Initiative of the year: Saudi Central Bank’s business continuity programme

Advanced planning has allowed Sama employees and systems to continue operating critical functions despite the Covid-19 lockdowns
Exterior of the Saudi Arabian Monetary Authority
Light Touch Studio

Business continuity planning at the world’s leading central banks typically has focused on shoring up resilience in the face of cyber or terrorist attacks. Few had made detailed plans about how to address the impact of a long-running, global pandemic, meaning the significant human resource, technological and financial stresses that resulted from Covid-19 a particular challenge. 

But those central banks that had introduced contingency plays such as the Saudi Central Bank’s (Sama) business continuity programme (BCP), were far better placed to support top management by ensuring business resilience through the use of smart technology, and effective communication with staff and external stakeholders as lockdowns hit.

Ayman Al-Sayari
Ayman Al-Sayari, Sama

Sama’s director of risk management and compliance, Abdulaziz Alkhaldi, began preparations on the central bank’s business continuity management more than four years ago, under the leadership of vice-governor Ayman Al-Sayari, who also had oversight for much of Sama’s Covid-19 crisis response. The central bank’s main aim was to manage incidents or crises in a way that would minimise business disruptions related to operational, financial, reputational, legal and regulatory risks – while also putting in place the processes, emergency funding, communication and key stakeholder engagement to effectively manage the BCP.

Sama had completed much of the work on its business continuity site, in addition to having established alternative data centres. The Middle Eastern central bank had previously performed a crisis simulation session. 

It had also established a three-tier response to any crisis. The first line is that business managers raise the potential issue. The second line involves a review by the business continuity team. And, if appropriate, the third line requires remedial action by the crisis management team.

Contingencies for Covid-19

Alkhaldi first started thinking about potential contingency plans for Covid-19 in February 2020 – well before any quarantine restrictions or remote working restrictions were introduced. 

The BCP design already included business interruption assessments such as recovery time objectives (RTO) and maximum tolerable period of disruption (MTPD) for all Sama business units. But Alkhaldi’s team started testing how existing plans might need to be overlayed to address restrictions on movement in the country. Focus was placed on maintaining the function of the central bank’s head office in Riyadh, Sama’s 11 branches, as well critical operations such as the payments system, monetary operations, reserve management, government banking, and supervisory and regulatory activities.

Abdulaziz Alkhaldi
Abdulaziz Alkhaldi, Sama

In February, Sama staff were provided with the technology needed to hold virtual meetings, with increasing numbers encouraged to work from home. The technology included the ability to use email via smartphones and a virtual private network (VPN) to access Sama systems. Capability assessments were conducted with all Sama staff in a bid to pre-emptively resolve any problems related to remote working. Awareness sessions were carried out to make staff of best practices related to cyber security. “It was a case of: prepare to prevent,” says Alkhaldi.

Essential staff required to work in offices were divided into two groups that would work on-site on different days to limit the impact in the event of an outbreak of infection among staff. There was also a significant amount of effort devoted to Sama’s 11 branches, particularly in the role they play serving government entities and distributing cash, which ultimately resulted in implementing precautionary measures for cash handling.

Attendance at Sama headquarters was suspended in March, when the Saudi government instructed public-sector workers to stay at home. Sama’s BCP then went into full operation. Prepared emails were sent to all employees explaining their roles and responsibilities, and new communication channels were established, with team leaders sending daily reports on the status of the BCP.

Sama worked with other government entities to secure licences that allowed critical staff to move about during the curfew. Sama officials also established alternative solutions in co-operation with government agencies to enable payment of salaries for millions of government employees in the event of crises or disasters. 

Another challenge came in the form of securing hardware during the pandemic. Sama ultimately provided staff with laptops and increased the bandwidth of its VDI (a service similar to a VPN, offering access to Sama’s servers).The availability of laptops was made easier because of having several hundred high-specification machines available for business continuity purposes, and reallocating laptops from staff performing non-critical functions to those that did. Also, top management made early contact with suppliers to ensure the timely arrival of batches of several hundred devices at a time. 

Fahad Al-Mubarak
Fahad Al-Mubarak, Sama governor

“We provided satellite phones for all the senior management and the branches in case of problems with communications,” Alkhaldi tells Central Banking. “In addition, we provided high-speed Wi-Fi routers to around 50 employees managing business-critical functions to ensure they still had online access, even if there were broadband service problems.”

Contingency plans also had to be extended from 30 days to several months. This included ensuring the VDI bandwidth was sufficiently large, as well as rolling over necessary licensing arrangements. 

“We had built our plan for up to 30 days. But the pandemic was more like seven months. So, we had to focus on IT to expand the capacity for everything,” says Alkhaldi.

Perhaps the biggest concern, however, was related to information security risk. “If someone working from home opened a personal email and got a virus, there was a risk that it could spread to Sama’s servers, and that would have a devastating impact, even potentially spreading to our disaster-recovery centres,” says Alkhaldi. “To mitigate this risk, Sama increased its cyber-security awareness campaigns and deployed cyber-security monitoring tools 24/7.” 

The Central Banking Awards were written by Christopher Jeffery, Daniel Hinge, Dan Hardie, Rachael King, Victor Mendez-Barreira, William Towning and Alice Shen

  • LinkedIn  
  • Save this article
  • Print this page  

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@centralbanking.com or view our subscription options here: http://subscriptions.centralbanking.com/subscribe

You are currently unable to copy this content. Please contact info@centralbanking.com to find out more.

You need to sign in to use this feature. If you don’t have a Central Banking account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: