This week, a number of folks asked me how a quick, in-house risk assessment and analysis might occur. My thoughts immediately jumped to FRAP, and I wanted to share the brief overview I provided to help them understand how they might get started.
What is FRAP?
FRAP stands for “Facilitated Risk Analysis Process.” It is a formal methodology that is designed to be fast and simple. Foundational steps include:
- A brainstorming session to list threats,
- The assignment of a simple probability (i.e., High/Medium/Low) to each threat,
- The assignment of a simple impact (i.e., High/Medium/Low) to each threat,
- The identification of controls for the listed threats, and
- A management summary.
What is the value of FRAP?
FRAP allows you to conduct a full risk analysis in hours or days by providing a prioritized list of threats and controls. It quickly enables executives to make decisions on project and budget approvals, provides valid reasons for implementing cost-effective controls to limit exposure, and oftentimes surfaces resource and skill needs.
Who participates in a FRAP?
The key to any quick process is a small, tightly controlled group. In addition to a dedicated facilitator and scribe, there should be a small set of subject matter experts (SMEs), not necessarily leaders, who represent the entire constituency.
How does the FRAP session play out?
The facilitator is key; they must keep the SMEs on topic and on time. They must:
- Recognize all input; encourage participation,
- Observe non-verbal responses,
- Listen and involve the team; they cannot lecture,
- Keep the objective at the forefront, and
- Stay neutral.
There are many sources of information available on FRAP, so do not be afraid to do some Googling. Good luck!