eBook CM

[CM] [SIT] [E3] [CRA] [P3] Risk Impact and Likelihood Assessment

Written by Moh Heng Goh | Aug 15, 2025 11:20:04 AM

Introduction

Building upon the identified threats and crisis scenarios outlined in [CRA] Part 1-1: List of Threats, this chapter systematically evaluates each scenario based on its potential impact across multiple organisational dimensions and its likelihood of occurrence.

This structured assessment enables SIT to move beyond qualitative risk identification to a quantitative, prioritised understanding of exposure, aligned with established BCM methodologies.

In the context of a higher learning institution such as SIT—operating within Singapore’s highly digitalised and interconnected environment—the impact of disruptions extends beyond financial loss to include academic continuity, regulatory compliance, student well-being, and institutional reputation.

By analysing impact areas such as Finance, Operations, Legal & Regulatory, Reputation, Social Responsibility, People, and IT/Information assets, this chapter provides a holistic view of organisational vulnerability.

The incorporation of likelihood ratings and risk scoring further supports the identification of high and extreme risks that require immediate attention in subsequent phases, such as strategy development, mitigation planning, and resilience testing.

Below is the [CRA] Part 3: Risk Impact and Likelihood Assessment table for the Singapore Institute of Technology, derived from the earlier [CRA] Part 1-1: List of Threats and aligned with BCM Institute / BCMpedia risk analysis methodology.

 Table Below:  Notes for BCM Institute's Course Participants: This is the template for completing the "[CRA] Part 3: Risk Impact and Likelihood Assessment." 

Table: [CRA] Part 3: Risk Impact and Likelihood Assessment (Categorised by Crisis Types)

 

Crisis Type

Type of Crisis Scenario

Finance

Operations

Legal & Regulatory

Reputation & Image

Social Responsibility

People

Assets / IT / Info

Highest Impact Score

Likelihood

Risk Rating

Risk Level

Expected Period of Disruption

Denial of Access – Natural Disaster

Flood affecting campus (e.g., Punggol Digital District)

4

5

3

4

4

5

4

5

3

15

Medium

Days to Weeks

Denial of Access – Natural Disaster

Pandemic outbreak (e.g., COVID-like)

5

5

5

4

5

5

3

5

4

20

High

Weeks to Months

Denial of Access – Man-made Disaster

Fire in a campus building

4

5

4

4

4

5

5

5

3

15

Medium

Days to Weeks

Denial of Access – Man-made Disaster

Terrorist threat/ bomb scare

4

5

5

5

5

5

3

5

2

10

Low

Hours to Days

Unavailability of People

Mass staff/student absenteeism

4

5

3

3

4

5

2

5

4

20

Medium

Days to Weeks

Unavailability of People

Key personnel loss (critical faculty/IT admin)

3

4

3

3

3

5

3

5

3

15

Low

Days

Supply Chain Disruption

Failure of outsourced IT/ cloud provider

5

5

4

5

4

4

5

5

4

20

High

Hours to Days

Supply Chain Disruption

Disruption to facility management/vendor services

3

4

3

3

3

4

3

4

3

12

Low

Days

Equipment / IT Disruption

Cyberattack (ransomware on student systems)

5

5

5

5

4

4

5

5

4

20

High

Days to Weeks

Equipment / IT Disruption

Network outage/ system downtime (LMS failure)

4

5

3

4

3

4

5

5

4

20

High

Hours to Days

Equipment / IT Disruption

Data breach (student/ staff personal data)

5

4

5

5

4

4

5

5

3

15

Low

Weeks

Equipment / IT Disruption

Failure of critical lab equipment

3

4

2

3

3

3

4

4

3

12

Low

Days

 

Risk Rating Guide

Risk Level bands (example guidance notes based on BCM Institute)

  • Very Low: 1–5
  • Low: 6–9
  • Medium: 10–14
  • High: 15–19
  • Very High: ≥20

How to use this template

  1. Impact Area Ratings: Score each of the seven categories from 1 (Very Low) to 5 (Very High).
  2. Highest Impact: Select the highest score among those seven.
  3. Likelihood: Assign a 1–5 rating based on your organisation's experience/frequency
  4. Assign Risk Level based on the rating’s band.
  5. Expected Disruption: Estimate downtime using organisational intelligence and context

 

Key Observations and Insights

1. Concentration of Extreme (Very High) Risks

 

The following crisis scenarios fall into the Extreme Risk category, requiring priority mitigation and resilience strategies:

  • Pandemic outbreak
  • Mass absenteeism
  • Cyberattack (ransomware)
  • IT/cloud service provider failure
  • Network/LMS outage

These risks share a common dependency on digital infrastructure and people availability, which are critical to SIT’s academic delivery model.

 

2. Technology as a Critical Risk Driver

 

A significant proportion of high-to-extreme risks are linked to:

  • IT systems (LMS, student systems, cloud platforms)
  • Cybersecurity threats
  • Data protection obligations

This reinforces the need for strong Cyber Resilience and ICT Continuity integration within SIT’s Crisis Management framework.

 

3. People-Centric Risk Exposure

 

Scenarios such as:

  • Pandemic
  • Mass absenteeism
  • Key personnel loss

demonstrate that human capital is a single point of failure, particularly in teaching delivery, research continuity, and IT operations.

 

4. Regulatory and Reputation Sensitivity

 

Events like:

  • Data breaches
  • Cyberattacks
  • Terror threats

have high Legal & Regulatory and Reputation impacts, especially within Singapore’s strict regulatory environment (e.g., PDPA compliance).

 

5. Disruption Duration Patterns

 

  • Short-term disruptions (hours–days): IT outages, bomb threats
  • Medium-term (days–weeks): Fire, cyberattacks
  • Long-term (weeks–months): Pandemic

This supports the need for tiered recovery strategies (RTO/RPO alignment).

 

The Risk Impact and Likelihood Assessment provides the Singapore Institute of Technology with a clear, prioritised risk landscape, enabling informed decision-making in crisis management and operational resilience planning.

By quantifying both the severity of potential impacts and the probability of occurrence, SIT is able to differentiate between routine operational risks and critical threats that could significantly disrupt its academic mission and stakeholder obligations.

This prioritisation is essential for allocating resources effectively and ensuring that the most severe and probable risks are addressed with appropriate urgency.

While natural and man-made disasters remain relevant, the most severe threats arise from cyber incidents, system outages, and large-scale workforce disruption, reflecting SIT’s reliance on technology-enabled education and interconnected service delivery.

To strengthen resilience, SIT should prioritise:

  • Integrated IT Disaster Recovery and Cyber Resilience capabilities
  • Workforce continuity planning (e.g., hybrid teaching, cross-training)
  • Third-party risk management for critical vendors
  • Scenario-based testing for high-impact events

The findings from this chapter highlight the increasing importance of technology resilience, people continuity, and third-party dependencies in SIT’s operating model.

As the institution advances into subsequent phases—such as Business Impact Analysis (BIA), Crisis Management Strategy, and Testing & Exercising—this assessment serves as a foundational reference point.

Ultimately, it ensures that SIT’s crisis management framework is risk-informed, data-driven, and aligned with international best practices, strengthening its ability to respond to, recover from, and adapt to disruptions in an increasingly complex risk environment.

 

 

 

eBook 3: Starting Your Crisis Management Implementation
       

More Information About Crisis Management Blended/ Hybrid Learning Courses

To learn more about the course and schedule, click the buttons below for the  CM-300 Crisis Management Implementer [CM-3] and the CM-5000 Crisis Management Expert Implementer [CM-5].

Please feel free to send us a note if you have any questions.
View full post