As Singapore slowly moves into a new phase of COVID-19, from pandemic to endemic, ensuring operational resilience and business continuity remains at the forefront of many boardroom discussions. Successful digitalisation initiatives have allowed businesses to retain connectivity and improve efficiency and collaboration, especially as hybrid work models become more popular.
Business leaders in Singapore are aware of this; a survey by CPA Australia found that companies in Singapore were more likely to adopt technologies and build a long-term technology strategy compared to other countries in the region. Of the survey’s respondents, 83% reported that the key driver for adopting technologies is improving operational efficiency.
However, with the influx of new technology, leaders are facing another challenge in managing their organisations’ compliance. Thomson Reuters’ Cost of Compliance 2021 survey revealed that the biggest challenge organisations are facing is the increasing volume of regulatory change. Of the surveyed compliance officers, 78% expect the amount of regulatory information to grow. Depending on the nature of a business, keeping abreast of regulations can be quite challenging. As compliance requirements evolve, so should an organisation’s compliance strategy.
The evolving regulatory landscape
Over the past three years, Southeast Asia has witnessed accelerated change in its regulatory landscape. The widespread adoption of the GDPR is a testament to this. The GDPR has influenced the development of a bevy of new laws throughout Southeast Asia, drastically altering its data privacy landscape. In fact, between 2010 and 2020, 13 jurisdictions in Asia enacted new data privacy laws.
To cite a few, there was:
- Malaysia’s Personal Data Protection Act 2010;
- Singapore’s Personal Data Protection Act 2012;
- The Philippines’ Data Privacy Act of 2012;
- Thailand’s Personal Data Protection Act 2019; and
- China’s Personal Information Protection Law 2021.
The staggered adoption of these policies has created a ripple effect of concerns among businesses that operate across borders. Simply put, tracking the various regulatory changes is a monumental task, and leaders are increasingly aware of the need to overcome this management concern.
Concerns plaguing the boardroom
The most obvious of these concerns lies in the sheer volume of regulatory changes and the subtle differences of regulations across the region. Certain countries have to abide by different rules when it comes to the matter of data transfer between countries.
Besides that, the interpretation and implementation of these laws are not standard across every agency, leading to a great deal of confusion. International conflicts also pose concerns as geopolitical strife results in unexpected obstacles.
Establishing transparency and accountability
The uptake of BYOD policies, hybrid work environments, and shadow IT practices has caused organisations to operate with a blend of legacy and next-generation systems. Based on this, having a holistic view of the organisation’s systems and processes is vital to understanding and assessing what data is being collected and for what purposes.
Global standards, such as the GDPR, PCI DSS, and ISO/IEC 27001, already require organisations to maintain reports of their internal processes. Without having a clear view of the ongoing processes related to network and system security mechanisms, information security policies, and identity management systems, the risks to a business and its consumers are severely heightened. Thus, to ensure an organisation is complying with such standards, leaders must monitor critical assets, such as employee data, financial transactions, and network logs. Companies should ensure that all third-party affiliates comply with these standards as well.
Achieving and maintaining compliance with regulations
The rapid pace of change in regulations that organisations face is staggering. It is likely this trend will not abate. To overcome any challenges, it is wise to build a compliance plan. However, leaders must understand that there is no one-size-fits-all approach to achieving and maintaining compliance with regulations. The key is to understand the organisation’s unique requirements, then adopt the most applicable framework to standardise the process.
Among other approaches, the implementation of a governance, risk, and compliance (GRC) team aims to streamline an organisation’s compliance efforts. The GRC team should be composed of senior management executives as well as members from the legal, security, privacy, and IT teams. By eliminating the silos within departments and creating a collaborative culture of risk management, businesses can operate confidently knowing that there is a robust internal audit infrastructure in place.
This infrastructure is further strengthened when risk management is fully integrated into operations. However, to achieve this, it is vital to have a robust risk management framework in place. This can be achieved by following the steps below:
- Identify the GRC framework’s objectives: The initial step is to ascertain what the framework should achieve.
- Adopt an incremental implementation strategy: Although it may seem counter-intuitive, it is important to roll out this organisation-wide framework in stages.
- Clearly define key success indicators: Establish clear success metrics for all of the goals identified at the beginning of the GRC framework process.
- Determine which tools the framework requires: Identify the tools that will help meet the organisation’s objectives. However, when considering which tools to use, be sure to take ease of deployment and application security into consideration.
- Adapt the operational strategy: Given that GRC initiatives affect an organisation’s processes and systems, a GRC framework needs to be flexible enough to adapt when new threat vectors and regulations emerge.
The risk management and compliance framework is always a work in progress. By continually reviewing the framework, organisations can ensure they are always in compliance and their audits are frictionless.