Using FRAP for risk assessment

This week, a number of folks asked me how a quick, in-house risk assessment and analysis might occur. My thoughts immediately jumped to FRAP for risk assessment, and I wanted to share the brief overview I provided to help them understand how they might get started.

What is a FRAP Risk Assessment?

FRAP stands for “Facilitated Risk Analysis Process.” It is a formal methodology that is designed to be fast and simple. Foundational steps include:

• A brainstorming session to list threats,
• The assignment of a simple probability (i.e. High/Medium/Low) to each threat,
• The assignment of simple impact (i.e. High/Medium/Low) to each threat,
• The identification of controls for the listed threats, and
• A management summary.

What is the Value of FRAP?

FRAP allows you to conduct a full risk analysis in hours or days by providing a prioritized list of threats and controls. It quickly enables executives to make decisions on project and budget approvals, provides valid reasons for implementing cost-effective controls to limit exposure, and often times surfaces resource and skill needs.

Who Participates in a FRAP Risk Assessment?

The key to any quick process is a small, tightly controlled group. In addition to a dedicated facilitator and scribe, there should be a small set of subject matter experts (SMEs) (not necessarily leaders) who represent the entire constituency.

How Does the FRAP Session Play Out?

The Facilitator is key; they must keep the SMEs on topic and on-time. They must:

• Recognize all input; encourage participation,
• Observe non-verbal responses,
• Listen and involve the team; they cannot lecture,
• Keep the objective at the forefront, and
• Stay neutral.

There are many sources of information available on FRAP, so do not be afraid to do some Google-ing. Alternatively, reach out to our team of experts today to get started on your FRAP journey. We’ll guide you through the entire process, from implementation to maintenance.