[BCM] [GRA] [E2] [C8] Program Management

Program Management Phase for BCM Planning Methodology for Gambling Regulatory Authority (GRA)

 

Introduction

The successful completion of the Project Management, Risk Analysis and Review, Business Impact Analysis, Business Continuity Strategy, Plan Development, and Testing and Exercising phases does not mark the end of the Business Continuity Management (BCM) journey.

Business continuity is an ongoing management discipline that requires continuous oversight, maintenance, improvement, and governance.

The purpose of the Programme Management (PgM) Phase is to ensure that GRA's BCM programme remains effective, relevant, and aligned with organisational objectives, regulatory responsibilities, emerging risks, and ISO 22301 requirements.

Programme Management transforms BCM from a one-time project into a sustainable management system that continually enhances organisational resilience.

For GRA, effective programme management is essential because changes in technology, regulatory requirements, gambling industry trends, stakeholder expectations, and threat landscapes can significantly affect business continuity preparedness. Therefore, BCM must be actively governed and continuously improved.

Purpose of Programme Management

Programme Management ensures that:

• BCM remains aligned with organisational objectives.
• Business continuity plans remain accurate and current.
• Recovery capabilities are maintained.
• Personnel remain trained and prepared.
• Risks are continuously monitored.
• Lessons learned are incorporated into the BCM programme.
• Compliance with ISO 22301 is maintained.
• Organisational resilience continues to improve.

The Programme Management phase serves as the governance and continual improvement component of the BCMS.

 

BCM Governance Structure

Strong governance is fundamental to sustaining an effective BCM programme.

 

BCM Governance Objectives

The governance structure should:

• Establish accountability.
• Provide management oversight.
• Allocate resources.
• Monitor programme effectiveness.
• Drive continual improvement.

 

GRA BCM Governance Structure

A typical governance structure for GRA may include:

Governance Level	Responsibilities
Executive Management	Strategic direction, policy approval, resource allocation
BCM Steering Committee	Oversight of BCM programme implementation and performance
BCM Manager	Day-to-day management of the BCM programme
Business Unit Heads	Ownership of business continuity plans and recovery capabilities
BCM Coordinators	Plan maintenance, training, and exercise coordination
Recovery Teams	Operational response and recovery activities

This governance structure ensures BCM responsibilities are clearly assigned throughout the organisation.

 

BCM Policy Management

The BCM Policy provides the foundation for the BCMS and communicates management's commitment to business continuity.

 

Policy Requirements

The BCM Policy should:

• Define BCM objectives.
• Establish scope and applicability.
• Assign responsibilities.
• Specify compliance requirements.
• Support continual improvement.

 

GRA-Specific Requirement

The BCM Policy should explicitly support GRA's responsibility to:

• Maintain regulatory oversight of gambling activities.
• Ensure continuity of licensing and permit administration.
• Sustain enforcement and investigation capabilities.
• Protect regulatory information and records.
• Maintain communications with government agencies, gambling operators, and stakeholders during disruptions.

The policy should be reviewed at least annually or whenever significant organisational changes occur.

 

Plan Maintenance and Review

Business continuity plans must remain accurate and relevant.

 

Review Triggers

Plans should be reviewed when:

• Organisational structures change.
• New technologies are introduced.
• Critical business functions change.
• Recovery strategies are modified.
• Regulatory requirements are updated.
• Significant incidents occur.

 

GRA-Specific Requirement

All BC Plans supporting:

• Licensing Operations.
• Regulatory Compliance Monitoring.
• Enforcement and Investigation Activities.
• Regulatory Intelligence Functions.
• Stakeholder Communications.
• Information Technology Services.

should undergo formal review at least annually.

 

Training and Awareness Programme

Employees must understand their roles during a disruption.

 

Objectives

Training and awareness programmes should:

• Increase BCM knowledge.
• Improve preparedness.
• Familiarise personnel with plans.
• Reinforce recovery responsibilities.

 

Types of Training

Training Type	Target Audience
BCM Awareness Training	All employees
Recovery Team Training	Recovery team members
Crisis Management Training	Senior management
Exercise Participation Training	Business unit personnel
Specialist Recovery Training	IT and technical recovery teams

GRA Example

New employees joining the Licensing Division should receive BCM awareness training covering:

• Recovery procedures.
• Alternate work arrangements.
• Escalation procedures.
• Communication protocols.

This ensures continuity knowledge is maintained despite staff turnover.

 

Testing and Exercising Management

Testing and exercising should be managed as an ongoing programme rather than an isolated activity.

Annual Exercise Programme

GRA should establish an annual exercise calendar covering:

• Component tests.
• Call notification tests.
• Walkthrough exercises.
• Integrated tests.
• Simulation exercises.
• Live recovery exercises.

GRA-Specific Requirement

At least one annual exercise should involve a scenario affecting critical regulatory services such as:

• Licensing system outages.
• Cybersecurity incidents.
• Data breaches.
• Enforcement operation disruptions.
• Regulatory communications failures.

Exercise outcomes should be reported to senior management.

 

Incident and Exercise Lessons Learned

Continuous improvement depends on learning from both real incidents and exercises.

Post-Incident Reviews

Following significant incidents, GRA should conduct:

• Root cause analysis.
• Recovery performance assessment.
• Gap identification.
• Corrective action planning.

Post-Exercise Reviews

Exercise reviews should evaluate:

• Plan effectiveness.
• Recovery team performance.
• Communication effectiveness.
• Achievement of recovery objectives.

GRA Example

Following a simulation involving a cyberattack on regulatory systems, lessons learned may identify:

• Delays in escalation procedures.
• Incomplete contact information.
• Technology recovery gaps.
• Additional training needs.

These findings should be incorporated into future programme improvements.

 

Performance Monitoring and Measurement

Programme performance should be measured using defined Key Performance Indicators (KPIs).

Sample BCM KPIs

KPI	Target
Annual Plan Review Completion	100%
BCM Training Completion Rate	95% or higher
Exercise Completion Rate	100%
Corrective Action Closure Rate	90% or higher
Recovery Objective Achievement	100% during exercises

Performance metrics provide management with visibility into programme effectiveness.

 

Audit and Compliance Management

Regular reviews provide assurance that the BCM programme remains effective.

Internal Audits

Internal BCM audits should evaluate:

• Compliance with BCM policies.
• Plan quality.
• Exercise effectiveness.
• Training records.
• Governance effectiveness.

ISO 22301 Compliance Reviews

Periodic reviews should assess compliance with:

• ISO 22301 requirements.
• Government directives.
• Internal policies and procedures.

GRA-Specific Requirement

Audit reviews should include critical regulatory functions and supporting technology platforms to ensure recovery capabilities remain effective.

 

Risk Monitoring and Environmental Scanning

The BCM programme should continuously monitor emerging risks.

Areas to Monitor

• Cybersecurity threats.
• Technology changes.
• Regulatory developments.
• Third-party dependencies.
• Workforce risks.
• Physical security threats.

GRA Example

Emerging risks that may require BCM review include:

• New online gambling technologies.
• Artificial intelligence-enabled threats.
• Changes in gambling legislation.
• Increased reliance on cloud services.
• Sophisticated cybercrime targeting regulators.

Monitoring these developments helps keep the BCM programme relevant.

 

Management Review

ISO 22301 requires top management to periodically review the BCMS.

Review Topics

Management reviews should consider:

• Audit results.
• Exercise outcomes.
• Incident reports.
• KPI performance.
• Resource requirements.
• Improvement opportunities.

GRA-Specific Requirement

The BCM Steering Committee should present an annual BCM performance report to senior management summarising:

• Programme status.
• Major risks.
• Exercise results.
• Corrective actions.
• Improvement initiatives.

This enables informed decision-making and continued executive support.

Continual Improvement

Continual improvement is a core principle of ISO 22301.

GRA should use the Plan-Do-Check-Act (PDCA) approach to:

• Identify improvement opportunities.
• Implement enhancements.
• Measure effectiveness.
• Update BCM arrangements.

Improvement initiatives should be prioritised based on risk, business impact, and organisational objectives.

 

Programme Management Deliverables

Key deliverables from the Programme Management phase include:

Deliverable	Purpose
BCM Policy	Strategic direction and governance
BCM Governance Framework	Accountability and oversight
Annual BCM Programme Plan	Programme activities and objectives
Training and Awareness Records	Evidence of competency development
Exercise Reports	Validation of recovery capabilities
Audit Reports	Compliance and effectiveness assessment
Corrective Action Register	Tracking improvement activities
Management Review Reports	Executive oversight and decision-making

These deliverables support the ongoing effectiveness of the BCMS.