Authoritative reference · Updated May 2026

The complete SAMA BCM Framework guide

The Saudi Central Bank’s Business Continuity Management Framework, explained end-to-end. Origin and scope, who must comply, the five pillars, what auditors actually sample, how it overlaps with ISO 22301, and a 12-month compliance roadmap for SAMA-regulated organisations.

Issued by: SAMA · Applies to: All SAMA-licensed entities · Aligns with: ISO 22301:2019
§1 — Origin

What the SAMA BCM Framework is (and what it isn’t)

The SAMA BCM Framework is the Saudi Central Bank’s regulatory standard for business continuity management at every SAMA-licensed entity in the Kingdom. It supersedes earlier banking-continuity guidance and consolidates SAMA’s expectations into a single outcome-focused document covering the full BCM lifecycle from governance through to continual improvement.

The framework is outcome-focused, not prescriptive. SAMA specifies what a competent BCMS must achieve — defined governance, demonstrable BIA, documented BCPs, regular exercising, evidence of continual improvement — without dictating the exact tools or templates an organisation must use to get there. Organisations that operate a mature ISO 22301 BCMS already satisfy most requirements; SAMA adds KSA-specific expectations on top.

In practice, the framework is sampled during SAMA’s routine supervisory cycles. Examiners select a subset of requirements to test against an institution’s evidence, and findings flow into the standard SAMA enforcement framework. The institutions that handle examinations cleanly are the ones with operational discipline behind their BCMS — not just the ones with the prettiest documentation.

What this guide covers: the five SAMA pillars, the requirements an examiner samples first, the overlap with ISO 22301, and a 12-month roadmap to a SAMA-defensible BCMS.

What it doesn’t cover: verbatim clause text. The framework is a SAMA primary document, and you should reference it directly via the SAMA Rules and Guidelines portal alongside this guide.

§2 — Scope

Who must comply

The framework applies to every entity SAMA licenses regardless of size. Below is the comprehensive list with practical compliance notes for each segment.

Banks

Local commercial banks, foreign-bank branches and Islamic banks. Highest examination scrutiny — annual sampling is standard.

Insurance & reinsurance

Cooperative insurance, reinsurance, takaful and brokers. Examined alongside SAMA's insurance-supervision framework.

Finance companies

Real-estate finance, productive-asset finance, consumer micro-finance, finance leasing. Sampled triennially in most cases.

Fintechs

Payment service providers, e-money issuers, robo-advisors, crowdfunding platforms. Often sampled at first licensing review.

Payment service providers

Acquirers, issuers, mada / SADAD service providers. BCM is examined as part of operational-resilience supervision.

Money exchangers

Licensed exchange houses. Compliance scope is lighter but the framework still applies in proportion to exposure.

Proportionality matters. SAMA expects compliance proportionate to the institution’s size, complexity and risk profile. A small finance company isn’t expected to operate the same depth of BCMS as a Tier-1 bank — but the structural elements (governance, BIA, BCPs, exercises, improvement actions) must all be present and operating.

§3 — Structure

The five SAMA BCM Framework pillars

The framework is structured around five operational pillars. Each pillar has specific requirements, expected evidence, and a standard examination pattern.

[Figure: SAMA BCM Framework, outcome-focused and lifecycle-shaped. Pillars in order: 1 Governance, 2 BIA, 3 BCPs, 4 Exercise, 5 Audit & Improve.]

Pillar 1: Governance

A documented BCM committee with banking-sector-aligned composition, charter, meeting cadence, and decision authority. Minutes captured, BCMS scope statement signed by top management, BCM policy approved annually.

BCMStack tables: bcm_committee, committee_meetings, bcms_artefacts (scope statement, BCM policy)

Pillar 2: Business Impact Analysis

Process inventory with criticality classification, impact-over-time analysis (financial / regulatory / reputation / customer / staff), RTO and RPO calculation per process, dependencies mapped to applications, vendors, locations and staff.

BCMStack tables: bia_processes, bia_assessments, bia_impact_categories, bia_resource_timeframes, bia_process_dependencies

Pillar 3: Business Continuity Plans

One plan per BIA-critical service or grouped capability. ISO 22301 §8.4.4 fields (purpose, scope, activation/deactivation criteria, target RTO/RPO, classification). Phased recovery (respond/recover/restore) per §8.4.5. Activation log per §8.5.

BCMStack tables: bcp_plans, bcp_recovery_steps, bcp_team_members, bcp_stakeholder_comms, bcp_activations

Pillar 4: Exercise & Test Programme

Annual programme with mandatory coverage of SAMA themes (IT system loss, cyber, critical-vendor unavailability, staff unavailability, workspace disruption). Exercises typed (tabletop, walkthrough, simulation, full-scale, drill, parallel, cutover). MSEL injects + evaluator observations + AAR with SAMA SLA dates.

BCMStack tables: annual_test_programmes, exercises, exercise_injects, exercise_observations, exercise_evaluations

Pillar 5: Audit & Continual Improvement

Internal audit programme covering BCMS scope. Audit-finding lifecycle (open → corrective action → verification → closure). Improvement-action register threaded across all modules. Management review with required inputs (audit, exercises, KPIs) and recorded outputs.

BCMStack tables: audit_reviews, gap_register, improvement_actions, bcms_evidence (mgmt-review minutes, audit reports)

BCMStack covers all five pillars natively

Every pillar has a dedicated module or repository surface in BCMStack. Where the framework expects evidence (scope statement, BCM policy, audit report, management-review minutes), the platform provides an attestation-tracked repository — you author elsewhere and link, the auditor sees consistent evidence.

§4 — Examination

What auditors actually check (in priority order)

The first 30 minutes of any SAMA BCM examination follow a predictable pattern. Below is the priority order we’ve seen consistently across institutions.

1. The BCMS scope statement and BCM committee minutes

Top management commitment + governance evidence.

Evidence the auditor expects: signed scope document · committee charter · last 12 months of meeting minutes with attendance, decisions and action items.

Common red flags: committee meets less than quarterly · minutes are template-only with no real decisions · scope statement is older than 24 months.

2. The latest BIA assessment for the most-critical service

Demonstrates the institution understands its dependencies.

Evidence the auditor expects: approved BIA assessment dated within the last 12 months · process-dependency map (apps / vendors / locations / staff) · RTO and RPO per critical process.

Common red flags: BIA hasn't been updated since the institution acquired or shed major systems · dependencies don't reflect the current environment · RTO/RPO are aspirational, not justified.

3. The BCP for the highest-criticality process

Examining activation criteria, RACI, and recovery sequence.

Evidence the auditor expects: ISO 22301 §8.4.4 fields populated · phased recovery (respond / recover / restore) · IMT roster + RACI · stakeholder comms tree.

Common red flags: plan is a free-text document with no structured §8.4.4 fields · activation criteria are vague · phased recovery isn't separated from initial response.

4. The annual exercise programme and last AAR

Plans must be tested. The framework specifies coverage themes.

Evidence the auditor expects: approved annual programme with at least one exercise per SAMA theme · last exercise's MSEL, observations, AAR, and improvement actions raised.

Common red flags: programme is documented but exercises haven't actually run · AAR is missing or sparse · improvement actions aren't traced to closure.

5. The management-review minutes and improvement-action register

Continual improvement evidence. The BCMS must feed back into governance.

Evidence the auditor expects: last management review with required inputs (audit findings, exercise outcomes, KPIs, customer feedback) and outputs (decisions, action items).

Common red flags: management review is signed off but inputs are missing · improvement actions accumulate without closure · no trend visible across review cycles.

Pattern recognition

Three findings appear in roughly two-thirds of examinations: BCPs that have been authored but not invoked or exercised in the prior 12 months, management-review cycles where the required inputs are missing or stale, and BIA assessments that don’t reflect current critical processes. All three are about operational discipline, not about structure or templates.
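The red flags listed above are all checks on dates, counts and coverage, so they can be run against the evidence register before an examiner does. The Python below is an added example written for this guide; it is not BCMStack code and not part of the SAMA framework. The record shapes, the day-count thresholds standing in for "24 months", "12 months" and "quarterly", the 180-day limit for an improvement action still open, and the sample evidence are all assumptions. It also covers the Pillar 4 theme-coverage requirement, so one run reports governance, BIA, exercise and improvement-action gaps together.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# The five exercise themes the framework requires the annual programme to cover.
SAMA_THEMES = (
    "it_system_loss",
    "cyber",
    "critical_vendor_unavailability",
    "staff_unavailability",
    "workspace_disruption",
)

# Thresholds derived from the red flags in the text; the day counts are assumptions.
SCOPE_STATEMENT_MAX_AGE = timedelta(days=730)  # "older than 24 months"
BIA_MAX_AGE = timedelta(days=365)              # "dated within the last 12 months"
REVIEW_WINDOW = timedelta(days=365)            # trailing year for cadence and theme coverage
MIN_MEETINGS_PER_YEAR = 4                      # "meets less than quarterly"
ACTION_MAX_OPEN_AGE = timedelta(days=180)      # assumed cut-off for "not traced to closure"


@dataclass(frozen=True)
class Exercise:
    run_on: date
    theme: str
    completed: bool  # False: in the programme on paper, but never actually run


@dataclass(frozen=True)
class ImprovementAction:
    action_id: str
    raised_on: date
    status: str  # lifecycle: open -> corrective_action -> verification -> closed


@dataclass(frozen=True)
class BcmsEvidence:
    scope_statement_signed: date
    committee_meetings: tuple[date, ...]
    bia_approvals: dict[str, date]  # critical process -> date its BIA was approved
    exercises: tuple[Exercise, ...]
    improvement_actions: tuple[ImprovementAction, ...]


def lint_evidence(ev: BcmsEvidence, today: date) -> list[str]:
    """Return one finding per red flag hit; an empty list means nothing sampled is stale."""
    findings: list[str] = []
    window_start = today - REVIEW_WINDOW

    # Pillar 1: governance freshness and committee cadence
    if today - ev.scope_statement_signed > SCOPE_STATEMENT_MAX_AGE:
        findings.append("GOV: scope statement older than 24 months")
    recent = [m for m in ev.committee_meetings if window_start <= m <= today]
    if len(recent) < MIN_MEETINGS_PER_YEAR:
        findings.append(f"GOV: only {len(recent)} committee meetings in the last 12 months (quarterly expected)")

    # Pillar 2: every critical process needs a BIA approved inside the window
    for process, approved in sorted(ev.bia_approvals.items()):
        if today - approved > BIA_MAX_AGE:
            findings.append(f"BIA: '{process}' assessment not approved within the last 12 months")

    # Pillar 4: only exercises that actually ran inside the window count towards coverage
    covered = {x.theme for x in ev.exercises if x.completed and window_start <= x.run_on <= today}
    for theme in SAMA_THEMES:
        if theme not in covered:
            findings.append(f"EXERCISE: no completed exercise for theme '{theme}' in the last 12 months")

    # Pillar 5: improvement actions that have sat open past the assumed cut-off
    for a in ev.improvement_actions:
        if a.status != "closed" and today - a.raised_on > ACTION_MAX_OPEN_AGE:
            findings.append(f"IMPROVE: action {a.action_id} still '{a.status}' after {(today - a.raised_on).days} days")
    return findings


# Constructed sample register (not real institution data) exercising each check.
SAMPLE_TODAY = date(2026, 5, 1)
SAMPLE_EVIDENCE = BcmsEvidence(
    scope_statement_signed=date(2024, 3, 15),                 # stale: > 24 months
    committee_meetings=(date(2025, 6, 10), date(2025, 9, 20), date(2026, 1, 15)),  # 3 < 4
    bia_approvals={"payments_settlement": date(2025, 11, 2), "regulatory_reporting": date(2024, 12, 20)},
    exercises=(
        Exercise(date(2025, 10, 7), "cyber", True),
        Exercise(date(2026, 2, 11), "it_system_loss", True),
        Exercise(date(2026, 3, 3), "staff_unavailability", False),   # scheduled, never run
        Exercise(date(2025, 3, 1), "workspace_disruption", True),     # ran, but outside the window
    ),
    improvement_actions=(
        ImprovementAction("IA-033", date(2025, 6, 1), "closed"),
        ImprovementAction("IA-041", date(2025, 8, 12), "corrective_action"),  # 262 days open
        ImprovementAction("IA-058", date(2026, 3, 20), "open"),               # 42 days, still fine
    ),
)


def sample_findings() -> list[str]:
    return lint_evidence(SAMPLE_EVIDENCE, SAMPLE_TODAY)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run it as a scheduled job against the evidence repository and treat any non-empty result as a pre-examination action list; the findings are ordered by pillar so they map straight onto the sampling order above.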

§5 — Overlap

SAMA vs ISO 22301 — how they overlap

An ISO 22301-certified institution covers most of SAMA’s requirements via clause overlap. SAMA adds KSA-specific items that ISO 22301 doesn’t prescribe. Below is the side-by-side.

Topic | ISO 22301:2019 | SAMA addition
BCM committee | §5.3 — roles and responsibilities | Required composition: senior representation from Risk, IT, Operations, Compliance, Internal Audit. Documented charter.
BIA structure | §8.2 — BIA + risk assessment | Same structure; SAMA expects impact-over-time analysis covering financial, regulatory, reputational, customer-service and staff dimensions.
BCP content | §8.4.4 — purpose, scope, activation, deactivation, classification, RTO/RPO | Same fields; SAMA additionally requires linkage to specific bank-sector continuity scenarios (cash service, settlement, regulatory reporting).
Phased recovery | §8.4.5 — phased response/recovery/restore | Same; SAMA examiners specifically sample whether phases are differentiated rather than treated as one flat list.
Activation log | §8.5 — implied through performance evaluation | SAMA explicitly requires a structured invocation record. Each activation captured with trigger, decision-maker, outcome, lessons learned.
Exercise programme | §8.5 — exercising and testing | SAMA-specific theme coverage: IT system loss, cyber, critical-vendor unavailability, staff unavailability, workspace disruption, at minimum across the year.
Audit + management review | §9.2 / §9.3 | Same; SAMA cross-references to its broader supervisory framework. Findings traced through to closure under SAMA enforcement guidelines.
Documented information | §7.5 | Same; SAMA expects Arabic-language documentation where customer-facing or staff-facing.
Periodic SAMA submissions | (none) | SAMA-specific. Periodic supervisory reports on BCMS state; deadlines align with SAMA's broader supervisory cycle.
Data residency | (none) | SAMA-specific. Cardholder data, customer master data, transaction-record archives expected to remain within KSA per the broader SAMA cybersecurity framework.

ISO 22301 references draw on the published ISO 22301:2019 standard. SAMA references draw on the published BCM Framework via the SAMA Rules and Guidelines portal.

§6 — Roadmap

12-month SAMA BCM compliance roadmap

A pragmatic quarter-by-quarter sequence for institutions starting fresh or rebuilding after a finding. Compresses to 6-9 months on BCMStack with the BIA wizard and §8.4.4 templates.

Q1: Governance + scope

  • Constitute BCM committee · charter · meeting cadence
  • BCMS scope statement · top-management sign-off
  • BCM policy approved · attestation pulse to all staff
  • RBAC roles defined · BCM Manager appointed

Q2: BIA + critical processes

  • Process inventory across all departments
  • Configurable impact matrix · severity calibration
  • Top-criticality BIAs run + approved
  • Process dependencies mapped (apps / vendors / locations)

Q3: BCPs + first exercise

  • BCPs authored for top-criticality services
  • ISO 22301 §8.4.4 fields populated · phased recovery · IMT roster
  • Annual exercise programme approved with SAMA themes
  • First tabletop run · AAR captured · improvement actions raised

Q4: Internal audit + management review

  • Internal audit of BCMS scope completed
  • Findings tracked to corrective actions
  • Management review with required inputs/outputs
  • SAMA submission pack prepared (cover letter + clause-mapped evidence)

Greenfield timeline: 12 months · On BCMStack: 6-9 months · With existing BCM practice: 3-6 months

§7 — Platform mapping

How BCMStack maps to the SAMA BCM Framework

Each SAMA pillar maps to specific BCMStack modules + repository surfaces.

SAMA pillar | BCMStack module(s) and notes
Governance | Committee charter, meetings, minutes. Attestation-tracked policy library.
BIA | Configurable impact matrix · impact-over-time · dependencies · RTO/RPO/MTPD.
BCPs | ISO 22301 §8.4.4 native fields · §8.4.5 phased recovery · §8.5 activation log.
Exercise programme | ISO 22398-aligned · MSEL injects · AAR · SAMA coverage rollup.
Audit + improvement | Improvement-action register · evidence repository · cross-module rollup.
Crisis activation | Structured crisis events · BCP activation linkage · auto-coded action items.

FAQ

Frequently asked questions

Is the SAMA BCM Framework mandatory?


Yes for every SAMA-licensed entity in Saudi Arabia: banks, insurance companies, finance companies, fintechs, payment service providers and money exchangers. SAMA examines compliance during routine supervisory cycles and samples specific requirements; non-conformance is documented in examination findings and tracked to closure under SAMA's enforcement framework.

How does the SAMA BCM Framework relate to ISO 22301?


SAMA's BCM Framework draws heavily on ISO 22301:2019 — the BIA, BCP, exercise programme and improvement-action structures align closely. SAMA adds KSA-specific requirements: a documented BCM committee with banking-sector composition, periodic SAMA submissions, KSA data residency for cardholder data, and Arabic-language documentation where applicable. An ISO 22301-certified organisation will cover most of SAMA's requirements but still needs to address the SAMA-specific items.

What does a SAMA BCM auditor sample first?


In our experience the top five samples are: (1) the BCMS scope statement and BCM committee minutes — to confirm governance is real, not paper, (2) the latest BIA assessment for the most-critical service — to confirm the institution understands its dependencies, (3) the BCP for the highest-criticality process — examining activation criteria, RACI, target RTO and RPO, (4) the annual exercise programme and the most recent After-Action Report — to confirm plans have been tested, (5) the management-review minutes and improvement-action register — to confirm the BCMS feeds back into governance.

Does ISO 22301 certification satisfy SAMA?


Partly. ISO 22301:2019 certification demonstrates a competent BCMS and covers most SAMA requirements via clause overlap. However, SAMA still expects evidence of KSA-specific items (committee composition aligned to the banking sector, periodic SAMA submissions, KSA-residency data handling) that ISO 22301 doesn't prescribe. ISO 22301 is necessary but not sufficient. The most efficient path is to operate the BCMS to ISO 22301 + add the SAMA-specific evidence layer on top.

How long does SAMA BCM compliance take to implement?


Greenfield: 6-12 months from first BIA workshop to a SAMA-defensible BCMS. With BCMStack's BIA wizard, BCP §8.4.4 templates, and ISO 22398 exercise programme, that timeline collapses to 3-6 months for a mid-market organisation. The constraint is your team's bandwidth and the depth of process inventory work needed, not the software.

What's the most common SAMA BCM examination finding?


Three findings appear in roughly two-thirds of examinations: (1) BCPs are authored but not invoked or exercised within the prior 12 months — paper plans without operational evidence, (2) the management-review cycle is documented but the inputs (audit findings, exercise outcomes, improvement actions) are missing or stale, (3) BIA assessments are out of date and don't reflect current critical processes. All three are about operational discipline more than about structure.

Can BCMStack export a SAMA submission pack?


PDF export endpoints for BCP and BIA are live today. The dedicated SAMA submission pack — a cover letter plus clause-mapped evidence index drawing from every relevant module — is on our near-term roadmap. Talk to us if you have a SAMA submission deadline in the next 90 days; we can prioritise the build.

Get an ISO 22301 + SAMA BCM-aligned platform

Tell us your institution, your next SAMA examination date, and where your BCMS lives today. We’ll show you the platform mapped to the five SAMA pillars and outline a 6-9 month compliance plan against your timeline.

Book a 20-minute demo

Already evaluating? See BCMStack vs Castellan, or read about ISO 22301:2019 and ISO 22398:2013.