Regulatory changes needed to counter security concerns 

KUALA LUMPUR: Governments and industry bodies in Southeast Asia need to bring in new regulatory changes and update existing ones following growing security and privacy concerns.

ManageEngine vice president of products Rajesh Ganesan said these concerns are the significant drivers of regulatory change in the region.

Advancements in technology, such as the Internet of Things (IoT), artificial intelligence (AI), and machine learning (ML) come with a set of vulnerabilities and security loopholes, he said.

"Practices such as bring your own device (BYOD) and shadow information technology (IT) have also raised security concerns like targeted cyberattacks and data exfiltration.

"In response to this, governments and industry bodies have little option than to take steps to bring in new regulations and update existing ones," he told the New Straits Times in an email interview.

Rajesh noted several concerns among business leaders navigating change for their organisations.

Among them is varying interpretation of the law: the various agencies tasked with interpreting and implementing a law within a geographical area may read it differently, which creates uncertainty.

He also highlighted that subtle differences in the regulations across geographies on a related subject often cause issues for those organisations that have their operations worldwide.

Besides, business leaders are also wary of political developments while adapting to regulatory changes.

"International conflicts and their implications on the local operations of global companies is a case in point.

"The possibility of an organisation being asked to shut down operations at short notice because of a geopolitical situation is also a concern," said Rajesh.

Another concern is staying up to date, as they need to keep track of the ever-changing regulatory landscape and adapt to the changes without significantly hampering operations.

To achieve steady accountability and compliance, Rajesh noted, business leaders could constitute a governance, risk, and compliance (GRC) team, headed by a senior member of the management, with members from legal, compliance, security, privacy, and IT teams.

The periodic meetings between these teams help the organisation stay in sync with the latest regulatory developments.

Another option to consider is for them to embed compliance-related activities within the various departments, which will lead to a robust internal audit infrastructure.

"Those embedded assets can undertake the risk assessment and audit-related functions.

"The centralised compliance team will be tasked with the overall program management and coordinating external audits," he said.

He also suggested that business leaders create compliance dashboards that reflect the teams' risk management and audit readiness and have a common control framework defined for their organisation.

"Another suggestion is for them to develop a continuous compliance program.

"It should be an ongoing process that continually reviews the organisation's compliance position. This helps reduce audit fatigue and the time spent in preparation for each audit," said Rajesh.

Rajesh said that, to build a successful compliance plan for businesses in the region, companies could build a robust risk management framework that integrates risk management into operations.

"The incident management process should feed the inputs for the risk management framework," he said.

Training and educating employees on regulation and compliance is also vital for organisations.

"Assess regulatory and compliance needs while signing contracts and ensure that the clauses are in tune with how the business operates," he added.

Rajesh said businesses are also required to highlight the role of GRC functions as a business enabler so that employees willingly participate in risk management functions.
