Notes for BCM Institute's Course Participants: This is the template for completing the "Part 2: RAR – Treatment and Control."
By implementing and continually refining these risk management measures, Bandtree ensures alignment with best practices in business continuity management (BCM).
It demonstrates its commitment to delivering sustainable, secure, and reliable services.
Existing Risk Treatment

| Threat | Risk Avoidance | Risk Reduction | Risk Transference | Risk Acceptance |
|---|---|---|---|---|
| Denial of Access – Natural Disaster (e.g. flood, earthquake) | Avoid development in flood-prone areas or geologically unstable zones. | Elevated building design, stormwater drainage system, and emergency power backup (generators). | Insurance coverage for natural disasters impacting assets. | Accept limited downtime in less critical sites. |
| Denial of Access – Man-made Disaster (e.g. fire, terrorism) | Avoid hosting high-risk tenants or operations in politically sensitive areas. | Fire suppression systems, fire-resistant materials, 24/7 CCTV monitoring, and physical access control. | Property and liability insurance. | Accept short-term disruptions in the event of isolated incidents. |
| Unavailability of People (e.g. pandemic, strikes) | Avoid overreliance on critical staff by cross-training personnel to ensure continuity of operations. | Implement flexible work arrangements, health protocols, vaccination drives, and remote work infrastructure (VPN, collaboration tools). | Outsourcing of non-core functions or temporary manpower sourcing. | Accept a temporary drop in productivity during extreme cases. |
| Disruption to the Supply Chain (e.g. vendors, spare parts) | Avoid single-vendor dependencies. | Maintain a buffer stock of critical supplies, conduct periodic vendor risk assessments, and utilise a diversified supplier base. | Vendor contracts with performance and penalty clauses. | Accept minor delays in low-impact services. |
| Equipment and IT-Related Disruption (e.g. server failure) | Avoid unsupported or legacy systems. | Regular IT maintenance, scheduled backups, asset lifecycle management, disaster recovery planning, and power surge protectors. | IT support service contracts with third-party providers. | Accept tolerable downtime for non-critical systems. |

| Threat | Existing Controls | Additional (Planned) Controls |
|---|---|---|
| Denial of Access – Natural Disaster (e.g. flood, earthquake) | Business Continuity Plan (BCP), structural safety audits, emergency evacuation plans. | Installation of early warning systems, remote work readiness drills, periodic flood risk mapping, and elevated storage for critical records. |
| Denial of Access – Man-made Disaster (e.g. fire, terrorism) | Emergency response team (ERT), fire drills, access logs, secure ID access, and collaboration with the fire department. | Conduct biannual fire safety audits, implement biometric access, upgrade to innovative security systems, and enhance incident communication protocols. |
| Unavailability of People (e.g. pandemic, strikes) | HR contingency plans, succession planning, regular staff wellness checks, and flexible leave policies. | Invest in workforce management systems, maintain a standby pool of trained temps, and strengthen telecommuting policies. |
| Disruption to the Supply Chain (e.g. vendors, spare parts) | Approved Vendor List (AVL), quarterly vendor reviews, and critical supplier SLAs. | Establish an alternative supplier framework, digitise inventory tracking, and enhance visibility into Tier 2 vendors. |
| Equipment and IT-Related Disruption (e.g. server failure) | Antivirus software, network monitoring, firewalls, and redundant connectivity. | Migrate core systems to cloud infrastructure, conduct annual disaster recovery (DR) testing, enhance endpoint security, and install uninterruptible power supplies (UPS) for all workstations. |

The RAR Treatment and Control framework presented in this chapter provides a comprehensive overview of Bandtree's proactive stance in addressing potential threats to its operations.
Through a balanced combination of risk avoidance, reduction, transference, and acceptance, Bandtree strengthens its organisational resilience and safeguards its core mission in supporting Brunei’s infrastructure and real estate development.
While existing controls form a solid foundation, the inclusion of planned enhancements reflects a forward-looking strategy that embraces continuous improvement.
These efforts ensure that Bandtree remains adaptable in the face of evolving risks and regulatory expectations.
Ultimately, the effectiveness of this risk treatment approach lies in its integration across the organisation, from operational planning to strategic decision-making, ensuring that Bandtree remains not only operationally robust but also trusted as a critical national asset.

Implementing Business Continuity Management for Bandtree: A Practical Guide
eBook 3: Starting Your BCM Implementation