Using FRAP for Risk Assessment

This week, a number of folks asked me how a quick, in-house risk assessment and analysis might occur. My thoughts immediately jumped to FRAP, and I wanted to share the brief overview I provided to help them understand how they might get started.

What is FRAP?

FRAP stands for “Facilitated Risk Analysis Process.” It is a formal methodology that is designed to be fast and simple. Foundational steps include:

  • A brainstorming session to list threats,
  • The assignment of a simple probability (i.e. High/Medium/Low) to each threat,
  • The assignment of simple impact (i.e. High/Medium/Low) to each threat,
  • The identification of controls for the listed threats, and
  • A management summary.

What is the value of FRAP?

FRAP allows you to conduct a full risk analysis in hours or days by providing a prioritized list of threats and controls. It quickly enables executives to make decisions on project and budget approvals, provides valid reasons for implementing cost-effective controls to limit exposure, and often times surfaces resource and skill needs.

Who participates in a FRAP?

The key to any quick process is a small, tightly controlled group. In addition to a dedicated facilitator and scribe, there should be a small set of subject matter experts (SMEs) (not necessarily leaders) who represent the entire constituency.

How does the FRAP session play out?

The Facilitator is key; they must keep the SMEs on topic and on-time. They must:

  • Recognize all input; encourage participation,
  • Observe non-verbal responses,
  • Listen and involve the team; they cannot lecture,
  • Keep the objective at the forefront, and
  • Stay neutral.

There are many sources of information available on FRAP, so do not be afraid to do some Google-ing. Good luck!

Need assistance with your risk assessment? Learn more about our Strategic Consulting & Advisory services.

Share:
Share on facebook
Share on twitter
Share on linkedin