1 PURPOSE
- To determine adverse threats affecting organisational assets and provide a risk treatment strategy for them.
- To identify external and internal threats to the organisational assets.
- To identify existing and potential disaster-mitigating systems/procedures.
2 SCOPE
- This procedure applies to the Organization BCM Coordinator and the Business Unit BCM Coordinators.
3 RESPONSIBILITY
- The Organization BCM Coordinator is responsible for determining how much the potential threats can affect the organisation and for providing a risk treatment.
- The BCM Steering Committee is responsible for reviewing findings and recommendations of risk analysis efforts. For each identified risk, the committee shall deliberate and select appropriate cost-effective risk treatment(s).
4 PROCEDURE (FOR RISK IDENTIFICATION)
Note: The risk identification procedure is made in accordance with ISO 31000.
4.1 List of Threats
Each business unit should identify the risks it faces from the List of Threats applicable to the organisation, especially those in the following categories: policies, processes, people and infrastructure. The impact of these risks on each of the primary and support activities of the organisation should then be deliberated upon and determined. The threats identified are:
- Flood
- Pandemic Outbreak
- Theft (Physical, Data)
- Absence of Key Staff
- Loss of Key Personnel
- Loss of Key Suppliers
- Regulatory or Legal Violation (WSH/MOM)
- Fire (Building)
- Workplace Injury
- Power Failure (Building)
- Equipment Failure
- Facilities Failure (air-con, HVAC, UPS, generator)
- Water Leakage (data centre, toilet, chilled water)
- Human Error (IT & non-IT)
- Physical Security Breaches
- Telecommunications Failure
- IT Failure (hardware, software, data, the web)
4.2 Risk Treatment
- It is important to identify the risk, as different risks have different impacts on people/process/infrastructure and therefore call for different methods of Risk Treatment.
4.3 Risk Likelihood of the event
- The likelihood of the event shows how serious the risk is for a given location/area/country.
4.4 Risk Impact on people/ process/ infrastructure (APPENDIX I)
- The impact of a risk on people/process/infrastructure is significant, as it determines whether the business can still carry out the process.
4.5 Estimated disruption period
- By estimating the disruption period, one can identify how long the organisation has to react to the outcome.
4.6 Scaling
- Scaling is used to identify the danger level of a risk to the organisation.
4.7 Risk Rating
- The Risk Rating is the product of the assigned value for Risk Likelihood and the assigned value for Risk Impact.
5 PROCEDURE (FOR RISK APPETITE)
5.1 Risk Appetite
- The Risk Appetite is the willingness of an organisation to accept a defined level of risk to conduct its business cost-effectively.
- The Risk Appetite for BCM Institute is defined by the description and financial values found at Impact Rating scale “3”, with impact descriptor “Medium”.
- The risks deemed not acceptable are as follows:
  - Financial:
    - For example, the loss of more than SGD 100,000.
  - Processes (Business Operations):
    - For example, the inability to resume the scheduled course within one working day or 3 calendar days, or the inability to provide for a candidate to undertake his or her online examination within 24 hours (as he or she is not a resident of Singapore).
  - Legal and Regulatory:
    - For example, being investigated by IDA for CITREP funding process inadequacy; being investigated by WDA for WSQ process funding inadequacy; and being sanctioned by MOM for inadequate workplace safety enforcement and manpower violation.
  - Reputation and Image:
    - For example, being highlighted on Channel News Asia or in a local newspaper for acts of misappropriation.
  - People:
    - For example, an injury on duty resulting in hospitalisation.
  - Assets/ ICT Systems/ Information:
    - For example, the website not being available for more than one working day; vTiger CRM not being available for more than three working days; and the online examination not being available on the day of the scheduled examination (should there be a foreigner attending the course).
6 DEFINITIONS
- Risk Likelihood
- Risk Impact
- Risk Rating
- Organization BCM Coordinator
- Business Unit BCM Coordinator
- Risk
- Risk Treatment
7 RELATED DOCUMENTS
- Explanatory Notes for Part 1 Threats and Impact
- Explanatory Notes for Part 2 Risks and Controls
- Explanatory Notes for Part 3 Disruption Due to Threats
- Guidance Notes
8 RECORDS
- Record of Risk Analysis and Review
9 APPENDICES
- Descriptor: List of Threats
- Descriptor: Impact Rating
- Descriptor: Risk Treatment
- Descriptor: Risk Likelihood
- Descriptor: Risk Ratings and Levels