[OR] [R] BCM, OR, CR, TRM, OpRisk and CM Regulations by Middle East Central Banks

List of Major Guidelines, Policies, Frameworks, Regulations, and Standards issued by Central Banks and Monetary Authorities in the Middle East

Business Continuity Management (BCM), Operational Resilience (OR), Cybersecurity, Technology Risk Management (TRM), Operational Risk, and Crisis Management.

Introduction

Below is a consolidated list of major guidelines, policies, frameworks, regulations, and standards issued by Central Banks and Monetary Authorities in the Middle East, particularly those related to Business Continuity Management (BCM), Operational Resilience (OR), Cybersecurity, Technology Risk Management (TRM), Operational Risk, and Crisis Management.

Saudi Arabia

Saudi Central Bank (SAMA)

Business Continuity Management Framework (BCM Framework)

Issued by SAMA for all regulated financial institutions.

Key areas:

• BCM Governance
• Business Impact Analysis (BIA)
• Risk Assessment
• Recovery Strategies
• Crisis Management
• BCM Testing and Exercising
• Third-Party Resilience
• Continuous Improvement

The framework establishes minimum BCM requirements for all member organizations.

Cyber Security Framework

Key domains include:

• Cyber Governance
• Cyber Defense
• Cyber Resilience
• Third-Party Security
• Security Operations Centres (SOC)
• Incident Management

Operational Risk Management Requirements

Aligned with:

• Basel II
• Basel III
• Basel Committee Principles

United Arab Emirates (UAE)

Central Bank of the UAE

Operational Risk Regulation

Establishes minimum standards for operational risk management.

Focus areas:

• Operational Risk Governance
• Risk Appetite
• Risk Identification
• Monitoring and Reporting
• Loss Event Management
• Scenario Analysis

Operational Risk Standards

Requirements include:

• Business Continuity Policies
• Recovery Time Objectives (RTO)
• Recovery Point Objectives (RPO)
• Annual Testing Requirements
• Board Oversight

Technology Risk and Information Security Regulation

Covers:

• Technology Risk Management
• Cybersecurity Governance
• Information Security
• API Security
• Incident Response
• Cyber Resilience

Disaster Recovery and Business Continuity Management Requirements

Key requirements:

• Business Impact Analysis
• Alternate Recovery Sites
• Recovery Strategies
• Crisis Management
• Annual BCP Testing
• Management Review

Cyber Risk and Operational Resilience Framework

Major domains:

• Cyber Governance
• Cyber Risk Management
• Security Operations
• Incident Management
• Third-Party Risk
• Operational Resilience
• Regulatory Reporting

Retail Payment Services and Card Schemes Regulation

Includes:

• Technology Risk Management
• Cyber Incident Response
• BCM Requirements
• Disaster Recovery
• Penetration Testing
• Cyber-Attack Simulation Testing

Qatar

Qatar Central Bank

Information Security Risk Management Framework

Key requirements:

• Cybersecurity Governance
• Data Protection
• Security Operations
• Incident Response
• Vendor Risk Management

Business Continuity Management Guidelines

Focus areas:

• BCM Governance
• BIA
• Disaster Recovery
• Crisis Management
• Testing and Exercising

Operational Risk Management Framework

Aligned with:

• Basel Standards
• Enterprise Risk Management
• Operational Risk Reporting

Bahrain

Central Bank of Bahrain

Operational Risk Module (OM)

Part of the CBB Rulebook.

Includes:

• Operational Risk Governance
• Internal Controls
• Risk Reporting
• Outsourcing Risk
• Business Continuity

Cybersecurity and Information Security Requirements

Focus:

• Cyber Risk Management
• Security Governance
• Incident Reporting
• Third-Party Security

Business Continuity and Disaster Recovery Requirements

Key elements:

• BCM Programme
• Crisis Management
• Recovery Planning
• Testing and Validation

Oman

Central Bank of Oman

Risk Management Guidelines

Includes:

• Operational Risk
• Technology Risk
• Information Security
• Business Continuity

Cybersecurity Framework for the Banking Sector

Focus areas:

• Cyber Governance
• Threat Intelligence
• Incident Management
• Security Monitoring

BCM and Disaster Recovery Guidelines

Requirements include:

• BIA
• Recovery Strategies
• Alternate Sites
• Crisis Communications

Kuwait

Central Bank of Kuwait

Information Security and Cybersecurity Framework

Key domains:

• Cyber Governance
• Cyber Defense
• Security Monitoring
• Incident Response

Operational Risk Management Instructions

Coverage:

• Operational Risk Governance
• Key Risk Indicators (KRIs)
• Risk Reporting
• Loss Event Management

Business Continuity Management Requirements

Includes:

• BCP Development
• Testing and Exercising
• Recovery Site Management
• Crisis Management

Jordan

Central Bank of Jordan

Cybersecurity Framework

Key requirements:

• Security Governance
• Security Operations
• Cyber Resilience
• Third-Party Risk Management

BCM and Disaster Recovery Regulations

Areas covered:

• BCM Governance
• BIA
• Recovery Objectives
• Testing Programmes

Egypt

Central Bank of Egypt

Cybersecurity Framework for Banks

Focus:

• Information Security Governance
• Security Operations
• Incident Response
• Cyber Resilience

Operational Risk Framework

Requirements:

• Operational Risk Policies
• Scenario Analysis
• Risk Monitoring
• Internal Controls

Business Continuity and Disaster Recovery Guidelines

Coverage:

• BCM Governance
• Recovery Strategies
• Crisis Management
• Testing and Exercising

Regional Arab Banking Guidance

Arab Monetary Fund

Cyber Resilience Oversight Guidelines for the Arab Financial Sector

A regional guideline supporting Arab central banks and financial institutions.

Key areas:

• Cyber Governance
• Cyber Resilience
• Incident Response
• Threat Intelligence
• Third-Party Risk
• Supervisory Oversight

Common Regulatory Themes Across Middle East Central Banks

Most Middle East regulators are increasingly aligning with:

• Basel Committee on Banking Supervision Operational Risk Principles
• Financial Stability Board Operational Resilience Principles
• International Organisation for Standardisation ISO 22301 (Business Continuity Management)
• International Organisation for Standardisation ISO 27001 (Information Security)
• National Institute of Standards and Technology Cybersecurity Framework
• CPMI-IOSCO Principles for Financial Market Infrastructures (PFMI)

Increasingly, regulators are requiring institutions to:

1. Identify Critical Business Services (CBS).
2. Map interdependencies and interconnections.
3. Establish impact tolerances.
4. Conduct severe-but-plausible scenario testing.
5. Strengthen cyber resilience.
6. Manage third-party and cloud risks.
7. Demonstrate operational resilience rather than only disaster recovery capabilities.

For operational resilience benchmarking, the most mature and detailed regulatory frameworks in the Middle East currently come from the Saudi Central Bank (SAMA) and the Central Bank of the UAE, particularly in BCM, cyber resilience, operational risk, and technology risk management.

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.