Article · SAMA BCM · in The SAMA BCM Framework series

Chartering a SAMA-Grade BCM Committee

SAMA expects a documented BCM committee with banking-sector composition and real decision rights. A working template for the charter — composition, mandate, cadence and decision authority.

The BCM Desk · BCMStack Editorial · Riyadh
7 January 2026 · 6 min read

Governance is the first SAMA pillar — and the first thing a SAMA examiner samples. The BCM committee is the artefact that proves governance is operational rather than aspirational. This article gives a working template for the committee charter, drawing on what we have seen pass SAMA examinations cleanly.

The parent topic is our SAMA BCM Framework pillar.

Why the committee matters

SAMA's BCM Framework expects top-management ownership of business continuity. A "BCM committee" with specific composition and a documented mandate is the operational expression of that expectation. Without one, even an otherwise-mature BCM programme will be flagged for governance weakness.

The committee is not the same thing as the operational BCM team. The BCM team runs the day-to-day work — BIAs, BCPs, exercises, AARs. The committee provides oversight, makes strategic decisions, and surfaces BCM posture to executive leadership. They meet on different cadences and own different decisions.

Composition

SAMA expects banking-sector composition. The committee charter should specify the roles (not named individuals) that sit on the committee and the rationale for each:

  • Chair — typically the Chief Risk Officer or Chief Operating Officer. Owns the committee's effectiveness. Reports BCM posture to the Board Risk Committee or equivalent.
  • Chief Information Security Officer (CISO) — cyber-resilience and IT continuity overlap. Critical for ransomware, cyber-incident and IT-DR scenarios.
  • Head of Operations — owns the operational processes the BCMS protects. Their input drives BIA criticality decisions.
  • Head of Information Technology — owns the IT infrastructure that BCPs depend on. Recovery capability commitments are theirs to deliver.
  • Head of Treasury — liquidity, market exposure and payment-rail dependency are continuity issues, not just finance issues.
  • Head of Retail / Customer Operations — customer-impact context for BIA decisions and crisis-comms approval.
  • Head of Compliance / Legal (General Counsel) — regulatory notification, contractual obligations, customer-communication review.
  • Head of Communications — owns the crisis-comms playbook and customer-facing messaging during real activations.
  • BCM lead — secretariat. Prepares papers, captures minutes, tracks actions. Does not have a vote on committee decisions but owns the operational follow-through.

Deputies should be documented for every role. A committee that quorums only when specific individuals are available is fragile.

Mandate — what the committee decides

The charter should enumerate the committee's decision rights explicitly. Vague mandates ("oversee the BCM programme") produce committees that meet without deciding anything. Specific mandates produce auditable decision records.

Typical mandate areas:

  • Approve the BCM policy and BCMS scope statement (annually)
  • Approve the BIA methodology and the impact matrix
  • Approve the continuity strategy for each critical service
  • Approve the exercise programme calendar (annually)
  • Review AARs and approve resulting improvement actions
  • Review the §8.5 activation log for real-world activations
  • Review and decide on resource requests — headcount, budget, technology
  • Approve SAMA submissions before they leave the institution

Each decision area should have a documented cadence and a decision-record format.

Cadence

The charter should specify the minimum meeting cadence and the conditions for extraordinary sessions.

  • Quarterly is the typical regular cadence. Sufficient for steady-state oversight without committee fatigue.
  • Extraordinary sessions triggered by: real-world activation classified as crisis, major BCM-related supervisory feedback from SAMA, material organisational change (acquisition, restructure, new business line), failed certification audit or major non-conformity.
  • Annual deep-dive — one quarterly meeting per year carries additional scope: full BCMS posture review, certification-cycle prep, annual planning.

Attendance and quorum rules should be stated. If quorum is two-thirds with at least three roles represented, write it down. SAMA examiners look for governance discipline, and unstated rules are read as no rules.

Decision-record format

This is the single most under-invested artefact in BCM governance. A working format captures, per decision:

  • Decision — what was decided
  • Rationale — why, with reference to the inputs (BIA, AAR, audit finding, risk assessment)
  • Owner — accountable role for follow-through
  • Due date
  • Status — open / closed / deferred (with rationale if deferred)
  • Linked artefacts — the BIA, BCP, AAR or audit finding the decision references

Carry decisions across meetings until they are closed or explicitly retired. Open decisions ageing past their due dates with no re-prioritisation are the single most common governance finding.

The committee and the board

The BCM committee is not the board. It reports upward. The charter should specify:

  • The board committee that receives BCM updates (typically the Board Risk Committee)
  • The cadence of that reporting (typically quarterly)
  • The escalation triggers — what BCM events must be reported to the board immediately

This linkage matters. SAMA examiners increasingly probe the board-level visibility of BCM posture, particularly after real-world incidents.

Common SAMA findings on governance

Three patterns recur:

Composition gaps. The committee meets, but the CISO or Head of Treasury never attends. Banking-sector composition is incomplete; deputies are not documented.

Minutes without decisions. Meetings happen on cadence, but minutes record attendance and discussion topics without naming decisions, owners or due dates.

Stale action register. Decisions are minuted but the resulting actions disappear into a separate register that nobody updates. Closing the loop requires the secretariat function to be staffed and disciplined.

All three are operational, not structural. The fix is rhythm, not redesign.

Where to start

If you are chartering a committee from scratch:

  1. Draft the charter — composition, mandate, cadence, decision rights, board reporting — and approve at top-management level.
  2. Set the recurring calendar. Get the committee dates in everyone's diary for the next four quarters now.
  3. Build the first decision register. Pre-populate with the standing decisions: policy approval, BIA methodology approval, exercise calendar approval.
  4. Run the first meeting. The agenda is shorter than later ones; cover charter ratification, current BCM posture, and the year ahead.
  5. Capture minutes in the working format from day one. Habit-formation matters.

The SAMA BCM pillar guide covers the broader regulatory context. For the platform surface that ties committee decisions to the underlying BCM artefacts they reference, see the BCMStack reporting module.
