eBook 2: Chapter 3
Risk Analysis and Review Phase of the BCM Planning Methodology for SIT
Introduction
This chapter addresses the Risk Analysis and Review phase of the Business Continuity Management (BCM) planning methodology as applied to the Singapore Institute of Technology (SIT).
It aligns with the requirements of ISO 22301 for identifying, analysing, mitigating, and continuously reviewing risks that could affect learning continuity, institutional operations and the student/staff experience.
1. Identifying Risks
In this first step, SIT recognises potential threats and hazards that could disrupt its core operations—teaching, learning, research, campus services, student support, and administrative functions.
The risk identification phase is crucial to ensure that the BCM framework covers all relevant risk sources (internal and external) and all critical processes of the institution.
Key aspects of risk identification for SIT
- Scope definition: SIT must clarify which operations are covered under its BCM scope — for example: the new Punggol campus operations, digital learning platforms, student support services, research labs and partner-industry collaborations.
- Threat categories: It is useful to classify risks under broad categories, such as:
  - Natural hazards (e.g., flooding in Singapore, storms, building damage)
  - Infrastructure/utility failures (e.g., power outage, water supply interruption, cooling failure in labs)
  - Information and cyber risks (e.g., cybersecurity breach, data loss, system downtime)
  - Human risks (e.g., pandemic/infectious disease outbreak, staff strike, mass absenteeism)
  - Supply-chain or external partner risk (e.g., partner university collaboration interruption, industrial placement disruption)
  - Campus security/safety risks (e.g., fire, chemical spill in engineering labs, campus intrusion)
  - Regulatory / compliance risk (e.g., changes in higher-education policy, accreditation issues, funding cuts)
- Critical process mapping: SIT must identify which processes are critical to the continuity of learning and operations. For example:
  - Delivery of lectures/tutorials (onsite & online)
  - Student assessment and grading systems
  - Research lab operations and applied research partnerships
  - Campus IT services and LMS (Learning Management Systems)
  - Communications to students and staff (alerts, notifications)
  - Administrative services (admissions, finance, HR)
- Risk identification methods: SIT can use techniques such as interviews with stakeholders (faculty, support staff, IT, facilities), brainstorming workshops, review of past incidents/near-misses, scenario planning, and reference to internal modules (for example, SIT offers modules on risk & decision analysis and on business continuity management).
- Documentation: All identified risks should be logged in a risk register/hazard log, with relevant metadata (risk owner, process affected, initial description).
Examples specific to SIT
- A major power outage at the Punggol campus during peak lecture hours – interrupting teaching, air-conditioning in labs, and network connectivity.
- A cyber-attack on SIT’s Learning Management System, compromising student access to online lectures and assessment platforms.
- A pandemic outbreak leading to the closure of large-scale campuses, forcing a sudden shift to remote teaching without adequate preparation.
- Delay or interruption of industrial placements (part of SIT’s applied learning emphasis) due to partner industry shutdown or external crisis.
- Flooding of critical campus facilities (e.g., the basements of research labs), damaging equipment, causing loss of research data, and interrupting applied research projects.
- Regulatory change affecting funding or degree-granting status, impacting the long-term financial sustainability of programmes.
2. Assessing Risks
Once risks have been identified, SIT must assess them in terms of likelihood (how probable the event is) and impact (what consequences the event would have).
This enables prioritisation and focus on those risks that pose the greatest threat to continuity of operations and learning delivery.
Assessment framework
- Likelihood scale: e.g., Rare / Unlikely / Possible / Likely / Almost Certain
- Impact scale: e.g., Minor / Moderate / Significant / Major / Catastrophic
- Risk scoring: Combine likelihood and impact (for instance, via a 5×5 risk matrix) to yield a risk rating (Low / Medium / High / Extreme).
- Consideration of interdependencies: Some risks may have a cascading effect (e.g., a power outage leads to a network failure, which in turn results in an inability to access online resources).
- Time-to-recover and time-to-impact: How quickly can operations recover, and how long before impact becomes critical for continuity?
- Risk acceptance tolerances: SIT leadership must define which levels of risk are acceptable, which require immediate mitigation, and which are show-stopper risks.
- Stakeholder impact criteria may include student safety, reputational damage, regulatory fines, financial loss, loss of accreditation, interruption of teaching, and research delays, among others.
SIT-specific assessment examples
- Cyber-attack on LMS: Likelihood = Possible (given global higher-ed cyber-threat environment); Impact = Major (students cannot access lectures/assessments, disruption of learning continuity, reputational damage). Risk rating = High.
- Pandemic/campus closure: Likelihood = Possible (lower in Singapore now, but still present); Impact = Catastrophic (mass shift to remote learning, major disruption to applied learning, industry placements). Risk rating = Extreme.
- Power outage on Punggol campus: Likelihood = Unlikely (Singapore utilities are generally reliable, but the likelihood is not zero); Impact = Significant (lab disruption, student inconvenience, possible research delays). Risk rating = Medium-High.
- Industrial placement interruption: Likelihood = Possible (depends on industry sectors); Impact = Major (applied learning component compromised, student experience degraded). Risk rating = High.
- Regulatory/funding change: Likelihood = Unlikely to Possible; Impact = Significant to Major (affects programme viability). Risk rating = Medium to High.
Output of assessment
- A ranked risk register: listing each risk with its likelihood, impact, current risk rating, key affected processes, and risk owner.
- Identification of “top risks” that demand mitigation or monitoring.
- Baseline for mitigation planning and for setting residual risk target levels.
3. Mitigating Risks
With the assessed risks in place, SIT must now implement controls and treatments to reduce risks to an acceptable level (residual risk).
Mitigation supports the objective of safeguarding continuity of learning and operations, in line with ISO 22301’s requirement for risk treatment and continuity strategy.
Mitigation planning structure
- Preventive controls: Actions taken to reduce the likelihood of the risk event.
- Detective controls: Measures to identify when a risk event occurs (early warning, monitoring).
- Corrective / response controls: Plans to reduce the impact or recover from an event (contingency, business continuity procedures).
- Risk owner assignment: Each risk must have a designated owner responsible for implementing controls and monitoring their efficacy.
- Timeline and Resources: Specify when controls will be implemented and the required resources (staff, budget, technologies).
- Residual risk target: Define what an acceptable residual risk level is after mitigation.
SIT-specific mitigation examples
- Cyber-attack on LMS:
  - Preventive: Harden LMS infrastructure, implement multi-factor authentication, regular vulnerability scanning, and staff/student cybersecurity awareness training.
  - Detective: Real-time monitoring of network traffic, intrusion detection systems, and an incident response plan.
  - Corrective: Backup of critical data, alternative teaching mode ready (e.g., use of a cloud-based platform), and a communications plan to inform students and staff.
  - Residual risk target: reduce risk rating from High → Medium.
- Pandemic/campus closure:
  - Preventive: Develop a hybrid teaching model, ensure online-capable infrastructure, training for faculty in remote delivery, stock of key supplies and health monitoring protocols.
  - Detective: Monitoring of public health advisories, partnerships with health authorities, and an early alert system for infectious diseases.
  - Corrective: Business continuity plan to switch to full remote operations, ensure students and staff can access remote systems, adjust assessment methods, and industry placement alternatives.
  - Residual risk target: reduce from Extreme → High.
- Power outage at Punggol campus:
  - Preventive: Ensure UPS and backup generators for critical labs/IT data centres, service contracts with utilities, and maintenance schedules.
  - Detective: Fault-detection sensors, campus facility monitoring dashboard.
  - Corrective: Rapid relocation of affected lectures to other campuses or online, pre-prepared alternate venues, and communication to affected students/staff.
  - Residual risk target: from Medium-High → Medium.
- Industrial placement interruption:
  - Preventive: Diversify industry partners, build contract clauses with backup options, and have virtual placement alternatives or simulation-based applied learning.
  - Detective: Track partner industry risk indicators (business health, regulatory environment), monitor placement pipeline weekly.
  - Corrective: Offer on-campus applied-learning simulations, adjust academic schedule to accommodate delay, and provide counselling to affected students.
  - Residual risk target: from High → Medium.
- Regulatory/funding change:
  - Preventive: Maintain active engagement with regulatory bodies, scenario planning for potential funding cuts, and establish diversified revenue streams (e.g., continuing education, industry research).
  - Detective: Monitor policy-environment changes, early-warning mechanisms, and periodic review of funding assumptions.
  - Corrective: Develop contingency budgets, programme rationalisation plan, communications to stakeholders (students, staff).
  - Residual risk target: from Medium-High → Medium.
Monitoring and Governance
- Ensure that mitigation measures are incorporated into the BCM governance structure (e.g., BCM steering committee, internal audits).
- Document controls, monitor their implementation, and test as needed (e.g., simulation exercises, drills, review of incident response performance).
- Capture lessons learned from any crises or near-miss events, feeding back into the mitigation plan.
4. Continuous Review
Risk is dynamic. For SIT to maintain effective business continuity and fulfil ISO 22301 requirements, the risk profile must be regularly reviewed and updated in response to internal changes (new programmes, campus expansion, technology adoption) and external changes (new threats, regulatory shifts, global health crises).
Key activities under continuous review
- Scheduled reviews: Establish a cadence (e.g., quarterly, semi-annually) to revisit the risk register, assess changes in likelihood/impact, and update mitigation status.
- Trigger-based reviews: Undertake unscheduled reviews when major changes occur — for example, the opening of the Punggol Campus, introduction of a new digital learning platform, major industry disruption, or new regulation.
- Post-incident review/lessons-learned: After any disruption or near-miss, conduct a root-cause analysis, document findings, update the risk register and revise controls accordingly.
- Change management interface: Ensure that major organisational or IT changes (e.g., new research facility, major software rollout) feed into risk identification and assessment.
- Performance metrics: Define key risk indicators (KRIs) and key continuity performance indicators (KPIs) – e.g., the number of cybersecurity incidents, average system downtime, percentage of students impacted by disruption, and time to recovery of teaching operations.
- Reporting to governance: Periodic reporting of risk status, mitigation progress, and emerging risks to senior leadership and relevant committees (e.g., risk management committee or audit committee). Corporate best-practice frameworks cite the need for board oversight.
- Update acceptance criteria: As the institution matures, thresholds for acceptable residual risk may change. Reconfirm with SIT senior leadership the adequate risk appetite and tolerances.
SIT-specific continuous review examples
- With the move to the new SIT Punggol Campus and consolidation of multiple campuses, SIT must review risks associated with campus relocation (transport access, new facilities commissioning, and consolidation of services).
- Following the adoption of new online teaching platforms or hybrid learning models, SIT should reassess cyber-risks, staff/student digital readiness, and dependency on third-party vendors.
- If SIT launches a new degree programme in a novel field (e.g., AI/5G/Robotics), it must review the risks of insufficient industry placement partners, technology obsolescence, and regulatory accreditation risk.
- In light of global developments (e.g., new pandemics, supply chain disruptions, and geopolitical tensions affecting student mobility), SIT must reassess the likelihood of external disruptions to student intake, industry collaborations, and international partnerships.
- After any incident (e.g., a system outage, campus disruption), SIT should document the event, update the risk register (for example, if a medium-risk event proves to have a higher impact than expected), and adjust the mitigation accordingly.
In the Risk Analysis & Review phase of BCM at SIT:
- Identifying Risks ensures that SIT captures the full spectrum of potential threats to teaching, learning, research and campus operations.
- Assessing Risks allows SIT to prioritise and focus on those risks with the greatest likelihood/impact and to understand where resilience is most needed.
- Mitigating Risks translates into targeted controls, preventive/detective/response measures, assigned ownership and clear residual risk targets.
- Continuous Review ensures that SIT’s risk profile remains current, that mitigation is effective, and that emerging risks are captured in a timely fashion — all of which supports compliance with ISO 22301 and the institution’s aim of safeguarding learning continuity.
As SIT continues its applied-learning mission, leverages new digital/physical campuses, engages industry partners and supports its student community, embedding this risk-analysis discipline will reinforce resilience, enhance stakeholder confidence and contribute to uninterrupted delivery of its core mission.









