
[BCM] [SHINE] [E4] [R] [RAR] Report

Written by Dr Goh Moh Heng | Dec 29, 2025 9:41:47 AM

Summary for Management Approval

Purpose of RAR Report

This report presents the consolidated results of the Risk Analysis and Review (RAR) conducted for SHINE’s twelve Critical Business Functions.

The objective is to:

  • Identify and validate key threats and vulnerabilities affecting SHINE’s mission-critical services
  • Assess the effectiveness of existing controls and treatments
  • Evaluate risk impact and likelihood to determine priority risk areas
  • Obtain management approval to accept, mitigate, or further treat identified risks

RAR Structure and Approach


The RAR was conducted using a three-part structured approach, documented in the following reference blogs:

 

| RAR Part | Description | Reference |
|----------|-------------|-----------|
| Part 1 | Identification of Threats | [RAR T1] List of Threats |
| Part 2 | Existing Treatment and Control Measures | [RAR T2] Treatment and Control |
| Part 3 | Risk Impact and Likelihood Assessment | [RAR T3] Risk Impact & Likelihood |

This approach ensures risks are assessed end-to-end, from threat identification through to residual risk evaluation.

Key Findings – Executive Summary

Overall Risk Posture
  • SHINE’s overall risk posture is assessed as Moderate, with no extreme or unacceptable risks identified.
  • The majority of high-impact risks are operational and people-centric, rather than financial or reputational.
  • Most risks are manageable with existing controls, provided they are consistently applied and periodically reviewed.

Part 1: RAR - List of Threats

SHINE Children and Youth Services (SHINE) provides vital support to children and youth in Singapore.

To maintain operational continuity during unexpected events, it is essential to identify potential threats that could disrupt services.  

Threats may arise from natural disasters, human activities, or internal operational challenges. 

Part 1 provides a detailed assessment of threats at both the country and organisational levels to assist in risk management and business continuity planning.

The threats are categorised according to internationally recognised business continuity threat classifications: Denial of Access – Natural Disaster, Denial of Access – Man-made Disaster, Unavailability of People, Disruption to the Supply Chain, and Equipment and IT-Related Disruption.

The comprehensive identification of threats in this section forms the foundation for subsequent risk analysis, mitigation planning, and recovery strategy development for SHINE’s operations.

Part 2: RAR - Treatment and Control

Part 2 maps each key threat category to the corresponding existing and proposed controls, demonstrating SHINE’s readiness and ongoing efforts to mitigate operational and strategic risks.

 
Effectiveness of Existing Controls (Part 2 – Treatment and Control)

Existing treatments include policies, SOPs, professional guidelines, governance oversight, IT controls, and contractual arrangements.

    • Controls are generally adequate, particularly in:
        ○ Client safeguarding
        ○ Professional ethics and supervision
        ○ Governance and compliance reporting

    • Opportunities for improvement were identified in:
        ○ Cross-training and role redundancy
        ○ Formalisation of backup arrangements
        ○ Documentation consistency across programmes
        ○ Integration between BCM, IT DR, and operational procedures
 

Part 3: RAR - Risk Impact and Likelihood Assessment

Part 3 builds on the threat identification phase by evaluating each threat in terms of its potential consequences and likelihood of occurrence.

Risk Impact and Likelihood Assessment (Part 3)

Risks with high impact but lower likelihood are mainly associated with:

        ○ Prolonged staff unavailability
        ○ Major IT system outages
        ○ Loss of critical facilities

Risks with moderate impact and higher likelihood are linked to:
        ○ Short-term manpower constraints
        ○ Increased service demand
        ○ Coordination challenges with partners

Residual risks are assessed as acceptable, subject to continued monitoring and planned improvements.

This structured assessment enables the organisation to systematically prioritise risks and allocate resources efficiently for mitigation and response planning.

Using a standardised scoring methodology across seven key impact areas (Finance, Operations, Legal & Regulatory, Reputation & Image, Social Responsibility, People, and Assets/IT Systems/Information), each threat is measured and analysed to determine its overall risk rating and level.

The result is a clear, data-driven foundation for informed decision-making and the strengthening of SHINE’s business continuity and resilience posture.

By recognising specific threats arising from Singapore’s environmental, geopolitical, and operational landscape, SHINE can better anticipate risks, assess their potential impact, and prioritise mitigation resources.

This threat profile will support SHINE in developing appropriate recovery strategies, enhancing risk awareness, and reinforcing preparedness across departments.

The following sections will build on this threat landscape to develop tailored risk treatment measures, control activities, and business continuity strategies to safeguard SHINE’s corporate management responsibilities and ensure service delivery under all circumstances.

 

Continuity of Care: Ensuring SHINE’s Mission Through Effective BCM
eBook 4: Consolidate and Report Your BCM Implementation