Part 1: BCS - Mitigation Strategies and Justification
Notes for BCM Institute's Course Participants: This is the template for completing the "Part 1: BCS - Mitigation Strategies and Justification."
Mitigation Strategies and Justification
The effectiveness of any risk management framework hinges on the strategic implementation of mitigation measures that reduce or
eliminate potential threats to an organisation.
For Bandtree, a government-linked company under Darussalam Assets, the critical role it plays in managing national infrastructure and property assets demands a proactive and structured approach to threat mitigation.
Purpose of Chapter
This chapter, BCS Part 1: Mitigation Strategies and Justification, presents a comprehensive assessment of identified threats affecting Bandtree’s operations and assets. It outlines the existing control measures, evaluates residual risks, and proposes additional mitigation strategies based on industry best practices and organisational context.
Each mitigation strategy is supported by a clear justification to ensure alignment with the company's business continuity principles and operational priorities.
Drawing reference from the BCM Institute's Part 1: Mitigation Strategies framework, this chapter provides a systematic risk treatment plan aimed at minimising vulnerabilities, enhancing resilience, and ensuring that the organisation’s risk posture supports long-term sustainability and service continuity.
This is a structured Mitigation Strategies table for Bandtree, incorporating the BCM Institute's guidance note for “Part 1: Mitigation Strategies” and contextualising for property management:
|
Threat |
Existing Controls |
Risk Rating |
Risk Level |
Risk Treatment (Residual Risk) |
|
1. Fire outbreak in managed buildings |
Fire extinguishers, fire alarms, evacuation plans, and fire drills |
High (e.g., 16) |
High |
Risk Reduction |
|
2. Theft/vandalism of assets |
CCTV, security guards, access card entry |
Medium-High (e.g., 12) |
High |
Risk Reduction / Transfer |
|
3. Natural disaster (flooding, storms) |
Elevated building design, emergency SOPs |
Medium (e.g., 9) |
Medium |
Risk Reduction / Avoidance |
|
4. ICT system outage |
Basic IT infrastructure, some redundancies, backup power |
Medium-High (e.g., 12) |
High |
Risk Reduction / Transfer |
|
5. Regulatory non‑compliance (building codes, safety) |
Periodic internal audits, staff awareness |
Medium (e.g., 9) |
Medium |
Risk Reduction |
|
6. Workplace accidents/injuries |
Basic PPE, incident reporting, and safety induction |
Medium (e.g., 9) |
Medium |
Risk Reduction |
|
Threat |
Additional Mitigation Strategy |
Justification for Selected Mitigation Strategy |
|
1. Fire outbreak in managed buildings |
Install automatic fire suppression (sprinklers), heat detectors, and integrate with 24/7 monitoring. |
Automatic systems significantly reduce fire spread, lower damage and loss of life—cost vs benefit supports reduction |
|
2. Theft/vandalism of assets |
Enhance perimeter fencing, install intruder detection sensors, and outsource advanced security services. |
Physical barriers, combined with technology and expert services, raise deterrence, facilitate faster crime detection, and share risk through outsourcing. |
|
3. Natural disaster (flooding, storms) |
Move critical servers to an off-site or cloud backup location; install flood sensors and backup generators. |
Off-site/cloud backup ensures data resilience; generators and sensors reduce downtime and damage. |
|
4. ICT system outage |
Implement fully redundant systems, establish an SLA with an external IT provider, and purchase technology insurance. |
Redundancy minimises downtime; outsourcing and insurance help transfer residual risk. |
|
5. Regulatory non‑compliance (building codes, safety) |
Contract third-party compliance audits annually; conduct recurring training sessions |
External audits increase objectivity; training ensures staff maintain up‑to‑date compliance awareness. |
|
6. Workplace accidents/injuries |
Regular safety drills, hire a certified safety officer, and periodic refresher training |
Professional safety oversight and training reduce the likelihood of accidents, making prevention a cost-effective measure. |
Explanations & References
Framework
This table follows BCMpedia’s Part 1 framework, which outlines key columns: threat, controls, risk ratings, treatment, mitigation, and justification.
Risk Treatment Options
- Reduction: minimising likelihood or impact
- Transfer: outsourcing or insurance
- Avoidance: removing the risk source
Four main treatments are listed in BCMpedia
BCM Institute's BCM Planning Methodology emphasises adding measures such as fire suppression, intrusion detection, outsourcing, insurance, and training.
Justification Criteria
Chosen strategies are evaluated on build-out cost, maintenance, skill availability, urgency, prevention benefits versus costs, fully aligned with BCM Institute's planning methodology.
Summing Up...
Effective risk mitigation is not solely about implementing controls—it is about selecting the right strategies, tailored to the organisation’s context, risk appetite, and operational dynamics.
This chapter has identified and analysed key threats faced by Bandtree and proposed targeted mitigation strategies to address them.
By leveraging both preventive and corrective measures—including technological upgrades, physical safeguards, outsourcing, and policy improvements—Bandtree can reduce the likelihood and impact of operational disruptions.
The justifications provided ensure that every proposed strategy is not only practical and cost-effective but also aligned with the organisation's strategic goals.
Moving forward, these mitigation strategies should be integrated into Bandtree’s broader Business Continuity Management (BCM) and Enterprise Risk Management (ERM) frameworks to enable adaptive, resilient, and informed decision-making at all levels of the company.
More Information About Business Continuity Management Courses
To learn more about the course and schedule, click the buttons below for the BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].
![Register [BL-B-3]*](https://blog.bcm-institute.org/hs-fs/hubfs/hub_generated/resized/19a8306f-6b76-45ff-8585-95111f393aeb.png?width=200&height=56&name=19a8306f-6b76-45ff-8585-95111f393aeb.png)
![FAQ [BL-B-3]](https://blog.bcm-institute.org/hs-fs/hubfs/hub_generated/resized/9b7f5669-8ad6-450b-a98f-5f5d49ebfc8e.png?width=150&height=150&name=9b7f5669-8ad6-450b-a98f-5f5d49ebfc8e.png)
![Email to Sales Team [BCM Institute]](https://blog.bcm-institute.org/hs-fs/hubfs/hub_generated/resized/83ae9ad3-affc-416e-8f51-64218d6d98f2.png?width=100&height=100&name=83ae9ad3-affc-416e-8f51-64218d6d98f2.png)
