Court underlines risk management threats
Source: itweb.co.za
Internet attorney Reinhardt Buys says a recent court judgment underlines the importance of IT risk management in companies.
Buys says that notwithstanding the requirements of the King II report, a recent court case concluded that a person may be held liable for damages or losses that resulted from a so-called "negligent omission" - the failure and/or refusal to do something when reasonably required to do so.
He says the risk management duty was established by the Supreme Court in the judgment of Minister of Safety and Security v Van Duivenboden [2002] 3 All SA 741 (SCA).
In the judgment, Judge Nugent stated: "A negligent omission is unlawful only if it occurs in circumstances that the law regards as sufficient to give rise to a legal duty to avoid negligently causing harm. It is important to keep that concept quite separate from the concept of fault."
Buys says: "In practical terms, this judgment implies that a company may be held liable for the damages caused by a certain risk, for example a virus that infected the company's network, if a reasonable person would have foreseen the risk and would have acted to prevent the risk or at least limit its consequences.
"Virus infections and hack attacks on corporate networks are in the press on a daily basis. No company or company director can claim they did not know about or foresee such risks. The total effect of the Van Duivenboden judgment and the risk management guidelines of the King II report is that company directors, including non-executive directors, should identify potential risks and take all reasonable steps to avoid the risk or limit its consequences."
