
Part 2: RAR – Treatment and Control
This section outlines Credit Guarantee Corporation Malaysia’s approach to managing and mitigating the key risks identified in Part 1: RAR – List of Threats.
It focuses on categorising threats by their nature, such as natural disasters, man-made disruptions, personnel shortages, supply chain interruptions, and IT system failures, and documenting the specific treatments and controls in place to address each.
Using the principles of risk management, this chapter evaluates CGC’s existing strategies across four standard risk treatment categories: Risk Avoidance, Risk Reduction, Risk Transference, and Risk Acceptance. The aim is to ensure that the Corporation can sustain critical operations during disruptions and resume normal functioning within acceptable timeframes.
The treatments and controls detailed in this section reflect both current measures and forward-looking plans that strengthen CGC’s operational resilience and business continuity preparedness. This comprehensive risk treatment framework is aligned with best practices, including those defined in ISO 22301 and BCM Institute’s RAR methodology.
Here’s a filled template for Part 2: RAR – Treatment and Control, tailored for Credit Guarantee Corporation Malaysia (CGC) and based on the threats identified in Part 1: RAR – List of Threats and the BCM Institute RAR framework.
| Threat | Existing Risk Treatment – Risk Avoidance | Risk Reduction | Risk Transference | Risk Acceptance | Existing Controls | Additional (Planned) Controls |
|---|---|---|---|---|---|---|
| Denial of Access – Natural Disaster (e.g. flood, earthquake) | Partial (site selection/mapping) | ✔️ Hazard-resistant building design; dual‑site operations | ✔️ Insurance coverage for asset losses | – | On‑site flood barriers, backup generator, periodic drills, and evacuation plan | Install permanent dry‑raised assembly area; regular inspection of water‑tight seals |
| Denial of Access – Man‑made Disaster (e.g. fire, vandalism) | – | ✔️ Fire alarm/suppression systems; CCTV surveillance | ✔️ Property & third‑party liability insurance | – | Fire extinguishers, automatic sprinklers, security patrols, and maintenance checks | Conduct quarterly fire drills; upgrade CCTV with AI detection |
| Unavailability of People (e.g. pandemic, labour strike) | – | ✔️ Remote work capacity; cross‑trained staff; flexible scheduling | ✔️ Outsourced back‑office support contracts | – | VPN access, HR succession planning, pandemic hygiene protocols | Formalize staff rotation plans; establish standby contract with temp agency |
| Disruption to the Supply Chain (e.g. vendor failure, transport delay) | ✔️ Multi-sourced critical supplies | ✔️ Inventory buffers; vendor performance tracking | ✔️ Supply‑chain insurance, where feasible | – | Approved vendor lists, regular audits, KPI monitoring, and contractual SLAs | Develop alternative local supplier network; annual stress tests of vendor chain |
| Equipment & IT‑Related Disruption (e.g. server crash, hardware failure) | – | ✔️ Scheduled maintenance; hardware redundancy; patching | ✔️ IT outage insurance (cyber, hardware) | – | Dual‑site data replication, UPS, backup tapes, and change management policies | Deploy cloud‑based failover; monthly disaster‑recovery drills; annual penetration tests |
Notes & Methodology
- The threat column aligns directly with the categories from Part 1: RAR – List of Threats, such as “Denial of Access – Natural Disaster,” “Unavailability of People,” etc.
- Existing Risk Treatment columns denote whether CGC currently adopts each of the four classic treatments: Avoidance, Reduction, Transference, and Acceptance.
- Existing Controls list measures currently in place.
- Additional (Planned) Controls propose enhancements or new controls to further mitigate each threat.
- This structure follows the BCM Institute's "Part 2: RAR – Treatment and Control" template, with each threat mapped across all risk treatment strategies and controls.
How to Proceed
- Populate the table with specific details about CGC’s current controls (e.g., actual vendor names, insurance providers, and evacuation site coordinates).
- Validate the status of each treatment option with senior management to ensure it aligns with CGC’s risk appetite.
- Review and prioritise the additional planned controls: assess cost, impact, and implementation feasibility.
- Embed this table into your chapter, Part 2: RAR – Treatment and Control, as a central tool for illustrating CGC’s risk posture and planned enhancements.
Summing Up ...
In summary, CGC has adopted a multi-faceted and proactive approach to risk treatment, ensuring that business continuity measures are embedded across operational, technological, and strategic layers. The treatments and controls outlined in this chapter form the foundation of a resilient organisation, capable of withstanding and recovering from a broad spectrum of threats.
While many effective measures are already in place, ranging from backup infrastructure to vendor diversification, several additional controls have been identified for future implementation. These will further enhance CGC’s ability to mitigate risks and uphold service delivery under adverse conditions.
Continued review, testing, and refinement of these risk treatments are critical to ensuring their relevance and effectiveness. Moving forward, CGC remains committed to strengthening its risk posture through continuous improvement and a strong culture of resilience.