The completion of the Project Management (PM) and Risk Analysis and Review (RAR) phases, the next critical phase in the Business Continuity Management (BCM) Planning Methodology is the Business Impact Analysis (BIA).
The purpose of the BIA is to identify and evaluate the impact that disruptions may have on GRA's critical business functions, products, services, stakeholders, regulatory responsibilities, and organisational objectives.
The BIA provides the foundation for determining recovery priorities, Minimum Business Continuity Objectives (MBCOs), Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), resource requirements, and continuity strategies.
It enables management to understand which functions are most critical to GRA's mission and how quickly they must be restored following a disruption.
For GRA, the BIA is particularly important because interruptions to regulatory oversight, enforcement, licensing, intelligence gathering, cybersecurity monitoring, and stakeholder communications may significantly affect public confidence, regulatory effectiveness, and the integrity of Singapore's gambling regulatory framework.
The objectives of the BIA are to:
The BIA helps ensure that recovery efforts are prioritised based on business needs rather than assumptions.
The BIA process typically consists of the following steps:
Determine the activities necessary to achieve GRA's statutory and operational objectives.
Determine the products and services delivered by each business function.
Evaluate the consequences of disruptions over time.
Establish recovery priorities, MBCOs, RTOs, and RPOs.
Identify the resources required to perform critical business functions.
Review and approve BIA results with business owners and management.
The following critical business functions form the basis of the BIA.
|
CBF Code |
Critical Business Function |
|
1 |
Gambling Licensing and Approval |
|
2 |
Regulatory Oversight and Supervision |
|
3 |
Compliance Monitoring and Inspection |
|
4 |
Enforcement and Investigation |
|
5 |
Responsible Gambling and Harm Prevention |
|
6 |
Regulatory Intelligence and Risk Assessment |
|
7 |
Incident and Crisis Management |
|
8 |
Stakeholder Communication and Public Affairs |
|
9 |
Legal and Regulatory Advisory |
|
10 |
Policy Development and Regulatory Framework Management |
|
11 |
Information and Case Management Systems |
|
12 |
Cybersecurity and Information Protection |
|
13 |
ICT Infrastructure and Technology Services |
|
14 |
Human Resource Management |
|
15 |
Finance, Procurement, and Vendor Management |
|
16 |
Third-Party and Service Provider Oversight |
|
17 |
Records and Information Management |
|
18 |
Business Continuity and Organisational Resilience Management |
|
19 |
Inter-Agency Coordination and Government Liaison |
|
20 |
Executive Leadership and Governance |
The BIA should assess the impact of disruptions across several impact areas.
|
Impact Area |
Description |
|
Regulatory Impact |
Inability to fulfil statutory obligations |
|
Operational Impact |
Interruption to critical services |
|
Financial Impact |
Increased costs and financial losses |
|
Reputation Impact |
Loss of stakeholder confidence |
|
Legal Impact |
Non-compliance with legal requirements |
|
Social Impact |
Harm to public interest and stakeholders |
|
Technology Impact |
Loss of systems, data, and information |
|
Critical Business Function |
Maximum Tolerable Period of Disruption (MTPD) |
Recovery Priority |
|
Regulatory Oversight and Supervision |
24 Hours |
Priority 1 |
|
Enforcement and Investigation |
24 Hours |
Priority 1 |
|
Regulatory Intelligence and Risk Assessment |
24 Hours |
Priority 1 |
|
Incident and Crisis Management |
Immediate |
Priority 1 |
|
Cybersecurity and Information Protection |
Immediate |
Priority 1 |
|
ICT Infrastructure and Technology Services |
4 Hours |
Priority 1 |
|
Gambling Licensing and Approval |
3 Days |
Priority 2 |
|
Compliance Monitoring and Inspection |
3 Days |
Priority 2 |
|
Stakeholder Communication and Public Affairs |
4 Hours |
Priority 2 |
|
Inter-Agency Coordination and Government Liaison |
24 Hours |
Priority 2 |
|
Legal and Regulatory Advisory |
5 Days |
Priority 3 |
|
Finance, Procurement, and Vendor Management |
5 Days |
Priority 3 |
|
Human Resource Management |
5 Days |
Priority 3 |
The Recovery Time Objective defines the maximum acceptable downtime for a business function.
|
Critical Business Function |
RTO |
|
Incident and Crisis Management |
1 Hour |
|
Cybersecurity and Information Protection |
1 Hour |
|
ICT Infrastructure and Technology Services |
4 Hours |
|
Regulatory Oversight and Supervision |
24 Hours |
|
Enforcement and Investigation |
24 Hours |
|
Gambling Licensing and Approval |
72 Hours |
|
Human Resource Management |
5 Days |
These targets guide recovery planning and resource allocation.
The Recovery Point Objective defines the maximum acceptable amount of data loss.
|
Information Asset |
RPO |
|
Licensing Database |
15 Minutes |
|
Regulatory Case Management System |
30 Minutes |
|
Investigation Records |
30 Minutes |
|
Regulatory Intelligence Repository |
1 Hour |
|
Financial Systems |
4 Hours |
|
Human Resource Systems |
24 Hours |
The RPO determines backup and data recovery requirements.
Each critical business function depends on specific resources.
|
Resource Type |
Examples |
|
People |
Regulatory officers, investigators, IT personnel |
|
Facilities |
Offices, recovery sites |
|
Technology |
Applications, servers, networks |
|
Information |
Regulatory databases, records |
|
Suppliers |
Telecommunications, cloud providers |
|
Equipment |
Laptops, mobile devices, communications equipment |
The Enforcement and Investigation function may depend on:
Understanding dependencies helps identify potential vulnerabilities.
To support its regulatory mandate, GRA should ensure that the BIA:
Including:
Including:
Including:
Including:
These requirements reflect the unique responsibilities of GRA as a national regulator.
The outputs of the BIA include:
|
Deliverable |
Purpose |
|
Critical Business Function Register |
Identifies prioritised activities |
|
Products and Services Register |
Identifies services requiring continuity |
|
Impact Assessment Report |
Documents disruption impacts |
|
MBCO Register |
Defines minimum service levels |
|
Recovery Priority List |
Supports recovery sequencing |
|
RTO and RPO Register |
Defines recovery objectives |
|
Resource Dependency Analysis |
Identifies supporting resources |
These deliverables provide essential inputs to the Business Continuity Strategy phase.
The BIA enables GRA to:
The BIA transforms business continuity planning from assumption-based decisions into evidence-based recovery planning.
The Business Impact Analysis Phase is one of the most important components of the Business Continuity Management Planning Methodology because it establishes the recovery priorities that drive all subsequent continuity activities.
By identifying critical business functions, assessing disruption impacts, determining recovery objectives, and analysing resource dependencies, the Gambling Regulatory Authority (GRA) can ensure that its most essential regulatory services remain protected during incidents, emergencies, and disasters.
The outputs of the BIA provide the foundation for developing effective continuity and recovery strategies that align with GRA's statutory responsibilities, stakeholder expectations, and operational resilience objectives.
Through a comprehensive and regularly updated BIA process, GRA can strengthen its preparedness, improve decision-making during disruptions, and maintain confidence in Singapore's gambling regulatory framework while fulfilling the requirements of ISO 22301 and international BCM best practices.
| eBook 2: Implementing Business Continuity Management for GRA | ||||
| C1 | C2 | C3 | C4 | C5 |
| C7 | C8 | C9 | C10 | C11 |
To learn more about the course and schedule, click the buttons below for the BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].
|
Please feel free to send us a note if you have any questions. |
||