SAMA spotlight | BCM frameworks

Released in February 2017, the business continuity management (BCM) framework released by the Saudi Central Bank (known as SAMA) - based on industry leading practice and international standards - is designed to enhance licensees’ resilience and to ensure operations and services are available around the clock. SAMA’s BCM framework document defines the principles, objectives and control considerations required to initiate, implement, maintain, monitor and improve business continuity controls.

What is business continuity management?

Part of an organisation’s overall management system, BCM is a holistic management process that identifies potential threats to an organisation and how those threats, if realised, might impact business operations. BCM provides a framework for building organisational resilience that safeguards the interests of an organisation’s key stakeholders, reputation, brand and value-creating activities.

Which Saudi businesses does the SAMA framework apply to?

• All organisations affiliated with SAMA – including subsidiaries, employees, subcontractors, third parties and customers
• All banks operating in Saudi Arabia
• All banking subsidiaries of Saudi banks
• Subsidiaries of foreign banks situated in Saudi Arabia?

How is SAMA’s BCM framework structured?

Aligned with leading practice such as ISO/IEC 22301, ISO/IEC 27001:2022, good practice guidelines from the UK’s Business Continuity Institute (BCI) and professional practice guidelines from the US’s Disaster Recovery Institute International (DRII), the framework sets out principles, objectives and control considerations for 13 domains:

• BCM governance
• BCM strategy
• Business continuity policy
• Business impact analysis (BIA) and risk assessment (RA)
• Business continuity plan (BCP)
• IT disaster recovery plan (DRP)
• Cyber resilience
• Crisis management plan
• Testing (BCP testing, DRP testing and executed tests)
• Awareness and training
• Communication
• Document reviews
• Assurance

What other areas of an organisation does BCM impact?

BCM framework documents overlap corporate policies for related areas including:

• Enterprise risk management
• Health, safety and environment (HSE)
• Physical security
• Cybersecurity

Our BCM team – led by Darrshan Manukulasooriya who was recently recognised by the BCI (UK) as the region’s leading business continuity consultant – can:

• Validate current BC readiness (including on-site and remote business continuity)
• Assess the maturity of BC frameworks
• Assess gaps in BC frameworks and recommend improvements
• Upgrade BC frameworks
• Support the outsourcing of business continuity functions