
[BCM] [GRA] [E2] [C8] Program Management

Written by Moh Heng Goh | Jun 22, 2026 7:18:27 AM
 

eBook 2: Chapter 8

 

Program Management Phase for BCM Planning Methodology for Gambling Regulatory Authority (GRA)

 

Introduction

The successful completion of the Project Management, Risk Analysis and Review, Business Impact Analysis, Business Continuity Strategy, Plan Development, and Testing and Exercising phases does not mark the end of the Business Continuity Management (BCM) journey.

Business continuity is an ongoing management discipline that requires continuous oversight, maintenance, improvement, and governance.

The purpose of the Programme Management (PgM) Phase is to ensure that GRA's BCM programme remains effective, relevant, and aligned with organisational objectives, regulatory responsibilities, emerging risks, and ISO 22301 requirements.

Programme Management transforms BCM from a one-time project into a sustainable management system that continually enhances organisational resilience.

For GRA, effective programme management is essential because changes in technology, regulatory requirements, gambling industry trends, stakeholder expectations, and threat landscapes can significantly affect business continuity preparedness. Therefore, BCM must be actively governed and continuously improved.

Purpose of Programme Management

Programme Management ensures that:

  • BCM remains aligned with organisational objectives.
  • Business continuity plans remain accurate and current.
  • Recovery capabilities are maintained.
  • Personnel remain trained and prepared.
  • Risks are continuously monitored.
  • Lessons learned are incorporated into the BCM programme.
  • Compliance with ISO 22301 is maintained.
  • Organisational resilience continues to improve.

The Programme Management phase serves as the governance and continual improvement component of the BCMS.

 

BCM Governance Structure

Strong governance is fundamental to sustaining an effective BCM programme.

 

BCM Governance Objectives

The governance structure should:

  • Establish accountability.
  • Provide management oversight.
  • Allocate resources.
  • Monitor programme effectiveness.
  • Drive continual improvement.

 

GRA BCM Governance Structure

A typical governance structure for GRA may include:

| Governance Level | Responsibilities |
|---|---|
| Executive Management | Strategic direction, policy approval, resource allocation |
| BCM Steering Committee | Oversight of BCM programme implementation and performance |
| BCM Manager | Day-to-day management of the BCM programme |
| Business Unit Heads | Ownership of business continuity plans and recovery capabilities |
| BCM Coordinators | Plan maintenance, training, and exercise coordination |
| Recovery Teams | Operational response and recovery activities |

This governance structure ensures BCM responsibilities are clearly assigned throughout the organisation.

 

BCM Policy Management

The BCM Policy provides the foundation for the BCMS and communicates management's commitment to business continuity.

 

Policy Requirements

The BCM Policy should:

  • Define BCM objectives.
  • Establish scope and applicability.
  • Assign responsibilities.
  • Specify compliance requirements.
  • Support continual improvement.

 

GRA-Specific Requirement

The BCM Policy should explicitly support GRA's responsibility to:

  • Maintain regulatory oversight of gambling activities.
  • Ensure continuity of licensing and permit administration.
  • Sustain enforcement and investigation capabilities.
  • Protect regulatory information and records.
  • Maintain communications with government agencies, gambling operators, and stakeholders during disruptions.

The policy should be reviewed at least annually or whenever significant organisational changes occur.

 

Plan Maintenance and Review

Business continuity plans must remain accurate and relevant.

 

Review Triggers

Plans should be reviewed when:

  • Organisational structures change.
  • New technologies are introduced.
  • Critical business functions change.
  • Recovery strategies are modified.
  • Regulatory requirements are updated.
  • Significant incidents occur.

 

GRA-Specific Requirement

All BC Plans supporting:

  • Licensing Operations.
  • Regulatory Compliance Monitoring.
  • Enforcement and Investigation Activities.
  • Regulatory Intelligence Functions.
  • Stakeholder Communications.
  • Information Technology Services.

should undergo formal review at least annually.

 

Training and Awareness Programme

Employees must understand their roles during a disruption.

 

Objectives

Training and awareness programmes should:

  • Increase BCM knowledge.
  • Improve preparedness.
  • Familiarise personnel with plans.
  • Reinforce recovery responsibilities.

 

Types of Training

| Training Type | Target Audience |
|---|---|
| BCM Awareness Training | All employees |
| Recovery Team Training | Recovery team members |
| Crisis Management Training | Senior management |
| Exercise Participation Training | Business unit personnel |
| Specialist Recovery Training | IT and technical recovery teams |

GRA Example

New employees joining the Licensing Division should receive BCM awareness training covering:

  • Recovery procedures.
  • Alternate work arrangements.
  • Escalation procedures.
  • Communication protocols.

This ensures continuity knowledge is maintained despite staff turnover.

 

Testing and Exercising Management

Testing and exercising should be managed as an ongoing programme rather than an isolated activity.

Annual Exercise Programme

GRA should establish an annual exercise calendar covering:

  • Component tests.
  • Call notification tests.
  • Walkthrough exercises.
  • Integrated tests.
  • Simulation exercises.
  • Live recovery exercises.

GRA-Specific Requirement

At least one annual exercise should involve a scenario affecting critical regulatory services such as:

  • Licensing system outages.
  • Cybersecurity incidents.
  • Data breaches.
  • Enforcement operation disruptions.
  • Regulatory communications failures.

Exercise outcomes should be reported to senior management.

 

Incident and Exercise Lessons Learned

Continuous improvement depends on learning from both real incidents and exercises.

Post-Incident Reviews

Following significant incidents, GRA should conduct:

  • Root cause analysis.
  • Recovery performance assessment.
  • Gap identification.
  • Corrective action planning.

Post-Exercise Reviews

Exercise reviews should evaluate:

  • Plan effectiveness.
  • Recovery team performance.
  • Communication effectiveness.
  • Achievement of recovery objectives.

GRA Example

Following a simulation involving a cyberattack on regulatory systems, lessons learned may identify:

  • Delays in escalation procedures.
  • Incomplete contact information.
  • Technology recovery gaps.
  • Additional training needs.

These findings should be incorporated into future programme improvements.

 

Performance Monitoring and Measurement

Programme performance should be measured using defined Key Performance Indicators (KPIs).

Sample BCM KPIs

| KPI | Target |
|---|---|
| Annual Plan Review Completion | 100% |
| BCM Training Completion Rate | 95% or higher |
| Exercise Completion Rate | 100% |
| Corrective Action Closure Rate | 90% or higher |
| Recovery Objective Achievement | 100% during exercises |

Performance metrics provide management with visibility into programme effectiveness.

 

Audit and Compliance Management

Regular reviews provide assurance that the BCM programme remains effective.

Internal Audits

Internal BCM audits should evaluate:

  • Compliance with BCM policies.
  • Plan quality.
  • Exercise effectiveness.
  • Training records.
  • Governance effectiveness.

ISO 22301 Compliance Reviews

Periodic reviews should assess compliance with:

  • ISO 22301 requirements.
  • Government directives.
  • Internal policies and procedures.

GRA-Specific Requirement

Audit reviews should include critical regulatory functions and supporting technology platforms to ensure recovery capabilities remain effective.

 

Risk Monitoring and Environmental Scanning

The BCM programme should continuously monitor emerging risks.

Areas to Monitor

  • Cybersecurity threats.
  • Technology changes.
  • Regulatory developments.
  • Third-party dependencies.
  • Workforce risks.
  • Physical security threats.

GRA Example

Emerging risks that may require BCM review include:

  • New online gambling technologies.
  • Artificial intelligence-enabled threats.
  • Changes in gambling legislation.
  • Increased reliance on cloud services.
  • Sophisticated cybercrime targeting regulators.

Monitoring these developments helps keep the BCM programme relevant.

 

Management Review

ISO 22301 requires top management to periodically review the BCMS.

Review Topics

Management reviews should consider:

  • Audit results.
  • Exercise outcomes.
  • Incident reports.
  • KPI performance.
  • Resource requirements.
  • Improvement opportunities.

GRA-Specific Requirement

The BCM Steering Committee should present an annual BCM performance report to senior management summarising:

  • Programme status.
  • Major risks.
  • Exercise results.
  • Corrective actions.
  • Improvement initiatives.

This enables informed decision-making and continued executive support.

Continual Improvement

Continual improvement is a core principle of ISO 22301.

GRA should use the Plan-Do-Check-Act (PDCA) approach to:

  • Identify improvement opportunities.
  • Implement enhancements.
  • Measure effectiveness.
  • Update BCM arrangements.

Improvement initiatives should be prioritised based on risk, business impact, and organisational objectives.

 

Programme Management Deliverables

Key deliverables from the Programme Management phase include:

| Deliverable | Purpose |
|---|---|
| BCM Policy | Strategic direction and governance |
| BCM Governance Framework | Accountability and oversight |
| Annual BCM Programme Plan | Programme activities and objectives |
| Training and Awareness Records | Evidence of competency development |
| Exercise Reports | Validation of recovery capabilities |
| Audit Reports | Compliance and effectiveness assessment |
| Corrective Action Register | Tracking improvement activities |
| Management Review Reports | Executive oversight and decision-making |

These deliverables support the ongoing effectiveness of the BCMS.

 

 

The Programme Management Phase is the final and most enduring phase of the Business Continuity Management Planning Methodology.

It ensures that GRA's BCM programme remains active, effective, and aligned with organisational priorities long after plans have been developed and tested.

Through robust governance, policy management, plan maintenance, training, exercising, auditing, performance monitoring, and continual improvement, GRA can sustain a mature and resilient BCMS.

For the Gambling Regulatory Authority, Programme Management is particularly important because of its responsibility to maintain regulatory oversight, licensing administration, enforcement activities, and stakeholder confidence within Singapore's gambling sector.

By embedding BCM into everyday management practices and continuously adapting to emerging threats and organisational changes, GRA can strengthen its operational resilience and maintain its ability to fulfil its critical regulatory mandate under all circumstances.

Effective Programme Management, therefore, ensures that BCM becomes an integral part of organisational culture and supports long-term compliance with ISO 22301 and regulatory excellence.

eBook 2: Implementing Business Continuity Management for GRA