In this chapter, we assess the risks identified in Part 1: List of Threats / Crisis Scenarios using the BCM Institute’s RAR (Risk Analysis & Review) framework. The goal is to evaluate both the impact and the likelihood of each threat or crisis scenario, so that OCBC Bank can prioritize its risk treatment efforts.
Following BCMpedia’s Part 3: Risk Impact and Likelihood Assessment methodology, we classify impact across seven areas (finance; operations; legal & regulatory; reputation & image; social responsibility; people; assets/IT/information) and assign numeric scores.
We also assess the probability (likelihood) of each crisis occurring, compute a risk rating, and derive a risk level. Finally, we estimate the expected period of disruption, considering existing controls.
This structured assessment helps OCBC’s BCM (Business Continuity Management) and Crisis Management teams to:
Here is a sample table using representative crisis types from BCMpedia + hypothetical assessment for OCBC Bank. (You should adjust scores, likelihood, and disruption durations based on OCBC’s internal risk analysis.)
|
Crisis Type |
Type of Crisis Scenario |
Impact – Finance (1–5) |
Impact – Operations (1–5) |
Impact – Legal & Regulatory (1–5) |
Impact – Reputation & Image (1–5) |
Impact – Social Responsibility (1–5) |
Impact – People (1–5) |
Impact – Assets/IT/Information (1–5) |
Risk Impact Area (Highest Numeric Score) |
Risk Likelihood (1–5) |
Risk Rating (Impact × Likelihood) |
Risk Level (Very Low / Low / Medium / High / Very High) |
Expected Period of Disruption (hours/days) |
|
Natural |
Flood |
3 |
3 |
1 |
2 |
1 |
1 |
2 |
3 |
2 |
6 |
Medium |
1–2 days |
|
Natural |
Tropical Storm / Typhoon |
4 |
4 |
1 |
3 |
2 |
2 |
3 |
4 |
2 |
8 |
High |
2–3 days |
|
Technological |
Equipment Failure (e.g., data centre UPS failure) |
4 |
4 |
2 |
3 |
1 |
2 |
5 |
5 |
3 |
15 |
Very High |
1 day |
|
Technological |
IT Failure / Cyberattack |
5 |
4 |
3 |
5 |
1 |
3 |
5 |
4 |
4 |
20 |
Very High |
1–2 days |
|
Confrontation |
Internal strike or boycott |
3 |
4 |
2 |
4 |
1 |
3 |
1 |
4 |
1 |
4 |
Low |
12–24 hours |
|
Malevolence |
Kidnapping of a key executive |
2 |
2 |
3 |
4 |
2 |
5 |
1 |
5 |
1 |
5 |
Low |
days (depending) |
|
Organizational Misconduct |
Management deception/misconduct |
4 |
3 |
4 |
5 |
3 |
2 |
1 |
5 |
1 |
5 |
Low |
days to weeks |
|
Rumours |
Fake news / false rumors harming the brand |
2 |
1 |
1 |
5 |
2 |
1 |
1 |
5 |
3 |
15 |
High |
hours to 1 day |
|
Lack of Funds |
Liquidity crisis/insolvency concern |
5 |
3 |
4 |
5 |
2 |
2 |
1 |
5 |
1 |
5 |
Low |
days to weeks |
In summary, this risk impact and likelihood assessment (Part 3) provides a structured, quantitative way to prioritize crisis scenarios for OCBC Bank.
By mapping each identified threat to its probable impact across multiple domains and combining that with the likelihood of occurrence, OCBC can clearly see which risks demand urgent mitigation, which require monitoring, and which are acceptable given current controls.
Moving forward, OCBC should use the outputs of this analysis to:
Leading Through Crisis: Implementing Crisis Management at OCBC Bank |
|||
| eBook 3: Starting Your CM Implementation | |||
|
[RAR] [T1-1] |
[RAR] [T1-2] |
[RAR] [T1-2] [Technology] |
[RAR] [T2] |
|
[RAR] [T3] |
[CMS] [T1] |
[CMS] [T2] |
[PD] [CS] [1] |
To learn more about the course and schedule, click the buttons below for the CM-300 Crisis Management Implementer [CM-3] and the CM-5000 Crisis Management Expert Implementer [CM-5].
|
Please feel free to send us a note if you have any questions. |
||