Why this matters in Saudi Arabia
Bank branches in KSA carry a unique risk profile - high foot-traffic, vulnerable customer demographics, and cardiac-event probability raised by stress and heat. SAMA's operational risk guidance expects every branch to maintain trained first-aiders, working AEDs and a documented medical-emergency procedure.
This guide walks banking branches and operations centres through the full lifecycle of first-aid - from regulatory scoping and risk identification to control deployment, evidence collection and ongoing assurance - in language an HSE manager, project director or auditor can hand to a site team on Sunday morning.
Saudi regulations and standards
The regulatory stack you must satisfy when running first-aid programmes in the Kingdom:
- OSHA 29 CFR 1910.151 medical and first aid (reference)
- AHA BLS guidelines 2020
- SAMA Operational Risk Management framework
- ISO 45001:2018 Clause 8.2
- MoH first-aid certification rules
The Saudi labor framework places primary duty on the employer (Saudi Labor Law Article 121-129): you must provide a safe workplace, identify and assess hazards, supply PPE at no cost to the worker, train employees in their language, and notify the Ministry of Human Resources and Social Development (MHRSD) and GOSI on serious incidents. MHRSD Ministerial Decision 3337/1442H (the workplace-conditions regulation) operationalises these duties with specific articles on physical agents, chemical agents, ergonomics, lighting, ventilation and the seasonal midday-work ban. For environmental aspects the lead authority is the National Centre for Environmental Compliance (NCEC) under Royal Decree M/165 (2020) and its 2021 Executive Regulations.
What to implement
A defensible programme is built in seven layers - each addressed by a concrete deliverable rather than a wishlist:
- Policy and leadership commitment
  - Top-management signed policy (ISO 45001:2018 Clause 5.2 / ISO 14001:2015 Clause 5.2).
  - Documented HSE objectives with measurable KPIs.
  - Annual management review minutes filed.
- Scope, context and interested parties
  - Site list with criticality grading.
  - Stakeholder register (regulator, client, contractor, neighbour, community).
  - Legal register (MHRSD, NCEC, SASO, Civil Defense, GOSI, MoH) updated quarterly.
- Risk and opportunity register
  - Hazard identification at task, process and facility levels.
  - Risk-matrix scoring (5x5 likelihood x consequence).
  - Hierarchy-of-controls applied (eliminate -> substitute -> engineer -> administer -> PPE).
- Operational controls
  - Site-specific procedures (PTW, JSA, MOC, LOTO, confined-space, hot-work).
  - Pre-task briefings (toolbox talks).
  - Site induction with Arabic and worker-language briefing.
- Competence and training
  - Training matrix by role x skill x expiry.
  - Evidence of attendance, evaluation and refresher.
  - Third-party certifications stored (NEBOSH, IOSH, OPITO, IOGP).
- Performance monitoring
  - Leading indicators (PTW compliance, observation closure, training currency).
  - Lagging indicators (TRIR, LTIFR, environmental excursions, near-miss rate).
  - Quarterly KPI report to top management.
- Audit, review and continual improvement
  - Internal-audit programme aligned with ISO 19011.
  - Management review at planned intervals.
  - Corrective-action register with closure dates and effectiveness verification.
Templates
Copy and adapt the table below into your HSE management system or - if you already run Skyline - paste it directly into the Procedures module so every site uses the same baseline:
| Component | Description | Owner | Cadence |
|------------------------------|-------------------------------------------------------------------|------------------|----------------------|
| Policy | Top-management signed, posted in Arabic + English | CEO / Top mgmt | Annual review |
| Scope and objectives | Documented scope, SMART objectives, measurable KPIs | HSE Manager | Annual |
| Hazard identification | Task / process / facility hazards; 5x5 risk matrix | Line supervisors | Continuous |
| Operational procedures | PTW, JSA, MOC, emergency, contractor management | HSE + Operations | As needed |
| Training and competence | Matrix by role x skill x expiry; LMS evidence | HR + HSE | Per matrix |
| Performance monitoring | Leading + lagging KPIs, monthly reports | HSE | Monthly + quarterly |
| Audit and review | Internal audit per ISO 19011; management review at intervals | Lead auditor | Quarterly + annual |
| Continual improvement | NC / CA register; lessons learned; revision of controls | HSE | Continuous |
Common gaps in KSA audits
After auditing more than 200 KSA sites across construction, oil and gas, manufacturing and offices, the same gaps recur - most are paperwork gaps, not technology gaps:
- Policies in English only - Saudi Labor Law requires worker-language communication. Translate to Arabic and to the dominant migrant-worker language (Hindi, Urdu, Tagalog, Bengali) on site.
- Risk register exists but never reviewed - auditors check the date of last update. A 2-year-old hazard register fails ISO 45001 Clause 6.1.4.
- Training records not retained - courses delivered but certificates not collected. Retain for tenure of employment + 5 years minimum.
- PPE issued without job-specific selection - generic catalogue procurement without JSA cross-reference. Auditors flag this every time.
- Sub-contractor controls weaker than principal - flow-down clauses absent. Mega-project clients audit Tier-2 and Tier-3 directly.
- Emergency drills not evidenced - drill held but no signed register, no debrief minute, no corrective action raised on issues.
- Management review missing items - ISO 45001 Clause 9.3 has a prescribed input/output list. Missing items = automatic non-conformity.
- MOC (Management of Change) treated informally - changes to equipment, procedure, personnel not formally risk-assessed; this is the highest-leverage process-safety gap in KSA petrochem.
- Internal audit done by an unqualified auditor - ISO 19011:2018 demands evidence of competence. Send your auditors to a Lead Auditor course (NEBOSH or IRCA registered).
- Action closure dates slip without trace - auditors test the aging of open corrective actions; aged >90 days is a Major finding.
Roles and responsibilities - RACI
A first-aid programme needs one owner at executive level and clear accountability for every operational step. Sample RACI:
| Activity | CEO / GM | HSE Manager | Line Supervisor | Worker | HR | Legal |
|-----------------------------------------|----------|-------------|------------------|--------|----|-------|
| Issue HSE policy | A | R | C | I | C | C |
| Maintain legal register | I | R | C | I | I | A |
| Risk assessment (task) | I | C | A / R | C | I | I |
| Permit-to-Work | I | C | A / R | R | I | I |
| Training delivery and records | I | A | C | I | R | I |
| Incident investigation | I | A | R | C | C | C |
| Internal audit | A | R | C | I | C | C |
| Management review | A / R | R | I | I | C | C |
| Regulator interaction (MHRSD / NCEC / GDCD) | A | R | I | I | I | C |
| Corrective-action closure | I | A | R | I | I | I |
Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed.
Note: under ISO 45001:2018 Clause 5.1, top management must take overall accountability for the prevention of work-related injury and ill-health. You cannot delegate this to the HSE manager.
Compliance evidence - what auditors look for
KSA auditors (MHRSD inspectors, NCEC inspectors, Civil Defense officers, ISO accredited certification bodies, third-party contractor auditors for SACS-210) all converge on the same evidence pyramid:
- Tier 1 - Approval evidence: signed policy, signed management-review minute, signed annual HSE objectives.
- Tier 2 - Programme evidence: HSE plan, training matrix, legal register, risk register, audit programme.
- Tier 3 - Operational evidence: PTW log, JSA bank, toolbox-talk attendance, drill register, BBS observation log.
- Tier 4 - Performance evidence: KPI dashboard, leading/lagging trend charts, NC and CA register.
- Tier 5 - Continual-improvement evidence: lessons-learned bulletins, revised procedures with traceable revision dates, closed-out previous-audit findings.
Practical auditor heuristic: from the moment the auditor walks in, anything not dated and signed is treated as draft. Keep an evidence index - one Excel sheet or one GRC view - that maps each control to its current piece of evidence, its custodian and its expiry.
Tooling - software, forms and apps
You do not need an enterprise platform to comply, but a digital trail makes audits trivially easier:
- SKYLINE EHS (this site's product) - Arabic-first, PDPL-resident, integrates with GOSI / ZATCA / Absher; modules for PTW, JSA, training, incident, audit, environmental and ESG.
- Enablon / Intelex / Quentic / Sphera - global enterprise platforms, strong analytics, slow Arabic and KSA localisation.
- iAuditor (SafetyCulture) - best-in-class mobile inspection forms; cheap entry, weaker workflow.
- Power BI / Looker Studio - pair with an EHS data warehouse for executive KPI dashboards.
- MS Forms / Google Forms - acceptable interim for very small sites (<50 employees).
- Wazuh / Elastic - for cybersecurity-side overlap if your HSE platform stores personal data subject to PDPL.
- NIOSH Pocket Guide and OSHA eTools - free reference content for occupational-exposure thresholds.
- EFI Smart Bands - wearable heat-stress monitoring for outdoor crews.
- Garmin inReach / SPOT - satellite SOS for lone-worker programmes in remote KSA terrain.
- Mobile gas-detection - RAE Systems, MSA Altair, Industrial Scientific Ventis Pro; calibration cert on file.
FAQ
Q1: Is ISO 45001 mandatory in Saudi Arabia? A: Not by law. It is contractually mandatory on most large public-sector projects and a strong differentiator at procurement.
Q2: Which authority enforces workplace safety - MHRSD or MoH? A: MHRSD enforces the safety side (physical hazards, working conditions, midday ban). MoH owns occupational health (medical surveillance, fit-to-work). They cross-refer cases; you need both.
Q3: How often must I run a fire drill? A: Civil Defense expects at minimum one full evacuation drill annually. SBC 801 high-rise and high-occupancy buildings often run twice a year; document each one with a debrief minute.
Q4: Do I need to file my HSE plan with a regulator before mobilisation? A: For private projects, no. For Royal Commission, NEOM and Civil Defense permit projects, yes - review and approval are pre-conditions of mobilisation.
Q5: How long must I retain HSE records? A: Minimum 5 years for general records, 30 years for asbestos/medical surveillance, 40 years for radiation exposure. Personal-data retention also follows PDPL minimisation principles.
Next steps with SKYLINE
SKYLINE delivers full EHS / HSE programmes for KSA enterprises: gap assessment, ISO 45001 / 14001 certification readiness, SBC 801 fire-safety design review, contractor pre-qualification audits and 24x7 SOC-style HSE monitoring through our EHS service and HSE service. Talk to a Saudi-certified HSE consultant today: WhatsApp +966-13-590-9890 or email info@skylinepos.net.