[BCM] [SCS] [E1] [C9] Assessing Risks and Threats

Chapter 9 What are the Types of Threats for Business Continuity Management and the Types of Crisis Scenarios for Crisis Management to the Family Service Centre?

Business Continuity Management (BCM) under ISO 22301 requires an organisation to identify threats (risks of disruptive incidents) that can affect its ability to deliver its services, assess their likelihood and impact (through risk assessment and business impact analysis), and plan how to respond, recover, and resume operations.

Crisis Management complements BCM by addressing crises when they occur, particularly those that affect reputation, stakeholder trust, and legal or ethical standing, especially for social service organisations.

For Singapore Children’s Society (SCS), which provides child protection, youth and family services, research and advocacy, these threats and crises are not only operational and technical but also ethical, relational, reputational, and regulatory.

Below are typical threat types for BCM and crisis scenario categories for Crisis Management, tailored to SCS’s context.

These are illustrative; SCS should validate and prioritise via its own risk assessment and business impact analysis.

Types of Threats for Business Continuity Management (BCM)

These are threats (or, for BCM, "disasters") that may disrupt or degrade SCS’s ability to perform its critical activities.

Under ISO 22301, threats are events (internal or external) that, if they materialise, will cause disruption and require mitigation, response, and recovery. Some of them may overlap with crisis scenarios (below), but here the focus is on continuity.

Threat Type	Examples Relevant to SCS	Possible Impacts
Natural / Environmental	• Severe weather: heavy rainfall, floods, flash floods, storms. • Heatwaves, haze (transboundary smoke pollution). • Earthquakes (less frequent) or infrastructure damage from environmental causes. • Disease epidemics / pandemics (e.g., COVID-19, influenza, dengue surges).	Physical damage to facilities; inability of staff/clients to travel; temporarily closing centres; increased absenteeism; increased demand for services; health risks to staff & clients.
Utility / Infrastructure Failure	Power outage; water supply disruption; telecommunications or internet outage; transport disruptions (e.g. MRT, bus disruptions, road blockages).	Loss of operations (IT systems, communication); inability to contact or serve clients; delays in service provision; safety risks if sheltering children.
Technological / Cyber Threats	IT system failures; data loss or corruption; cyberattacks/ransomware; loss of critical digital platforms (case management systems, client data); teleconferencing failures.	Breach of confidentiality; legal/regulatory non-compliance (e.g. under PDPA); disruption to casework, service delivery; reputational harm; loss of trust.
Staffing and Human Resource Risks	Loss of key personnel (resignations, illness); mass absenteeism (pandemic or other cause); burnout; insufficient skills or training; labour disputes.	Delays in service delivery; overwork/stress; loss of institutional knowledge; diminished quality of care; inability to fulfil statutory or regulatory obligations.
Supply Chain / Vendor Dependencies	Disruption in supplies needed for programmes (e.g., shelters, food, medical supplies, hygiene); vendors failing to deliver; dependency on external partners (government, funders, service providers).	Program interruptions; inability to support clients; increased costs or delays; reputational issues if services promised cannot be delivered.
Regulatory / Legal / Compliance Risk	Changes in government policy; licensing/accreditation issues; failure to comply with child protection laws; non-compliance with data protection (PDPA); audits failing; funding conditions not met.	Legal liability; loss of funding; regulatory sanctions; reputational damage; loss of public trust.
Reputational / Ethical Threats	Incidents of child abuse (whether at SCS or partner organisations); allegations of misconduct; media or public scandals; failure to safeguard confidentiality; misuse or perceived misuse of donor funds; privacy breach.	Loss of trust by the public, donors, families; investigations, regulatory scrutiny; reduced donations or funding; staff morale issues.
Financial Risks	Sudden drop in funding (government, donations, grants); unanticipated expense; economic downturn; cost inflation (rent, utilities, salaries).	Budget shortfalls; inability to sustain programmes; cutbacks; risk to ongoing commitments; possibly scaling back services.
Health & Safety Threats	Infectious diseases; physical hazards on premises (slips, trips, fires); mental health issues amongst staff or clients; emergencies, such as accidents on premises.	Harm to staff or clients; legal exposures; need to close premises temporarily; loss of capacity; reputational damage.
Security & External Threats	Terrorism, bomb threats (less likely but part of the national framework); vandalism or break-ins; theft of property or information; malicious acts; protests. Also, threats arise from social unrest or civil disturbances.	Damage or loss to premises or assets; service disruptions; safety threats; insurance issues; reputational damage.
Creeping / Incremental Risks	Gradual decline in quality (due to funding constraints, staff turnover, ageing facilities); cyber-security threats evolving; regulatory or policy changes over time; climate change effects.	Long-term erosion of capacity; increasing costs; reduced resilience; possible cumulative vulnerabilities.

Types of Crisis Scenarios for Crisis Management

Crisis Management deals not only with continuity, but also with large-scale or high-impact incidents which threaten the reputation, legal standing, clients’ safety, or the mission of SCS.

Crisis scenarios are more severe/disruptive, often involving media scrutiny, external stakeholders, legal/regulatory action, or moral/ethical dilemmas.

Below are categories of crisis scenarios, drawing from BCM-/CM-related taxonomies (see e.g. types of crisis scenarios from BCM Institute), adapted to SCS.

Crisis Scenario Category	Specific Scenarios for SCS	Stakeholders Affected / Key Risks
Natural / Public Health Crises	• Pandemic/epidemic outbreak (e.g. COVID-19, influenza, dengue) leading to widespread staff or client illness. • Outbreak of disease among children in a residential shelter or programme. • Severe weather event / natural disaster damaging premises, cutting off access.	Staff, clients, families; service interruptions; potential harm to children; health authorities; reputational risk; increased costs; regulatory oversight.
Technological / Cyber Crisis	• Major data breach exposing client records and child protection cases. • Ransomware or malware attack that encrypts core systems. • System outage of case management or client communications platform. • Failure of backup systems during a critical incident.	Legal/regulatory exposure (PDPA, social services regulation); loss of service or delays; stakeholder trust; privacy; financial loss; senior management accountability.
Ethical / Safeguarding Crisis	• Child abuse or neglect occurring under SCS’s watch, or misconduct by partner or staff. • Failure to respond appropriately to signs of abuse (e.g. delayed reporting), leading to harm. • Allegations of misuse of funds or resources. • Breach of ethical norms in research or advocacy work.	Client harm; legal liability; damage to reputation; loss of donor confidence; regulatory sanction; internal morale issues. Notably, the Megan Khung case showed how systemic failures and delayed/missed interventions can become a crisis.
Regulatory / Policy / Funding Crisis	• Sudden withdrawal or reduction of government grants; changes in regulations making ongoing programmes non-compliant; funding conditions not met. • Legal challenges, accreditation issues, licensing problems for service centres/preschools. • Audits reveal non-compliance or mismanagement.	Financial strain; programme cutbacks; need to rework processes; public scrutiny; stakeholders (govt, donors) concerned; loss of trust.
Operational Incident	• Fire, flood, structural damage in premises; building safety issues. • Utility failure (power/water). • Transport disruptions are preventing staff or clients from arriving. • Mass staff absence (illness, industrial action).	Disruption of operations; client service interruptions; safety risks; possible need to relocate; repair costs; insurance issues.
Reputation / Communication Crisis	• Negative media coverage (e.g. for failure in child protection, lack of transparency). • Rumours or misinformation about SCS work or conduct. • Social media scandal or public backlash. • Stakeholders (donors, community) are losing trust due to perceived mismanagement.	Public trust loss; donor withdrawal; regulatory scrutiny; impact on staff morale; difficulty in recruiting or retaining staff; long-term reputational damage.
Security / Malicious Acts	• Vandalism, break-ins, theft of assets or information. • Threats to staff or clients. • Cyber attacks as acts of malevolence. • Terrorism or arson (unlikely but must be considered under national frameworks).	Safety risk; loss or damage to property or data; service disruption; legal/police involvement; reputational implications.
Crisis of Governance / Leadership	• Management misconduct or failure of leadership (e.g. negligence, ethical lapses). • Board-level conflicts, conflict of interest that becomes public. • Failure in internal controls or oversight. • Communications breakdown between senior leadership and staff.	Damage to credibility; disruption to decision-making; possible legal exposure; erosion of staff confidence; risk to organisational mission.
Financial / Economic Crisis	• Major economic downturn forcing donors to cut back or reduce fundraising. • Unexpected expense spikes (inflation, higher rents, utilities). • Financial mismanagement or fraud. • Currency fluctuations affecting imported supplies or funding.	Program cancellations or scaling down; inability to sustain staffing; failure to meet client obligations; donor relations harmed; possibly an insolvency risk.

Alignment with Singapore Government BCM Policy & ISO 22301

To ensure SCS’s business continuity planning and crisis management are robust, the following principles and policy alignments should be observed:

Risk Assessment & Business Impact Analysis (BIA)

Under ISO 22301, SCS must systematically identify threats (as above), assess their likelihood and severity, and perform BIAs to understand which functions are critical, what the acceptable recovery time objectives (RTO) and recovery point objectives (RPO) are, what resources are needed, and what dependencies (e.g. third-party partners, vendor, ICT, utilities) exist.

Governance & Leadership Commitment

Senior leadership and the Board must own the BCM and Crisis Management agendas, allocate resources, set policies, and ensure that crisis and continuity roles are well defined and staffed.

Policy & Procedures

SCS should have policies covering disaster response, crisis communications, safeguarding, data protection, health & safety, and procedures for activating BC/crisis plans.

Preparedness & Prevention (Mitigation)

Mitigate threats before they materialise: e.g., regular maintenance of premises; fire drills; staff training (especially in child protection and data privacy); redundancy (alternate sites, backup systems); supplier and vendor management; preventive health and safety; good governance & ethical culture.

Response & Recovery Planning

Crisis Response Plans (for ethical crises, safeguarding failures, regulatory breaches), Business Continuity Plans (for disruptions to operations), and recovery strategies (temporary relocation, remote work, alternate partners).

Communication & Stakeholder Management

Clear communication plans in crisis: internal (staff, clients), external (donors, government, media, public). Transparency, timely updates, and maintaining trust.

Testing, Maintenance & Review

Regular exercises, tabletop drills, and simulations for plausible crisis scenarios. After action reviews. Updating plans as the environment changes (laws, technology, external risks).

Compliance with National Frameworks & Laws

SCS operates in Singapore: must align with public health frameworks (e.g., the Pandemic Preparedness & Response Framework), the Communicable Diseases Agency, national emergency planning, and respect public policy on safety and coalition response (e.g., SGSecure, civil defence, etc.).

Also, PDPA, child protection laws, regulations from the Ministry of Social and Family Development (MSF) and the Early Childhood Development Agency (ECDA), etc.

Whole-of-Organisation Approach and Awareness

Embedding BCMS and crisis readiness into culture; training across all levels; ensuring that everyone understands their roles, not just crisis/risk teams but frontline staff, social workers, and volunteers.

Suggested Critical Scenarios for SCS’s Crisis Management Plan

Based on combining the threat types & crisis categories with SCS’s mission and operations, here are some critical specific scenarios that SCS should ensure are planned for in its Crisis Management Plan.

These are suggestions; you may choose a subset for deeper planning based on your risk assessment.

Scenario	Triggers / Conditions	Key Challenges
Pandemic among staff or clients	A contagious disease outbreak, staff absences, health authority closures, and government-safe management restrictions.	Continuity of services; health/safety of clients; alternative delivery modes (remote/digital / home-based); communication; ensuring funding and resources; supply of PPE or hygiene materials.
Significant data breach / cyber compromise	Phishing, malware, ransomware; insider threat, poor cybersecurity hygiene; third-party breach.	Restoring systems; maintaining confidentiality; legal obligations; quick communication to affected individuals; media handling; credibility; possibly investigations.
Safeguarding failure or allegation of child abuse	Allegations from client, public, media; failure of reporting; staff or partner misconduct; oversight lapse.	Protecting the child; coordinating with authorities; considering a legal/regulatory response; assessing reputational consequences; managing internal and external communications; supporting staff; reviewing policies.
Loss of key facility or damage (fire, flood, structural damage)	Fire, flooding, leaking ceiling, earthquake, electrical failure, and HVAC failure.	Relocation of affected programmes; continuity of critical services; safety; repair costs; insurance; stakeholder communication.
Regulatory change affecting service delivery	New legislation, changes in licensing, new policies from MSF or ECDA, and changes in funding conditions.	Adapting programmes; liaising with regulators; considering a pause or redesign; potential financial strain; ensuring staff understand and are retrained as needed.
Funding crisis	Donor withdrawal, economic downturn, cost overruns, unexpected expenses, and delays in grant disbursements.	Prioritisation of core programmes; communication with funders; cost control; scenario planning for scaling down; avoiding compromise of service quality.
Reputation/ media crisis/ misinformation	False allegations, adverse media reports, public perception that SCS is at fault, social media misinformation, and disclosure of negative internal findings.	Crisis communications; public & stakeholder engagement; accurate and rapid response; legal/PR guidance; preserving trust.
Staff crisis (mass absenteeism/burnout / industrial action)	Outbreak, stress or mental health issues; sudden resignations; conflict between staff; union risk (if applicable).	Maintaining minimal staffing, reallocating staff, temporary hiring, protecting well-being, and preventing service breakdowns.

Prioritisation & Risk Treatment for SCS

In line with ISO 22301, once threats and scenarios are identified, SCS should prioritise them by combining likelihood and impact (including “severity” in terms of harm to clients, legal/regulatory consequences, cost, and reputational effects).

SCS’s Business Impact Analysis should define what “critical services” are (e.g. shelters, child protection reporting, emergency family support, etc.), their RTO and acceptable downtime.

Then, risk treatment plans should be developed, which include mitigation, reduction, acceptance, transfer (insurance or partnerships), or avoidance.

For the Singapore Children’s Society, because its mission involves some of the most vulnerable in society (children, youth, families), the stakes are high: failures can cause harm, and reputation, trust, and legal standing are essential.

A robust Business Continuity Management System (BCMS) per ISO 22301, together with a well-structured Crisis Management Plan, carefully considered threat inventory, and realistic crisis scenario planning, are essential for SCS to remain resilient.

More Information About Business Continuity Management Courses

To learn more about the course and schedule, click the buttons below for the BCM-300 Business Continuity Management Implementer [B-3] course and the BCM-5000 Business Continuity Management Expert Implementer [B-5].