Business Continuity Management in Saudi Arabia: Aligning BCM to SAMA CSF and ISO 22301

A practitioner's guide to business continuity management in Saudi Arabia — aligning BCM to SAMA CSF, the SAMA BCM Framework and ISO 22301 in 2026.

GRC Vantage Team, 2026-04-08, 7 min read

Business continuity management (BCM) in Saudi Arabia sits at an unusual intersection. The Kingdom has its own regulator-issued BCM framework (the SAMA Business Continuity Management Framework) for the financial sector, an established international standard (ISO/IEC 22301:2019) that the rest of the market gravitates toward, and a cybersecurity framework family (SAMA CSF, NCA ECC) that increasingly treats cyber resilience as part of BCM rather than separate from it. Saudi organisations running BCM in 2026 have to satisfy all three at once.

This post explains how to build a business continuity programme in the Kingdom that aligns with SAMA CSF, the SAMA BCM Framework and ISO 22301 simultaneously, without running three parallel programmes.

What "BCM" actually means in Saudi practice

Business continuity management is the discipline of preparing an organisation to continue delivering its products and services at acceptable levels through disruption — and to recover them when disruption exceeds those levels. The discipline has four anchor activities: business impact analysis, recovery strategy, plan documentation, and exercising. Everything else in BCM is supporting infrastructure for those four activities.

The reason BCM matters in Saudi Arabia in 2026 is partly regulatory (SAMA, NCA and sectoral regulators all expect mature BCM from in-scope entities) and partly practical (the Kingdom's large infrastructure and digital-government programmes carry real continuity exposure that the boards of major Saudi organisations now treat as a top-tier issue).

The three frameworks Saudi BCM has to satisfy

SAMA BCM Framework

The Saudi Central Bank issues a dedicated Business Continuity Management Framework for member organisations, alongside the SAMA Cyber Security Framework. The BCM framework is mandatory for SAMA-regulated entities — banks, finance companies, insurance and reinsurance, money exchangers, payment service providers and credit information companies — and is assessed in supervisory engagements. It covers governance, business impact analysis, risk assessment, continuity strategy, plan documentation, exercising, training and management review, and it expects the BCM programme to be embedded into the organisation's overall governance rather than treated as an annexe.

ISO/IEC 22301:2019

ISO 22301 is the international standard for business continuity management systems. Like ISO 27001, it is built around management system clauses (4 through 10) and an annex of expectations specific to BCM. The 2019 revision tightened the language around risk-based thinking and clarified the relationship between BCM, risk management and supplier management. ISO 22301 is certifiable through accredited certification bodies and is the credential most commonly requested by Saudi enterprise buyers and international partners.

Cybersecurity overlay — SAMA CSF and NCA ECC

Both the SAMA Cyber Security Framework and the NCA Essential Cybersecurity Controls treat cybersecurity resilience as a first-class concern. SAMA CSF expects cyber scenarios to be considered in the BCM lifecycle and for cyber recovery to be exercised. NCA ECC has a dedicated Cybersecurity Resilience domain (domain 3) that requires cybersecurity to be integrated into BCM and BIA activities. In practice this means a Saudi BCM programme that ignores cyber scenarios — ransomware, destructive malware, large-scale data exfiltration, supplier cyber failure — will not satisfy any of the frameworks the regulators care about.

How a Saudi BCM programme is structured

A credible Saudi BCM programme has six layers, regardless of which framework is the primary driver.

Layer 1 — Governance and policy

Define the BCM policy, the governance structure, the roles and responsibilities, and the cadence of management oversight. The policy must be approved at the highest level, communicated to relevant staff, and reviewed on a defined schedule. SAMA, ISO and NCA all expect the same thing here; the difference is the audience that reads the policy.

For SAMA-regulated entities, the BCM governance structure should sit alongside (not under) the cybersecurity governance structure, with explicit linkage so that cyber incidents can trigger BCM activation and vice versa.

Layer 2 — Business impact analysis

The BIA identifies the products and services the organisation delivers, the activities and resources required to deliver them, the impacts of disruption over time, and the recovery time objectives (RTO) and recovery point objectives (RPO) appropriate to each.

A practical Saudi BIA for a regulated entity has five outputs:

  • A prioritised list of products and services.
  • Maximum tolerable period of disruption (MTPD) for each.
  • Recovery time objective (RTO) for each, set inside the MTPD.
  • Recovery point objective (RPO) for each (relevant to data recovery).
  • Resource dependencies — people, IT systems, facilities, suppliers, third-party services.

The BIA should be a live document that is reviewed at least annually and whenever there is material change to the organisation's products, services or resource base. BIAs that age unreviewed for two years are routine SAMA findings.

Layer 3 — Risk assessment

BCM risk assessment identifies the threats that could disrupt the organisation's prioritised activities and assesses likelihood and impact. The threat list should explicitly include cyber scenarios — ransomware, destructive malware, large-scale data exfiltration, supplier cyber failure — alongside the traditional BCM scenarios of fire, flood, power loss, pandemic and key-person loss.

Risk assessment outputs feed the continuity strategy. They should be cross-referenced to the organisation's broader enterprise risk register so that BCM and enterprise risk are not telling different stories about the same threat.

Layer 4 — Continuity strategy

The continuity strategy is the chosen approach to achieving the RTOs and RPOs set in the BIA. Strategy options include relocation to alternative premises, work-from-home or alternative-work-location arrangements, technology recovery (active-active, active-passive, cold standby), supplier substitution, and reciprocal arrangements.

Saudi organisations frequently underinvest in technology recovery strategy because they assume their cloud or data centre provider has it covered. The provider has it covered for the provider's services; the organisation is responsible for its own end-to-end recovery, including how its applications come back together.

Layer 5 — Plan documentation

Continuity plans translate the strategy into actionable runbooks. A typical Saudi BCM plan set includes:

  • A crisis management plan (high-level, board and executive-facing).
  • An incident management plan (operational, for the BCM coordinator).
  • Recovery plans for each prioritised product or service.
  • IT disaster recovery plans for each in-scope system.
  • Supplier failure plans for each material third-party.
  • Communication plans (internal, regulator, customer, media).

Plans should be written for the people who will use them under stress — short, instructional, with checklists — not for the auditor who will read them in an air-conditioned office.

Layer 6 — Exercising and improvement

Plans that are not exercised do not work. SAMA, ISO and NCA all expect a documented exercise programme with a mix of types: walk-throughs, tabletops, simulations and live exercises. Each exercise should produce a report with observations, lessons learned and improvement actions tracked to closure. The exercise programme should explicitly include cyber scenarios alongside traditional BCM scenarios.

Aligning the three frameworks from one BCM library

The single biggest efficiency move in a Saudi BCM programme is to maintain one unified BCM artefact set — policy, BIA, risk assessment, strategy, plans, exercises — and tag each artefact to the framework references it satisfies. Done correctly, the same BIA produces the SAMA BCM submission, the ISO 22301 management review input and the NCA ECC resilience evidence.

Done incorrectly — three separate documents for three audiences — the organisation pays three times for the same work and produces three slightly different versions of reality.

The cyber-BCM linkage

The single biggest change in Saudi BCM in the last three years has been the shift from treating cyber as a sub-scenario of BCM to treating it as a parallel discipline that has to be exercised, planned and recovered in its own right. Practical implications:

  • The BCM coordinator and the CISO should attend each other's planning meetings.
  • The cyber incident response runbook and the BCM activation runbook should reference each other explicitly.
  • Recovery time objectives for cyber-affected systems may need to be tighter than the headline RTO for the underlying business service, because cyber recovery often requires forensic preservation that adds time.
  • Exercises should regularly include destructive cyber scenarios — not just availability scenarios.
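As an added example (not GRC Vantage code and not a SAMA, ISO 22301 or NCA ECC schema), here is a small consistency check a BCM coordinator could run over BIA entries: it enforces the Layer 2 rules above (RTO set inside the MTPD, dependencies recorded, annual review with the two-year SAMA finding) and the cyber-BCM linkage point that cyber-affected systems need a tighter RTO than the headline service RTO. The field names and sample rows are constructed assumptions.

```python
from datetime import date

# Constructed BIA rows for illustration only; field names are assumptions,
# not a SAMA, ISO 22301 or NCA ECC schema.
BIA = [
    {"service": "Retail payments", "mtpd_hours": 4, "rto_hours": 2,
     "rpo_hours": 0.25, "cyber_system_rto_hours": 1,
     "dependencies": ["core banking", "payment switch", "HSM cluster"],
     "last_reviewed": "2025-11-03"},
    {"service": "Customer onboarding", "mtpd_hours": 24, "rto_hours": 36,
     "rpo_hours": 4, "cyber_system_rto_hours": 36,
     "dependencies": [],
     "last_reviewed": "2023-09-01"},
]

def check_entry(entry, today):
    """Return the findings for one BIA row as a list; empty means clean."""
    findings = []
    # Layer 2: the RTO must be set inside the MTPD. A recovery objective
    # that lands after the service becomes intolerable is not an objective.
    if entry["rto_hours"] >= entry["mtpd_hours"]:
        findings.append("RTO %gh is not inside MTPD %gh"
                        % (entry["rto_hours"], entry["mtpd_hours"]))
    # Cyber-BCM linkage: cyber-affected systems need a tighter RTO than the
    # headline service RTO, because forensic preservation eats into the window.
    if entry["cyber_system_rto_hours"] >= entry["rto_hours"]:
        findings.append("cyber system RTO %gh is not tighter than service RTO %gh"
                        % (entry["cyber_system_rto_hours"], entry["rto_hours"]))
    # Every prioritised service must record its resource dependencies.
    if not entry["dependencies"]:
        findings.append("no resource dependencies recorded")
    # The BIA is a live document: review at least annually; two years
    # unreviewed is the routine SAMA finding the post describes.
    age_days = (today - date.fromisoformat(entry["last_reviewed"])).days
    if age_days > 730:
        findings.append("unreviewed for %d days (over two years)" % age_days)
    elif age_days > 365:
        findings.append("annual review overdue (%d days)" % age_days)
    return findings

def run_checks(bia, today_iso):
    """Map each service to its findings for an audit date given as ISO text."""
    today = date.fromisoformat(today_iso)
    return {row["service"]: check_entry(row, today) for row in bia}

if __name__ == "__main__":
    for service, findings in run_checks(BIA, "2026-04-08").items():
        print(service, "->", findings or ["clean"])
```

Running it against the constructed rows reports the onboarding service four times (RTO outside MTPD, cyber RTO not tighter, no dependencies, unreviewed for over two years) and the payments service as clean.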

How GRC Vantage supports Saudi BCM

GRC Vantage's BCM module supports the full BCM lifecycle — policy, BIA, risk assessment, strategy, plans, exercises and management review — on the same control library that the compliance, risk and audit modules use. SAMA BCM Framework, ISO 22301 and the NCA ECC resilience domain are pre-mapped, so a single BIA produces evidence for all three audiences. The platform can be deployed inside Saudi Arabia for data residency, and our Riyadh and Dammam delivery teams routinely work with Saudi banks and CNI operators on first-time BCM build-outs and certification programmes.

For the deeper international BCM context, read our pillar guide on ISO 22301 Saudi Arabia. For the SAMA-specific BCM Framework, read our SAMA frameworks guide. When you are ready to see a unified Saudi BCM programme running on real data, book a demo.

GRC Vantage Team
Saudi GRC Practitioners

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.