Prepared. Business Continuity
Diagnostic Tool

Business continuity preparedness is a current focus of GCC regulators in light of the evolving geopolitical situation. This diagnostic will help you assess where your firm stands across the key risk and continuity areas that matter right now. It takes around 8 to 10 minutes.

Getting started

Tell us about your organisation

This helps us tailor the diagnostic and its output to your firm type, size, and footprint. GCC financial services regulators expect controls to be proportionate to a firm's scale and complexity, and so does this tool.

Which best describes your organisation? (select one)
Bank or Deposit-Taking Institution: Retail, commercial, or wholesale banking
Investment Firm or Broker-Dealer: Discretionary or advisory investment management, brokerage, market making
Asset Manager or Fund Manager: Collective investment schemes, fund management, portfolio management
Family Office: Single or multi-family office
Insurance or Re-insurance Firm: Insurers, re-insurers, captives, insurance managers and brokers
Payment Service Provider or Fintech: Payment institutions, stored value facilities, digital financial services
Corporate Finance or Capital Markets Firm: Arranging, underwriting, structured finance, sukuk issuance
Professional Services or Compliance Advisory: Legal, audit, risk, or regulatory advisory firms operating under a licence
Government-Linked or Sovereign Entity: Sovereign wealth, government investment vehicles, public sector financial entities
How many employees does your firm have globally? (select one)
In which GCC countries does your firm have a physical presence? (select all that apply)
Does your firm have offices or operations outside the GCC? (select all that apply)
Section 1 of 10 — People & Workforce

Do you know where your people are, and are they supported?

The GCC has one of the highest concentrations of expatriate professionals in the world. Staff locations, morale, and key person cover are foundational continuity questions right now.

1. Do you have an up-to-date record of where all staff are currently based, including senior management and those in control functions?
2. Are you maintaining regular structured communication with your team, including at least twice-weekly touchpoints and support for personal pressures such as school closures or family concerns?
3. Have you identified key person dependencies and documented interim cover arrangements, and considered what a sustained reduction in your expatriate workforce would mean for your minimum viable operations?
Section 2 of 10 — Operational Continuity

Can your operations absorb third-party disruption, and do you have visibility before it hits?

Third-party disruption and counterparty delays can compound quietly before becoming a crisis. The most important question is whether a disruption would be visible to you in time to act.

4. Have you mapped your critical third parties, outsourced providers, and counterparties, and confirmed their current operational status?
5. Have you identified alternative third parties and/or outsourced providers, including cloud providers, for critical services, and confirmed remote access and supervision controls for staff working from home?
6. Is your firm prepared to switch from its primary IT systems and applications to contingency or manual arrangements if required, and has this been tested?
Section 3 of 10 — Cyber & Information Risk

Are your systems and data resilient to the current threat environment?

Cyber incidents do not respect geographic boundaries. The current environment has significantly elevated phishing, fraud, and infrastructure concentration risks for GCC firms.

7. Do you know where your critical systems and data are hosted, including cloud provider locations, and have you validated backup and failover arrangements?
8. Have you issued targeted staff guidance on heightened phishing, fraud, and information-sharing risks, including the obligation to use internal escalation channels rather than sharing operational details externally?
Section 4 of 10 — Regulatory & Client Continuity

Are you staying ahead with your regulator and your clients?

Regulators notice when firms go quiet. Clients remember how their advisors responded during uncertain periods long after the situation resolves. Both require personal engagement, not generic communications.

9. Have you proactively engaged your regulator(s), particularly if your BCP has been invoked, staff locations have changed, or any regulatory obligations are at risk?
10. Have senior leaders made personal, direct contact with your key clients, not a newsletter or circular, but a genuine conversation about their situation and yours?
Section 5 of 10 — Financial Resilience

Do you have the financial visibility and buffers to absorb disruption?

Financial risks in the current environment often have an operational dimension. Delayed payments, disrupted transactions, and compounding cash flow pressures can build before they become visible.

11. Have you stress-tested your cash flow and liquidity position against a 90-day disruption scenario using current-environment assumptions rather than last year's planning cycle?
12. Have you reviewed your expected inflows and receivables, and proactively engaged counterparties where payment delays are possible, recognising that the risk is often operational rather than credit-related?
13. Have you paused or deferred non-critical projects, recruitment, or system upgrades to reduce operational strain and preserve capacity for what matters now?
Section 6 of 10 — Governance & Strategy

Is leadership owning this?

Firms with board-level sponsorship of BCM and clear documented arrangements are consistently better positioned to navigate and recover from disruption quickly and proportionately.

14. Has your board or management committee formally met to document the firm's current position and response strategy, with clear ownership assigned across key risk areas?
15. Has your firm reviewed and updated its Business Continuity Plan within the last 12 months, and does it reflect your current operating model, staff arrangements, and third-party dependencies?
Section 7 of 10 — Crisis Communications & Social Media

Is your firm communicating with one clear, controlled voice?

In the GCC, reputational risk can move quickly across a small, relationship-driven market. The current environment has also generated significant volumes of misinformation and AI-generated content on social media, creating real risk for firms whose staff engage with or share it.

Advanced Resilience Area. The questions in sections 7 to 10 go beyond immediate response and assess your firm's structural preparedness. Firms that score well here are typically in the strongest position as conditions evolve.
16. Do you have a designated spokesperson and a defined crisis communications protocol, covering internal messaging, client communications, media enquiries, and regulatory notifications?
17. Have you issued clear guidance to staff on social media use during the current environment, including the risks of sharing unverified content, AI-generated material, or information that may conflict with government communications or attract regulatory attention?
Section 8 of 10 — AML & Financial Crime Continuity

Are your financial crime controls holding up under disruption?

Disrupted environments create elevated financial crime risk. Sanctions evasion, payment rerouting, and fraud increase when controls are under pressure. Maintaining AML and KYC capabilities during a crisis is a regulatory expectation across the GCC.

18. Have you confirmed that your AML, KYC, and transaction monitoring capabilities remain fully operational, including where staff are working remotely or key personnel are absent?
19. Have you reviewed your sanctions screening and escalation procedures in light of the current geopolitical environment, including any changes to relevant sanctions lists or guidance from your regulator?
Section 9 of 10 — Data Residency & Insurance Coverage

Are two often-overlooked areas of your resilience framework holding up?

Data residency breaches can occur quietly when staff work across borders. Many firms discover only during a crisis that their insurance policies do not respond to the scenario they are facing.

20. Have you confirmed that data residency, data privacy agreements, and client confidentiality requirements continue to be met under current working arrangements, particularly where staff are working remotely from outside the GCC or in the event of a temporary switch to servers located outside the UAE?
21. Have you reviewed your insurance policies, including business interruption, political risk, professional indemnity, and D&O, to understand whether they respond to geopolitical disruption scenarios and whether war or political risk exclusions apply?
Section 10 of 10 — Scenario Planning & Testing

Has your resilience framework actually been tested against what is happening now?

Many firms have BCPs designed for IT failure or pandemic scenarios. Geopolitical disruption tests different things, and regulators across the GCC are increasingly expecting evidence that firms have exercised their plans, not just documented them.

22. Has your firm run a tabletop exercise or scenario test against a geopolitical or regional disruption scenario, and has your BCP been reviewed and tested against a denial-of-access scenario as well as full evacuation?
23. Do you have a documented process for escalating from business-as-usual monitoring to formal BCP invocation, and does your team know what triggers that decision and who makes it?