[BCM] [GRA] [E2] [C3] Risk Analysis and Review

eBook 2: Chapter 3

Introduction

As Singapore's national regulator for gambling activities, GRA is responsible for licensing, regulating, monitoring, and enforcing compliance across various forms of gambling.

The Authority also plays a critical role in safeguarding public interest, maintaining the integrity of gambling operations, and ensuring that gambling-related activities do not adversely impact society.

To fulfil these responsibilities effectively, GRA must be prepared for a wide range of disruptions that could affect its ability to regulate, monitor, investigate, and communicate with stakeholders.

Business Continuity Management (BCM), therefore, begins with a thorough understanding of risks that may threaten critical operations.

Under ISO 22301, the Risk Analysis and Review (RAR) phase is a key component of the BCM Planning Methodology.

Its purpose is to identify threats, assess vulnerabilities, evaluate potential consequences, and determine appropriate measures to reduce risks to acceptable levels.

The outcome of the RAR phase provides valuable input into the Business Impact Analysis (BIA) and subsequent BCM planning activities.

This chapter explains the four key steps in conducting a Risk Analysis and Review for GRA:

1. Identifying Risks
2. Assessing Risks
3. Mitigating Risks
4. Continuous Review

Identifying Risks

Risk identification is the process of recognising events or conditions that could disrupt GRA's ability to perform its regulatory responsibilities.

The objective is to identify all credible threats that may impact people, processes, technology, facilities, information, and external stakeholders.

Sources of Risk

Risks can originate from both internal and external sources.

Internal Risks

Examples include:

• Human errors in regulatory processing.
• Inadequate staffing levels.
• Failure of critical applications.
• Loss of key personnel.
• Internal fraud or misconduct.
• Data handling mistakes.

External Risks

Examples include:

• Cyber-attacks.
• Power outages.
• Telecommunications failures.
• Public health emergencies.
• Natural disasters.
• Third-party service provider failures.
• Regulatory or legislative changes.
• Reputational incidents affecting public trust.

GRA Example: Risk Identification

The BCM team identifies the following risks affecting GRA's operations:

The identified risks are documented in a Risk Register for further analysis.

 

Assessing Risks

Once risks have been identified, GRA must assess the likelihood of occurrence and the potential impact on its operations.

The purpose of risk assessment is to prioritise risks and allocate resources effectively.

Risk Assessment Criteria

Likelihood

Likelihood measures the probability that a risk event will occur.

Examples:

Likelihood Rating	Description
Very High	Expected to occur frequently
High	Likely to occur
Medium	May occur occasionally
Low	Unlikely to occur
Very Low	Rare occurrence

Impact

Impact measures the severity of consequences if the risk materialises.

Potential impacts include:

• Regulatory impact.
• Operational disruption.
• Financial loss.
• Reputational damage.
• Legal consequences.
• Public confidence issues.

GRA Example: Cyberattack Assessment

A ransomware attack targeting GRA's regulatory systems may be assessed as follows:

Factor	Assessment
Likelihood	High
Operational Impact	High
Regulatory Impact	High
Reputational Impact	High
Overall Risk Rating	Critical

The assessment indicates that the risk requires immediate management attention and mitigation measures.

Risk Matrix

A Risk Matrix can be used to prioritise risks:

 

Impact / Likelihood	Low	Medium	High
Low Impact	Low	Low	Medium
Medium Impact	Low	Medium	High
High Impact	Medium	High	Critical

Risks classified as High or Critical should be prioritised for treatment.

 

Mitigating Risks

Risk mitigation involves implementing preventive, detective, and corrective controls to reduce risks to an acceptable level.

The objective is not necessarily to eliminate all risks but to minimise the likelihood of occurrence and reduce potential impacts.

Types of Risk Controls

Preventive Controls

Preventive controls aim to stop incidents from occurring.

Examples include:

• Cybersecurity protection measures.
• Staff awareness training.
• Access control systems.
• Segregation of duties.
• Vendor due diligence.

Detective Controls

Detective controls identify incidents quickly.

Examples include:

• Security monitoring systems.
• Audit reviews.
• Regulatory compliance checks.
• Intrusion detection systems.
• Performance monitoring tools.

Corrective Controls

Corrective controls support recovery after an incident.

Examples include:

• Backup and recovery systems.
• Business continuity plans.
• Disaster recovery arrangements.
• Crisis management procedures.
• Alternative work arrangements.

GRA Example: Mitigating Cyber Risks

To reduce the risk of cyber disruption, GRA may implement:

Risk	Mitigation Measure
Ransomware attack	Multi-factor authentication
Data breach	Encryption of sensitive information
System compromise	Security monitoring and threat detection
Application failure	High-availability infrastructure
Data loss	Regular backups and recovery testing
Human error	Cybersecurity awareness training

These measures reduce the likelihood and impact of technology-related disruptions.

Residual Risk

After implementing controls, some risk remains.

This remaining exposure is known as Residual Risk.

Senior management should determine whether the residual risk falls within GRA's acceptable risk tolerance levels.

Continuous Review

Risk management is not a one-time activity.

The threat landscape, technology environment, regulatory requirements, and operational processes continue to evolve. Consequently, GRA must regularly review and update its risk profile.

Review Activities

Regular review activities include:

• Annual BCM risk assessments.
• Reviews the following major incidents.
• Reviews after testing and exercising activities.
• Assessments following organisational changes.
• Reviews of new technology implementations.
• Monitoring emerging threats and vulnerabilities.

GRA Example: Emerging Risks

New forms of gambling technology, digital payment platforms, artificial intelligence applications, and cloud-based services may introduce risks that were previously not considered.

For example:

• AI-generated fraud schemes.
• Sophisticated cyber threats.
• Cross-border regulatory challenges.
• Dependence on cloud infrastructure.
• Third-party data security risks.

GRA should periodically reassess these risks to ensure continuity plans remain effective and relevant.

Maintaining the Risk Register

The Risk Register should be updated whenever:

• New threats emerge.
• Existing controls change.
• Significant incidents occur.
• Business processes are modified.
• Regulatory requirements change.

A current and accurate Risk Register provides a reliable foundation for future BCM activities.

 

Integrating Risk Analysis and Review with ISO 22301

The outputs from the Risk Analysis and Review phase support subsequent BCM activities by:

• Identifying threats that require continuity planning.
• Highlighting vulnerable processes and resources.
• Supporting Business Impact Analysis activities.
• Guiding continuity strategy development.
• Supporting testing and exercising scenarios.
• Facilitating continual improvement.

RAR therefore serves as the foundation for all other BCM planning activities.

 

The Risk Analysis and Review phase underpins MOM’s Business Continuity Management by transforming raw organisational vulnerabilities into actionable intelligence.

Through systematic identification, rigorous assessment, targeted mitigation, and ongoing review, MOM enhances its ability to sustain core functions and protect Singapore’s workforce ecosystem amid uncertainty.

This structured approach not only satisfies ISO 22301 requirements but also reinforces MOM’s commitment to resilient public service delivery, ensuring that even during disruption, its mission to support a thriving, safe, and adaptable workforce continues uninterrupted.

 

eBook 2: Implementing Business Continuity Management for GRA
C1	C2	C3	C4	C5
C7	C8	C9	C10	C11

 

---

More Information About Business Continuity Management Courses

To learn more about the course and schedule, click the buttons below for the  BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].

	Please feel free to send us a note if you have any questions.