New IT Governance Regulation: A Strategic Blueprint for Libyan Banks

By Julio Alonso

Six months subsequent to the issuance of the Central Bank’s IT Governance Regulation No. (2023/21), our scrutiny uncovers a notable lag in the compliance maturity across Libyan banks, with a mere fraction—under 10%—having embarked on their preliminary capability and maturity evaluations. This comprehensive regulation, crucial for bolstering operational robustness and mitigating risks, prescribes a meticulously staggered, multi-year assimilation approach, presenting a complex challenge far beyond a mere procedural formality.

As the Central Bank’s initial audits approach at year-end, the imperative for banks to address their compliance shortfalls intensifies. This urgency prompts a critical examination: How should banks best-navigate towards achieving full compliance?

What Changes with CBL’s Circular No. (2023/21)?

The Central Bank of Libya’s regulation extends a 105-page directive requiring Libyan banks to integrate a sophisticated IT governance architecture aligned with 13 defined strategic goals. This directive mandates the establishment of specialized committees for strategic oversight and alignment, along with the development of over 20 critical reports and 26 foundational policies, supported by 40 distinct practices segmented into detailed tasks aimed at reinforcing IT governance facets.

Leveraging principles from COBIT 2019, the regulation emphasizes a structured approach to IT environment management and governance, focusing on optimizing processes, organizational structures, information flows, and the cultural framework. It prescribes a governance model that integrates strategic planning, risk management, compliance, and performance evaluation to enhance operational resilience and efficiency.

The regulation also stipulates the adoption of advanced IT frameworks and tools for risk assessment, data protection, and cybersecurity, aligning with global best practices. Banks are expected to establish clear accountability mechanisms, continuous monitoring systems, and feedback loops to ensure ongoing compliance and adaptability to evolving IT governance standards. This comprehensive approach aims to elevate the Libyan banking sector’s IT governance to international standards, ensuring robust risk management and strategic agility.

Why are Libyan Banks Struggling with IT Governance Compliance?

The challenges Libyan banks face in implementing the CBL’s IT governance framework are multifaceted and significant. Firstly, the complexity of the framework is not merely in establishing new roles and responsibilities; it necessitates a comprehensive restructuring of existing roles, responsibilities, procedures, and reporting mechanisms, affecting virtually every aspect of banking operations. This complexity introduces a substantial layer of difficulty, as it demands foundational changes across the banks’ operational paradigms.

Additionally, the scarcity of local expertise specialized in this specific regulatory framework compounds the implementation challenges. Given that this framework represents a novel approach within the Libyan context, the absence of precedent and local knowledge base exacerbates the banks’ difficulties in navigating the implementation process.

Compounding these issues is the fact that many Libyan banks operate on a relatively small scale, with limited financial resources available for significant investments in international consultancy or expertise. This financial constraint severely limits their ability to seek external guidance and support, which is often crucial for undertaking such comprehensive governance reforms.

Our research indicates that these compounded challenges have resulted in a significant lag in compliance efforts, with less than 10% of Libyan banks having initiated the mandatory initial assessment of their current IT governance standing. This indicates a widespread struggle among Libyan banks to align with the CBL’s mandates, primarily due to the intricate nature of the required changes, the lack of specialized local expertise, and financial limitations.

Towards Compliance with the New IT Governance Regulation

Achieving compliance with the Central Bank’s IT governance mandates is undeniably a multi-year endeavour, necessitating strategic foresight, allocated resources, and an unwavering dedication to perpetual enhancement. It is with this understanding that we present our concise blueprint for Libyan banks:

1. Immediate Capability Assessment: Banks must prioritize conducting comprehensive capability and maturity assessments to establish a clear baseline of their current IT governance status. This crucial first step cannot be understated in its importance for setting the stage for all subsequent compliance efforts.
2. Strategic Role Establishment: It is imperative for banks to quickly establish the necessary governance structures, including critical roles, mandates, and committees, that are currently lacking or misaligned. This foundational structure will provide the necessary oversight and strategic direction for the compliance journey.
3. Customized Compliance Framework Development: Banks should be aware that there are no one-size-fits all solutions, and so develop a tailored compliance framework addressing their unique operational context and challenges. This framework should integrate best practices from recognized standards such as COBIT 2019, ISO 31000, ISO 27000, ISO 20000, ISO 17000, ISO 9000, CENELEC EN 50173, and CENELEC EN 50600, among others.
4. Investment in Capacity Building: Parallel to structural adjustments, banks must invest in comprehensive training and capacity building for their staff to embed new processes and ensure readiness for regulatory scrutiny. This includes familiarizing employees with new compliance roles, responsibilities, and best practices.
5. Rigorous Audit and Evaluation: A continuous cycle of internal and external audits and evaluations is essential to monitor compliance progress, identify gaps, and implement corrective actions. These evaluations will also prepare banks for the Central Bank’s audits and ensure ongoing adherence to governance standards.
6. Establishment of Continuous Improvement Processes: Compliance should be viewed as a continuous journey, not a destination. Banks should establish mechanisms for ongoing improvement and feedback, ensuring that IT governance remains agile and responsive to evolving regulatory requirements and operational challenges.
7. Foster a Culture of Compliance: Finally, banks must cultivate a culture that values and prioritizes compliance and risk management. This cultural shift is fundamental to ensuring that compliance becomes an integral part of the banking operations and is sustained over the long term.

By adhering to these recommendations, Libyan banks can navigate the complexities of the IT governance framework, address their current compliance deficits, and establish a robust governance structure that enhances operational resilience and aligns with international best practices.

National or International expertise?

Choosing between national and international expertise for IT governance in Libya involves a strategic balance. While international experts offer global best practices, their potential lack of local context, cultural understanding, and language compatibility can limit effective collaboration. Our analysis indicates a preference for Libyan IT governance providers like ARD Technologies, who bring local insights essential for compliance. However, international expertise can still play a vital role, particularly in specialized committees such as the IT Governance, Steering, and Risk Committees outlined by the CBL.

Conclusion

In conclusion, the Central Bank of Libya’s IT Governance Circular No. (2023/21) sets forth a comprehensive and challenging path toward enhanced operational integrity and risk mitigation for Libyan banks. The journey to compliance is marked by the need for strategic planning, structural reconfiguration, and a commitment to continuous improvement, underscored by less than 10% of banks currently meeting preliminary assessment standards. The intricate requirements of this regulation, reflective of global best practices and the detailed frameworks like COBIT 2019, necessitate a multi-layered approach to IT governance, integrating strategic oversight, risk management, and performance evaluation.

Our blueprint for achieving compliance emphasizes the importance of immediate and comprehensive capability assessments, establishment of strategic governance structures, development of customized compliance frameworks, significant investments in capacity building, rigorous audit and evaluation processes, establishment of continuous improvement mechanisms, and fostering a culture of compliance.

As Libyan banks navigate this demanding landscape, the blend of local insight from providers like ARD Technologies, coupled with selective international expertise, will be key to building a resilient, compliant, and strategically agile banking sector. The path forward is challenging but essential for aligning Libyan banks with international standards and ensuring their robust participation in the global financial ecosystem.