card numbers must be 
encrypted"</li><li>Process: "Card-on-File" storage in e-commerce system</li><li>Risk: Data breach from unencrypted storage</li><li>Control: Automated encryption software</li><li>Complete Loop: The control (encryption) provides evidence of PCI DSS compliance</li></ul><p><br></p><h3>Why These Relationships Matter: Five Strategic Benefits</h3><p>Understanding these relationships transforms disconnected documents into an intelligent management system.</p>

<table class="table table-bordered">
<thead class="thead-dark">
<tr>
<td width="25%"><strong>Benefit</strong></td>
<td width="25%"><strong>Without relationships</strong></td>
<td width="25%"><strong>With relationships</strong></td>
<td width="25%"><strong>Business impact</strong></td>
</tr>
</thead>
<tbody>
<tr>
<td>Efficient Compliance Demonstration</td>
<td>Manual document scrambling during audits</td>
<td>Instant traceability from regulation to control</td>
<td>Faster, cheaper audits with demonstrated control mastery</td>
</tr>
<tr>
<td>Intelligent Impact Analysis</td>
<td>No visibility into how regulatory changes affect operations</td>
<td>Immediate identification of affected policies, processes, and controls</td>
<td>Proactive response to regulatory changes with accurate cost/effort estimates</td>
</tr>
<tr>
<td>Risk-Based Resource Allocation</td>
<td>Equal treatment of all risks, regardless of importance</td>
<td>Clear visibility into which risks impact critical regulations and processes</td>
<td>Strategic investment in controls that matter most to business continuity and compliance</td>
</tr>
<tr>
<td>Root Cause Resolution</td>
<td>Symptom-focused responses to control failures</td>
<td>Ability to trace control failures back through risks to processes and policies</td>
<td>Systemic improvements that strengthen entire control environments</td>
</tr>
<tr>
<td>Operational Efficiency</td>
<td>Redundant controls across departments</td>
<td>Visibility into overlapping controls serving multiple requirements</td>
<td>Consolidated controls that reduce costs while maintaining compliance</td>
</tr>
</tbody>
</table>

<p><br></p><h3>Implementation Framework</h3><p>To build this intelligent system, structure your data model to capture:</p><ol><li>The Compliance Layer: External requirements with effective dates and jurisdictions</li><li>The Governance Layer: Policies mapped to specific requirements</li><li>The Operational Layer: Processes with risk assessments</li><li>The Control Layer: Preventative/detective controls with testing schedules</li><li>The Evidence Layer: Documentation proving control effectiveness</li></ol><p><br></p><h3>The Business Transformation</h3><p>A well-structured GRC data model creates a governance nervous system that provides:</p><ul><li>Strategic Clarity: Understanding what truly matters for compliance and risk management</li><li>Proactive Management: Anticipating problems before they occur</li><li>Cost Efficiency: Eliminating redundant efforts and focusing resources</li><li>Business Enablement: Supporting growth with proper risk oversight</li><li>Stakeholder Confidence: Demonstrating reliable compliance to regulators, investors, and customers</li></ul><p><br></p><h3>Conclusion</h3><p>The relationships between legislation, policies, processes, risks, and controls form the backbone of effective organisational governance. By modeling these connections intentionally, organisations transform compliance from a reactive cost center into a proactive strategic asset. This framework doesn't just organise information, it creates organisational intelligence, enabling businesses to navigate complexity with confidence while building resilience, trust, and sustainable value.&nbsp;</p><p>Exponuity adopts this framework and provides a ready-to-use capability to catalogue these relationships.</p>]]></description>
      <pubDate>Wed, 07 Jan 2026 06:44:00 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/the-governance-risk-and-compliance-grc-data-model-building-an-intelligent-compliance-framework</guid>
    </item>
    <item>
      <title>The Strategic Value of a Modern Business Impact Analysis (BIA)</title>
      <link>https://www.exponential.co.za/blog/the-strategic-value-of-a-modern-business-impact-analysis-bia</link>
      <description><![CDATA[<p>In today’s hyper-connected and constantly evolving risk landscape, effective Governance, Risk, and Compliance (GRC) relies on a clear understanding of operational vulnerabilities. The foundational practice for this understanding is the Business Impact Analysis (BIA). As the crucial first step in any robust Business Continuity Management System (BCMS), it is formally required by the global standard, ISO 22301. Often viewed simply as an exercise for BC planning, a well-executed, modern BIA is, in fact, a powerful strategic tool for enhancing organisational resilience and maximising stakeholder value.</p><p><br></p><h3>The Need for a Holistic View</h3><p>A common pitfall of traditional BIA methods is their narrow focus, often concentrating solely on direct financial loss. However, a significant disruption triggers a ripple effect that touches every part of the enterprise. True risk assessment requires a holistic, multi-dimensional view that moves beyond simple balance sheet figures. Best practices, such as those advocated by NIST (National Institute of Standards and Technology) guidelines, require assessing impact across multiple dimensions specifically including Reputation, Legal, and Operational factors to ensure systems are protected based on total business criticality.</p><p>Modern BIA practices, as demonstrated by leading GRC platforms, provide this crucial richer picture. By assessing impact across multiple configurable dimensions such as Financial, Legal and Compliance, and Reputation, organizations gain a comprehensive, weighted view of their exposure. 
For example, a system failure might have a moderate financial impact, but simultaneously pose a catastrophic risk to compliance due to regulatory reporting breaches, or trigger extensive negative media coverage that erodes market trust for years.</p><p><br></p><h3>The Power of Time-Based Granularity</h3><p>A critical element that separates strategic BIAs from mere compliance exercises is the assessment of impact over time. Severity is not static. It grows exponentially the longer a critical process remains disrupted.</p><p>A multi-dimensional, time-based matrix allows risk managers to quantify this escalation. For instance, a financial impact that is Negligible at the 5-day mark might surge to Moderate by the 10-day mark. Simultaneously, a legal risk that was initially Moderate could escalate to an Extensive threat involving license revocation or mandated legal action if the disruption continues past a critical threshold. By weighting these factors, an aggregate impact score is calculated at various time intervals, providing an objective, quantifiable measure of mounting risk.</p><p><br></p><h3>From Analysis to Actionable Strategy</h3><p>The ultimate business value of the BIA lies in its output: the derivation of essential recovery metrics that dictate resource allocation and strategic planning. The calculated aggregate impact score directly informs three vital metrics as defined by international standards like ISO 22301:</p><ul><li>Maximum Tolerable Period of Disruption (MTPD): This establishes the absolute limit an organisation can endure an outage before the total impact becomes Catastrophic (e.g., 10 days). It is the line that must not be crossed.</li><li>Recovery Time Objective (RTO): This is the targeted time for resuming operations (e.g., 5 days). 
The RTO is strategically set before the MTPD to ensure a buffer for recovery, testing, and unforeseen complications.</li><li>Recovery Point Objective (RPO): This defines the maximum acceptable age of data loss that an organisation can sustain. It drives the design and frequency of backup and data replication strategies.</li></ul><p>By linking RTO and MTPD directly to the multi-dimensional impact score, organisations ensure that recovery efforts are prioritised based on factual, aggregated business criticality, rather than guesswork or historical bias. Processes contributing to a high aggregate score (e.g., those impacting Legal or Reputation most severely) are guaranteed to receive the fastest RTOs and most robust recovery solutions.</p><p><br></p><h3>Conclusion</h3><p>Conducting a comprehensive BIA is far more than a task for the Business Continuity team. It is an intelligent component of a sound GRC strategy. By adopting a multi-dimensional, time-based approach, organisations move beyond simple risk identification to proactive resilience engineering. This strategic clarity allows for optimal resource allocation, focused investment in critical process recovery, and the preservation of financial health, legal standing, and invaluable brand reputation. The BIA is the essential compass that guides the enterprise toward sustained operational continuity and strategic success.</p>]]></description>
      <pubDate>Tue, 06 Jan 2026 13:13:02 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/the-strategic-value-of-a-modern-business-impact-analysis-bia</guid>
    </item>
    <item>
      <title>Escaping the Audit Trap: Why Your Business Needs a "Golden Record" for Compliance</title>
      <link>https://www.exponential.co.za/blog/escaping-the-audit-trap-why-your-business-needs-a-golden-record-for-compliance</link>
      <description><![CDATA[<p>For many South African organizations, the compliance landscape has shifted from a simple checklist to a complex web of obligations. A modern Information Officer or CISO is no longer just looking at one standard; they are juggling the Protection of Personal Information Act (POPIA), potentially the GDPR if they deal with Europe, King IV™ governance principles, and rigorous international standards like ISO 27001.</p><p>The default reaction for many businesses is to treat each of these as a separate project. You create a POPIA project, an ISO project, and a cyber-insurance checklist. The result is silos of compliance.</p><p>This siloed approach leads to "Audit Fatigue." Your IT team ends up answering the same questions three different times, in three different formats, for three different auditors. You might have one policy for "Data Privacy" to satisfy the Regulator and a separate, slightly different policy for "Information Security" to satisfy an ISO auditor. This isn't just inefficient; it creates operational risk. When policies overlap but don't align, gaps appear.</p><p><br></p><h3>The Solution: The "Golden Control"</h3><p>The most mature GRC (Governance, Risk, and Compliance) strategies move away from chasing regulations and start focusing on controls. 
The methodology is often called the "Golden Record" or the "High Water Mark" approach.</p><p>Instead of writing a control for every regulation, you write one internal control that satisfies the strictest requirement across all your obligations.</p><p><br></p><h3>A Practical Example: The Password Dilemma</h3><p>Imagine you are subject to three different requirements regarding user access:</p><ul><li>A Privacy Regulation: POPIA Section 19 requires "appropriate, reasonable technical measures" to prevent unlawful access [1].</li><li>An Industry Standard: The Payment Card Industry Data Security Standard (PCI DSS) explicitly requires passwords to be changed every 90 days [2].</li><li>A Cybersecurity Framework: ISO 27001 (Control A.5.17) requires strict management of authentication information [3].</li></ul><p>If you treat these separately, you have three moving parts. In the Golden Control approach, you synthesize them into one internal standard:</p><blockquote>“Passwords must be 12 characters, alphanumeric, and changed every 90 days.”</blockquote><p>By implementing this single "Golden Control", you automatically satisfy the Privacy Regulation's demand for "reasonable measures," the PCI DSS specific timeframe, and the ISO framework simultaneously.</p><p><br></p><h3>The Role of Technology</h3><p>This is where spreadsheets fail. Managing a many-to-many relationship between hundreds of regulations and internal controls in Excel is a recipe for version-control disaster.</p><p>A specialized software tool, like Exponuity, transforms this theoretical mapping into a dynamic engine. It allows an organization to:</p><ul><li>Ingest the relevant laws and standards.</li><li>Map them to a central repository of internal controls.</li><li>Test Once, Report Many.</li></ul><p></p><div class="col-lg-12"> <img src="/media/Images/expo_control_mapping.png?width=600"></div><br><p></p><p>This is the ultimate efficiency gain. 
When you audit your "Golden Control" for passwords and gather the evidence (e.g., a screenshot of your Active Directory settings), the software automatically tags that evidence against POPIA, ISO 27001, and King IV. You effectively kill three birds with one stone.</p><p><br></p><h3>Conclusion</h3><p>Compliance shouldn't be about generating paperwork; it should be about generating trust. By consolidating your efforts into a unified framework, you reduce the burden on your team, cut the cost of external audits, and move from reactive checkbox-ticking to proactive risk management.</p><p><br></p><h3>References:</h3><ol><li>Protection of Personal Information Act 4 of 2013, Section 19 (Security measures on integrity and confidentiality of personal information).</li><li>Payment Card Industry Data Security Standard (PCI DSS) v4.0, Requirement 8.3.</li><li>ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Annex A Control 5.17 (Authentication information).</li><li>King IV Report on Corporate Governance™ for South Africa, 2016, Principle 12 (Technology and Information).</li></ol>]]></description>
      <pubDate>Fri, 05 Dec 2025 09:22:08 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/escaping-the-audit-trap-why-your-business-needs-a-golden-record-for-compliance</guid>
    </item>
    <item>
      <title>Implementing a Software Asset Management (SAM) Register</title>
      <link>https://www.exponential.co.za/blog/implementing-a-software-asset-management-sam-register</link>
      <description><![CDATA[<p>In today’s increasingly digital business environment, software is one of the most critical assets within any organisation. However, without proper control and oversight, unmanaged software can introduce significant financial, operational, and information security risks. Establishing a Software Asset Management (SAM) Register provides a structured and compliant approach to managing software throughout its lifecycle — from procurement to retirement — ensuring alignment with governance, risk, and information security objectives.</p><p><br></p><h3>1. Context and Rationale</h3><p>Modern organisations depend on a diverse portfolio of software applications for daily operations. These may include licensed business tools, open-source programs, and cloud-based services. Without a formal SAM process, the business risks losing visibility over what software is installed, who is using it, and whether it complies with licensing and security requirements. This lack of control exposes the organisation to potential license non-compliance fines, data breaches, and malware infections introduced through unapproved or pirated software.</p><p>From an information security perspective, unapproved software can bypass established security controls, operate without patch management, and create exploitable vulnerabilities. For example, applications downloaded outside of IT governance may contain malicious code or fail to receive critical updates. Under ISO/IEC 27001 (Information Security Management Systems), clauses A.8.1 (Asset Management) and A.12.6 (Technical Vulnerability Management) require that organisations identify and manage information assets, including software, to mitigate such risks.</p><p><br></p><h3>2. 
Business Objectives</h3><p>The primary objectives of implementing a SAM register are:</p><p></p><ul><li>Visibility and Control: Maintain a complete and accurate inventory of all software assets across the organisation.</li><li>Compliance Assurance: Ensure that all installed software is properly licensed, authorised, and aligned with vendor agreements and regulatory obligations.</li><li>Information Security: Prevent the installation and use of unverified or insecure software that could compromise systems or data.</li><li>Cost Optimisation: Identify unused or redundant software to reduce unnecessary licensing and maintenance costs.</li><li>Governance and Accountability: Establish a formal approval process for software requests, reviews, and renewals.</li></ul><p></p><p><br></p><h3>3. Roles and Responsibilities</h3><p>The key roles and responsibilities:</p><p></p><ul><li><strong>IT Management:</strong> Maintain and update the SAM register, oversee software deployment, and ensure compliance with licensing and security policies.</li><li><strong>Information Security Officer:</strong> Review new software for security risks, ensure adherence to security standards, and integrate findings into the organisation’s risk register.</li><li><strong>Department / Business Unit Managers:</strong> Approve software requests within their business areas and ensure staff use only authorised applications.</li><li><strong>End Users:</strong> Comply with the approved software list and report any unauthorised installations or updates.</li></ul><p></p><p><br></p><h3>4. Benefits and Justification</h3><p>A robust SAM register supports the organisation’s governance, risk, and compliance (GRC) framework by creating transparency and control over software assets. It enables regular security reviews of new and existing applications, reducing the likelihood of vulnerabilities and data leakage. 
Financially, it helps optimise software spend through license reallocation and the elimination of redundant tools. Operationally, it improves productivity by standardising software and ensuring compatibility across systems.</p><p>Moreover, implementing a SAM register strengthens compliance with ISO 27001 information security requirements and ISO 9001 quality management principles, particularly regarding continuous improvement and control of operational processes. It also supports audit readiness by providing clear evidence of software ownership, approval, and review.</p><p><br></p><h3>5. Conclusion</h3><p>A Software Asset Management Register is not merely an administrative tool—it is a critical control mechanism for protecting information assets, reducing costs, and maintaining compliance. By implementing a centralised, reviewed, and approved software register, the organisation demonstrates due diligence in managing its digital ecosystem, aligning technology use with its broader security and governance commitments.</p><p><br></p><p><br></p>
<div class="jumbotron">Exponuity provides a Software Asset Management (SAM) register with capabilities to record licencing details, renewals, versions, vendor support and maintenance timelines, installed asset(s), review and status, etc.</div>]]></description>
      <pubDate>Fri, 05 Dec 2025 09:30:21 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/implementing-a-software-asset-management-sam-register</guid>
    </item>
    <item>
      <title>The Case for Software Assisted Compliance</title>
      <link>https://www.exponential.co.za/blog/the-case-for-software-assisted-compliance</link>
      <description><![CDATA[<h3>Compliance Statistics and Key Non-Compliance Areas</h3><p>Non-compliance is widespread in several fundamental areas of corporate governance and regulation.</p><ul><li><strong>Corporate Governance (CIPC):</strong> A striking statistic highlights the challenge: 72% of the 3.1 million companies in South Africa reportedly fail to submit annual returns to the Companies and Intellectual Property Commission (CIPC) (Source: CIPC Annual Report, as cited by InfoDocs). This failure can lead to severe penalties, including de-registration, as seen when the CIPC recently de-registered over 640,000 companies.</li><li><strong>Data Protection (POPIA):</strong> Compliance with the Protection of Personal Information Act (POPIA) remains a major challenge. Common non-compliance pitfalls include an over-reliance on technology without adequate organisational measures and employee training, leading to employee error as a key cause of data breaches (Source: Bowmans Law). Another misconception is that consent is the only or primary legal basis for processing data.</li><li><strong>Financial and Anti-Money Laundering (AML):</strong> The Financial Sector Conduct Authority (FSCA) is aggressively increasing enforcement. In the 2023/24 financial year, the FSCA imposed nearly R943 million in administrative penalties for non-compliance, a dramatic increase from approximately R100 million the previous year (Source: Duja Consulting). The Financial Intelligence Centre (FIC) also imposes substantial fines, up to R50 million for legal persons, for non-compliance with the Financial Intelligence Centre Act (FICA) (Source: FIC).</li><li><strong>Health and Safety, Labour, and Tax:</strong> Compliance with the Occupational Health and Safety Act (OHSA) and strict labour laws are continuous requirements, especially in high-risk sectors like mining and construction (Source: Duja Consulting). 
For smaller businesses, tax compliance costs are often found to be regressive, meaning the burden is disproportionately heavier for them (Source: University of Pretoria).</li></ul><p>The state of compliance among South African companies is complex, characterized by a challenging regulatory landscape and a high incidence of non-compliance, particularly among small to medium-sized enterprises (SMEs). Regulatory bodies are increasing enforcement, making the cost of non-compliance a significantly greater risk than the cost of maintaining compliance.</p><p><br></p><h3>The High Cost of Non-Compliance</h3><p>The financial and non-financial consequences of non-compliance far exceed the initial costs of being compliant. Globally, the cost of non-compliance is, on average, 2.7 times higher than the cost of maintaining compliance (Source: Ponemon Institute, as cited by Duja Consulting).</p><p><br></p>
<table class="table table-bordered" width="100%">
<tbody>
<tr class="bordered-silver">
<th width="50%">Type of Cost</th>
<th width="50%">Examples and Consequences</th>
</tr>
<tr>
<td>Direct Financial Penalties</td>
<td>POPIA: Administrative fines can reach up to R10 million (Section 109). The Information Regulator recently imposed a R5 million fine for non-compliance with an enforcement notice (Source: Legalese, PH Attorneys).<br>
FSCA/FIC: Fines can reach R50 million for legal persons (Source: FIC).<br>
SARS: Imposes various fixed and percentage-based tax penalties.</td>
</tr>
<tr>
<td>Indirect &amp; Operational Costs</td>
<td>Reputational Damage (leading to lost customer trust and business),<br>Protracted Negotiations with regulators,
Legal Fees and costs for corrective action plans, Operational Disruption, and
Loss of business lines
(Source: Duja Consulting).
</td>
</tr>
<tr>
<td>Personal &amp; Criminal Liability</td>
<td>Directors can face personal liability and criminal charges for serious breaches, such as certain POPIA offences that carry a penalty of up to 10 years imprisonment (Source: Legalese).
Failure to file CIPC returns can lead to de-registration and the withdrawal of the company's legal personality.
</td>
</tr>
</tbody>
</table>
<br>
<p><br></p><h3>Role of Software in Assisting Compliance</h3><p>Software tools, often referred to as Governance, Risk, and Compliance (GRC) solutions, such as Exponuity, offer crucial assistance, especially to SMEs burdened by resource constraints and regulatory complexity.</p><ul><li>Automation and Alerts: Software can automate the tracking of deadlines and regulatory changes (e.g., CIPC annual returns, tax submissions), sending proactive alerts to management.</li><li>Centralised Documentation: It provides a central, auditable repository for all compliance documents (e.g., POPIA compliance frameworks, Health and Safety plans), making audits faster and easier.</li><li>Simplified Filings: Tools specifically designed for South African regulations can simplify complex processes, such as CIPC filings, making compliance more accessible and affordable for smaller entities (Source: InfoDocs).</li><li>Mitigating Human Error: By standardising processes and providing templates, software helps reduce the risk of non-compliance stemming from employee oversight or error, a major factor in data breaches.</li></ul><p><br></p><h3>Sources</h3>
<ul>
<li><a href="https://support.infodocs.co.za/en/article/startup-removes-complexity-to-counter-non-compliance-by-72-of-sas-small-businesses-ul8826/" target="_blank">Startup removes complexity to counter non-compliance by 72% of SA's small businesses (InfoDocs Blog)</a></li>
<li><a href="https://cbn.co.za/industry-news/digital-transformation-information-technology-news/startup-removes-complexity-to-counter-non-compliance-by-72-of-sas-small-businesses/" target="_blank">Startup removes complexity to counter non-compliance by 72% of SA's small businesses (CBN)</a></li>
<li><a href="https://accountingacademy.co.za/news/read/cipc-list-of-companies-and-ccs-not-compliant-with-bo-filing" target="_blank">CIPC: List of Companies and CCs not compliant with BO filing (SA Accounting Academy)</a></li>
<li><a href="https://www.cipc.co.za/?p=19831" target="_blank">Compliance checklist report - CIPC</a></li>
<li><a href="https://www.saipa.co.za/wp-content/uploads/2020/02/CIPC-Compliance-Checklist-Webinar-Slides.pdf" target="_blank">CIPC Compliance Checklist (SAIPA PDF Slides)</a></li>
<li><a href="https://www.cipc.co.za/wp-content/uploads/2025/02/CIPC-Report-10-year-corporate-enforcement-review-Nov-2024-edit.pdf" target="_blank">A decade of corporate regulatory compliance monitoring and enforcement actions by the companies and intellectual property commission - CIPC (Report PDF)</a></li>
<li><a href="https://www.sslr.co.za/the-ultimate-compliance-checklist-for-south-african-businesses/" target="_blank">The Ultimate Compliance Checklist for South African Businesses (SSLR Inc.)</a></li><li><a href="https://www.structcapital.co.za/2025/04/14/the-rising-cost-of-non-compliance-why-smes-need-to-pay-attention/" target="_blank">The Rising Cost of Non-Compliance: Why SMEs Need to Pay Attention (Struct Capital)</a></li>
<li><a href="https://cfo.co.za/press-releases/press-release-tech-startup-infodocs-automates-statutory-compliance/" target="_blank">Press release: Tech startup InfoDocs automates statutory compliance (CFO South Africa)</a></li></ul>

]]></description>
      <pubDate>Fri, 05 Dec 2025 04:55:41 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/the-case-for-software-assisted-compliance</guid>
    </item>
    <item>
      <title>The Case for Maintaining a Risk Register in Your Business</title>
      <link>https://www.exponential.co.za/blog/the-case-for-maintaining-a-risk-register-in-your-business</link>
      <description><![CDATA[<p> <img src="/media/Images/expo_dashboard.png">In today’s complex and uncertain operating environment, maintaining a risk register is an essential part of effective risk management and good corporate governance. A risk register is a structured document or database that records identified risks, their potential impacts, likelihood, mitigation measures, and responsible parties. It provides a central mechanism for tracking and managing risks across the organisation, ensuring that no significant threats go unnoticed or unmanaged.</p><p><br></p><h3>Purpose of a Risk Register</h3><p>The main purpose of a risk register is to establish a systematic process for identifying, assessing, and mitigating risks. Risks may arise from various domains — operational, financial, compliance, technological, or strategic. By capturing these risks in a single register, management can monitor their evolution and ensure timely mitigation.</p><p>A risk register also supports corporate accountability by documenting actions taken to manage risk. In the event of an audit, inspection, or incident, the register provides evidence that the organisation has acted with due care and diligence, consistent with governance frameworks such as the King IV Report on Corporate Governance (2016).</p><p><br></p><h3>Benefits of Maintaining a Risk Register</h3><h4>Informed Decision-Making</h4><p>A risk register provides management with a comprehensive overview of potential threats and opportunities. By quantifying and prioritising risks, leaders can make data-driven decisions about resource allocation and strategic planning (Institute of Risk Management, 2023).</p><p><br></p><h4>Compliance and Legal Protection</h4><p>In South Africa, the Companies Act 71 of 2008 requires directors to exercise reasonable care, skill, and diligence — which includes the identification and management of material risks. 
The King IV Report further mandates integrated risk management as part of sound governance (IoDSA, 2016). Sector-specific laws such as the Protection of Personal Information Act (POPIA), Occupational Health and Safety Act (OHSA), and Financial Intelligence Centre Act (FICA) impose additional compliance requirements. A risk register ensures these obligations are tracked and met, reducing exposure to penalties.</p><p><br></p><h4>Business Continuity and Resilience</h4><p>Maintaining a risk register enhances preparedness for disruptions. For instance, risks such as cyberattacks, load shedding, or supply chain breakdowns can be identified, monitored, and linked to specific contingency plans. This is in line with the ISO 31000:2018 Risk Management standard, which promotes a proactive and integrated approach to risk management.</p><p><br></p><h4>Accountability and Transparency</h4><p>By assigning ownership for each risk, a register ensures accountability and fosters a risk-aware culture. Transparency also improves stakeholder confidence, demonstrating that management takes a structured and responsible approach to uncertainty.</p><p><br></p><h3>Cost of Non-Compliance</h3><p>Businesses that fail to maintain a risk register expose themselves to significant costs. Non-compliance with POPIA can lead to fines of up to R10 million or imprisonment (Information Regulator, 2023). Breaches of health and safety regulations under OHSA can result in criminal prosecution, business closure, or reputational damage. Beyond financial penalties, unmanaged risks can erode trust and threaten organisational sustainability.</p><p><br></p>
<h3>Leveraging Technology</h3><p>Modern risk management software, such as Exponuity, simplifies the process of maintaining a live risk register. These tools provide real-time updates, automated notifications, trend analysis, and dashboards for executive reporting. Integration with compliance and performance systems creates a single source of truth, improving accuracy and operational efficiency.</p><br><p> <img src="/media/Images/expo_dashboard2.png?width=600"><br></p><p><br></p><h3>Conclusion</h3><p>Maintaining a risk register is not merely a compliance exercise — it is a strategic necessity. It promotes foresight, accountability, and resilience, ensuring that the organisation can withstand challenges and seize opportunities confidently. In a landscape of evolving risks and regulations, a well-managed risk register remains a cornerstone of sustainable and responsible business management.</p><p><br></p><h3>References</h3><ul><li>Institute of Directors in Southern Africa (IoDSA). (2016). King IV Report on Corporate Governance for South Africa 2016.</li><li>Government of South Africa. (2008). Companies Act No. 71 of 2008.</li><li>ISO. (2018). ISO 31000:2018 – Risk Management: Guidelines.</li><li>Information Regulator South Africa. (2023). Protection of Personal Information Act (POPIA) Compliance Guidelines.</li><li>Institute of Risk Management (IRM). (2023). Fundamentals of Risk Management.</li></ul>]]></description>
      <pubDate>Fri, 05 Dec 2025 06:56:43 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/the-case-for-maintaining-a-risk-register-in-your-business</guid>
    </item>
    <item>
      <title>Executive Brief: Compliance in South African Companies (2025)</title>
      <link>https://www.exponential.co.za/blog/executive-brief-compliance-in-south-african-companies-2025</link>
      <description><![CDATA[<h3>The Compliance Landscape</h3><p>South African companies operate in a highly regulated environment shaped by a mix of statutory, sectoral, and governance frameworks. These include the Protection of Personal Information Act (POPIA), the Occupational Health and Safety Act (OHSA), Companies Act, Financial Intelligence Centre Act (FICA), Basic Conditions of Employment Act, and B-BBEE legislation.</p><p>A 2024 Deloitte Africa survey found that 83% of South African executives view regulatory compliance as one of their top three risks, while 57% admit their organisations lack full visibility over compliance obligations. The Information Regulator received 982 POPIA complaints in 2023/24, a sharp increase from previous years, illustrating heightened enforcement and public awareness (Information Regulator Annual Report, 2024).</p><p>Common areas of non-compliance include:</p><ul><li>Data privacy breaches (failure to secure or lawfully process data)</li><li>Health &amp; Safety lapses (non-compliance with workplace safety standards)</li><li>Late statutory filings and reporting gaps (CIPC, SARS, Labour Department)</li><li>Weak governance documentation (policies, audit trails, evidence of controls)</li></ul><p><br></p><h3>The Cost of Non-Compliance</h3><p>Non-compliance carries severe financial, legal, and reputational risks.</p><ul><li><strong>POPIA penalties:</strong> Up to R10 million per incident, plus potential criminal prosecution.</li><li><strong>Data breach cost:</strong> IBM’s 2024 Cost of a Data Breach Report estimates the average cost per breach in South Africa at R53 million (≈US$2.8 million).</li><li><strong>Health and safety fines:</strong> OHSA enforcement actions can exceed R5 million, excluding downtime and injury compensation.</li><li><strong>Reputational loss:</strong> PwC’s Global Economic Crime and Fraud Survey notes that 42% of South African companies experienced regulatory or compliance-related fraud losses in the past 24 
months.</li></ul><p>Beyond direct costs, companies suffer operational disruption, investor distrust, and loss of B-BBEE credibility, which can jeopardize contracts and financing opportunities.</p><p><br></p><h3>Root Causes of Compliance Gaps</h3><ul><li>Fragmented data and manual tracking using spreadsheets</li><li>Limited understanding of overlapping regulations</li><li>Poor internal communication between departments (Legal, HR, IT, Operations)</li><li>Reactive, audit-based approach rather than continuous monitoring</li><li>Insufficient leadership oversight and reporting mechanisms</li></ul><p><br></p><h3>The Case for Compliance Management Software</h3><p>Modern compliance management platforms like Exponuity address these challenges by creating a “single source of truth” across all obligations.</p><p>Key features and benefits include:</p><ul><li>Centralised compliance registers: Map obligations from POPIA, OHSA, FICA, and others to responsible owners and deadlines.</li><li>Automated task workflows: Ensure follow-ups, reminders, and escalation paths for overdue actions.</li><li>Evidence and audit trail capture: Maintain proof of compliance for regulators and auditors.</li><li>Incident and breach management: Log, classify, and report incidents with integrated templates for regulators.</li><li>Real-time dashboards: Provide leadership visibility into compliance posture and emerging risks.</li><li>Integration with HR, IT, and finance systems: Automatically update compliance requirements when policies or personnel change.</li></ul><p>By digitising compliance, organisations reduce administrative costs by up to 40%, cut reporting time by 60%, and lower the likelihood of regulatory penalties by up to 70% (based on Deloitte RegTech Impact Study, 2023).</p><p><br></p><h3>Conclusion</h3><p>Compliance in South Africa is both a legal necessity and a strategic differentiator. 
As enforcement tightens, companies that invest in automated, transparent compliance systems will not only avoid costly penalties but also build stronger governance, stakeholder trust, and operational resilience.</p><p><br></p><h3>References</h3><ol><li>Deloitte Africa. Africa Risk Report 2024.</li><li>Information Regulator South Africa. Annual Report 2023/24.</li><li>IBM. Cost of a Data Breach Report 2024.</li><li>PwC. Global Economic Crime and Fraud Survey: South Africa, 2024.</li><li>Department of Employment and Labour. Occupational Health and Safety Compliance Report 2023.</li><li>Deloitte. RegTech Impact Study 2023.</li><li>POPIA Enforcement Guidelines (Information Regulator SA, 2023).</li></ol>]]></description>
      <pubDate>Thu, 04 Dec 2025 20:26:51 GMT</pubDate>
      <guid isPermaLink="true">https://www.exponential.co.za/blog/executive-brief-compliance-in-south-african-companies-2025</guid>
    </item>
  </channel>
</rss>