[BCM] [ARC] [E3] [BCS] [T1] Mitigation Strategies and Justification

Threat

Existing Controls

Risk Rating

Risk Level

Risk Treatment (Residual Risk)

Additional Mitigation Strategy

Justification for Selected Mitigation Strategy

Cybersecurity breach of donor or client data

Firewall, antivirus software, limited user access, basic data encryption

High

Critical

Moderate

Implement advanced endpoint protection, multi-factor authentication (MFA), and regular penetration testing

Sensitive data (donors, clients) must be protected to ensure privacy and compliance with PDPA. Enhanced controls reduce the attack surface and reassure stakeholders.

Fire or structural damage at ARC premises

Fire extinguishers, smoke detectors, and evacuation procedures

Medium

High

Low

Install fire suppression systems and off-site data backup

While fire is unlikely, the impact is high. These strategies ensure minimal service disruption and data loss.

Loss of key personnel (e.g. therapists, program heads)

Job shadowing, documented SOPs

High

High

Moderate

Develop succession plans and cross-training programs

ARC’s programs are highly specialised. Knowledge transfer and redundancy in skillsets reduce operational impact.

Pandemic or infectious disease outbreak

Basic health protocols, some remote work capacity

High

High

Moderate

Formalise a pandemic response plan, improve hybrid learning and service delivery platforms

Ensures continuity of services for beneficiaries even during physical disruption scenarios.

Funding cuts or loss of a major donor

Donor relationship management, some diversified funding

Medium

High

Moderate

Expand grant applications, increase public outreach and CSR partnerships

Diversifying funding sources reduces dependence and financial vulnerability.

IT system failure or prolonged downtime

Local backups, basic maintenance

High

High

Moderate

Implement cloud-based systems with disaster recovery capabilities and service level agreements (SLAs)

Ensures rapid recovery and minimal disruption to operations and communications.

Reputation damage due to a negative media or stakeholder incident

Public relations SOPs, trained spokespeople

Medium

Medium

Low

Develop a crisis communication plan, conduct regular stakeholder engagement and scenario drills

Helps maintain trust and confidence among parents, donors, and partners during crisis situations.

Disruption in training or intervention programmes

Physical backup classrooms, flexible scheduling

Medium

Medium

Low

Digitalise training content and maintain virtual delivery infrastructure

Allows uninterrupted service delivery, particularly for beneficiaries requiring consistent support.

Volunteer or staff misconduct

Code of conduct, background checks

Medium

Medium

Low

Strengthen HR policies, introduce whistleblower channels, and conduct regular ethics training

Promotes a safe and professional working environment and encourages early reporting.

Utility outages (e.g. power, water, internet)

Emergency generator, basic contingency plans

Medium

Medium

Low

Explore UPS (uninterruptible power supply), mobile internet backup, and portable facilities for critical services

Ensures essential services are operational even during outages.