Ebook

[BCM] [GRA] [E2] [C3] Risk Analysis and Review

Written by Moh Heng Goh | Jun 18, 2026 4:59:10 AM

eBook 2: Chapter 3

 

Risk Analysis and Review Phase of the BCM Planning Methodology for 

Gambling Regulatory Authority (GRA)

  

Introduction

As Singapore's national regulator for gambling activities, GRA is responsible for licensing, regulating, monitoring, and enforcing compliance across various forms of gambling.

The Authority also plays a critical role in safeguarding public interest, maintaining the integrity of gambling operations, and ensuring that gambling-related activities do not adversely impact society.

To fulfil these responsibilities effectively, GRA must be prepared for a wide range of disruptions that could affect its ability to regulate, monitor, investigate, and communicate with stakeholders.

Business Continuity Management (BCM), therefore, begins with a thorough understanding of risks that may threaten critical operations.

Under ISO 22301, the Risk Analysis and Review (RAR) phase is a key component of the BCM Planning Methodology.

Its purpose is to identify threats, assess vulnerabilities, evaluate potential consequences, and determine appropriate measures to reduce risks to acceptable levels.

The outcome of the RAR phase provides valuable input into the Business Impact Analysis (BIA) and subsequent BCM planning activities.

This chapter explains the four key steps in conducting a Risk Analysis and Review for GRA:

  1. Identifying Risks
  2. Assessing Risks
  3. Mitigating Risks
  4. Continuous Review

 

Identifying Risks

Risk identification is the process of recognising events or conditions that could disrupt GRA's ability to perform its regulatory responsibilities.

The objective is to identify all credible threats that may impact people, processes, technology, facilities, information, and external stakeholders.

Sources of Risk

Risks can originate from both internal and external sources.

Internal Risks

Examples include:

  • Human errors in regulatory processing.
  • Inadequate staffing levels.
  • Failure of critical applications.
  • Loss of key personnel.
  • Internal fraud or misconduct.
  • Data handling mistakes.

External Risks

Examples include:

  • Cyber-attacks.
  • Power outages.
  • Telecommunications failures.
  • Public health emergencies.
  • Natural disasters.
  • Third-party service provider failures.
  • Regulatory or legislative changes.
  • Reputational incidents affecting public trust.

GRA Example: Risk Identification

The BCM team identifies the following risks affecting GRA's operations:

 

| Risk Category | Example Threat |
|---|---|
| Technology | Cyberattack affecting licensing and regulatory systems |
| Information Security | Data breach involving regulated gambling operators |
| Human Resources | Loss of key investigators during a crisis |
| Facilities | Fire affecting the GRA office premises |
| Third Parties | Cloud service outage affecting regulatory databases |
| Regulatory Operations | Failure to process licensing applications within statutory timelines |
| Reputation | Public controversy involving a regulated gambling operator |
| National Events | Pandemic affecting workforce availability |

The identified risks are documented in a Risk Register for further analysis.

 

Assessing Risks

Once risks have been identified, GRA must assess the likelihood of occurrence and the potential impact on its operations.

The purpose of risk assessment is to prioritise risks and allocate resources effectively.

Risk Assessment Criteria

Likelihood

Likelihood measures the probability that a risk event will occur.

Examples:

| Likelihood Rating | Description |
|---|---|
| Very High | Expected to occur frequently |
| High | Likely to occur |
| Medium | May occur occasionally |
| Low | Unlikely to occur |
| Very Low | Rare occurrence |

Impact

Impact measures the severity of consequences if the risk materialises.

Potential impacts include:

  • Regulatory impact.
  • Operational disruption.
  • Financial loss.
  • Reputational damage.
  • Legal consequences.
  • Public confidence issues.

GRA Example: Cyberattack Assessment

A ransomware attack targeting GRA's regulatory systems may be assessed as follows:

| Factor | Assessment |
|---|---|
| Likelihood | High |
| Operational Impact | High |
| Regulatory Impact | High |
| Reputational Impact | High |
| Overall Risk Rating | Critical |

The assessment indicates that the risk requires immediate management attention and mitigation measures.

Risk Matrix

A Risk Matrix can be used to prioritise risks:

 

| Impact / Likelihood | Low | Medium | High |
|---|---|---|---|
| Low Impact | Low | Low | Medium |
| Medium Impact | Low | Medium | High |
| High Impact | Medium | High | Critical |

Risks classified as High or Critical should be prioritised for treatment.

 

Mitigating Risks

Risk mitigation involves implementing preventive, detective, and corrective controls to reduce risks to an acceptable level.

The objective is not necessarily to eliminate all risks but to minimise the likelihood of occurrence and reduce potential impacts.

Types of Risk Controls

Preventive Controls

Preventive controls aim to stop incidents from occurring.

Examples include:

  • Cybersecurity protection measures.
  • Staff awareness training.
  • Access control systems.
  • Segregation of duties.
  • Vendor due diligence.

Detective Controls

Detective controls identify incidents quickly.

Examples include:

  • Security monitoring systems.
  • Audit reviews.
  • Regulatory compliance checks.
  • Intrusion detection systems.
  • Performance monitoring tools.

Corrective Controls

Corrective controls support recovery after an incident.

Examples include:

  • Backup and recovery systems.
  • Business continuity plans.
  • Disaster recovery arrangements.
  • Crisis management procedures.
  • Alternative work arrangements.

GRA Example: Mitigating Cyber Risks

To reduce the risk of cyber disruption, GRA may implement:

| Risk | Mitigation Measure |
|---|---|
| Ransomware attack | Multi-factor authentication |
| Data breach | Encryption of sensitive information |
| System compromise | Security monitoring and threat detection |
| Application failure | High-availability infrastructure |
| Data loss | Regular backups and recovery testing |
| Human error | Cybersecurity awareness training |

These measures reduce the likelihood and impact of technology-related disruptions.

Residual Risk

After implementing controls, some risk remains.

This remaining exposure is known as Residual Risk.

Senior management should determine whether the residual risk falls within GRA's acceptable risk tolerance levels.
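The matrix scoring described under Assessing Risks and the residual-risk decision described here can be expressed as a small risk-register model. The following is an added worked example, not code from the original chapter or from GRA. It makes three assumptions that the chapter leaves open: the five-level likelihood scale is folded onto the matrix's three columns (Very Low and Low become Low, High and Very High become High); the overall impact is the worst of the individual impact dimensions; and each control is credited with removing a fixed number of matrix steps from likelihood or impact. The sample register is constructed for illustration; only the ransomware entry uses the chapter's own ratings.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Three-point scale used by the chapter's risk matrix for both axes."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The chapter rates likelihood on five levels but the matrix has three columns.
# Assumption: fold the outer levels inward so every rating lands in a column.
LIKELIHOOD_SCALE = {
    "Very Low": Level.LOW,
    "Low": Level.LOW,
    "Medium": Level.MEDIUM,
    "High": Level.HIGH,
    "Very High": Level.HIGH,
}

# Risk matrix from the chapter: RISK_MATRIX[impact][likelihood] -> rating.
RISK_MATRIX = {
    Level.LOW:    {Level.LOW: "Low",    Level.MEDIUM: "Low",    Level.HIGH: "Medium"},
    Level.MEDIUM: {Level.LOW: "Low",    Level.MEDIUM: "Medium", Level.HIGH: "High"},
    Level.HIGH:   {Level.LOW: "Medium", Level.MEDIUM: "High",   Level.HIGH: "Critical"},
}

SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
TREATMENT_REQUIRED = {"High", "Critical"}


@dataclass
class Control:
    """A mitigation measure and how many matrix steps it is assumed to remove."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    category: str
    likelihood: str                      # five-level label from the chapter
    impacts: dict                        # dimension name -> Level
    controls: list = field(default_factory=list)


def overall_impact(impacts):
    """Worst case across dimensions: one High dimension makes the risk High impact."""
    return max(impacts.values())


def rate(likelihood, impact):
    return RISK_MATRIX[impact][likelihood]


def inherent_rating(risk):
    """Rating before any controls are credited."""
    return rate(LIKELIHOOD_SCALE[risk.likelihood], overall_impact(risk.impacts))


def residual_rating(risk):
    """Rating after each control steps likelihood and/or impact down the matrix.
    Neither axis can drop below Low, which is why some exposure always remains."""
    likelihood = LIKELIHOOD_SCALE[risk.likelihood]
    impact = overall_impact(risk.impacts)
    for control in risk.controls:
        likelihood = Level(max(Level.LOW, likelihood - control.likelihood_reduction))
        impact = Level(max(Level.LOW, impact - control.impact_reduction))
    return rate(likelihood, impact)


def within_tolerance(risk, tolerance="Medium"):
    """Management's question: is what remains no worse than the agreed tolerance?"""
    return SEVERITY[residual_rating(risk)] <= SEVERITY[tolerance]


def prioritise(register):
    """Highest inherent rating first; equal ratings keep register order."""
    return sorted(register, key=lambda r: -SEVERITY[inherent_rating(r)])


def treatment_needed(register):
    return [r.name for r in register if inherent_rating(r) in TREATMENT_REQUIRED]


# Constructed sample register. The ransomware entry uses the chapter's own ratings;
# the other entries and all control effects are illustrative assumptions.
RANSOMWARE = Risk(
    "Ransomware attack", "Technology", "High",
    {"Operational": Level.HIGH, "Regulatory": Level.HIGH, "Reputational": Level.HIGH},
    [Control("Multi-factor authentication", likelihood_reduction=1),
     Control("Regular backups and recovery testing", impact_reduction=1)],
)
SAMPLE_REGISTER = [
    Risk("Fire at office premises", "Facilities", "Low", {"Operational": Level.HIGH}),
    RANSOMWARE,
    Risk("Loss of key investigators", "Human Resources", "Medium",
         {"Operational": Level.MEDIUM, "Regulatory": Level.MEDIUM}),
    Risk("Cloud service outage", "Third Parties", "Medium",
         {"Operational": Level.HIGH, "Regulatory": Level.MEDIUM}),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_REGISTER):
        print(f"{risk.name:32} inherent={inherent_rating(risk):9} residual={residual_rating(risk)}")
    print("Needs treatment:", treatment_needed(SAMPLE_REGISTER))
```

Run as a script, the ransomware entry rates Critical inherently (High likelihood, High impact), falls to Medium once multi-factor authentication and tested backups are credited, and so sits within a Medium tolerance; the cloud outage rates High and joins it on the treatment list, while the fire and staffing entries rate Medium. The worst-case aggregation is deliberate: averaging a High regulatory impact against a Low financial one would hide exactly the exposure a regulator most needs to see.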

Continuous Review

Risk management is not a one-time activity.

The threat landscape, technology environment, regulatory requirements, and operational processes continue to evolve. Consequently, GRA must regularly review and update its risk profile.

Review Activities

Regular review activities include:

  • Annual BCM risk assessments.
  • Reviews following major incidents.
  • Reviews after testing and exercising activities.
  • Assessments following organisational changes.
  • Reviews of new technology implementations.
  • Monitoring emerging threats and vulnerabilities.

GRA Example: Emerging Risks

New forms of gambling technology, digital payment platforms, artificial intelligence applications, and cloud-based services may introduce risks that were previously not considered.

For example:

  • AI-generated fraud schemes.
  • Sophisticated cyber threats.
  • Cross-border regulatory challenges.
  • Dependence on cloud infrastructure.
  • Third-party data security risks.

GRA should periodically reassess these risks to ensure continuity plans remain effective and relevant.

Maintaining the Risk Register

The Risk Register should be updated whenever:

  • New threats emerge.
  • Existing controls change.
  • Significant incidents occur.
  • Business processes are modified.
  • Regulatory requirements change.

A current and accurate Risk Register provides a reliable foundation for future BCM activities.

 

Integrating Risk Analysis and Review with ISO 22301

The outputs from the Risk Analysis and Review phase support subsequent BCM activities by:

  • Identifying threats that require continuity planning.
  • Highlighting vulnerable processes and resources.
  • Supporting Business Impact Analysis activities.
  • Guiding continuity strategy development.
  • Supporting testing and exercising scenarios.
  • Facilitating continual improvement.

RAR therefore serves as the foundation for all other BCM planning activities.

 

The Risk Analysis and Review phase underpins GRA's Business Continuity Management by transforming raw organisational vulnerabilities into actionable intelligence.

Through systematic identification, rigorous assessment, targeted mitigation, and ongoing review, GRA enhances its ability to sustain its core regulatory functions and to safeguard the integrity of gambling operations in Singapore amid uncertainty.

This structured approach not only satisfies ISO 22301 requirements but also reinforces GRA's commitment to resilient public service delivery, ensuring that even during disruption, its mission to license, regulate, monitor, and enforce compliance across gambling activities continues uninterrupted.

 

eBook 2: Implementing Business Continuity Management for GRA