[BCM] [GRA] [E3] [RAR] [T2] Treatment and Control

Introduction

Summary of Risk Treatment Approaches

Key Risk Treatment Priorities for GRA

More Information About Business Continuity Management Courses

Technology and Cybersecurity Risks

Workforce Risks

Third-Party Risks

Operational Risks

Following the identification of threats in Part 1: RAR – List of Threats, the next step in the Risk Analysis and Review (RAR) process is to determine the appropriate risk treatment options and controls. The objective is to reduce the likelihood of disruption, minimise business impact, and strengthen GRA's ability to continue its regulatory responsibilities during adverse events.

ISO 22301 and BCM best practices recommend that organisations consider four primary risk treatment approaches:

Risk Avoidance – Eliminating activities that create the risk.
Risk Reduction – Implementing measures to reduce likelihood or impact.
Risk Transference – Sharing risk through contracts, insurance, or outsourcing arrangements.
Risk Acceptance – Accepting residual risk where treatment is impractical or cost-prohibitive.

This chapter provides examples of how GRA may treat and control identified threats affecting its critical regulatory functions, technology systems, personnel, facilities, and supporting services.

Table T2: Treatment and Control

Threat	Existing Risk Treatment – Risk Avoidance	Existing Risk Treatment – Risk Reduction	Existing Risk Treatment – Risk Transference	Existing Risk Treatment – Risk Acceptance	Existing Controls	Additional (Planned) Controls
Flood	Avoid locating critical equipment in flood-prone areas	Install drainage protection and alternate work arrangements	Building insurance coverage	Accept temporary localised disruption	Emergency response procedures, remote work capability	Enhanced flood monitoring and alternate recovery site
Pandemic / Infectious Disease Outbreak	Avoid unnecessary physical gatherings	Hybrid work arrangements, health protocols	Medical insurance and healthcare support	Accept limited workforce reduction	Work-from-home capability, split team arrangements	Automated workforce availability monitoring
Severe Haze Incident	Avoid outdoor activities during severe haze periods	Air filtration systems and flexible work arrangements	Health insurance coverage	Accept minor productivity impact	Indoor work arrangements	Enhanced remote work readiness
Extreme Weather Event	Avoid scheduling critical activities during severe weather alerts	Business continuity procedures	Property and business interruption insurance	Accept short-term disruption	Emergency communication systems	Real-time weather alert integration
Fire	Avoid storage of hazardous materials	Fire detection and suppression systems	Property insurance	Accept residual facility risk	Fire drills, evacuation plans	Smart building monitoring systems
Terrorist Incident	Avoid conducting operations in high-risk environments	Security screening and access controls	Government security partnerships	Accept residual national security risks	Crisis management plans	Enhanced threat intelligence monitoring
Civil Disturbance	Avoid non-essential travel to affected areas	Alternative work arrangements	Security service agreements	Accept localised access disruptions	Employee safety procedures	Dynamic workforce relocation capability
Building Structural Failure	Avoid occupation of unsafe facilities	Building inspections and preventive maintenance	Property insurance	Accept residual infrastructure risk	Facilities management programme	Alternate office recovery facilities
Hazardous Material Incident	Avoid proximity to hazardous storage areas	Environmental monitoring and emergency procedures	Specialist emergency response contracts	Accept low probability occurrence	Evacuation procedures	Automated environmental alert systems
Loss of Key Personnel	Avoid single-person dependency	Succession planning and cross-training	Recruitment and staffing contracts	Accept unavoidable staff turnover	Skills inventory, knowledge documentation	Enhanced succession management programme
Travel Restrictions	Avoid dependence on physical travel	Virtual collaboration tools	Travel insurance	Accept limitations on mobility	Remote meeting capability	Expanded digital collaboration platforms
Mass Casualty Incident	Avoid unnecessary exposure to high-risk events	Emergency preparedness and employee assistance programmes	Insurance coverage	Accept low-frequency occurrence	Crisis management framework	Enhanced employee welfare support
Telecommunications Provider Failure	Avoid sole-provider dependency	Multiple telecommunications providers	Service Level Agreements (SLAs)	Accept brief service degradation	Redundant connectivity	Additional telecommunications failover capability
Cloud Service Provider Outage	Avoid dependence on a single cloud provider	Multi-region deployment and backups	Cloud provider contractual guarantees	Accept short-term service interruption	Cloud resilience architecture	Multi-cloud recovery strategy
Power Supply Failure	Avoid reliance on a single power source	UPS and backup generators	Utility service agreements	Accept short-duration outage	Backup power systems	Extended generator capacity
Vendor Failure	Avoid overdependence on a single vendor	Vendor assessments and alternate suppliers	Supplier contracts	Accept manageable disruptions	Third-party risk management programme	Secondary supplier arrangements
Data Centre Outage	Avoid concentration of systems in a single location	Secondary recovery site	Hosting agreements	Accept residual infrastructure risk	Disaster recovery facilities	Geographically separated recovery environment
Cyberattack / Ransomware	Avoid unsafe computing practices	Multi-layer cybersecurity controls	Cyber insurance	Accept residual cyber risk	Security operations monitoring, MFA, EDR solutions	Zero Trust architecture implementation
Data Breach	Avoid unnecessary retention of sensitive information	Encryption, access controls, monitoring	Cyber insurance	Accept residual information security risk	Data protection policies	Data Loss Prevention (DLP) technologies
Network Failure	Avoid dependence on a single network path	Network redundancy	Telecommunications contracts	Accept temporary degradation	Dual network infrastructure	Software-defined networking resilience
Hardware Failure	Avoid use of obsolete equipment	Preventive maintenance and redundancy	Vendor maintenance agreements	Accept isolated failures	Hardware lifecycle management	Predictive hardware monitoring
Software Failure	Avoid unsupported applications	Testing, patching, and change management	Vendor support contracts	Accept minor application issues	Application monitoring systems	Automated failover applications
Database Corruption	Avoid unauthorised database modifications	Database replication and backup controls	Vendor support agreements	Accept minimal residual risk	Backup and recovery procedures	Continuous database integrity monitoring
Insider Threat	Avoid excessive privileged access	Segregation of duties and monitoring	Employee fidelity insurance	Accept low residual risk	User activity monitoring, background screening	Behavioural analytics monitoring
AI-Enabled Threats	Avoid unrestricted use of unapproved AI tools	AI governance framework and cybersecurity controls	Specialist cyber advisory services	Accept emerging technology risk	AI usage policies	AI threat detection and monitoring programme
Distributed Denial of Service (DDoS) Attack	Avoid unnecessary exposure of public-facing systems	DDoS mitigation services	Internet service provider protection services	Accept temporary service degradation	Network security controls	Advanced traffic filtering solutions
Failure of Regulatory Information Systems	Avoid dependence on a single system environment	High availability and disaster recovery architecture	Vendor maintenance agreements	Accept limited residual downtime	System monitoring and recovery procedures	Real-time failover environment

Risk Treatment Method	Purpose	Example within GRA
Risk Avoidance	Eliminate activities that create unnecessary risk	Reducing dependency on single points of failure
Risk Reduction	Reduce likelihood and impact of threats	Cybersecurity controls, redundancy, training
Risk Transference	Transfer financial or operational risk to third parties	Insurance policies, vendor contracts, SLAs
Risk Acceptance	Accept residual risk after controls are implemented	Low-likelihood threats with manageable consequences

The following areas should receive continuous management attention:

Cyberattacks and ransomware.
Data breaches.
Regulatory system outages.
Cloud service disruptions.

Loss of key personnel.
Pandemic-related workforce disruptions.
Skills shortages.

Telecommunications failures.
Vendor disruptions.
Data centre outages.
Cloud service provider dependencies.

Regulatory service disruptions.
Stakeholder communication failures.
Loss of access to facilities.

These risks have the greatest potential to affect GRA's ability to fulfil its regulatory responsibilities and maintain public confidence.

Risk treatment and control are essential components of the Risk Analysis and Review process because they transform identified threats into manageable risks. By applying the principles of risk avoidance, risk reduction, risk transference, and risk acceptance, the Gambling Regulatory Authority (GRA) can strengthen its resilience against disruptions affecting its people, facilities, technology, information, and critical regulatory functions.

The controls identified in this chapter should not be viewed as static measures. As the threat landscape evolves and GRA's operational environment changes, risk treatments and controls should be regularly reviewed, tested, and enhanced. Through continuous improvement, GRA can maintain a robust BCM programme that supports regulatory effectiveness, protects critical services, and aligns with ISO 22301 requirements and organisational resilience objectives.

eBook 3: Starting Your BCM Implementation

RAR T1

RAR T2

RAR T3

BCS T1

To learn more about the course and schedule, click the buttons below for the BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].