Whitepaper

How Noggin Helps Expedite Alignment with the Saudi Central Bank’s (SAMA) Business Continuity Management Framework (Version 1.0, 2017)

Noggin

Resilience Management Software

Published December 5, 2025

Executive summary

In 2017, the Saudi Central Bank developed and issued a series of business continuity-focused regulations called the Business Continuity Management (BCM) Framework. The BCM Framework was designed to ensure that institutions such as banks, finance companies, payments systems, payment services providers, and credit bureaus improved their overall organizational resilience and preparedness for disasters or other adverse events.

This document is intended for Boards of Directors, CEOs, Chief Information/Security Officers, Chief Risk Officers, senior and executive management, business owners, information asset owners, business continuity managers, internal auditors, and business continuity professionals and decision-makers who are responsible for and involved in defining, implementing, and reviewing their organizations’ business continuity controls in order to familiarize them with:

  • who SAMA is and why the BCM Framework was issued
  • what the BCM Framework is and the best practices after which it was modelled
  • who must comply with the BCM Framework’s regulations
  • what the BCM Framework’s requirements are for compliance
  • the benefits of aligning with the BCM Framework
  • how Noggin can help your organization expedite its BCM Framework alignment

Who is SAMA?

The Saudi Central Bank — still widely referred to as SAMA, the abbreviation of the Saudi Arabian Monetary Authority, the name it went by until 2020 — oversees the country’s banking and finance sectors. It is both the central bank of the Kingdom of Saudi Arabia and its primary financial regulatory authority, responsible for devising, implementing, and maintaining key monetary policies intended to maintain the stability of the Saudi economy and promote its growth.

Other key functions that SAMA performs include:

  • issuing and regulating the Saudi national currency (Saudi Riyal)
  • managing monetary reserves
  • managing foreign currency reserves and regulating currency exchange
  • establishing and conducting procedures to prevent financial crimes, such as money laundering, and other crimes commonly associated with financial institutions
  • representing the Saudi government in regional and international organizations, authorities, forums, and conferences related to banking and finance
  • protecting financial institution consumers
  • establishing, developing, and operating fintech platforms

Why did SAMA issue the BCM Framework?

In 2016, the Saudi government launched an ambitious multi-phase policy agenda composed of many structural, economic, social, and cultural reforms called Vision 2030. In the years since, its three central “Vision Themes” — “A Vibrant Society,” “A Thriving Economy,” and “An Ambitious Nation” — have been elaborated upon and codified into concrete and achievable strategic objectives that have been systematically pursued through new policy.

Many of Vision 2030’s objectives are centered on the diversification and modernization of the Saudi economy, which includes the improvement of business continuity practices to meet the complex needs of today’s risk landscape.

Officially, SAMA issued the BCM Framework as a means to improve business continuity practices among organizations within the nation’s banking sector, especially in the event of accidents, disasters, or other adverse events. In its introduction, SAMA calls out “the needs of 24/7 availability” for financial institutions’ business operations and states that it devised the framework in order to “ensure continuity and availability of their operations and services.”

What is the BCM Framework, and what is it based on?

The BCM Framework is a series of business continuity requirements issued by the Saudi Central Bank designed to help the organizations over which SAMA has supervisory authority elevate their preparedness against threats that would disrupt normal business operations, in an effort to:

  • Improve organizational resilience
  • Maintain the ability to achieve near- and long-term strategic goals
  • Protect assets, including holdings and reputation

The requirements contained within the BCM Framework were derived after considering banking and finance industry best practices and international business continuity standards and guidance, specifically:

  • ISO 22301:2012 — (Societal security) Business continuity management systems — Requirements (Note: This standard was updated in 2019 to ISO 22301:2019.)
  • ISO/IEC 27001:2013 — (Information technology) Security techniques — Information security management systems — Requirements (Note: This standard was updated in 2022 to ISO/IEC 27001:2022 and has since been amended in 2024.)

SAMA also referenced best practice guidelines from prominent thought leaders in the business continuity space, such as the Business Continuity Institute (BCI) and the Disaster Recovery Institute International (DRI).

What are the BCM Framework’s requirements for compliance?

SAMA’s BCM Framework comprises 13 core business continuity principles, each with its own series of requirement specifications. They must all be met by applicable organizations in order to achieve full compliance. Requirement specifications include:

1. BCM Governance

Each organization must create, implement, and maintain its own business continuity governance framework that senior management must monitor. This includes the creation of a chartered BCM Committee by the organization’s Board of Directors — on which at least one member of senior management must serve — with defined objectives, roles and responsibilities, and meeting requirements.

Once the structure of the organization’s governance framework is defined, it should be shared with all relevant employees and third-party organizations.

Additionally, one member of the committee should be appointed as the BCM Manager, specifically someone with the necessary experience and skills to implement and maintain a business continuity program.

It is also recommended that cross-functional teams composed of strategic, tactical, and operational team members contribute to business continuity and disaster recovery efforts.

2. BCM Strategy

Each organization must formulate a business continuity strategy that aligns with the organization’s overall strategic business objectives. This is to ensure that business continuity is a key and integrated consideration when determining such objectives.

The business continuity strategy must include its own long-term strategic objectives for implementation and maturation, a road map or other series of defined benchmarks for measuring progress against such objectives, and regular reviews to ensure continued alignment with overall strategic business objectives.

3. Business Continuity Policy

Each organization must create and document a business continuity policy with clearly defined objectives, scope, and responsibilities. The policy should also set protocols for monitoring its compliance, regular assessments of its effectiveness, and periodic evaluations of any exclusions, which must be approved by the BCM Committee.

Once the policy is set in place, it should be shared with all relevant stakeholders.

4. Business Impact Analysis (BIA) and Risk Assessment (RA)

Each organization must perform a business impact analysis (BIA) and risk assessment (RA) to ensure full awareness of the threats it faces, the operational impact of an adverse incident or other failure on its core processes, its key dependencies, and any gaps in its business continuity controls or in its ability to fulfill business continuity compliance requirements.

Together, the BIA and RA must include an internal and external threat evaluation, an assessment and prioritization of potential risks based on impact and likelihood of occurrence, the selection of controls that can mitigate identified risks, and a defined treatment plan.

They should also determine the potential impact of disruption for each core function and process; the organization’s recovery time objectives (RTOs), recovery point objectives (RPOs), and maximum acceptable outage (MAO); internal and external interdependencies; and the resources available to support recovery.

The RA must also address risks from third-party organizations (e.g. data centers) and account for the ability of critical third parties to maintain service levels for prioritized functions or processes during disruption.

Both the BIA and RA should be performed annually and when the organization undergoes a major change to how it performs operations. All BIA and RA results should be shared with the BCM Committee.

5. Business Continuity Plan (BCP)

Each organization must create, implement, and maintain a business continuity plan (BCP) to ensure the organization knows which actions to perform and which resources are available to assist with restoring normal operations after a disruption occurs.

The procedures for responding to a disruption within the plan should include key resources, roles and responsibilities, communication guidelines for internal and external stakeholders, and processes for managing immediate fallout, maintaining mission-critical functions, resumption of normal operations, and addressing any relevant cybersecurity issues.

The BCM Manager must ensure that BCM coordinators monitor the organization’s compliance with its BCP, and that its effectiveness is routinely evaluated.

All organizations should also require that third-party service providers supporting mission-critical functions implement their own regularly tested BCPs.

6. IT Disaster Recovery Plan (DRP)

Each organization must create, implement, and maintain an IT disaster recovery plan (DRP) to ensure the organization knows how to restore the functionality of its IT services and infrastructure, including data systems, servers, networks, and other critical applications, in the event of a disruption.

The plan must include the designation of an alternative data center with similar configurations, capacities, and cybersecurity protocols — but a dissimilar risk landscape (to prevent disruption recurrence) — and a clear backup recovery process with offsite backup storage. Contracts with third-party IT product and service providers should also stipulate a continuous delivery of services, or a guarantee of replacement hardware or software, within an agreed timeframe in the case of an adverse event.

An IT manager must maintain the IT DRP and provide the BCM Manager with proof of its comprehensiveness and readiness. The organization should also monitor its compliance with its IT DRP. Effectiveness should be routinely evaluated.

7. Cyber Resilience

When making changes to IT infrastructure that supports mission-critical functions or processes, each organization must perform risk assessments to ensure that availability and recovery requirements are met, and observe strict development, testing, and change management protocols to avoid single points of failure or malfunction. Regular architectural reviews of IT infrastructure should also be performed.

Organizations are also responsible for meeting the cybersecurity threat management and vulnerability management protocols listed in the SAMA Cyber Security Framework.

8. Crisis Management Plan

Each organization must create, implement, and maintain a crisis management plan to ensure the organization is prepared to rapidly and efficiently respond to disruptive incidents and maintain critical communications and communication channels during such events while protecting core functions, processes, products, and services.

The plan must include criteria for declaring a crisis, protocols for creating a hub for unified command and an Emergency Operations Center (EOC), the designation of crisis management team members and their contact info, workflows for coordinating a unified crisis response, a defined crisis communication plan that addresses internal and external audiences, and the frequency of crisis management testing exercises.

The organization must also monitor its compliance with its crisis management plan, and the plan’s effectiveness should be routinely evaluated.

9. Testing

Each organization must establish testing protocols for both its BCP and IT DRP to train response team members on their roles and responsibilities and to evaluate the effectiveness of each plan.

BCP tests should occur regularly, at least once a year, target likely scenarios that involve individual functional or procedural disruptions — including cybersecurity scenarios, if they apply — and include response testing from the crisis management team. Once tests for individual disruptions are completed, testing is also recommended for more complex scenarios involving multiple simultaneous failures of critical functions or processes.

IT DRP tests should also occur regularly, at least once a year, test the ability to restore IT infrastructure functionality and critical business operations within a targeted timeframe, and include response testing from the crisis management team. Once an IT DRP test is completed, its results should be evaluated for lessons learned and plan improvements.

All test results should be documented, and should confirm if plan objectives were achieved, assess the readiness of resources for recovery, and include observations and actionable insights for future plan improvements. Test results should also be shared with the BCM Committee, senior management, and the Board of Directors.

When a plan is tested, it is recommended that an internal or external auditor observe its execution in order to confirm that it has been executed as designed and aligns with the organization’s business continuity program objectives.

The results of failed tests should cite any identified root causes and proposed plan adjustments to prevent recurrence. Re-testing should occur within three months.

10. Awareness and Training

Each organization must create, implement, and maintain a training and awareness program to ensure team members and relevant third parties integrate business continuity management principles into day-to-day activities, and develop the requisite skills to both support the organization’s business continuity strategy and help achieve its long-term strategic objectives.

The training and awareness program should familiarize team members and relevant third parties with pertinent elements of the organization’s business continuity policy and BCP, designated points of contact or BCM coordinators, and roles and responsibilities during disruptive events. For third parties, it should also reinforce contractual obligations for the delivery of business continuity services.

The program should be conducted for team members and relevant third parties at least once a year, and the organization should routinely evaluate its effectiveness.

11. Communication

Each organization must create, implement, and maintain a protocol for communicating with SAMA regarding issues pertinent to its BCM program.

The communication protocol should include sending reports to SAMA for all incidents identified as having resulted in a “medium” or “high” level of disruption, sending post-incident reports to SAMA for all such incidents, coordinating with SAMA when contacting the media due to an incident, and gaining SAMA’s approval of site selection for new or relocated main or alternative data centers.

For BCP and IT DRP tests, the communication protocol should also include sharing approved protocols for the next year’s BCP and IT DRP tests, submitting BCP and IT DRP test results to SAMA within four weeks of testing, and providing an action plan to SAMA for plan improvements within two months of a BCP or IT DRP test results submission.

12. Periodic Documents Review

Each organization should review and update all documented business continuity program policies, plans, and procedures, both on a regular set schedule and when making major changes to critical functions, processes, products, or services.

The review process should ensure that documents are up-to-date and approved, and documents should clearly display the most recent review and approval date.

13. Assurance

Each organization’s BCM program must be regularly reviewed and audited by a qualified internal or external party to ensure both its effectiveness and its compliance with the SAMA BCM Framework.

Program auditors should identify and document gaps, provide a documented road map with recommended program improvements, and share such documents with both the BCM Committee and senior organizational management.

The benefits of aligning with the BCM Framework

There are a number of compelling reasons why your organization should strive to meet the business continuity management requirements specified in the BCM Framework document; they include:

Proactive risk management

Compliant organizations are more likely to anticipate threats to their operations, thereby empowering them to take actions that can mitigate or neutralize threats before they escalate into disruptive events. The fewer disruptions your organization experiences, the safer and more productive it becomes, and the sooner it can achieve its near- and long-term strategic objectives.

Business/operational resilience

Disasters and crises are inevitable, but by developing the BCM Framework’s required business continuity protocols, such as a business continuity strategy, business continuity policy, BCP, and IT DRP, your organization will be more prepared to withstand any potential disruption, limit the impact, recover any losses suffered, and return operations to the normal course of business when such events occur.

Regulatory compliance

By adhering to the BCM Framework’s core principles and detailed requirements, your organization can safely avoid suffering penalties for noncompliance, including but not limited to steep fines, revocation of good standing, or even temporary or permanent suspension of operations within SAMA’s jurisdiction.

Assurance

By meeting every requirement within the BCM Framework — most specifically, the regular evaluations of BCM strategies, policies, and plans — you’ll not only achieve the peace of mind that comes with improved preparedness and a full slate of business continuity protocols, but also gain complete confidence in their effectiveness and ability to deliver intended results at the times they are most needed.

Trusted brand and reputation

Achieving full alignment with the requirements of the BCM Framework is a tangible demonstration of both your organization’s desire to operate within Saudi Arabia and its reliability as a trusted partner that can assist the government’s larger goals and initiatives, such as the modernization of the Saudi economy as laid out in Vision 2030.

How Noggin can help expedite your alignment with the BCM Framework

Many organizations that have implemented key organizational resilience protocols like business continuity policies and plans have historically relied on antiquated or legacy tools, such as spreadsheets, Word documents, or other fragmented systems, to do so. The use of tools like these introduces a number of challenges, including:

  • Fragmentation
  • Lack of real-time visibility
  • Manual reporting burden
  • Difficulty tracking training exercises

All of these challenges not only delay response efforts, thus increasing the magnitude of any potential damage or loss of services, but also increase the risk of a compliance failure, which is the opposite of their intended objectives.

Luckily, advanced digital solutions like Noggin’s enterprise resilience management software can help your organization centralize the creation and maintenance of key BCM tools mandated by the BCM Framework, including your business continuity strategy, business continuity policy, BCP, IT DRP, and crisis management plan. Noggin can also manage the BCP, IT DRP, and crisis management plans upon activation, and document the testing of these tools.

Specifically, your organization can expedite its alignment with the BCM Framework’s compliance requirements for each core principle because Noggin empowers you to:

BCM Framework Requirement / Noggin Capability

1. BCM Governance

  • Build profiles for BCM Committee members and the BCM Manager
  • Draft and centralize your organization’s overall approach to business continuity

2. BCM Strategy

  • Draft and centralize your organization’s business continuity strategy
  • Create custom workflows for routine BCM strategy reviews, evaluations, and approvals
  • Link your BCM strategy to strategic business objectives and other areas

3. Business Continuity Policy

  • Draft and centralize your organization’s business continuity policy
  • Create custom workflows for routine policy reviews, evaluations, and approvals
  • Document and track policy exclusion reviews, evaluations, and approvals

4. Business Impact Analysis (BIA) and Risk Assessment (RA)

  • Perform BIAs using the built-in module, complete with dependency mapping
  • Perform RAs using the built-in module, complete with third-party due diligence
  • Document and track impact assessments and business continuity gaps
  • Document RTOs, RPOs, MAOs, and recovery strategies to meet them
  • Create custom workflows for routine BIA and RA evaluations, updates, and approvals
  • Store and share BIA and RA results with designated team members

5. Business Continuity Plan (BCP)

  • Draft and centralize your organization’s business continuity plan
  • Identify key BCP assets including resources and team members
  • Document team members’ roles and responsibilities
  • Create custom workflows for recovery strategies
  • Create custom workflows for routine BCP reviews, evaluations, and approvals
  • Document and share BCP results with designated team members

6. IT Disaster Recovery Plan (DRP)

  • Draft and centralize your organization’s IT disaster recovery plan
  • Identify key IT DRP assets including resources and team members
  • Draft and centralize a registry of all physical locations of IT infrastructure
  • Identify and track related dependencies and third-party obligations
  • Create custom workflows for routine IT DRP reviews, evaluations, and approvals
  • Document and share IT DRP results with designated team members

7. Cyber Resilience

  • Perform RAs using the built-in module for every major IT infrastructure change
  • Map dependencies for IT infrastructure, software, and cybersecurity
  • Create custom workflows for architectural reviews, evaluations, and approvals

8. Crisis Management Plan

  • Draft and centralize your organization’s crisis management plan
  • Identify key assets including resources and crisis management team members
  • Document team members’ roles and responsibilities
  • Create custom incident response plans from built-in templates and checklists
  • Send notifications to crisis management team members for every step
  • Create custom workflows for crisis management plan reviews, evaluations, and approvals

9. Testing

  • Draft and centralize your organization’s testing protocols
  • Document team members’ roles and responsibilities
  • Identify plausible situations and “what-if?” scenarios for test exercises
  • Document and share test results with designated team members
  • Document and track failed tests, proposed plan improvements, and re-tests

10. Awareness and Training

  • Draft and centralize your organization’s training and awareness program
  • Document team members’ roles and responsibilities
  • Create custom workflows for training and awareness program reviews, evaluations, and approvals

11. Communication

  • Draft and centralize your organization’s SAMA communication protocols
  • Send notifications to team members to contact SAMA in all required situations
  • Document and track SAMA’s approval of site selection for new or relocated main or alternative data centers
  • Document and share post-incident reports, BCP and IT DRP testing protocols, BCP and IT DRP test results, and plan improvement action plans with designated SAMA points of contact

12. Periodic Documents Review

  • Store and centralize your organization’s documents as secure PDF files
  • Send notifications to key team members to initiate scheduled document reviews
  • Create custom workflows for all document reviews, evaluations, and approvals

13. Assurance

  • Establish and manage audit frequency with timelines
  • Document and track audit results with an audit trail
  • Check audit results against regulatory obligations to ensure compliance

Conclusion

SAMA issued the BCM Framework in 2017 both to spur organizations in Saudi Arabia’s banking and finance sectors to improve their business continuity practices and to ladder up to larger goals for the future of the Saudi economy that the government set in its Vision 2030 roadmap. Organizations that seek to operate within SAMA’s jurisdiction should, therefore, see the BCM Framework not as a deterrent but as an impetus to strengthen their approaches to business continuity.

But whether your organization is developing the BCM Framework’s required business continuity tools and protocols for the first time — or enhancing existing tools and protocols — enterprise resilience management software like Noggin is the simplest, most intuitive way to expedite alignment, now and for the future.

To see how easily enterprise resilience management software can help your organization achieve and maintain BCM Framework compliance, request a demo of Noggin today.
