Facilitated Risk Analysis for Business and Security
Tom Peltier
The implementation of controls without understanding inherent risks is an ineffective use of scarce organizational resources.
This workshop will provide attendees with the tools necessary to implement an efficient risk analysis process. Facilitated Risk Analysis Process (FRAP) is a formal methodology driven by the owner of the application and/or system and conducted by a facilitator. It is a subjective process that obtains results by asking questions and will help organizations conduct application, network, system or business process risk analysis in a matter of hours. The result of the FRAP is a comprehensive document that has identified threats, established a risk level (priority), and identified controls that can reduce the risk priority to an acceptable level.
Day One
Key Objectives:
- Tie business objectives to security controls
- Conduct a FRAP
- Develop a comprehensive FRAP action plan
- Gain the support of the customer
You Will Leave With:
- A completed set of risk analysis objectives
- A sample action plan
- A thorough understanding of the FRAP process
- Pre-screening techniques
- BIA concepts and methodology
Risk Analysis Basics - Most organizations have tight budgets for security. Senior management must ensure that the enterprise has the capabilities needed to accomplish its mission. To get the best bang for the security buck, management needs a process to determine spending. Risk analysis and risk management are the processes that allow business managers to balance the operational and economic costs of protective measures, and achieve gains in mission capability by protecting the business processes that support the business objectives of the enterprise.
FRAP Benefits - Using a qualitative risk analysis approach and the results from the pre-screening (which will be discussed later), attendees will examine the most popular method of risk analysis in use today. The Facilitated Risk Analysis Process (FRAP) will be reviewed and attendees will conduct their own case study FRAP. Each attendee will examine and critique the process. The instructor will assist the attendees in customizing it for their own organization.
Day Two
Practical Application - Case Study - Under the instructor's guidance, each group will have the opportunity to prepare and conduct a FRAP based on their chosen statement of opportunity and objectives, while the other groups observe the process. At the conclusion, each group will go through a debriefing to review the process, identifying strong points as well as areas that may need additional work.
Pre-Screening Subjects - Not every subject needs a formal risk analysis, but every subject needs to be formally reviewed to determine its needs. By establishing a quick review of the application, system or business process, the organization can determine where to expend its limited resources. Attendees will be shown examples of pre-screening methods and how they are used in different organizations, and will work an exercise to reinforce these concepts.
Business Impact Analysis (BIA) - Using all of the techniques discussed, the attendees will study a facilitated process to review the impact on a customer's business process if the resource supporting it becomes unavailable. The BIA is used by organizations to determine critical resources. Once the critical resources are scored, the organization can then identify appropriate controls to ensure that the business continues to meet its business objectives or mission. The attendees will then break into groups and develop a draft BIA to meet their organization's needs.