
Implementing Business Continuity Management for the Gambling Regulatory Authority (GRA): A Practical Guide to Organisational Resilience, Service Continuity, and Regulatory Excellence

This chapter forms part of the Risk Analysis and Review (RAR) phase within the eBook "Implementing Business Continuity Management for the Gambling Regulatory Authority (GRA): A Practical Guide to Organisational Resilience, Service Continuity, and Regulatory Excellence."

Following the identification of threats and the establishment of risk treatment measures, the next step is to assess the likelihood and potential impact of each threat.

The objective of risk analysis is to determine which threats pose the greatest risk to GRA's ability to perform its regulatory responsibilities and to prioritise resources accordingly.


Moh Heng Goh
Business Continuity Management Certified Planner-Specialist-Expert

Part 3: RAR - Risk Impact and Likelihood Assessment


Introduction


For the purpose of this assessment, a five-point scale is used:

| Score | Impact / Likelihood Description |
|---|---|
| 1 | Very Low |
| 2 | Low |
| 3 | Moderate |
| 4 | High |
| 5 | Very High |

Risk Rating = Highest Impact Score × Likelihood Score

Risk Levels are defined as:

| Risk Rating | Risk Level |
|---|---|
| 1 – 5 | Low |
| 6 – 10 | Moderate |
| 11 – 15 | High |
| 16 – 25 | Extreme |

The assessment below reflects the operational environment, regulatory responsibilities, technology dependencies, and stakeholder expectations of GRA.


Table T3: Risk Impact and Likelihood Assessment

| Threat | Finance | Operations | Legal & Regulatory | Reputation & Image | Social Responsibility | People | Assets / IT Systems / Information | Highest Impact Score | Likelihood | Risk Rating | Risk Level | Expected Period of Disruption |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Flood | 2 | 4 | 2 | 3 | 2 | 3 | 3 | 4 | 2 | 8 | Moderate | 1–5 Days |
| Pandemic / Infectious Disease Outbreak | 3 | 5 | 4 | 4 | 5 | 5 | 2 | 5 | 4 | 20 | Extreme | Several Weeks to Months |
| Severe Haze Incident | 2 | 3 | 1 | 2 | 3 | 3 | 1 | 3 | 3 | 9 | Moderate | Several Days |
| Extreme Weather Event | 2 | 3 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 9 | Moderate | 1–3 Days |
| Fire | 4 | 5 | 3 | 4 | 3 | 4 | 5 | 5 | 2 | 10 | Moderate | Several Days to Weeks |
| Terrorist Incident | 4 | 5 | 5 | 5 | 5 | 5 | 4 | 5 | 2 | 10 | Moderate | Several Days to Weeks |
| Civil Disturbance | 2 | 3 | 2 | 3 | 3 | 3 | 1 | 3 | 2 | 6 | Moderate | 1–3 Days |
| Building Structural Failure | 4 | 4 | 2 | 3 | 2 | 3 | 3 | 4 | 2 | 8 | Moderate | Several Weeks |
| Hazardous Material Incident | 3 | 4 | 3 | 3 | 4 | 4 | 2 | 4 | 2 | 8 | Moderate | Several Days |
| Loss of Key Personnel | 2 | 4 | 4 | 3 | 2 | 5 | 1 | 5 | 3 | 15 | High | Several Weeks |
| Travel Restrictions | 2 | 3 | 2 | 2 | 2 | 3 | 1 | 3 | 3 | 9 | Moderate | Several Days to Weeks |
| Mass Casualty Incident | 3 | 5 | 4 | 4 | 5 | 5 | 2 | 5 | 2 | 10 | Moderate | Several Weeks |
| Telecommunications Provider Failure | 3 | 5 | 4 | 4 | 3 | 3 | 5 | 5 | 3 | 15 | High | Several Hours to Days |
| Cloud Service Provider Outage | 3 | 5 | 4 | 4 | 2 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |
| Power Supply Failure | 3 | 5 | 3 | 3 | 2 | 2 | 5 | 5 | 3 | 15 | High | Several Hours to Days |
| Vendor Failure | 3 | 4 | 3 | 3 | 2 | 2 | 4 | 4 | 3 | 12 | High | Several Days |
| Data Centre Outage | 4 | 5 | 4 | 4 | 2 | 2 | 5 | 5 | 3 | 15 | High | Several Hours to Days |
| Cyberattack / Ransomware | 4 | 5 | 5 | 5 | 4 | 3 | 5 | 5 | 5 | 25 | Extreme | Several Days to Weeks |
| Data Breach | 4 | 4 | 5 | 5 | 4 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Days to Weeks |
| Network Failure | 2 | 5 | 3 | 3 | 2 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Hours |
| Hardware Failure | 2 | 4 | 2 | 2 | 1 | 1 | 5 | 5 | 3 | 15 | High | Several Hours to Days |
| Software Failure | 2 | 4 | 3 | 3 | 1 | 1 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |
| Database Corruption | 3 | 5 | 4 | 4 | 2 | 1 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |
| Insider Threat | 4 | 4 | 5 | 5 | 4 | 3 | 5 | 5 | 3 | 15 | High | Several Days to Weeks |
| AI-Enabled Threats | 4 | 4 | 5 | 5 | 4 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Days |
| Distributed Denial of Service (DDoS) Attack | 3 | 5 | 4 | 4 | 2 | 1 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |
| Failure of Regulatory Information Systems | 4 | 5 | 5 | 5 | 4 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |

 

Highest Risk Threats for GRA

The following threats are assessed as Extreme Risks and should receive priority management attention:

| Threat | Risk Rating | Risk Level |
|---|---|---|
| Cyberattack / Ransomware | 25 | Extreme |
| Pandemic / Infectious Disease Outbreak | 20 | Extreme |
| Cloud Service Provider Outage | 20 | Extreme |
| Data Breach | 20 | Extreme |
| Network Failure | 20 | Extreme |
| Software Failure | 20 | Extreme |
| Database Corruption | 20 | Extreme |
| AI-Enabled Threats | 20 | Extreme |
| DDoS Attack | 20 | Extreme |
| Failure of Regulatory Information Systems | 20 | Extreme |

These threats have the greatest potential to disrupt GRA's critical regulatory functions and therefore require enhanced controls, continuity strategies, and recovery planning.
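The scoring rule and risk-level bands defined earlier can be checked mechanically whenever the register is revised. The Python sketch below is an added example, not part of the original eBook: it recomputes the Highest Impact Score, Risk Rating and Risk Level for six rows copied from Table T3 and flags any row whose published figures disagree with the formula. All function and variable names are assumptions made for illustration.

```python
# Added example: recompute Table T3's derived columns; all names are illustrative.
DIMENSIONS = ("Finance", "Operations", "Legal & Regulatory", "Reputation & Image",
              "Social Responsibility", "People", "Assets / IT Systems / Information")
BANDS = ((5, "Low"), (10, "Moderate"), (15, "High"), (25, "Extreme"))  # upper bounds

# Rows copied from Table T3: threat -> (impact scores, likelihood, rating, level)
T3_SAMPLE = {
    "Flood": ((2, 4, 2, 3, 2, 3, 3), 2, 8, "Moderate"),
    "Fire": ((4, 5, 3, 4, 3, 4, 5), 2, 10, "Moderate"),
    "Loss of Key Personnel": ((2, 4, 4, 3, 2, 5, 1), 3, 15, "High"),
    "Vendor Failure": ((3, 4, 3, 3, 2, 2, 4), 3, 12, "High"),
    "Data Breach": ((4, 4, 5, 5, 4, 2, 5), 4, 20, "Extreme"),
    "Cyberattack / Ransomware": ((4, 5, 5, 5, 4, 3, 5), 5, 25, "Extreme"),
}

def risk_level(rating):
    """Map a 1-25 risk rating onto the page's four risk levels."""
    for upper, level in BANDS:
        if rating <= upper:
            return level
    raise ValueError(f"rating {rating} is outside the 1-25 range")

def score(impacts, likelihood):
    """Return (highest impact, rating, level, dimensions driving the highest impact)."""
    if len(impacts) != len(DIMENSIONS):
        raise ValueError("expected one impact score per dimension")
    if any(not 1 <= s <= 5 for s in (*impacts, likelihood)):
        raise ValueError("scores must be on the five-point scale (1-5)")
    highest = max(impacts)
    rating = highest * likelihood
    drivers = [d for d, s in zip(DIMENSIONS, impacts) if s == highest]
    return highest, rating, risk_level(rating), drivers

def audit(register):
    """Return (threats whose published rating/level is wrong, rows ranked by rating)."""
    mismatches, ranked = [], []
    for threat, (impacts, likelihood, pub_rating, pub_level) in register.items():
        _, rating, level, _ = score(impacts, likelihood)
        if (rating, level) != (pub_rating, pub_level):
            mismatches.append(threat)
        ranked.append((rating, threat, level))
    return mismatches, sorted(ranked, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    bad, ranked = audit(T3_SAMPLE)
    print("inconsistent rows:", bad or "none")
    for rating, threat, level in ranked:
        print(f"{rating:>2}  {level:<8}  {threat}")
```

The `drivers` value returned by `score` names the impact dimension(s) that set the Highest Impact Score, which is useful when deciding where a treatment measure would actually lower the rating.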

Key Risk Analysis Observations

Technology and Information Risks Dominate

The assessment indicates that the highest risks arise from:

  • Cybersecurity incidents.
  • Regulatory system outages.
  • Data integrity failures.
  • Cloud and telecommunications dependencies.

Regulatory Impact is Significant

Any prolonged disruption affecting:

  • Licensing functions.
  • Regulatory monitoring.
  • Enforcement operations.
  • Regulatory intelligence activities.

may result in significant regulatory and reputational consequences.

Third-Party Dependencies Increase Exposure

Reliance on:

  • Telecommunications providers.
  • Cloud service providers.
  • Data centre operators.
  • Technology vendors.

creates additional operational resilience challenges that must be managed proactively.

Workforce Resilience Remains Important

Although technology risks dominate, workforce-related threats, such as pandemics and the loss of key personnel, continue to pose significant operational challenges.


Risk Impact and Likelihood Assessment provides a structured approach for evaluating threats affecting the Gambling Regulatory Authority (GRA) and prioritising risk treatment activities. By assessing the impact of each threat across financial, operational, legal, reputational, social responsibility, people, and information asset dimensions, GRA can identify those risks that pose the greatest threat to its ability to fulfil its regulatory mandate.

The results of this assessment highlight the increasing importance of cybersecurity, technology resilience, data protection, third-party risk management, and workforce preparedness. These findings provide valuable input into the subsequent Business Continuity Management phases, particularly Business Impact Analysis, Business Continuity Strategy development, and recovery planning. Through regular review and reassessment of risks, GRA can maintain an up-to-date understanding of its threat landscape and strengthen its overall organisational resilience in alignment with ISO 22301 and regulatory best practices.

 
