Article · SAMA BCM · in the SAMA BCM Framework series

What SAMA Examiners Ask First: The Opening Meeting Script

The first 60 minutes of a SAMA BCM examination set the tone for everything that follows. A walk-through of the typical opening questions and the artefacts to have ready.

The BCM Desk · BCMStack Editorial · Riyadh
4 February 2026 · 6 min read

A SAMA BCM examination is not a surprise event. SAMA gives notice, scope is communicated in advance, and the institution has time to prepare. What surprises most teams is how directional the first hour is — the opening meeting frames the rest of the engagement, and the artefacts surfaced (or not surfaced) in it shape every subsequent line of questioning.

This article walks through the patterns we have observed across SAMA BCM examinations. The parent topic is our SAMA BCM Framework pillar.

The opening — first 30 minutes

The examination team is typically two to four people: a lead examiner plus subject specialists (operational resilience, IT-DR, cyber). The opening is conversational rather than confrontational. They will introduce themselves, restate the scope of the examination, and walk through the engagement plan.

This is your first sampling. Pay attention to:

  • Scope confirmation. Has the scope changed since the notification letter? Sometimes additional services or scenarios are added based on recent supervisory signals. Catch this early.
  • Document request list. What do they want to see first? The order tells you the focus areas.
  • Interview list. Whom do they want to speak to? The list usually includes the BCM lead, CRO, CISO, Head of Operations, and at least one process owner.

The opening is also the institution's first opportunity to set the tone. Present the BCM committee chair (or CRO), the BCM lead, and the IT-DR lead. The institutional response should be coordinated and confident — not defensive, not dismissive.

The first round of questions

The examination team will then move to substantive questions. In our experience, the first round covers governance and scope, in roughly this order:

Question 1: "Walk us through the BCM committee — who sits on it, how often it meets, what it decides." They want to confirm SAMA's banking-sector composition expectation is met. Have the committee charter, the last four meeting minutes and the decision register ready. See our BCM committee charter article for the working template.

Question 2: "Show us your BCMS scope statement." They want to verify scope is explicit and tied to critical business services. A vague scope statement is the most common opening finding.

Question 3: "Which services do you consider critical and how was that decided?" This is the trapdoor into the BIA. The institution that can answer in 30 seconds with a clear list is in a much stronger position than the one that has to "pull the BIA together."

Question 4: "How often is the BIA refreshed?" The expected answer is "annually, with material-change triggers." Anything weaker — "we did one two years ago" — drives the conversation into BIA-currency territory immediately.

Question 5: "Walk us through the BCP for [a specific critical service]." They will name a service and ask for the plan. The institution that produces the plan on a laptop in 30 seconds, with §8.4.4-equivalent fields visible, is in a meaningfully stronger position than the one that fetches a Word file from a SharePoint folder five minutes later.

The deep dives

After the opening round, the examination moves to deep dives on specific services. The pattern is consistent: pick a critical service, trace it end-to-end.

For the chosen service, expect questions on:

  • The BIA — impact ratings, dependencies, MTPD, RTO, RPO. Read our BIA pillar guide for the underlying methodology.
  • The continuity strategy — recover, mitigate, transfer or accept, with rationale.
  • The BCP — §8.4.4 fields, activation criteria, recovery procedures, responsibilities.
  • The exercise record — when last exercised, by what method, what the AAR said.
  • The §8.5 activation log — has the plan been invoked for real? What was the outcome?
  • Improvement actions — what came out of the last exercise or activation? Are they closed?

The end-to-end trace is the same pattern as an ISO 22301 Stage 2 audit. The institutions that have organised their BCM data around this trace move through the examination smoothly. The ones that have to assemble the trace from separate spreadsheets each time get bogged down.

Interview rounds

Examiners will interview specific roles to triangulate the documentary evidence. The interviewees usually include:

  • The CRO or BCM committee chair. Strategic context, board-level reporting, recent supervisory feedback.
  • The BCM lead. Operational details — exercise programme, AARs, improvement actions, current programme posture.
  • The CISO. Cyber-resilience integration, ransomware scenarios, third-party concentration.
  • The Head of Operations. Process-owner perspective on BIA outcomes and recovery procedures.
  • The IT-DR lead. Technical recovery capability — RTO/RPO evidence, replication, failover testing.
  • At least one process owner. Sample the front-line ownership of BCM artefacts.

The most common interview finding is divergence between the documented programme and the front-line understanding of it. Process owners who cannot articulate the BIA for their own process, or who do not know the RTO they are supposed to deliver, reveal a programme that is owned by the BCM team rather than the business.

What the closing meeting covers

At the end of the examination, the team presents preliminary findings, categorised as follows:

  • Observations — areas for improvement that are not formal findings.
  • Findings — non-conformances that must be addressed. Tracked through SAMA's enforcement framework.
  • Significant findings — serious or repeated non-conformances. May carry licence-condition implications.

Each finding will have a target remediation timeline. The institution should not push back on findings during the closing meeting — there will be a formal response process afterwards. Focus the closing on understanding the finding, not on disputing it.

Preparation checklist

In the 30 days before a SAMA examination, the highest-leverage activities are:

  1. Re-attest the BCMS scope statement and BCM committee charter.
  2. Verify every critical-service BIA has been refreshed within the past 12 months.
  3. Walk the end-to-end trace yourself for the top three critical services. Fix any breaks.
  4. Refresh the §8.5 activation log — every exercise and real-world activation captured.
  5. Brief the interviewees — not on what to say, but on where the relevant artefacts live and how they would access them in the meeting.
  6. Prepare the artefact bundle in a single accessible location, organised by service. Speed of retrieval is a credibility signal.

For the broader regulatory context, see the SAMA BCM Framework pillar. For the platform surface that organises BCM evidence around the SAMA examination pattern, the BCMStack KSA solutions page covers the SAMA-mapped reporting layer.
