Following the identification of threats in Part 1: RAR – List of Threats, the next step in the Risk Analysis and Review (RAR) process is to determine the appropriate risk treatment options and controls. The objective is to reduce the likelihood of disruption, minimise business impact, and strengthen GRA's ability to continue its regulatory responsibilities during adverse events.
ISO 22301 and BCM best practices recommend that organisations consider four primary risk treatment approaches:
This chapter provides examples of how GRA may treat and control identified threats affecting its critical regulatory functions, technology systems, personnel, facilities, and supporting services.
Table T2: Treatment and Control
|
Threat |
Existing Risk Treatment – Risk Avoidance |
Existing Risk Treatment – Risk Reduction |
Existing Risk Treatment – Risk Transference |
Existing Risk Treatment – Risk Acceptance |
Existing Controls |
Additional (Planned) Controls |
|
Flood |
Avoid locating critical equipment in flood-prone areas |
Install drainage protection and alternate work arrangements |
Building insurance coverage |
Accept temporary localised disruption |
Emergency response procedures, remote work capability |
Enhanced flood monitoring and alternate recovery site |
|
Pandemic / Infectious Disease Outbreak |
Avoid unnecessary physical gatherings |
Hybrid work arrangements, health protocols |
Medical insurance and healthcare support |
Accept limited workforce reduction |
Work-from-home capability, split team arrangements |
Automated workforce availability monitoring |
|
Severe Haze Incident |
Avoid outdoor activities during severe haze periods |
Air filtration systems and flexible work arrangements |
Health insurance coverage |
Accept minor productivity impact |
Indoor work arrangements |
Enhanced remote work readiness |
|
Extreme Weather Event |
Avoid scheduling critical activities during severe weather alerts |
Business continuity procedures |
Property and business interruption insurance |
Accept short-term disruption |
Emergency communication systems |
Real-time weather alert integration |
|
Fire |
Avoid storage of hazardous materials |
Fire detection and suppression systems |
Property insurance |
Accept residual facility risk |
Fire drills, evacuation plans |
Smart building monitoring systems |
|
Terrorist Incident |
Avoid conducting operations in high-risk environments |
Security screening and access controls |
Government security partnerships |
Accept residual national security risks |
Crisis management plans |
Enhanced threat intelligence monitoring |
|
Civil Disturbance |
Avoid non-essential travel to affected areas |
Alternative work arrangements |
Security service agreements |
Accept localised access disruptions |
Employee safety procedures |
Dynamic workforce relocation capability |
|
Building Structural Failure |
Avoid occupation of unsafe facilities |
Building inspections and preventive maintenance |
Property insurance |
Accept residual infrastructure risk |
Facilities management programme |
Alternate office recovery facilities |
|
Hazardous Material Incident |
Avoid proximity to hazardous storage areas |
Environmental monitoring and emergency procedures |
Specialist emergency response contracts |
Accept low probability occurrence |
Evacuation procedures |
Automated environmental alert systems |
|
Loss of Key Personnel |
Avoid single-person dependency |
Succession planning and cross-training |
Recruitment and staffing contracts |
Accept unavoidable staff turnover |
Skills inventory, knowledge documentation |
Enhanced succession management programme |
|
Travel Restrictions |
Avoid dependence on physical travel |
Virtual collaboration tools |
Travel insurance |
Accept limitations on mobility |
Remote meeting capability |
Expanded digital collaboration platforms |
|
Mass Casualty Incident |
Avoid unnecessary exposure to high-risk events |
Emergency preparedness and employee assistance programmes |
Insurance coverage |
Accept low-frequency occurrence |
Crisis management framework |
Enhanced employee welfare support |
|
Telecommunications Provider Failure |
Avoid sole-provider dependency |
Multiple telecommunications providers |
Service Level Agreements (SLAs) |
Accept brief service degradation |
Redundant connectivity |
Additional telecommunications failover capability |
|
Cloud Service Provider Outage |
Avoid dependence on a single cloud provider |
Multi-region deployment and backups |
Cloud provider contractual guarantees |
Accept short-term service interruption |
Cloud resilience architecture |
Multi-cloud recovery strategy |
|
Power Supply Failure |
Avoid reliance on a single power source |
UPS and backup generators |
Utility service agreements |
Accept short-duration outage |
Backup power systems |
Extended generator capacity |
|
Vendor Failure |
Avoid overdependence on a single vendor |
Vendor assessments and alternate suppliers |
Supplier contracts |
Accept manageable disruptions |
Third-party risk management programme |
Secondary supplier arrangements |
|
Data Centre Outage |
Avoid concentration of systems in a single location |
Secondary recovery site |
Hosting agreements |
Accept residual infrastructure risk |
Disaster recovery facilities |
Geographically separated recovery environment |
|
Cyberattack / Ransomware |
Avoid unsafe computing practices |
Multi-layer cybersecurity controls |
Cyber insurance |
Accept residual cyber risk |
Security operations monitoring, MFA, EDR solutions |
Zero Trust architecture implementation |
|
Data Breach |
Avoid unnecessary retention of sensitive information |
Encryption, access controls, monitoring |
Cyber insurance |
Accept residual information security risk |
Data protection policies |
Data Loss Prevention (DLP) technologies |
|
Network Failure |
Avoid dependence on a single network path |
Network redundancy |
Telecommunications contracts |
Accept temporary degradation |
Dual network infrastructure |
Software-defined networking resilience |
|
Hardware Failure |
Avoid use of obsolete equipment |
Preventive maintenance and redundancy |
Vendor maintenance agreements |
Accept isolated failures |
Hardware lifecycle management |
Predictive hardware monitoring |
|
Software Failure |
Avoid unsupported applications |
Testing, patching, and change management |
Vendor support contracts |
Accept minor application issues |
Application monitoring systems |
Automated failover applications |
|
Database Corruption |
Avoid unauthorised database modifications |
Database replication and backup controls |
Vendor support agreements |
Accept minimal residual risk |
Backup and recovery procedures |
Continuous database integrity monitoring |
|
Insider Threat |
Avoid excessive privileged access |
Segregation of duties and monitoring |
Employee fidelity insurance |
Accept low residual risk |
User activity monitoring, background screening |
Behavioural analytics monitoring |
|
AI-Enabled Threats |
Avoid unrestricted use of unapproved AI tools |
AI governance framework and cybersecurity controls |
Specialist cyber advisory services |
Accept emerging technology risk |
AI usage policies |
AI threat detection and monitoring programme |
|
Distributed Denial of Service (DDoS) Attack |
Avoid unnecessary exposure of public-facing systems |
DDoS mitigation services |
Internet service provider protection services |
Accept temporary service degradation |
Network security controls |
Advanced traffic filtering solutions |
|
Failure of Regulatory Information Systems |
Avoid dependence on a single system environment |
High availability and disaster recovery architecture |
Vendor maintenance agreements |
Accept limited residual downtime |
System monitoring and recovery procedures |
Real-time failover environment |
|
Risk Treatment Method |
Purpose |
Example within GRA |
|
Risk Avoidance |
Eliminate activities that create unnecessary risk |
Reducing dependency on single points of failure |
|
Risk Reduction |
Reduce likelihood and impact of threats |
Cybersecurity controls, redundancy, training |
|
Risk Transference |
Transfer financial or operational risk to third parties |
Insurance policies, vendor contracts, SLAs |
|
Risk Acceptance |
Accept residual risk after controls are implemented |
Low-likelihood threats with manageable consequences |
The following areas should receive continuous management attention:
These risks have the greatest potential to affect GRA's ability to fulfil its regulatory responsibilities and maintain public confidence.
Risk treatment and control are essential components of the Risk Analysis and Review process because they transform identified threats into manageable risks. By applying the principles of risk avoidance, risk reduction, risk transference, and risk acceptance, the Gambling Regulatory Authority (GRA) can strengthen its resilience against disruptions affecting its people, facilities, technology, information, and critical regulatory functions.
The controls identified in this chapter should not be viewed as static measures. As the threat landscape evolves and GRA's operational environment changes, risk treatments and controls should be regularly reviewed, tested, and enhanced. Through continuous improvement, GRA can maintain a robust BCM programme that supports regulatory effectiveness, protects critical services, and aligns with ISO 22301 requirements and organisational resilience objectives.
| eBook 3: Starting Your BCM Implementation |
||||||
| MBCO | P&S | RAR T1 | RAR T2 | RAR T3 | BCS T1 | CBF |
To learn more about the course and schedule, click the buttons below for the BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].
|
Please feel free to send us a note if you have any questions. |
||