Many organizations are still struggling with BCBS239, even 5 years later after the first publication of the BCBS239 Principles (January 2013). This could have different reasons such as:
►Approaching the Principles as a IT problem and as consequence of this looking only for IT solutions.
►Approaching as a one-off ‘thing’ (tick-box approach).
►Focussing literally on the Principles and their related requirements.
► Setting up as a side project with understaffed resources and budget.
► Lack of skills and knowledge to interprete the Principles.
► Taking the wrong steps: one step forward and two steps backwards.
► Continuously changing the plans and/or BCBS239 program manager.
► Only a bottom up approach or a top down approach.
►No change management model used, solution is therefore not sustainable.
► The worst: don’t know about the existence of this regulation.
Obviously there will be many more reasons, but let’s focus on the building blocks, which should be at least on your bucket list toward the compliancy.
The first steps within a change management model is to create awareness and desire, not only on senior management level, but also from the bottom-up side of an organization. If you do not see the problem, you will not find the solution either.
Above all, the key is changing the mindset why the organization should be BCBS239 compliant. What are the internal drivers for this regulation?
The first thing on the list should definitely be a plan how the organisations wants to approach BCBS239. There is no ‘one-size fits all solution’ for organizations. Every organization has their own strengths and weaknesses. This can be either on systems, processes, data or people. Therefore creating a high level plan would help you to have the right discussions and will help you to tackle the first hurdles such as: available resources or budgeting.
Employees should have a good understanding of what BCBS239 is and what kind of compliancy risks are related. By giving workshops to senior employees, you will be able to create little champions within a department or team. This will also help you to the increase the accuracy level for the Self-Assessment.
Before making investment in large projects, make sure the investment is done wisely in other words invest in the compliancy gaps with the largest materiality risks. Therefore it’s important to perform an assessment on each Principle and their related requirements. The assessment should be through the whole organization, even subsidiaries, horizontal and vertical. We have a developed an efficient hybrid model (Self-Assessment and Assessment) for this.
This Self-Assessment should be seen as a reoccurring activity within your organization. The ambition level for the Self-Assessment is minimum to the scope of BCBS239, but can be extended and in some cases should be extended to for instance internal reports. Some national supervisors requires to have all regulatory reporting in scope.
The Self-Assessment results will lead to an inventory of compliancy gaps. By prioritizing the compliancy gaps to materiality, you will be able to make a conscious investment on the various solutions.
The solutions are divided into three categories, quick-win solution, short term solutions and long term solutions.
The period need for implementing the short term and long term solution can be from 6 months up to 3 years, sometimes even longer when IT Architectural solutions are involved. In the meantime your organization is exposed the potential risks. These risks should also be mitigated till sustainable solutions are implemented. This way you can be in control and/or minimize the potential risks.
New initiatives or projects within your organizations should be complaint proof and should take the Principles into account when launching the new initiative or executing a project. Using a BCBS239 Framework helps you to assure the BCBS239 compliancy within your organization.
The BCBC239 initiatives and solutions needs to be monitored on progress on regular basis. By using a BCBS239 Dashboard, deviation on the timelines or planning can easily be reported. The reports on the progress should also go the Senior Managers of the organization. This will help you to get the attention, focus and priority for BCBS239. Using ‘early warnings’ will help you to prevent compliancy gaps.
The road towards BCBS239 compliancy should start as a Program or a large project (within small organizations) and finally be embedded as a BCBS239 Competence Centre within your organization.
What to know more? We have developed several instruments and tools to make the road to BCBS239 compliancy much easier. Also our subject matter experts with many years of experiences in BCBS239 can help your organization. We can help you in a customized approach which suits your size of organization and will transfer the BCBS239 knowledge to your employees.
Please contact us by mail firstname.lastname@example.org and we will make together the journey toward BCBS239 Compliancy.