Operational Resilience · BCM & ISO 22301
Operational Resilience Consulting
Regulators have stopped asking “are you secure?” and started asking “will you stay up?” Operational resilience consulting builds your answer: an ISO 22301:2019-grade business continuity management system — BIA, recovery objectives, tested plans, crisis response — that satisfies what CBUAE, SAMA, APRA CPS 230, and EU DORA now demand of the vendors serving regulated financial institutions.
Our consultants have prepared ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East. Engagements run 8–16 weeks with a fixed-fee quote after scoping; accredited certification-body fees are billed separately.
ISO 22301:2019-anchored · CBUAE · SAMA · APRA CPS 230 · Last reviewed June 2026
The Regulatory Wave
Four Regimes, One Question for Vendors
Regulators in the Gulf, Australia, and the EU cannot supervise your customers’ resilience without reaching their suppliers. Each regime below lands on your desk the same way: as a continuity clause, a questionnaire, or a certification demand in a contract you want to keep.
United Arab Emirates
CBUAE — the UAE bank vendor mandate (Dec 2025)
The Central Bank of the UAE’s operational-risk, business-continuity, and outsourcing rules require banks to ensure critical vendors maintain robust continuity arrangements. UAE banks have turned that into a hard procurement ask — ISO 22301-aligned, and increasingly certified, BCMS from suppliers — with the first contract-deadline wave landing in December 2025.
What it means for you as a vendor: No credible BCMS evidence means failed vendor assessments and removal from approved-supplier lists.
Saudi Arabia
SAMA — Business Continuity Management Framework
The Saudi Central Bank’s BCM Framework is mandatory for member organisations — banks, finance companies, insurers, payment providers — and is built directly on ISO 22301, with its scope extending to subcontractors and third parties and DR/BCP testing expected at least annually.
What it means for you as a vendor: SAMA-regulated customers will ask you to evidence an equivalent, tested BCMS in vendor due diligence.
Australia
APRA CPS 230 — supplier contracts by 1 July 2026
APRA’s Prudential Standard CPS 230 on operational risk management has been in force since 1 July 2025, making Australian banks, insurers, and superannuation trustees accountable for the resilience of their material service providers. Pre-existing provider contracts must comply by the earlier of their next renewal or 1 July 2026.
What it means for you as a vendor: If you supply an Australian financial institution, continuity, tolerance, and exercise-participation clauses are entering your contract at its next renewal — if they have not already.
United Kingdom & European Union
EU DORA — ICT third-party risk
The EU’s Digital Operational Resilience Act (Regulation 2022/2554) has applied since 17 January 2025. Its ICT third-party risk pillar obliges financial entities to write mandatory resilience provisions into contracts with ICT providers and to maintain a register of every such arrangement — with UK regulators running parallel operational-resilience regimes.
What it means for you as a vendor: If EU financial entities run on your software or services, DORA-driven clauses — continuity, testing, exit plans — are flowing into your MSAs.
Primary sources: APRA Prudential Standard CPS 230 and the SAMA Business Continuity Management Framework, alongside the CBUAE Rulebook’s operational-risk and outsourcing standards and Regulation (EU) 2022/2554 (DORA). India is moving the same way: the RBI’s April 2024 Guidance Note on Operational Risk Management and Operational Resilience aligns Indian banks and NBFCs with the Basel operational-resilience principles.
A scope note, in plain terms: TCSA is an implementation consultancy, not a prudential or legal adviser. We do not interpret CBUAE, SAMA, CPS 230, or DORA for your regulated customers — we build the ISO 22301-grade BCMS that lets you, the vendor, evidence what those regimes ask of you.
Middle East Track Record
The ADIB, Mashreq Bank, and AMEX ISO 22301 preparations sit inside a wider record of 500+ audits across India, USA, UK, Australia and UAE (see verified client reviews and outcomes). When a Gulf bank’s vendor-risk team reads your BCMS, it is built in the format their own regulators trained them to expect.
What We Deliver
The Working Parts of a Resilience Programme
Six deliverables, one management system. Everything below is built to ISO 22301:2019 clause requirements, so the same artefacts serve customer due diligence and the certification audit.
Business impact analysis (BIA)
Prioritised activities, dependency mapping across people, systems, suppliers, and sites, and impact-over-time analysis — the analytical core every regulator and bank vendor-risk team asks to see first.
RTO / RPO definition
Recovery time and recovery point objectives — plus maximum tolerable periods of disruption — set per activity, agreed with owners, and defensible in front of a customer’s risk reviewers.
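Two of the checks a customer’s risk reviewer will run against a BIA register are mechanical and worth automating before the review: no activity’s RTO may exceed its MTPD, and an activity’s RTO is only achievable if everything it depends on (upstream systems, suppliers) recovers at least as fast. The script below is an added illustration, not a TCSA deliverable or tool; the register it checks is constructed for the example, and the recovery model (recoveries run in parallel, so an activity is back when its own recovery and its slowest dependency are both done) is an assumption stated in the code.

```python
"""Consistency checks over a BIA register: RTO vs MTPD, and RTO propagation
through the dependency map. Added example with a constructed register."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    rto_h: float                      # recovery time objective, hours
    rpo_h: float                      # recovery point objective, hours
    mtpd_h: float                     # maximum tolerable period of disruption, hours
    depends_on: tuple[str, ...] = ()  # upstream activities, systems or suppliers


def achievable_rto(activities: dict[str, Activity], name: str,
                   _stack: tuple[str, ...] = ()) -> float:
    """Critical-path recovery time for one activity.

    Modelling assumption: recoveries run in parallel, so an activity is back
    when its own recovery work (rto_h) is finished AND every dependency is
    back. The bound is therefore a max over the chain, not a sum. Cycles in
    the dependency map are a BIA defect and raise an error.
    """
    if name in _stack:
        raise ValueError("dependency cycle: " + " -> ".join(_stack + (name,)))
    a = activities[name]
    upstream = [achievable_rto(activities, d, _stack + (name,))
                for d in a.depends_on if d in activities]
    return max([a.rto_h, *upstream])


def check_register(activities: dict[str, Activity]) -> list[str]:
    """Return one finding per inconsistency; an empty list means the register
    is internally consistent (it says nothing about whether targets are right)."""
    findings: list[str] = []
    for a in activities.values():
        # An RTO longer than the MTPD means the plan accepts intolerable disruption.
        if a.rto_h > a.mtpd_h:
            findings.append(f"{a.name}: RTO {a.rto_h:g}h exceeds MTPD {a.mtpd_h:g}h")
        # Every dependency named in the BIA must itself be an assessed activity.
        for dep in a.depends_on:
            if dep not in activities:
                findings.append(f"{a.name}: depends on '{dep}', which is not in the register")
        # The target RTO must be reachable given what the activity depends on.
        eff = achievable_rto(activities, a.name)
        if eff > a.rto_h:
            findings.append(f"{a.name}: RTO {a.rto_h:g}h is not achievable; "
                            f"dependency chain recovers in {eff:g}h")
    return findings


# Constructed register for the example: a payments API that depends on a core
# database and an externally hosted key-management service (a supplier).
SAMPLE_REGISTER: dict[str, Activity] = {
    "payments-api": Activity("payments-api", rto_h=4, rpo_h=1, mtpd_h=8,
                             depends_on=("core-db", "kms")),
    "core-db":      Activity("core-db", rto_h=2, rpo_h=0.25, mtpd_h=8),
    "kms":          Activity("kms", rto_h=6, rpo_h=0, mtpd_h=24),   # supplier-quoted RTO
    "reporting":    Activity("reporting", rto_h=48, rpo_h=24, mtpd_h=24,
                             depends_on=("core-db",)),
}


if __name__ == "__main__":
    for line in check_register(SAMPLE_REGISTER):
        print(line)
```

Run as-is, the register yields two findings: the 4-hour payments RTO is unachievable because the supplier-hosted KMS is only committed to 6 hours, and reporting’s 48-hour RTO exceeds its 24-hour MTPD. Both are the kind of inconsistency a bank’s vendor-risk team will spot; finding them before the review is cheaper than explaining them during it.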
Continuity strategy & plans
Resourcing strategies and activation-ready business continuity and IT disaster-recovery plans: who invokes, who recovers what, in which order, with which workarounds.
Crisis management
A crisis-management structure with defined roles, escalation thresholds, and stakeholder and customer communication templates for the first hours of a disruption.
Exercising & testing
A planned exercise programme, from tabletop walkthroughs to scenario simulations, with documented results and corrective actions: the evidence customers and regulators actually request.
ISO 22301 certification prep
Documentation, internal audit, and management review completed before the certification body arrives, with support through Stage 1 and Stage 2. We prepare you; an accredited body certifies.
Engagement & Scope
Scoping to Certification in 8–16 Weeks
A TCSA-led resilience engagement runs in five phases. Phases overlap deliberately — the BIA feeds the build while scoping conversations are still settling edge cases.
| Phase | Indicative timeline | What happens |
|---|---|---|
| 1 · Scoping & gap assessment | Weeks 1–2 | Current continuity posture assessed against ISO 22301:2019 and the resilience clauses your customers’ regulators are pushing into vendor contracts; agreed scope statement and engagement plan. |
| 2 · BIA & risk assessment | Weeks 2–5 | Business impact analysis across products and dependencies; RTO, RPO, and MTPD targets per prioritised activity; risk assessment of disruption scenarios. |
| 3 · BCMS build | Weeks 4–10 | Continuity strategies, business continuity and IT disaster-recovery plans, crisis-management structure, and the BCM policy and objectives that hold the system together. |
| 4 · Exercise & evidence | Weeks 9–13 | Tabletop and scenario exercises with documented results and corrective actions; evidence pack assembled for customer due diligence and the certification audit. |
| 5 · Certification support | Weeks 12–16 | Internal audit and management review, then on-call support through the accredited certification body’s Stage 1 and Stage 2 audits (optional; the body’s fees are billed separately). |
Consulting is quoted as a fixed, all-inclusive fee after a scoping call — varying with headcount, sites, products in scope, and whether accredited ISO 22301 certification is included. Certification-body audit fees are billed separately by that body.
One BCMS, Many Regulators
How One ISO 22301 System Answers Four Regimes
Build the artefacts once, to the strictest reading, and map them outward. This is the working translation we use between ISO 22301:2019 and what each regime expects a vendor to show.
| ISO 22301 element | CBUAE (UAE) | SAMA (Saudi Arabia) | APRA CPS 230 (Australia) | EU DORA |
|---|---|---|---|---|
| BIA & prioritised activities | Vendor continuity arrangements reviewed in bank outsourcing assessments | BIA required under the BCM framework | Identify critical operations and the resources they depend on | Map ICT services supporting critical or important functions |
| RTO / RPO / MTPD targets | Recovery objectives evidenced to bank vendor-risk teams | Recovery objectives set per the framework | Tolerance levels for disruption to critical operations | Recovery time and point objectives in the ICT risk framework |
| Continuity strategy & plans | Documented, current BCP expected from critical suppliers | ISO 22301-based business continuity plans mandated | Credible plans to operate within tolerance through disruption | ICT business continuity policy with response and recovery plans |
| Exercising & testing | Test results requested in due diligence and renewals | DR and BCP testing at least annually | Systematic testing of continuity arrangements, including providers | Digital operational resilience testing programme |
| Supplier & third-party continuity | Outsourcing standards push obligations down the chain | Framework scope covers subcontractors and third parties | Material service provider management; existing contracts by 1 Jul 2026 | Mandatory third-party contract provisions and a register of information |
| Crisis & incident response | Incident notification expectations toward the bank and regulator | Disruptive incidents reported to SAMA | Operational-incident notification expectations to APRA | Major ICT incident classification and reporting |
Working summary for vendors, not legal advice — each regime’s obligations bind your regulated customers, who interpret them with their own advisers. Your job is the evidence; that is the part we build.
Operational Resilience — Frequently Asked Questions
Straight answers from the team behind 500+ audits across India, USA, UK, Australia and UAE.
What is operational resilience, and how is it different from business continuity?
Business continuity is the discipline: the plans and capability to keep operating through disruption. Operational resilience is the outcome regulators now supervise — demonstrating that your critical services stay within defined tolerance through cyber incidents, outages, and supplier failures, with evidence to prove it. Regimes like APRA CPS 230 and EU DORA define the resilience outcomes; ISO 22301:2019 provides the certifiable management system — BIA, recovery objectives, tested plans, continual improvement — that produces the evidence. In practice, an ISO 22301-grade BCMS is how a vendor operationalises operational resilience.
Do vendors really need ISO 22301 certification, or is alignment enough?
It depends on what your contracts say. In the UAE, the wave that began in December 2025 increasingly demands accredited ISO 22301 certification from banks’ critical suppliers, so alignment alone may not pass. Under SAMA, CPS 230, and DORA, customers typically need credible evidence — a BIA, recovery objectives, tested plans, exercise results — rather than a certificate per se, and a well-documented aligned BCMS often clears due diligence. We scope to what your contracts actually require and build the BCMS so you can step up to accredited certification without rework if a customer later insists on it.
How is operational resilience consulting priced?
Engagements are custom-scoped — to headcount, sites, the number of products in scope, your regulator or contract deadlines, and whether accredited ISO 22301 certification is included. We provide a fixed, all-inclusive quote after a short scoping call: no hourly billing, no scope creep. That covers scoping, the business impact analysis, RTO/RPO definition, continuity and crisis plans, exercising, and certification preparation. If you proceed to certification, the accredited certification body’s audit fees are billed separately by that body.
How long does an engagement take?
Plan on 8–16 weeks end to end: scoping and gap assessment in weeks 1–2, the BIA and risk assessment by week 5, the BCMS build through week 10, exercising and evidence by week 13, and certification-audit support through week 16 where certification is in scope. Smaller single-product vendors land at the lower end. If you are facing a hard contract deadline — a UAE bank cutoff or a CPS 230-driven renewal — we compress by running the BIA and plan build in parallel.
Does TCSA issue the ISO 22301 certificate?
No — and you should be wary of anyone who offers both. TCSA is the implementation consultant: we build the BCMS, run the exercises, and prepare you for audit. The certificate is issued by an independent, accredited certification body after its own Stage 1 and Stage 2 audits, which keeps the certification credible to the banks and regulators reading it. We support you through both stages and stay on call for auditor questions.
Can one BCMS satisfy CBUAE, SAMA, CPS 230, and DORA at the same time?
In substance, yes — each regime asks a vendor for the same core artefacts: a business impact analysis, recovery objectives, documented and tested continuity plans, supplier-continuity arrangements, and incident response. We build those once, anchored on ISO 22301:2019, and map them outward to each regulator’s vocabulary. What differs is contract-specific detail — notification timelines, audit rights, exit plans — which we fold into the same BCMS rather than running parallel programmes. One caveat: we are implementation consultants, not regulatory counsel; interpretation of a regime’s legal obligations for your customer stays with their advisers.
Keep Exploring
Related Reading
ISO 22301 Overview
What a BCMS is, who demands it, and how certification works.
ISO 22301 Knowledge Hub
Every guide in the business-continuity cluster, in one place.
Regulator Mapping
One BCMS mapped to CBUAE, SAMA, APRA CPS 230 and DORA.
SAMA CSF & BCM
The Saudi Central Bank's cyber and continuity frameworks, demystified.
Middle East — UAE & Saudi Arabia
How we serve Gulf banks, vendors and enterprises, remote and on-site.
Australia
SOC 2, ISO 27001 and ISO 22301 for Australian companies, AEST-friendly.
Get Started
Ready Before the Next Contract Renewal?
UAE bank cutoffs have passed, CPS 230 reaches existing supplier contracts by 1 July 2026, and DORA clauses are already in EU paperwork. Build the BCMS once — before the deadline picks the timeline for you.
ISO 22301:2019-anchored · CBUAE · SAMA · APRA CPS 230 · DORA · Serving India, GCC, Australia & EU vendors
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.