[Business Impact Analysis] [Critical Business Function] [T1] Part 1
CBF 9: IT & Cyber Resilience
Identification of Business Functions
![[BCM] [CAAS] [E3] [BIA] [T1] [CBF] [9] IT & Cyber Resilience](https://no-cache.hubspot.com/cta/default/3893111/205c35be-6bb6-45c3-8d47-81ef80651678.png)
In an era where air transport operations are increasingly digitalised, the Civil Aviation Authority of Singapore (CAAS) recognises the strategic importance of IT and cyber resilience in safeguarding the integrity, availability, and confidentiality of mission-critical systems.
These systems underpin national airspace safety, regulatory compliance, service delivery, and stakeholder trust.
As such, the Critical Business Function (CBF-9) — IT & Cyber Resilience — encompasses key technological enablers essential to maintaining uninterrupted operations, even in the face of cyber threats, system failures, or major disasters.
This chapter identifies and outlines the Sub-Critical Business Functions (Sub-CBFs) under CBF-9, describes their operational roles, and defines each Business Unit's Minimum Business Continuity Objective (MBCO) — the minimum acceptable level of service or functionality that must be maintained or recovered within a defined time frame to avoid significant impact.
Table 1-1: [BIA] [P1] Identification of Business Functions for CBF 1: Air Navigation Services (Sub-CBF)
Business Unit MBCO
|
Sub-CBF Code |
Sub-Critical Business Function |
Description of CBF |
Business Unit Minimum Business Continuity Objective (BU MBCO) |
|
CBF-1.1 |
Air Traffic Management (ATM) Systems Resilience |
Ensures continuous operability and recovery of core ATM systems supporting flight navigation, surveillance, and communications. |
Maintain 100% availability of primary ATM systems with hot-standby failover within 30 minutes of disruption. |
|
CBF-1.2 |
Cybersecurity Monitoring & Threat Response |
Monitors real-time threats and coordinates cyber incident response and containment across CAAS digital assets and infrastructure. |
Threat monitoring must resume within 15 minutes; containment and response actions must be initiated within 1 hour of incident detection. |
|
CBF-1.3 |
Critical System Backup & Data Recovery |
Manages backups and ensures the integrity of critical data to support timely system recovery in case of outages or breaches. |
Daily backups of critical systems with recovery points within 4 hours; restoration capabilities within 2 hours for Tier-1 systems. |
|
CBF-1.4 |
Enterprise IT Infrastructure Continuity |
Supports the resilience of CAAS’s core IT infrastructure, including servers, network equipment, and data centres. |
Maintain 80% uptime for non-critical services; critical infrastructure must be restored within 2 hours. |
|
CBF-1.5 |
Digital Aviation Services Platform (DASP) Resilience |
Ensures continued operation of DASP, which supports digital interactions with stakeholders (e.g., e-services, permits, applications). |
Core DASP functions must be operational within 4 hours; data integrity to be fully restored within 24 hours. |
|
CBF-1.6 |
Cloud and Third-Party Service Continuity |
Manages continuity of outsourced or cloud-based services supporting CAAS's operations, ensuring SLAs and security postures are maintained. |
Critical cloud services must have a recovery plan with activation within 2 hours; vendor SLAs must meet RTO ≤ 4 hours. |
|
CBF-1.7 |
IT Governance & Compliance Management |
Maintains IT policies, compliance, audits, and risk management frameworks to ensure regulatory alignment and control effectiveness. |
Ensure continuity of regulatory and compliance monitoring with no more than 24 hours of disruption to prevent audit gaps or reporting delays. |
|
CBF-1.8 |
Disaster Recovery Planning and Testing |
Designs, maintains, and tests the IT disaster recovery plans to ensure readiness and alignment with business continuity strategies. |
DR planning documentation must remain accessible within 1 hour; post-disaster tests must be performed within 7 days following a major disruption. |
Summing Up ... for Part 1
The resilience of CAAS’s digital environment is vital to maintaining Singapore’s global aviation leadership and operational safety. The Sub-CBFs identified within CBF-9 — from ATM systems to cloud service continuity — form the foundation of a robust IT and cyber resilience strategy.
Establishing well-defined MBCOs ensures that CAAS can sustain its operations at a minimum acceptable level during disruptive events while working toward full recovery.
As we proceed through the BCM planning methodology, these foundational elements will guide the alignment of technical capabilities with organisational priorities, compliance requirements, and stakeholder expectations.
[Business Impact Analysis] [Critical Business Function] [T1] Part 2
CBF 9: IT & Cyber Resilience
Impact Area of Business Functions
In today’s aviation landscape, the digital backbone of air traffic operations, surveillance systems, and aviation platforms must remain uninterrupted and secure.
The Civil Aviation Authority of Singapore (CAAS), as a key aviation regulator and operator, is heavily reliant on robust and resilient IT and cybersecurity functions to maintain safety, security, and continuity in its operations.
This chapter identifies and assesses the potential impact areas on CAAS’s Minimum Business Continuity Objectives (MBCO) when disruptions occur within Critical Business Function 9 (CBF-9): IT & Cyber Resilience.
Using the structured approach from BCMpedia's Impact Area framework, we evaluate the consequences of failures or disruptions to each Sub-CBF, examining potential financial loss, impact on service delivery, and compliance obligations.
The goal is to understand which IT and cybersecurity functions have the highest criticality and require prioritised recovery planning aligned to the MBCO.
Table 2-1: [BIA] [P2] Impact Area Of Business Functions for CBF 1: Air Navigation Services
|
Sub-CBF Code |
Sub-CBF |
Impact Area |
Financial Impact – Monetary Loss (Estimated) |
Financial Impact – Calculation of Monetary Loss |
Impact on MBCO – Affect MBCO |
Impact on MBCO – Impact |
Remarks – Description |
|
CBF-1.1 |
Air Traffic Management (ATM) Systems Resilience |
Safety, Operational, Reputational, Legal & Regulatory |
SGD 10M–50M |
(No. of Flights Affected) × (Average Penalty + Cost per Delay) |
Yes |
Severe |
Disruption affects radar tracking, flight separation, and real-time navigation—posing national safety risks. |
|
CBF-1.2 |
Cybersecurity Monitoring & Threat Response |
Security, Legal & Regulatory, Reputational |
SGD 5M–20M |
(Estimated No. of Breaches) × (Average Loss per Incident) + Regulatory Fines |
Yes |
High |
Loss of real-time threat visibility may lead to breaches, compromising aviation and passenger data. |
|
CBF-1.3 |
Critical System Backup & Data Recovery |
Operational, Reputational |
SGD 3M–10M |
(Data Recovery Hours) × (Ops Cost/Hour) × (No. of Systems) |
Yes |
Moderate |
Data loss or unavailability delays key decisions and impacts compliance with aviation standards. |
|
CBF-1.4 |
Enterprise IT Infrastructure Continuity |
Operational |
SGD 2M–8M |
(Downtime in Hours) × (No. of Impacted Users) × (Average Hourly Wage/Cost) |
Yes |
Moderate |
Internal operations (HR, finance, administration) are affected but don’t impact external services directly. |
|
CBF-1.5 |
Digital Aviation Services Platform (DASP) Resilience |
Operational, Customer Service, Reputational |
SGD 5M–15M |
(Users Affected) × (Average Delay Cost/User) + (Penalty Fees) |
Yes |
High |
DASP links CAAS to airlines and other aviation stakeholders; its failure disrupts coordination and service delivery. |
|
CBF-1.6 |
Cloud and Third-Party Service Continuity |
Contractual, Operational, Legal & Regulatory |
SGD 3M–12M |
(Services Affected) × (Monthly Subscription Cost + SLA Penalty) |
Yes |
High |
Dependency on external vendors for data hosting and analytics increases operational vulnerability. |
|
CBF-1.7 |
IT Governance & Compliance Management |
Legal & Regulatory |
SGD 1M–5M |
(No. of Non-Compliance Cases) × (Avg Fine/Penalty) |
Yes |
Moderate |
Affects audit readiness and CAAS’s ability to demonstrate regulatory alignment (e.g., ISO, ICAO). |
|
CBF-1.8 |
Disaster Recovery Planning and Testing |
Operational |
SGD 500K–2M |
(Testing Gaps) × (Estimated Risk Exposure per Gap) |
Yes |
Moderate |
Inadequate testing leads to failed recovery in a real incident; impacts all dependent systems. |
|
CBF-1.11 |
Training & Certification of ATS Personnel |
Human Resource, Compliance |
SGD 20,000 – 50,000 |
No. of uncertified staff x Lost productivity x Training delay cost |
No |
Low – Operational continuity can be maintained in the short term; however, certification gaps will likely emerge. |
Essential for long-term sustainability and staff readiness. |
Notes:
- Monetary loss is estimated based on industry-standard impacts of disruption, such as delays, penalties, and reputational harm.
- Affect on MBCO = Yes means the Sub-CBF must be resumed within its recovery timeframe to meet the BU’s Minimum Business Continuity Objective.
- Formulas can be tailored further with CAAS-specific data, such as aircraft movement volume or ATC system costs.
Summing Up ... for Part 2
The integrity and availability of IT and cybersecurity systems are essential for CAAS to uphold its regulatory mandate and operational responsibilities.
The assessment of Sub-CBFs under CBF-9 reveals that any compromise—especially to Air Traffic Management Systems, Cybersecurity Threat Response, or Digital Aviation Platforms—can result in severe financial, safety, and reputational consequences.
A strong business continuity strategy, including defined RTOs, recovery tiers, and system dependencies, is critical to mitigate these risks.
This impact-based approach provides CAAS with clear prioritisation for resource allocation, risk mitigation, and testing strategies aligned to its MBCOs, ensuring sustained operational resilience in an increasingly digital and interconnected aviation ecosystem.
![[BCM] [CAAS] [E3] [RAR] [T1] List of Threats](https://no-cache.hubspot.com/cta/default/3893111/638600be-d908-40a0-9168-d5cc6eef1926.png)
![[BCM] [CAAS] [E3] [RAR] [T2] Treatment and Control](https://no-cache.hubspot.com/cta/default/3893111/0df84fd2-d151-43eb-bd67-e8de11e820a7.png)
![[BCM] [CAAS] [E3] [RAR] [T3] Risk Impact and Likelihood Assessment](https://no-cache.hubspot.com/cta/default/3893111/00fedd72-3ce2-4a52-8aee-e18e5bac5d56.png)
![[BCM] [CAAS] [E3] [BCS] [T1] Mitigation Strategies and Justification](https://no-cache.hubspot.com/cta/default/3893111/17350a9e-771a-404d-9740-5c8d3a9d509d.png)
![[BCM] [CAAS] [E3] [BIA] [T2] [CBF] [9] IT & Cyber Resilience](https://no-cache.hubspot.com/cta/default/3893111/49fa98f3-188b-41d3-9245-869918317926.png)
![BCM] [CAAS] [E3] [BIA] [T3] [CBF] [9] IT & Cyber Resilience](https://no-cache.hubspot.com/cta/default/3893111/bb87c891-2812-43e5-aadb-9f4f97254055.png)
![[BCM] [CAAS] [E3] [BCS] [T2] [CBF] [9] Recovery Strategies](https://no-cache.hubspot.com/cta/default/3893111/d7b8a6d3-33f9-40b6-9619-4c9f7e050850.png)
![[BCM] [CAAS] [E3] [BCS] [T3] [CBF] [9] Minimum Resources Required during a Disaster](https://no-cache.hubspot.com/cta/default/3893111/de745a68-c821-4b0f-baa4-4785f18ddfa0.png)
![[BCM] [CAAS] [E3] [PD] [CBF] [9] IT & Cyber Resilience](https://no-cache.hubspot.com/cta/default/3893111/be43aeec-6049-442e-889c-043930b32b3d.png)
More Information About Business Continuity Management Courses
To learn more about the course and schedule, click the buttons below for the BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].
![Register [BL-B-3]*](https://no-cache.hubspot.com/cta/default/3893111/ac6cf073-4cdd-4541-91ed-889f731d5076.png)
![FAQ [BL-B-3]](https://no-cache.hubspot.com/cta/default/3893111/b3824ba1-7aa1-4eb6-bef8-94f57121c5ae.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
