The Saudi Central Bank (SAMA) supervises every bank, insurance company, finance company, fintech, payment service provider and money exchanger licensed to operate in the Kingdom. Operational resilience sits high on its supervisory agenda, and the SAMA BCM Framework is the document that codifies what SAMA expects from each of those entities.
This guide is the cornerstone of our SAMA series. It walks through the framework's structure, the requirements that show up most often in examinations, the practical overlap with ISO 22301, and the realistic compliance timeline for a mid-market institution.
Who the SAMA BCM Framework applies to
Every SAMA-licensed institution operating in KSA. In practice that means:
- Commercial and Islamic banks
- Insurance and reinsurance companies
- Finance companies (consumer, real-estate, SME)
- Fintechs licensed under SAMA's regulatory sandbox or full licence regime
- Payment service providers and electronic money institutions
- Money exchangers and remittance providers
- Credit information companies
SAMA examines compliance during routine supervisory cycles and samples specific requirements. Non-conformance is documented in examination findings and tracked through SAMA's enforcement framework. The penalty surface ranges from formal letters and remediation plans, through licence-condition changes, to financial penalties for serious or repeated failings.
The framework is mandatory, not advisory. The phrase "is encouraged to" appears nowhere in the operative clauses.
The five SAMA pillars
The framework organises requirements around five themes — the operational structure most KSA practitioners refer to as "the SAMA pillars":
Pillar 1: Governance. Top-management ownership of the BCM programme. A documented BCM committee with banking-sector composition. Clear roles, responsibilities and escalation. Board-level visibility of BCM posture.
Pillar 2: Business Impact Analysis. A repeatable, defensible BIA methodology that identifies critical business services, their dependencies, and target recovery objectives. SAMA expects the BIA to drive every downstream artefact.
Pillar 3: Business Continuity Strategy and Plans. Documented strategies for each critical service. BCPs that meet the equivalent of ISO 22301 §8.4.4 content requirements — purpose, scope, activation criteria, responsibilities, recovery procedures, RTO and RPO. Plans that are version-controlled and approved at the right level.
Pillar 4: Exercise Programme. An annual exercise calendar covering every critical plan. Mixed exercise types (tabletop, walkthrough, simulation, live). After-action reports closed out with traceable improvement actions.
Pillar 5: Continual Improvement and Reporting. Management-review cycle. Improvement-action register. Periodic reporting to SAMA on BCM posture, exercises performed, real-world activations and resilience metrics.
Note on counting: SAMA's own documentation organises requirements at multiple levels of granularity, so the "number of controls" varies depending on whether you count principles, sub-clauses or examination questions. We deliberately use "the five SAMA pillars" rather than a specific control count.
SAMA versus ISO 22301 — where they align and where they don't
SAMA draws heavily on ISO 22301:2019. The BIA structure, the plan-content requirements, the exercise programme and the improvement-action loop all map cleanly. An ISO 22301-certified institution will cover most of SAMA's requirements without rework.
Where SAMA adds beyond ISO 22301:
- Banking-sector committee composition. SAMA expects specific roles (CRO, CISO, Head of Operations, Head of Treasury, Head of Retail, etc.) on the BCM committee, with documented attendance and decision records. ISO 22301 leaves committee composition open.
- Periodic SAMA submissions. Quarterly or annual returns covering BCM posture, exercise calendar status and real-world activations. ISO 22301 has no equivalent regulator-facing submission.
- KSA data residency. For cardholder data and certain customer records, data and recovery infrastructure must remain inside KSA. ISO 22301 is location-neutral.
- Arabic-language documentation. Where applicable to internal stakeholders and regulators, key BCM documents are expected in Arabic alongside English. ISO 22301 does not specify language.
- Sector-specific scenario coverage. Stress scenarios SAMA explicitly looks for — cyber, third-party concentration, regional power, regional comms, payment-rail dependencies — go beyond the generic "credible disruptions" of ISO 22301.
In practice, the most efficient compliance path is to operate the BCMS to ISO 22301 standard and layer the SAMA-specific evidence on top rather than treating them as separate programmes. See the ISO 22301 implementation guide for the underlying BCMS structure.
What a SAMA examiner samples first
Examination scope varies, but the opening questions are predictable. In our experience the top five sample targets are:
- The BCMS scope statement and BCM committee minutes. Examiners want to confirm governance is real, not paper. They will read the last two or three committee meeting records.
- The latest BIA for the most-critical service. Usually card authorisation, core banking, or — for fintechs — the primary product service. They will trace dependencies and verify the impact ratings have been refreshed within the agreed cycle.
- The BCP for that same service. Activation criteria, RACI, target RTO and RPO, phased recovery steps. Plans that lack discrete §8.4.4 fields are flagged.
- The annual exercise programme and the most recent AAR. Was the plan exercised? When? Were observations recorded? Were improvement actions closed out?
- The management-review minutes and improvement-action register. Did leadership see the results? Were decisions captured? Are open actions ageing?
The three most common SAMA findings
Across the engagements we have visibility into, three patterns recur in roughly two-thirds of examinations:
Finding 1: Plans authored, not exercised. BCPs sit in the document repository, last touched the day they were approved. No exercise calendar covers them. No AAR exists. The fix is unglamorous: build the exercise calendar, run at least a tabletop per critical plan per year, and capture an AAR with named improvement actions.
Finding 2: Stale BIAs. The BIA was performed once, two or three years ago. Critical processes have changed since. The dependency map no longer reflects reality. The fix is to make the BIA an annual artefact, owned by the process owners rather than the BCM team, with a documented review trigger whenever a process changes materially.
Finding 3: Management-review gaps. Management-review meetings happen, but the documented inputs (audit findings, exercise outcomes, improvement-action status) are missing or inconsistent. The fix is a structured template with named inputs and explicit outputs, used the same way every cycle.
All three are operational discipline issues, not framework-interpretation issues. SAMA examiners are pragmatic — they reward visible, current evidence over paper completeness.
A realistic 12-month SAMA compliance roadmap
For a SAMA-licensed institution starting from a low baseline, the typical roadmap looks like this:
Months 1-2: Governance and scope. Charter the BCM committee with the right composition. Approve the BCM policy and BCMS scope statement. Identify critical business services (the input to the BIA cycle).
Months 2-4: BIA cycle. Run BIA workshops for every critical service. Capture impact ratings, dependencies, RTOs and RPOs. Validate with process owners.
Months 4-7: Strategy and plans. For each critical service, decide the continuity strategy (mitigate, recover, transfer, accept) and author the BCP to §8.4.4-equivalent quality. Version-control everything.
Months 7-9: Exercise programme. Build the annual exercise calendar. Run tabletops for the top-three plans. Capture AARs and improvement actions.
Months 9-10: Management review. First formal management-review cycle. Capture inputs, decisions, outputs. Refresh the improvement-action register.
Months 10-12: Audit prep and SAMA dialogue. Internal audit covering governance, BIA, BCP, exercises, review. Address findings. Engage SAMA early on submission cadence and any sector-specific expectations.
With a platform that natively provides §8.4.4 plan fields, an exercise programme and management-review templates, this timeline compresses to 6-8 months for a mid-market institution. The constraint then becomes BCM team bandwidth and process-owner availability, not software functionality.
The SAMA submission pack
For institutions in active SAMA dialogue, the submission pack is typically a bundled set of:
- BCM policy and BCMS scope statement
- BCM committee charter and recent minutes
- BIA summary for critical services
- BCP register with status (current, in review, retired)
- Exercise calendar and AAR summary
- Improvement-action register
- Management-review minutes for the period
- Any real-world activations and post-incident reports
The pack is most credible when generated from a single underlying dataset — committee minutes that reference real BIA outcomes, exercise records that reference real BCP IDs, AARs whose improvement actions appear in the register. Building each artefact from scratch in Word or Excel makes inconsistencies inevitable and adds rework every cycle.
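The cross-references described above can be checked mechanically before the pack goes out. The following is an added example, not code from the article, from BCMStack or from SAMA: a small Python script that runs four consistency checks over constructed sample registers. The record layouts and the 365-day exercise cycle are assumptions, and the sample data deliberately contains one gap of each kind so that every check fires.

```python
"""Cross-reference checks for a SAMA submission pack (added example).

The record layouts below are assumptions for illustration. The sample data
is constructed and includes deliberate inconsistencies so the checks fire.
"""
from datetime import date

# Constructed sample dataset. A real pack would be exported from the BCMS
# tool or from the spreadsheets that hold each register.
BIA_CRITICAL_SERVICES = ["card-authorisation", "core-banking", "remittance"]

BCP_REGISTER = [
    {"id": "BCP-001", "service": "card-authorisation", "status": "current"},
    {"id": "BCP-002", "service": "core-banking", "status": "in review"},
    # "remittance" has no BCP at all: a BIA-to-plan gap
]

EXERCISE_RECORDS = [
    {"bcp_id": "BCP-001", "date": date(2024, 3, 14), "aar_id": "AAR-07"},
    {"bcp_id": "BCP-002", "date": date(2022, 11, 2), "aar_id": "AAR-03"},
    {"bcp_id": "BCP-009", "date": date(2024, 5, 1), "aar_id": "AAR-08"},  # dangling BCP id
]

AARS = [
    {"id": "AAR-07", "actions": ["IA-21", "IA-22"]},
    {"id": "AAR-03", "actions": ["IA-11"]},
    {"id": "AAR-08", "actions": ["IA-30"]},
]

# IA-22 and IA-30 were named in AARs but never logged in the register.
IMPROVEMENT_ACTION_REGISTER = {"IA-11", "IA-21"}

# Constructed reporting date for the sample pack.
AS_OF = date(2024, 6, 30)


def check_pack(services, bcps, exercises, aars, actions, as_of=AS_OF, max_age_days=365):
    """Return a sorted list of (check, detail) findings.

    An empty list means the artefacts cross-reference cleanly.
    """
    findings = []
    bcp_ids = {b["id"] for b in bcps}
    planned_services = {b["service"] for b in bcps}

    # 1. Every critical service identified by the BIA has a plan in the register.
    for svc in services:
        if svc not in planned_services:
            findings.append(("bia-without-bcp", svc))

    # 2. Every exercise record points at a BCP that exists in the register.
    for ex in exercises:
        if ex["bcp_id"] not in bcp_ids:
            findings.append(("exercise-dangling-bcp", ex["bcp_id"]))

    # 3. Every registered BCP has been exercised inside the agreed cycle.
    last_exercised = {}
    for ex in exercises:
        prev = last_exercised.get(ex["bcp_id"])
        if prev is None or ex["date"] > prev:
            last_exercised[ex["bcp_id"]] = ex["date"]
    for bcp_id in sorted(bcp_ids):
        last = last_exercised.get(bcp_id)
        if last is None or (as_of - last).days > max_age_days:
            findings.append(("bcp-not-exercised-in-cycle", bcp_id))

    # 4. Every improvement action named in an AAR exists in the register.
    for aar in aars:
        for action in aar["actions"]:
            if action not in actions:
                findings.append(("aar-action-missing-from-register", f"{aar['id']}:{action}"))

    return sorted(findings)


if __name__ == "__main__":
    for check, detail in check_pack(BIA_CRITICAL_SERVICES, BCP_REGISTER, EXERCISE_RECORDS,
                                    AARS, IMPROVEMENT_ACTION_REGISTER):
        print(f"{check:36} {detail}")
```

Run against the sample data it reports five findings: the remittance service with no BCP, the exercise record pointing at BCP-009, BCP-002 exercised outside the 365-day cycle, and the two AAR actions absent from the register. The same checks run unchanged against exports from a real BCMS, which is the point of keeping one underlying dataset: each artefact's identifiers become something the next artefact can be validated against.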
Where SAMA is heading
Two directional signals are worth watching. First, cyber-resilience integration: SAMA's BCM expectations increasingly overlap with the NCA ECC cybersecurity controls, particularly around third-party concentration risk and ransomware-recovery scenarios. Treat them as one resilience programme, not two.
Second, third-party and concentration risk: SAMA has communicated growing concern about reliance on shared service providers — cloud, payment-rail, core-banking vendors. Expect future examinations to push harder on third-party BCM evidence, including contractual right-to-audit, SLAs and the institution's own BCP coverage for vendor failure scenarios.
Where to start
If you are early in your SAMA BCM journey, the highest-leverage moves in the first ninety days are:
- Charter the committee. Without active governance, every other artefact is at risk of going stale.
- Define scope tightly. Don't try to bring everything under the BCMS at once. Identify the critical services and ringfence them.
- Get one critical service to BIA-and-plan quality. Use it as the template. The other services follow the same pattern.
- Run a tabletop early. It will expose the gaps that documentation alone hides.
- Build the submission pack as you go. Every artefact you produce should be reusable as evidence in dialogue with SAMA.
The cluster articles in this series unpack each move:
- What SAMA examiners ask first — the opening-meeting script (article)
- How to write a SAMA-grade BCM committee charter (article)
- Mapping ISO 22301 evidence to SAMA submission requirements (article)
If you want to see what SAMA-ready evidence looks like inside a platform, the BCMStack platform overview walks through the SAMA-mapped reporting surface and KSA-resident data handling.