Navigating SAMA’s business continuity management framework

11 October 2023 8 min. read

The Business Continuity Management (BCM) framework by the Saudi Arabian Monetary Authority (SAMA) provides a blueprint for organizations for how to react appropriately ahead and during times of emergency and crisis. But what does BCM exactly entail? And what are the benefits of adopting the methodology? Muhammad Kashif from Ecovis Al Sabti sheds light on the matter.

In today’s rapidly changing business world, being proactively prepared to manage unforeseen challenges is not only advantageous in terms of responsiveness, but also highly essential to survive in a highly dynamic and volatile risk landscape. According to the World Economic Forum, and as evidenced across all corners of the world, global risks are currently at a heightened level.

SAMA’s comprehensive BCM framework defines principles, objectives and control considerations for initiating, implementing, maintaining, monitoring and improving business continuity controls.

Navigating SAMA’s business continuity management framework

Who needs to comply with SAMA’s BCM framework?

  • All organizations affiliated with SAMA (so-called ‘member organizations’)
  • All banks operating in Saudi Arabia
  • All banking subsidiaries of Saudi banks
  • Subsidiaries of foreign banks situated in Saudi Arabia

Key compliance requirements

The SAMA BCM Framework comprises 13 key areas with more than 75 controls. These controls are in line with the two most significant international standards – ISO 22301 for Business Continuity Management System and ISO 31000 for Risk Management Guidelines.

Combined, the controls ensure ensures end-to-end coverage; needed to safeguard resilience and business continuity management.

BCM Governance
The BCM Governance entails establishing a robust governance framework for business continuity management that enables the organization to effectively and efficiently direct, control and monitor the BCM efforts.

This includes designating senior management responsibility, allocating adequate budget resources, forming a dedicated BCM Committee, setting up BCM Policy, appointing a qualified BCM manager, and defining the roles and responsibilities of key personnel involved in the BCM program.

BCM Strategy
In the BCM Strategy, organizations must align their BCM efforts with their overarching strategic business objectives.

This involves developing a well-defined strategy with long-term objectives, creating a roadmap with timelines for achieving these objectives, and ensuring a continuous review process to maintain alignment with evolving strategic goals.

Business Continuity Policy
The Business Continuity Policy centres on documenting and communicating an organization's commitment to BCM. It entails crafting a clear and comprehensive policy that articulates the objectives, scope, and responsibilities of the BCM program that is well aligned with the organization’s business objectives. Additionally, it emphasizes the importance of monitoring and measuring compliance with this policy.

Impact Analysis
This area mandates organizations to estimate the impacts of disruption over business by conducting a thorough Business Impact Analysis (BIA) and Risk Assessment (RA) and identify the critical business services, services, and activities.

The scope includes identifying these critical activities, assessing associated risks, prioritizing them, and periodically updating this assessment. The control considerations involve defining methodologies, performing these assessments, prioritizing activities, and ensuring continuous risk monitoring and management.

Business Continuity Plan
The Business Continuity Plan (BCP) focuses on developing detailed plans for critical activities. This involves the definition, approval, and maintenance of these BCPs, along with the creation of procedures for crisis response. Compliance with these plans should be closely monitored to ensure their effectiveness during disruption.

IT Disaster Recovery Plan
The IT Disaster Recovery Plan (DRP) tasks the organization with establishing a plan to ensure the recovery and restoration of critical technology services and infrastructure components. This includes the creation of alternative data centres, rigorous backup and recovery processes, and the implementation of security controls. Compliance and effectiveness of the IT DRP are key areas of concern.

Cyber Resilience
Cyber Resilience emphasizes the importance of ensuring the reliability and robustness of critical infrastructure and software. It necessitates thorough risk assessments for infrastructure changes, adherence to rigorous development and testing procedures, and regular architectural reviews to meet availability and continuity requirements.

Crisis Management Plan
The Crisis Management Plan outlines the necessity of having a well-defined plan in place to effectively manage major incidents. This includes setting criteria for declaring a crisis, establishing a command centre, defining crisis management teams and their roles, contact details, steps during and after a crisis, communication plans, and conducting regular crisis management tests to ensure readiness.

Testing validates the effectiveness of Business Continuity Plans and Disaster Recovery Plans. It necessitates regular testing of these plans through simulation exercises, ensuring they cover various scenarios, and documenting results. Continuous monitoring and periodic evaluation of testing outcomes are crucial to maintaining a resilient BCM program.

Awareness and Training
This is one of the key elements that contribute to transforming the culture of an organization. It focuses on establishing and maintaining a training and awareness program that fosters BCM competency among staff and establishes a risk-based culture.

This includes ensuring that employees and relevant third parties are familiar with BCM policies and plans, have defined roles and responsibilities, and receive training to meet the required level of experience, skills, and competencies.

Communication underscores the importance of maintaining clear and regular communication with SAMA regarding BCM matters. It requires reporting disruptive incidents promptly, coordinating media communication in such cases, seeking SAMA's approval for significant decisions, and sharing test results.

Effective communication is key to ensuring transparency and compliance.

Periodic Documents Review
Periodic Documents Review mandates organizations to establish a process for regularly reviewing and updating BCM documents. This includes ensuring that all documents, including policies, plans, and procedures, remain up-to-date and relevant. It is essential to have a standard version controlling with a clearly defined last review date for each document to track their currency.

Assurance emphasizes the need for independent reviews and audits of the BCM program. Organizations must conduct these reviews and audits by qualified external or internal parties.

These reviews aim to ensure the effectiveness of BCM activities and provide assurance regarding compliance with the SAMA BCM Framework. Identified gaps and improvements should be reported to senior management and the BCM committee for action.

Benefits of compliance

Implementing the SAMA BCM Framework brings several valuable benefits such as:

Business Resilience
It enhances business resilience by ensuring the continuity of crucial operations during disruptions, thereby minimizing potential revenue losses, and maintaining market position.

Regulatory Compliance
Adherence to the BCM framework demonstrates a commitment to Saudi Arabian compliance standards, reducing the risk of regulatory penalties and scrutiny.

Proactive Risk Management
BCM instils a culture of proactive risk management among employees, equipping them to efficiently address challenges and disruptions. It places a strong emphasis on data security and privacy, helping companies prevent data breaches and remain compliant with data protection regulations, safeguarding against reputational damage and legal liabilities.

The framework also promotes efficient recovery through rigorous testing and documentation of business continuity plans. This enables companies to bounce back swiftly from disruptions, reducing operational downtime and financial impact.

Trusted Brand and Reputation
SAMA BCM compliance signals a dedication to operational excellence and resilience, enhancing the company's reputation and trustworthiness.

In summary, implementing BCM in line with SAMA’s requirements offers a comprehensive approach to risk mitigation, competitive advantage, and stakeholder confidence, all contributing to the company’s overall operational effectiveness and success.