SAMA-BCM-FRAMEWORK · Version 1.0 · Published 2017

SAMA Business Continuity Management Framework

The Saudi Central Bank's mandatory Business Continuity Management Framework for every SAMA-supervised bank, insurer, payment provider, fintech and money exchanger. Governance, BIA, BCP, DRP, cyber resilience, crisis management, testing and assurance.

What SAMA BCM covers

The SAMA Business Continuity Management Framework is issued by the Saudi Central Bank as a mandatory continuity standard for every Member Organization the regulator supervises. It defines what SAMA expects from a credible BCM programme — from board-level governance through to the testing cadence that demonstrates the programme actually works.

The framework is closely aligned to ISO 22301 but layers Saudi-specific obligations on top: regulator notification for significant continuity events, mandatory inclusion of cyber-resilience scenarios, and treatment of national shared services (such as the payment switch) as in-scope dependencies. SAMA inspectors routinely test the programme during on-site supervision.

The complete control library below covers 15 BCM disciplines from BCM Governance through to Assurance — 75 control statements in total, each carrying a canonical SAMA reference ID.

Control library

Complete SAMA BCM controls

The Saudi Central Bank Business Continuity Management Framework — mandatory requirements for governance, business impact analysis, recovery strategies, BCP/DRP plans, crisis management, testing and assurance for every SAMA-supervised financial institution.

15 domains · 75 subdomains · 75 controls · 75 assessable
SAMA BCM · Domain 2.1 · BCM Governance (9 controls)

To direct, control and evaluate the overall approach to business continuity within the Member Organization.
2.1.1

Board of directors or a delegated executive member should have the ultimate responsibility for the BCM program.

2.1.2

The board of the Member Organization, or a delegated member of senior management, should allocate sufficient budget to execute the required BCM activities.

2.1.3

A BCM Committee should be established and mandated by the board of directors.

2.1.4

Senior management, such as the CRO, COO, CIO, CISO, BCM manager and other relevant departments, should be represented in the business continuity committee.

2.1.5

A business continuity committee charter should be developed and should reflect:
a. Committee objectives
b. Roles and responsibilities
c. Minimum number of meeting participants
d. Meeting frequency (minimum on a quarterly basis)

2.1.6

A BCM function should be established.

2.1.7

A BCM manager/head should:
a. Be appointed
b. Have appropriate authority to manage the BCM program
c. Be qualified and have appropriate experience, skills and competencies to implement and maintain the BCM program within the Member Organization

2.1.8

The BCM function should be adequately staffed with qualified team members.

2.1.9

Cross-functional teams, consisting of strategic, tactical and operations team members, should contribute to the implementation and maintenance of the business continuity and disaster recovery plans.

SAMA BCM · Domain 2.2 · BCM Strategy (2 controls)

To ensure that business continuity initiatives are aligned with the strategic business objectives and that BCM is embedded as part of good management practice within the Member Organization, for continual improvement in maturity.
2.2.1

The business continuity strategy should be defined, approved, implemented and maintained.

2.2.2

The strategy should at minimum define:
a. Long-term strategic objectives for implementing and maturing the BCM program
b. A road map with timelines for achieving the strategic objectives
c. Requirements for continual review and validation of the alignment of the BCM program with the strategic objectives

SAMA BCM · Domain 2.3 · Business Continuity Policy (5 controls)

To document the Member Organization's commitment to, and the objectives of, the business continuity program, and to communicate these to the relevant stakeholders.
2.3.1

A business continuity policy should be defined, approved, implemented and communicated.

2.3.2

The business continuity policy should at minimum identify:
a. Objectives
b. Scope
c. Responsibilities

2.3.3

Compliance with the business continuity policy should be monitored.

2.3.4

The effectiveness of policy implementation should be measured and periodically evaluated.

2.3.5

Scope exclusions for the BCM program should be documented and periodically evaluated. The justifications for scope exclusions should be documented and approved by the BCM committee and senior management.

SAMA BCM · Domain 2.4 · Business Impact Analysis (BIA) and Risk Assessment (RA) (9 controls)

To ensure that each Member Organization has identified and prioritized its business processes along with their key dependencies, and has identified adequate controls in order to fulfill its business, regulatory, legal and compliance requirements with regard to business continuity.
2.4.1

A methodology for BIA and RA should be defined, approved, implemented and maintained.

2.4.2

The Member Organization should periodically perform a business continuity risk assessment. It should include, but not be limited to:
a. Identifying potential internal and external threats, including single points of failure, that may cause disruption to the critical activities determined in the BIA, considering people, process, technology and premises
b. Assessing and prioritizing potential risks by evaluating potential threats based on their operational impact and probability of occurrence
c. Selecting the required controls to manage the identified risks
d. Defining a treatment plan and implementing BCM controls

2.4.3

The Member Organization should identify and prioritize its activities (i.e., products, services, business functions and processes) by performing a BIA to determine the following, but not limited to:
a. The potential impact of business disruptions for each prioritized business function and process, including but not restricted to financial, operational, customer, legal and regulatory impacts
b. The recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum acceptable outage (MAO)
c. The internal and external interdependencies
d. Supporting recovery resources

2.4.4

The BCM committee should endorse the prioritized list, the BIA results, the RA and the defined RTOs, RPOs and MAOs.

2.4.5

Risk assessment results should be communicated to the BCM committee.

2.4.6

The BIA and RA should be updated annually and whenever major changes occur (such as changes in the structure and organization of people, process, technology, suppliers and locations).

2.4.7

The risk assessment should include risks associated with the overall organization as well as with data centers (primary and alternative) that are not owned by the Member Organization (e.g., consider the timeframe needed to relocate to a new site and, accordingly, include a sufficient timeframe in the contractual agreement).

2.4.8

The capability of vendors, suppliers and service providers to support and maintain service levels for prioritized activities during disruptive incidents should be assessed at least on a yearly basis.

2.4.9

Member Organizations should ensure that RTOs are adequately defined for payment systems, customer-related services, etc., considering the high availability required of these operations and the need for minimum disruption in the event of a disaster.

SAMA BCM · Domain 2.5 · Business Continuity Plan (BCP) (9 controls)

To ensure that the Member Organization has the capability to identify and clearly define the actions to be taken, and the resources needed, to enable the organization to manage a disruptive interruption and return to a position where normal business processes can resume.
2.5.1

A BCP should be defined, approved, implemented and maintained in readiness for use during disruptive incidents, to enable the Member Organization to continue delivering its important and urgent activities at an acceptable, pre-defined level.

2.5.2

The Member Organization should define, approve and implement procedures for responding to disruptive incidents. The procedures should collectively include:
a. Key resources (e.g., people, equipment, facilities, technologies)
b. Defined roles, responsibilities and authorities for stakeholders
c. A process to manage the immediate consequences of a disruptive incident, and escalation procedures
d. A process to continue the critical activities within the predetermined recovery objectives (RTO, RPO and MAO)
e. A process to resume the Member Organization's operations to business-as-usual once the incident is resolved
f. Guidelines for communicating with employees, relevant third parties and emergency contacts
g. A process for including relevant cyber security requirements, if any, within the business continuity planning

2.5.3

Compliance with the BCP should be monitored.

2.5.4

The effectiveness of the BCPs should be measured and periodically evaluated.

2.5.5

The BCM Manager and BCM coordinators are responsible for maintaining and keeping the BCPs and arrangements up to date.

2.5.6

The Member Organization should have sufficient alternative business workspace(s) to which it can relocate the required resources to deliver the critical processes, as per the predefined recovery objectives in the BIA.

2.5.7

The alternative business workspace(s) should have a clear demarcation of the seating arrangement for the different business units.

2.5.8

The Member Organization should implement sufficient logical, physical and environmental security controls in order to support the same level of access and security if the alternative location needs to be activated.

2.5.10

For all critical activities, as determined by the BIA, the Member Organization should ensure that the key service providers (if any) have a BCP in place and that their plans are tested at least on a yearly basis.

SAMA BCM · Domain 2.6 · IT Disaster Recovery Plan (DRP) (10 controls)

To ensure the Member Organization has an IT DRP and an up-to-date list of critical activities in place, in case of a disruptive incident.
2.6.1

An IT DRP to recover and restore technology services and infrastructure components (data, systems, network, services and applications) should be defined, approved, implemented and maintained in alignment with the business impact analysis.

2.6.2

The Member Organization should establish an alternative data center at an appropriate location. The location should be identified based on:
a. A risk assessment confirming that the location does not share the same risks as the main data center (e.g., geographical threat)
b. Approval from SAMA

2.6.3

Data, system, network and application configurations, and capacities, in the alternative data center should be commensurate with the configurations and capacities maintained in the main data center.

2.6.4

The Member Organization should implement the same logical, physical, environmental and cyber security controls for the alternative data center as for the primary data center.

2.6.5

The Member Organization should define and implement a backup and recovery process.

2.6.6

The Member Organization should have an offsite location for storing backups.

2.6.7

Formal contracts should be signed with third parties to ensure the continuity of outsourced services, or the delivery of replacement hardware or software within the agreed timelines, in case of a disaster. Guidelines should be included to ensure that the contracts signed with external service providers are aligned with the BIA and RA outcomes.

2.6.8

The IT manager should be responsible for maintaining and keeping the disaster recovery plans and arrangements up to date, with overall accountability for their integration within the BCM program resting with the BCM Manager.

2.6.9

Compliance with the disaster recovery plan should be monitored.

2.6.10

The effectiveness of the IT DRP should be measured and should be evaluated on a yearly basis at minimum.

SAMA BCM · Domain 2.7 · Cyber Resilience (2 controls)

To ensure that the Member Organization's critical services, business functions and processes are available when required and resistant to disruptions.
2.7.1

All changes to the infrastructure and software which directly support the identified critical services, business functions and processes should:
a. Be subject to in-depth risk assessments to ensure the agreed business requirements regarding availability and recovery are met
b. Follow strict development, testing and change management procedures to avoid single points of failure or malfunctioning

2.7.2

A periodic architectural review should be defined and approved to ensure the business requirements regarding availability and business continuity are being correctly addressed and implemented.

SAMA BCM · Domain 2.8 · Crisis Management Plan (4 controls)

To ensure the Member Organization has an effective, up-to-date crisis management plan in place for its critical products, services, business functions and processes, in case of a disruptive incident.
2.8.1

A crisis management plan should be defined, approved and implemented.

2.8.2

Compliance with the crisis management plan should be monitored.

2.8.3

The effectiveness of the business continuity program within the crisis management plan should be measured and periodically evaluated.

2.8.4

The Member Organization should document a crisis management plan (or plans) defining how a crisis resulting from a major incident will be addressed and managed, and the plan should include at least:
a. Criteria for declaring a crisis
b. A command center established by the Member Organization for centralized management, and an emergency command center
c. Crisis management team members, considering representatives of the critical products, services, functions and processes of the Member Organization (including the Communications department)
d. Contact details of those who are part of the crisis management team (including third parties)
e. Definition of the steps to be taken during and after a crisis or disaster (including the mandates required)
f. A communication plan, including the media response plan, to address communication with internal and external stakeholders during a crisis
g. The frequency of crisis management tests

SAMA BCM · Domain 2.9.1 · BCP Testing (4 controls)

Periodic BCP simulation testing to validate that the Member Organization's existing BCP and DRP work as defined and that employees and third parties are trained to execute these plans.
2.9.1.1

The Member Organization should periodically conduct BCP simulation test exercises ("at least once a year").

2.9.1.2

The tests should consider appropriate scenarios that are well planned, with clearly defined objectives (e.g., per function, per service, per process, per location, per worst-case scenario). The Member Organization should consider including cyber security scenarios.

2.9.1.3

Defined test scenarios should cover the activation and involvement of the crisis management team.

2.9.1.4

After the completion of the above individual tests, each Member Organization should consider conducting an integrated BCM test for all critical services, business processes and functions.

SAMA BCM · Domain 2.9.2 · DRP Testing (4 controls)

Periodic DR testing, combined with BCP testing, to ensure the readiness and capability of DR to resume critical business operations in case of a major disaster.
2.9.2.1

The Member Organization should periodically execute a DR test combined with a BCP test ("at least once a year").

2.9.2.2

The Member Organization should conduct an evaluation of the executed DR test of IT DR infrastructure that supports the Member Organization's critical systems to ensure the readiness and capability of DR to resume critical business operations for a period of time in case of a major disaster.

2.9.2.3

The DR test results should provide an evaluation and suggestions for improvements to manage disruptive events impacting the Member Organization's business continuity.

2.9.2.4

The DR test should cover the activation and involvement of the crisis management team.

SAMA BCM · Domain 2.9.3 · Executed Tests (4 controls)

Documentation, independent observation, and reporting of executed BCP and DRP test results.
2.9.3.1

Detailed results of all exercises and tests should be documented for future reference. The exercise/test results should include, but not be limited to, the following considerations:
a. Confirmation that the objectives of the exercised plan were met
b. Confirmation of the capabilities and readiness of the recovery resources
c. Documented lessons learnt and the required improvements
d. In case of failure, the root cause of the failure, with the remediation actions tracked to successful conclusion

2.9.3.2

In case of a failure, the plan should be re-tested within the defined timelines, and these timelines should not exceed three (3) months.

2.9.3.3

The Internal Audit function of the Member Organization, or a qualified external auditor, should observe the business continuity and disaster recovery testing activities as an independent participant, in order to provide reasonable assurance on the executed activities and test results and to observe whether the executed tests meet the Member Organization's overall business continuity program objectives.

2.9.3.4

All BCP and DRP test results should be reported to the BCM committee, senior management and the board of directors.

SAMA BCM · Domain 2.10 · Awareness and Training (3 controls)

The Member Organization should ensure BCM integration into its day-to-day activities through an ongoing, documented awareness plan.
2.10.1

The Member Organization and relevant third parties, such as providers and suppliers, should be:
a. Familiar with the relevant parts of the business continuity policy and plans
b. Contractually bound to provide their services or products within the agreed time in case of a disruptive event
c. Familiar with their point of contact or their local BCM coordinator in the Member Organization
d. Familiar with their roles and responsibilities during disruptive incidents

2.10.2

A training program should be provided annually to employees involved in BCM to achieve the required level of experience, skills and competences.

2.10.3

The Member Organization should periodically measure the effectiveness of the training and awareness program.

SAMA BCM · Domain 2.11 · Communication (5 controls)

To ensure that continuous communication is maintained with SAMA by defining, agreeing and adhering to a communication protocol, frequency, and roles and responsibilities for communications.
2.11.1

The Member Organization should report all disruptive incidents classified as "Medium" or "High" to SAMA "Banking IT Risk Supervision" immediately. A post-incident report should be communicated to SAMA after the Member Organization resumes normal operations.

2.11.2

The Member Organization should coordinate with SAMA Supervision when communicating with the media in case of incidents.

2.11.3

Member Organizations should seek SAMA's approval when selecting a new site for their main or alternative data center, or when relocating the current main or alternative data center.

2.11.4

The Member Organization should communicate the approved program for executing business continuity and disaster recovery tests for the upcoming year to SAMA "Banking IT Risk Supervision" by the end of January of every year.

2.11.5

Test results of business continuity and disaster recovery should be shared with SAMA within four weeks after the test. The Member Organization should identify the improvements based on the test performed and provide an action plan to SAMA within two months after the submission of the test results.

SAMA BCM · Domain 2.12 · Periodic Documents Review (2 controls)

To ensure that all the business continuity documents are up to date and can be used during a disruptive incident to recover the business operations.
2.12.1

Member Organizations should establish a process for document review and update to ensure that the BC documents are up to date, reviewed and approved.

2.12.2

All documents should clearly identify the date on which the document was last reviewed and approved.

SAMA BCM · Domain 2.13 · Assurance (3 controls)

To ensure that an independent party is reviewing the BCM framework activities and reporting the identified issues to senior management independently.
2.13.1

The Member Organization should conduct a review or audit of BCM by a qualified, independent internal or external party.

2.13.2

The Member Organization should identify the gaps and provide a road map to enhance the BCM within the organization.

2.13.3

The identified gaps, along with the road map, should be reported to senior management and the BCM committee.

Reference

Frequently asked questions

What is the SAMA BCM Framework?
The SAMA Business Continuity Management Framework is the mandatory continuity standard issued by the Saudi Central Bank. It applies to every SAMA-supervised entity — banks, insurers, finance companies, payment service providers, money exchangers and credit information companies — and defines minimum BCM controls covering governance, BIA, recovery strategies, plans, testing, awareness and assurance.
Is SAMA BCM the same as ISO 22301?
No. SAMA BCM is closely aligned to ISO 22301 — the structure of BIA, recovery strategy, plans, testing and continuous improvement maps directly across — but SAMA adds Saudi-specific requirements that ISO 22301 does not codify, including regulator notification windows, mandatory cyber-resilience scenarios, and dependency management for national shared services. An ISO 22301-certified programme is most of the way to SAMA compliance but needs targeted uplift to close the Saudi-specific gaps.
What does a SAMA inspection of the BCM programme cover?
SAMA inspectors typically test four areas: (1) board-approved BCM policy and named programme owner; (2) most recent BIA covering every critical process with documented RTO/RPO; (3) most recent test report including issues identified and closed; (4) any real continuity event in the last 12-18 months — the timeline, decisions, customer impact and lessons learned. Documentation that doesn't match what the team actually did during an event is the most common finding.
How does cyber resilience fit into the SAMA BCM Framework?
Cyber resilience is treated as a parallel continuity discipline, not a sub-scenario. The framework requires destructive cyber events (ransomware, wiper malware, supply-chain compromise) to be in-scope continuity scenarios with their own recovery plans, considered immutable backups, and rehearsed cross-team between the BCM and cybersecurity functions. The SAMA BCM Framework intersects with the SAMA Cyber Security Framework on this point.
How often must BCM plans and exercises be refreshed?
The BCM policy and BIA must be refreshed at least annually and after any material business change. Critical-process recovery plans should be tested through tabletop, walkthrough, technical-recovery or full-simulation exercises at a frequency proportionate to criticality — at minimum annually for the most critical processes. Lessons learned from every test and real incident must feed back into the next BIA, plans and risk register; year-on-year programme improvement is itself an inspection criterion.
What is the relationship to the SAMA Outsourcing Regulations?
SAMA BCM intersects with the SAMA Outsourcing Regulations whenever a material outsourcing arrangement is involved. The bank's BCM obligations extend to the outsourced supplier's continuity capability — contractual recovery commitments, ongoing monitoring of the supplier's BCM posture, and dependency mapping. If a cyber incident at a critical supplier triggers the bank's continuity event, the bank is still on the hook for SAMA notification even if the root cause is in the supplier's environment.
Get started

Run your SAMA BCM assessment with GRC Vantage

The complete SAMA BCM control library is pre-loaded inside GRC Vantage with evidence templates, ownership workflow and submission-ready reporting. Hosted inside Saudi Arabia for data residency.