This chapter forms part of the Risk Analysis and Review (RAR) phase within the eBook "Implementing Business Continuity Management for the Gambling Regulatory Authority (GRA): A Practical Guide to Organisational Resilience, Service Continuity, and Regulatory Excellence."
Following the identification of threats and the establishment of risk treatment measures, the next step is to assess the likelihood and potential impact of each threat.
The objective of risk analysis is to determine which threats pose the greatest risk to GRA's ability to perform its regulatory responsibilities and to prioritise resources accordingly.
For the purpose of this assessment, a five-point scale is used:
| Score | Impact / Likelihood Description |
|---|---|
| 1 | Very Low |
| 2 | Low |
| 3 | Moderate |
| 4 | High |
| 5 | Very High |
Risk Rating = Highest Impact Score × Likelihood Score
Risk Levels are defined as:
| Risk Rating | Risk Level |
|---|---|
| 1 – 5 | Low |
| 6 – 10 | Moderate |
| 11 – 15 | High |
| 16 – 25 | Extreme |
The assessment below reflects the operational environment, regulatory responsibilities, technology dependencies, and stakeholder expectations of GRA.
Table T3: Risk Impact and Likelihood Assessment
| Threat | Finance | Operations | Legal & Regulatory | Reputation & Image | Social Responsibility | People | Assets / IT Systems / Information | Highest Impact Score | Likelihood | Risk Rating | Risk Level | Expected Period of Disruption |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Flood | 2 | 4 | 2 | 3 | 2 | 3 | 3 | 4 | 2 | 8 | Moderate | 1–5 Days |
| Pandemic / Infectious Disease Outbreak | 3 | 5 | 4 | 4 | 5 | 5 | 2 | 5 | 4 | 20 | Extreme | Several Weeks to Months |
| Severe Haze Incident | 2 | 3 | 1 | 2 | 3 | 3 | 1 | 3 | 3 | 9 | Moderate | Several Days |
| Extreme Weather Event | 2 | 3 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 9 | Moderate | 1–3 Days |
| Fire | 4 | 5 | 3 | 4 | 3 | 4 | 5 | 5 | 2 | 10 | Moderate | Several Days to Weeks |
| Terrorist Incident | 4 | 5 | 5 | 5 | 5 | 5 | 4 | 5 | 2 | 10 | Moderate | Several Days to Weeks |
| Civil Disturbance | 2 | 3 | 2 | 3 | 3 | 3 | 1 | 3 | 2 | 6 | Moderate | 1–3 Days |
| Building Structural Failure | 4 | 4 | 2 | 3 | 2 | 3 | 3 | 4 | 2 | 8 | Moderate | Several Weeks |
| Hazardous Material Incident | 3 | 4 | 3 | 3 | 4 | 4 | 2 | 4 | 2 | 8 | Moderate | Several Days |
| Loss of Key Personnel | 2 | 4 | 4 | 3 | 2 | 5 | 1 | 5 | 3 | 15 | High | Several Weeks |
| Travel Restrictions | 2 | 3 | 2 | 2 | 2 | 3 | 1 | 3 | 3 | 9 | Moderate | Several Days to Weeks |
| Mass Casualty Incident | 3 | 5 | 4 | 4 | 5 | 5 | 2 | 5 | 2 | 10 | Moderate | Several Weeks |
| Telecommunications Provider Failure | 3 | 5 | 4 | 4 | 3 | 3 | 5 | 5 | 3 | 15 | High | Several Hours to Days |
| Cloud Service Provider Outage | 3 | 5 | 4 | 4 | 2 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |
| Power Supply Failure | 3 | 5 | 3 | 3 | 2 | 2 | 5 | 5 | 3 | 15 | High | Several Hours to Days |
| Vendor Failure | 3 | 4 | 3 | 3 | 2 | 2 | 4 | 4 | 3 | 12 | High | Several Days |
| Data Centre Outage | 4 | 5 | 4 | 4 | 2 | 2 | 5 | 5 | 3 | 15 | High | Several Hours to Days |
| Cyberattack / Ransomware | 4 | 5 | 5 | 5 | 4 | 3 | 5 | 5 | 5 | 25 | Extreme | Several Days to Weeks |
| Data Breach | 4 | 4 | 5 | 5 | 4 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Days to Weeks |
| Network Failure | 2 | 5 | 3 | 3 | 2 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Hours |
| Hardware Failure | 2 | 4 | 2 | 2 | 1 | 1 | 5 | 5 | 3 | 15 | High | Several Hours to Days |
| Software Failure | 2 | 4 | 3 | 3 | 1 | 1 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |
| Database Corruption | 3 | 5 | 4 | 4 | 2 | 1 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |
| Insider Threat | 4 | 4 | 5 | 5 | 4 | 3 | 5 | 5 | 3 | 15 | High | Several Days to Weeks |
| AI-Enabled Threats | 4 | 4 | 5 | 5 | 4 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Days |
| Distributed Denial of Service (DDoS) Attack | 3 | 5 | 4 | 4 | 2 | 1 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |
| Failure of Regulatory Information Systems | 4 | 5 | 5 | 5 | 4 | 2 | 5 | 5 | 4 | 20 | Extreme | Several Hours to Days |
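The rating method above (Risk Rating = Highest Impact Score × Likelihood Score, banded into Low / Moderate / High / Extreme) is simple enough to encode, which makes it easy to recompute a risk register consistently and to catch transcription errors when scores are revised. The following Python script is an added illustration, not part of the eBook or of GRA's own tooling; the function and class names are ours, and the register it loads is a subset of the scores from Table T3 above.

```python
"""Worked example: GRA-style risk rating (highest impact x likelihood)
with banding into risk levels. Added example, not the eBook's own code."""
from dataclasses import dataclass

# The seven impact dimensions of Table T3, in column order.
IMPACT_AREAS = (
    "Finance", "Operations", "Legal & Regulatory", "Reputation & Image",
    "Social Responsibility", "People", "Assets / IT Systems / Information",
)

# Risk level bands from the chapter: (lowest rating, highest rating, level).
RISK_LEVELS = ((1, 5, "Low"), (6, 10, "Moderate"), (11, 15, "High"), (16, 25, "Extreme"))


def validate_score(score: int) -> int:
    """Every impact and likelihood score must be an integer on the 1..5 scale."""
    if isinstance(score, bool) or not isinstance(score, int) or not 1 <= score <= 5:
        raise ValueError(f"score must be an integer from 1 to 5, got {score!r}")
    return score


def risk_rating(impacts: tuple, likelihood: int) -> int:
    """Risk Rating = Highest Impact Score x Likelihood Score."""
    if len(impacts) != len(IMPACT_AREAS):
        raise ValueError(f"expected {len(IMPACT_AREAS)} impact scores, got {len(impacts)}")
    highest_impact = max(validate_score(s) for s in impacts)
    return highest_impact * validate_score(likelihood)


def risk_level(rating: int) -> str:
    """Map a rating (1..25) onto the chapter's Low / Moderate / High / Extreme bands."""
    for low, high, level in RISK_LEVELS:
        if low <= rating <= high:
            return level
    raise ValueError(f"rating {rating} is outside the 1..25 range")


@dataclass(frozen=True)
class Assessment:
    threat: str
    highest_impact: int
    likelihood: int
    rating: int
    level: str


def assess(threat: str, impacts: tuple, likelihood: int) -> Assessment:
    """Produce one Table T3-style row from raw scores."""
    rating = risk_rating(impacts, likelihood)
    return Assessment(threat, max(impacts), likelihood, rating, risk_level(rating))


# Subset of Table T3, scores exactly as given in the chapter:
# threat -> (impact scores in IMPACT_AREAS order, likelihood)
TABLE_T3_SUBSET = {
    "Flood": ((2, 4, 2, 3, 2, 3, 3), 2),
    "Pandemic / Infectious Disease Outbreak": ((3, 5, 4, 4, 5, 5, 2), 4),
    "Fire": ((4, 5, 3, 4, 3, 4, 5), 2),
    "Loss of Key Personnel": ((2, 4, 4, 3, 2, 5, 1), 3),
    "Vendor Failure": ((3, 4, 3, 3, 2, 2, 4), 3),
    "Cloud Service Provider Outage": ((3, 5, 4, 4, 2, 2, 5), 4),
    "Cyberattack / Ransomware": ((4, 5, 5, 5, 4, 3, 5), 5),
    "Data Breach": ((4, 4, 5, 5, 4, 2, 5), 4),
    "Network Failure": ((2, 5, 3, 3, 2, 2, 5), 4),
    "Insider Threat": ((4, 4, 5, 5, 4, 3, 5), 3),
}


def assess_register(register: dict) -> list:
    """Assess every threat, highest rating first (ties broken alphabetically)."""
    rows = [assess(threat, impacts, likelihood) for threat, (impacts, likelihood) in register.items()]
    return sorted(rows, key=lambda a: (-a.rating, a.threat))


def extreme_risks(register: dict) -> list:
    """Threat names that land in the Extreme band, i.e. the priority list."""
    return [a.threat for a in assess_register(register) if a.level == "Extreme"]


if __name__ == "__main__":
    for a in assess_register(TABLE_T3_SUBSET):
        print(f"{a.threat:40} impact={a.highest_impact} likelihood={a.likelihood} "
              f"rating={a.rating:2} {a.level}")
    print("Extreme risks:", extreme_risks(TABLE_T3_SUBSET))
```

Because the bands are contiguous over 1–25, every product of two 1..5 scores maps to exactly one level, and the validation step rejects scores that drift outside the five-point scale when a register is updated by hand. Running the script over the full Table T3 reproduces the chapter's Highest Impact Score, Risk Rating and Risk Level columns for all 27 threats.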
The following threats are assessed as Extreme Risks and should receive priority management attention:
| Threat | Risk Rating | Risk Level |
|---|---|---|
| Cyberattack / Ransomware | 25 | Extreme |
| Pandemic / Infectious Disease Outbreak | 20 | Extreme |
| Cloud Service Provider Outage | 20 | Extreme |
| Data Breach | 20 | Extreme |
| Network Failure | 20 | Extreme |
| Software Failure | 20 | Extreme |
| Database Corruption | 20 | Extreme |
| AI-Enabled Threats | 20 | Extreme |
| DDoS Attack | 20 | Extreme |
| Failure of Regulatory Information Systems | 20 | Extreme |
These threats have the greatest potential to disrupt GRA's critical regulatory functions and therefore require enhanced controls, continuity strategies, and recovery planning.
The assessment indicates that the highest risks arise from:
Any prolonged disruption affecting:
may result in significant regulatory and reputational consequences.
Reliance on:
creates additional operational resilience challenges that must be managed proactively.
Although technology risks dominate, workforce-related threats, such as pandemics and the loss of key personnel, continue to pose significant operational challenges.
The Risk Impact and Likelihood Assessment provides a structured approach for evaluating threats affecting the Gambling Regulatory Authority (GRA) and prioritising risk treatment activities. By assessing the impact of each threat across financial, operational, legal, reputational, social responsibility, people, and information asset dimensions, GRA can identify those risks that pose the greatest threat to its ability to fulfil its regulatory mandate.
The results of this assessment highlight the increasing importance of cybersecurity, technology resilience, data protection, third-party risk management, and workforce preparedness. These findings provide valuable input into the subsequent Business Continuity Management phases, particularly Business Impact Analysis, Business Continuity Strategy development, and recovery planning. Through regular review and reassessment of risks, GRA can maintain an up-to-date understanding of its threat landscape and strengthen its overall organisational resilience in alignment with ISO 22301 and regulatory best practices.