The Central Bank of Oman issued a Business Continuity Management (BCM) Framework for all licensed banks and finance and leasing companies in the Sultanate, setting supervisory expectations for a service-centric, end-to-end approach to operational resilience. Firms are instructed to prepare and finalise their own BCM framework in line with the requirements by 30 June 2026 and ensure prompt implementation. The framework applies across all activities, including those delivered through outsourcing and third-party arrangements, and covers domestic banks and finance and leasing companies (FLCs) including their subsidiaries, foreign branches and representative offices, as well as licensed foreign banks and their overseas entities that provide services to branches operating in Oman. It places accountability on boards and senior management for governance and oversight, including approving BCM policy and disruption impact tolerances for Tier-1 critical services, establishing a senior-management BCM committee, appointing a BCM manager, and integrating BCM into enterprise-wide risk management. Core requirements span business impact analysis and dependency mapping, defined recovery objectives including Service Recovery Time Objectives, Recovery Time Objectives and Recovery Point Objectives, and documented and tested plans covering business continuity, IT disaster recovery including a geographically distinct alternative data centre, cyber resilience aligned to the Central Bank of Oman Cybersecurity and Resilience Framework, and crisis management. The framework also sets expectations for regular testing, internal audit review at least annually, external audit at least once every three years, and threat-led penetration testing or equivalent red-team exercises at least once every three years. Incident reporting timelines include notifying a designated Central Bank of Oman contact within two hours of discovering incidents that could severely disrupt operations or trigger business continuity plan activation, submitting an initial report within 24 hours, and providing a post-incident report within one month of resuming normal operations. Test reports must be submitted to the Surveillance Department within six weeks after testing, followed by an improvement action plan within three months of test report submission. The central bank will appoint and communicate a focal person within four weeks of publication of the framework, which replaces the BCM guidelines issued under an August 2010 circular.
Central Bank of Oman 2026-01-06
Central Bank of Oman issues new business continuity management framework and sets 30 June 2026 deadline for banks and finance and leasing companies
The Central Bank of Oman has introduced a Business Continuity Management (BCM) Framework for licensed banks and finance and leasing companies, emphasizing operational resilience through a service-centric approach. It mandates governance by boards and senior management, recovery objectives, and integration into risk management, with requirements for business impact analysis, IT disaster recovery, and cyber resilience. It also outlines incident reporting timelines and testing protocols, replacing the previous BCM guidelines from August 2010.