
Operational resilience: what good looks like going into 2027
Operational resilience is becoming a core regulatory expectation across the GCC, with firms expected to prove they can maintain critical services during disruptions. Those that act early will be better prepared for both regulatory scrutiny and operational shocks.
By Mark Scott, Executive Director - Risk Management, j. awan & partners
Most financial institutions in the GCC have a business continuity plan. A smaller number have actually tested it in the last twelve months. Fewer still could tell you with confidence how long their most critical services could withstand a disruption before causing real harm to clients, to the business, or to their regulator’s patience.
That distinction between having a plan and being operationally resilient is at the heart of where regulatory expectations across the GCC are now heading.
The direction of travel is clear
In late March 2026, the Dubai Financial Services Authority published Consultation Paper No. 170, setting out proposals for a new operational resilience framework for all DFSA-authorised firms. The consultation closed at the end of May. The final framework is expected to be published before the end of 2026, with a transition period during which firms will be expected to demonstrate implementation progress.
The framework is built around five interconnected requirements. Firms must identify which of their services are critical; set impact tolerances for each of those services, meaning the maximum disruption a service could sustain before causing unacceptable harm; map the systems, people, processes and third parties that support those services; test that the firm can actually remain within its tolerances under realistic stress scenarios; and notify the DFSA where a material disruption breaches or comes close to breaching those thresholds.
The DFSA is not moving in isolation across the region. The Qatar Financial Centre Regulatory Authority formalised its operational resilience requirements in 2024 through RM/2024-4, the Operational Resilience and Miscellaneous Amendments Rules, embedding resilience obligations directly into its regulatory framework for QFC-authorised firms. In April 2026, the QFC introduced a targeted business continuity package for firms navigating the regional environment, including filing extensions and operational flexibility measures, which reflects the practical pressure that resilience expectations are placing on regulated firms at the moment.
The Central Bank of the UAE has its Operational Risk Regulation applying to all licensed banks, which requires banks to have appropriate policies, processes and controls to identify, monitor and mitigate operational risks and consider ways to improve operational resilience. A standalone operational resilience framework from the CBUAE, comparable to what the DFSA has now proposed, has not yet been published, but market expectation is that it will follow. Firms that wait for it before starting the work will find themselves well behind.
SAMA’s Cybersecurity Framework, which applies to all Saudi-regulated financial institutions, includes business continuity and resilience as a core domain, requiring firms to demonstrate they can operate and recover during disruptions. The FCA, which sets a benchmark that many GCC regulators actively reference, published observations from firms’ self-assessments in March 2026, identifying a consistent gap where firms were defining important business services too broadly, and their impact tolerances lacked clear methodology or rationale.
Regulators are increasingly sophisticated in how they distinguish frameworks that exist on paper from firms that have worked through what matters and what would happen if it failed.
What this means in practice
When we work with clients on operational resilience, the conversation almost always follows the same pattern. The firm knows resilience matters. It has a BCP. It has some form of recovery documentation. But when we ask which processes would cause the most damage if they failed for 24 hours, and how quickly the firm could restore them, the answers become less clear. When we ask whether the board has reviewed and approved those thresholds, the answer is usually that the board has signed off a high-level policy rather than something it has properly interrogated.
That gap between governance in name and governance in practice is exactly where regulators are now focusing. The DFSA’s Dear SEO Letter of 1 March 2026, issued to DIFC firms in light of the regional environment, reminded firms of the importance of maintaining robust operational resilience and effective risk management frameworks. The consultation proposals published later that month gave that reminder a regulatory structure.
The questions worth asking now
At this stage, the starting point is not a full resilience programme but a structured conversation with senior management around a small number of questions.
Which of your firm’s services would cause the most harm to clients, to counterparties, or to the business if they were disrupted for two hours, for 24 hours, for a week? That is the beginning of a critical services map, and it is typically more revealing than firms expect.
For each of those services, what is the realistic recovery time if the primary delivery mechanism fails? Not the documented recovery time, the actual one, based on the last time something went wrong.
How dependent are those services on third parties, and have those dependencies been formally mapped and reviewed? The DFSA’s proposals specifically call for firms to map the resources and dependencies that underpin critical services, and third-party concentration risk sits squarely in that scope.
When did the board last see a credible test of the firm’s BCP, not a paper exercise, but a scenario that actually challenged assumptions?
The cost of leaving it late
Operational resilience programmes are not quick to build if done properly. Identifying and mapping critical services, setting meaningful impact tolerances, running credible scenario tests, and embedding that work into governance processes takes time and internal commitment. Firms that begin the work now, ahead of formal regulatory implementation, are in a materially different position from those that wait for a supervisory request.
There is also a practical point about the sequence of work. Resilience mapping, BIA reviews, and BCP testing surface issues that take time to resolve, including dependency gaps, IT recovery shortfalls, and governance weaknesses. Those issues are manageable if there is time to address them. They are harder to explain when a regulator has already asked the question.
The direction of travel across the GCC is consistent. The DFSA has published its proposals. The QFCRA has embedded its rules. The CBUAE framework is expected to follow. The firms that will be best placed going into 2027 are those that treat resilience as an operational reality rather than a compliance requirement, and can demonstrate the difference.
J. Awan & Partners provides operational resilience advisory, business impact analysis, BCP testing and resilience programme development to regulated financial institutions across the GCC. For a conversation about your firm’s position, contact info@jawanpartners.com or visit jawanpartners.com.