
[BCM] [MOM] [E2] [C3] Risk Analysis and Review

Written by Moh Heng Goh | Dec 31, 2025 3:39:03 AM

eBook 2: Chapter 3

 

Risk Analysis and Review Phase of the BCM Planning Methodology for the Ministry of Manpower

 

Introduction

In the Business Continuity Management (BCM) lifecycle, the Risk Analysis and Review phase is foundational to strengthening organisational resilience.

For the Ministry of Manpower (MOM), this phase ensures that potential threats to critical functions—such as workforce regulation, workplace safety enforcement, manpower planning, and service delivery—are systematically identified and managed.

By aligning with ISO 22301, MOM can proactively identify risks, assess their impact, implement controls, and continuously refine its risk profile in response to evolving internal and external conditions.

1. Identifying Risks

Risk identification is the first critical step in the BCM process. It involves systematically uncovering events or conditions that could negatively affect MOM’s operations, stakeholders and reputation.

For MOM, risk sources include both internal operational factors and external environmental threats, such as:

Workplace Safety Incidents
  • MOM’s core mandate includes enforcing workplace safety and health standards.
  • High-risk industries (e.g., construction, manufacturing) can generate recurring safety issues that require inspection, regulatory action, and follow-up — all of which can strain resources if not anticipated.
  • MOM’s inspections have uncovered thousands of safety breaches in recent years, underscoring persistent hazards that could disrupt routine enforcement operations.
Public Health Crises
  • Pandemics or infectious disease outbreaks (e.g., COVID-19 and variants) can disrupt MOM personnel and stakeholder availability, affect service delivery, and require rapid activation of response measures.
  • MOM previously issued guidance on reviewing business continuity plans for workforce absences during surges.
Cybersecurity and IT Disruptions
  • As with most modern organisations, MOM depends heavily on digital systems for services such as employment pass processing and workplace safety data.
  • System outages, data breaches or ransomware events can significantly hinder operations and stakeholder services.
Infrastructure and Facility Risks
  • Natural events (e.g., severe haze, floods), major IT outages, or loss of access to office premises can interrupt MOM’s ability to conduct inspections, meetings, and client engagements.
Regulatory and Compliance Shifts
  • Changes in labour law or safety regulations may require rapid adjustments to internal policies, training programs, and enforcement mechanisms, challenging continuity in policy implementation and communication.

By capturing a comprehensive set of risks — from workplace hazards to IT system failures — MOM builds a risk inventory that enables deeper evaluation and prioritisation.

2. Assessing Risks

Once potential threats are identified, the next step is to assess their likelihood and the impact on MOM’s critical functions.

MOM uses structured risk assessment methodologies to prioritise risks based on qualitative and quantitative metrics. Typical assessment considerations include:

  • Likelihood of Occurrence: Frequency of past incidents (e.g., workplace safety breaches, system downtimes) and indicators of emerging risks.
  • Impact Severity: The potential effect on manpower policy delivery, public trust, regulatory enforcement, and internal operations.
  • Critical Function Disruption: Evaluation of how long key services (e.g., work pass issuance or safety inspections) could be hindered without mitigation.

For example, risk assessments for workplace safety enforcement may consider both the high number of safety breaches and their operational impact.

In the first half of 2025, MOM uncovered nearly 7,000 safety breaches, which underscores the ongoing risk that workplace incidents pose to enforcement capacity and resource allocation.

Similarly, public health threats such as transmissible disease outbreaks are rated as high impact and moderate probability, given past pandemic responses, prompting adjustments to BC strategies, including split-team operations and telecommuting readiness.

Risk assessment results are documented in a risk register that ranks vulnerabilities and forms the basis for communicating priorities across divisions involved in BCM.

3. Mitigating Risks

Risk mitigation focuses on reducing the likelihood and/or impact of identified threats. For MOM, controls fall into preventive, detective, and corrective categories, tailored to specific risks.

Operational Controls
  • Enhanced Safety Protocols: Strengthening workplace safety enforcement standards and collaborations with stakeholders to reduce hazardous incidents that divert inspection and enforcement resources.

  • Training & Awareness: Regular capacity building for inspectors and frontline staff on emerging risk scenarios, safety standards, and continuity procedures.
Technical and IT Controls
  • System Redundancy & Backup: Ensuring critical digital systems have failover capabilities and secure backup procedures to reduce the impact of IT outages.

  • Cybersecurity Measures: Implementation of robust cyber defence mechanisms, frequent vulnerability scans and incident response protocols to mitigate cyber threats.
Policy and Procedural Controls
  • Flexible Workforce Arrangements: Plans to enable remote work, split teams, and rotation schedules during health-related disruptions.

  • Alternative Service Delivery: Identification of alternate venues or digital channels to deliver key services if primary facilities are inaccessible.

For example, risk mitigation for public health disruptions may include pre-planned safe management procedures and early triggers to activate work-from-home arrangements — lessons learned from prior pandemic advisories.

MOM’s crisis preparedness teams — such as those highlighted in crisis preparedness units — further embed risk mitigation into whole-of-government readiness efforts, ensuring organisational alignment and coordination during disruptions.

 

4. Continuous Review

Risk analysis is not a one-time exercise — it evolves with changes in the operational landscape, regulatory environment, stakeholder expectations, and emerging threats.

Continuous review ensures that the risk profile remains current and that mitigation strategies stay effective.

Regular Monitoring
  • Scheduled reviews of risk registers and mitigation plans.
  • Monitoring internal indicators (e.g., incident reports, audit results) and external signals (e.g., new regulations, industry trends).
Event-Triggered Reviews
  • Revising risk assessments after significant incidents such as major system outages, sector-wide safety events, or public health developments.
  • Updating controls when new vulnerabilities emerge or when existing controls prove ineffective.
Stakeholder Feedback and Lessons Learned
  • Incorporating lessons from exercises, drills, real disruptions, and stakeholder feedback to refine risk priorities and resilience strategies.

ISO 22301 encourages organisations to reassess risks and adjust business continuity strategies periodically—a practice that MOM integrates through structured governance, internal audit loops, and cross-divisional coordination.

 

The Risk Analysis and Review phase underpins MOM’s Business Continuity Management by transforming raw organisational vulnerabilities into actionable intelligence.

Through systematic identification, rigorous assessment, targeted mitigation, and ongoing review, MOM enhances its ability to sustain core functions and protect Singapore’s workforce ecosystem amid uncertainty.

This structured approach not only satisfies ISO 22301 requirements but also reinforces MOM’s commitment to resilient public service delivery, ensuring that even during disruption, its mission to support a thriving, safe, and adaptable workforce continues uninterrupted.

 

Resilient Support: Implementing Business Continuity Management at Ministry of Manpower (Singapore)
eBook 2: Implementing Business Continuity Management for the Ministry of Manpower