{"id":1012,"date":"2015-03-04T05:16:52","date_gmt":"2015-03-04T05:16:52","guid":{"rendered":"http:\/\/rovdownloads.com\/blog\/?p=1012"},"modified":"2015-03-12T09:57:29","modified_gmt":"2015-03-12T09:57:29","slug":"dynamic-evaluation-of-enterprise-risk-management-at-eletrobras-furnas-in-brazil1","status":"publish","type":"post","link":"https:\/\/rovdownloads.com\/blog\/dynamic-evaluation-of-enterprise-risk-management-at-eletrobras-furnas-in-brazil1\/","title":{"rendered":"Dynamic Evaluation of Enterprise Risk Management at Eletrobras Furnas in Brazil1<\/sup>"},"content":{"rendered":"

This white paper is intended to describe the methodology applied in automating Enterprise Risk Management (ERM) for Eletrobras Furnas, the largest utility company in Brazil. The ERM approach uses Real Options Valuation, Inc. (ROV) PEAT software\u2019s ERM module, and adapts the Risk Matrix model currently used by the Eletrobras group to the concept of expected value of risk, pushing the envelope from qualitative risk assessment to more quantitative risk management.<\/p>\n

Introduction<\/strong><\/p>\n

The PEAT ERM module was built according to the concept of Expected Risk, which uses the concept\u00a0of quantification of risks, enabling plans for risk mitigation, statistical evaluation, strategic real\u00a0options, and analysis of alternatives, as well as optimizing the portfolios of multiple projects. PEAT\u00a0has over 20 U.S. and international patents and patents pending protection on its sophisticated\u00a0analytics and approach to Integrated Risk Management methodologies. See the PEAT ERM\u00a0Whitepaper for more technical details on the software applications and functionalities.<\/p>\n

To get started, ERM requires a two\u2010dimensional input of Likelihood (L) or Frequency of a risk event\u00a0occurring and Impact (I) or the Severity in terms of financial, economic, and noneconomic effects of\u00a0the risk. \u00a0These L and I concepts are industry standard and used even in regulatory environments\u00a0such as the Basel II and Basel III Accords (initiated by the Bank of International Settlements in\u00a0Switzerland and accepted by most Central Banks around the world as regulatory reporting standards\u00a0for operational risks).<\/p>\n

However , Eletrobras is a utility company and is not subject to stringent banking and \u00a0financial\u00a0regulations; \u00a0therefore, in place of the probability scale of Likelihood or Frequency, Eletrobras uses\u00a0the concept of Vulnerability (V). Consequently, the typical ERM risk matrix is modified slightly as\u00a0shown in Figure1.<\/p>\n

\"Figure<\/p>\n

Using Likelihood or Vulnerability is similar and the choice of which to use is entirely up to the\u00a0organization. However, we do observe several advantages of using the concept of Vulnerability,\u00a0especially as it facilitates the existing audit activity in Eletrobras because the degree of vulnerability\u00a0metric within the company has already been associated with the evaluation of easily auditable\u00a0controls and has been in use for several years.<\/p>\n

This whitepaper explores how the PEAT ERM module was customized and applied at Eletrobras,\u00a0allowing its managers to not only document the major risk factors but to also push the envelope of\u00a0risk analytics and perform sensitivity analysis, Monte Carlo risk simulation, and quantitative\u00a0analytics and to assess the dynamics of its business risks, risk controls, and overall enterprise risk\u00a0management.\u00a0For the sole purpose of this whitepaper, we will adapt and use the concept of Vulnerability associated\u00a0with items related to internal control standards and guidelines already established in Brazil and\u00a0internationally (e.g., ISO\u201031000, COSO, COBIT, and SOX or Sarbanes\u2010Oxley Act). The purpose of this\u00a0customization is to make it possible to qualify and quantify the degree of implementation in each of\u00a0the Risk Elements (RE) attached to specific Eletrobras\u2019 companywide programs.<\/p>\n

Uncertainty, Risk, and Vulnerability<\/strong><\/p>\n

In enterprise risk assessment of the quantitative risk environment, the concept of uncertainty is\u00a0associated with the Likelihood (L) of an event happening in the future. The uncertainties of repetitive\u00a0events observed in nature over a long period of time can sometimes become predictable but usually\u00a0not with absolute certainty. Such observances can be associated with mathematical functions that\u00a0reflect the statistical properties of something likely to occur at a future time.<\/p>\n

The risk of an event occurring is connected to two parameters: the Impact (I) caused by an uncertain\u00a0event and the probability of an event occurring or its Likelihood (L). Given some known probability\u00a0of a risk event occurring, the higher the impact, the greater the risk. If the impact is zero, the risk will\u00a0be zero even though the event has a high probability of occurring. The reverse argument is also true.\u00a0If the probability of a risk event occurring is equal to zero, the risk is zero (this is an environment of\u00a0pure certainty), regardless of the magnitude of the impact.<\/p>\n

In other words, uncertainty is measured in terms of Likelihood of occurrence, and unless there is\u00a0some financial or noneconomic but observable Impact, there is no risk, just uncertainty.<\/p>\n

Within the realm of Eletrobras, the concept of Vulnerability (V) is associated with the risk of an event.\u00a0Put another way, Vulnerability is associated with an organization\u2019s susceptibility to the\u00a0consequences of a risk event. Risk is reduced through the mitigation of risk, either by decreasing the\u00a0Likelihood of an event occurring (e.g., rather than leaving the car parked on a deserted street at night,\u00a0put it in a garage under camera surveillance) or by reducing its Impact (e.g., purchasing auto theft\u00a0insurance) to protect your capital.<\/p>\n

The mitigation of the risk consequences can be scaled according to the predictable value of risk. For\u00a0example, say we have a specific risk event where its maximum financial impact is valued at $100,\u00a0with a 10% probability of occurring. Further suppose that there is a minimum or residual value of\u00a0$5 with 90% probability, which implies that there is an expected value of $14.5. Thus, mitigation\u00a0measures can be designed to try to neutralize this exposure. Clearly, there are two ways to reduce\u00a0the risk: reduce the Impact or reduce the Likelihood.<\/p>\n

Impact reduction means taking preventive measures (e.g., entering into contractual agreements to\u00a0reduce legal liability), and Likelihood reduction may mean changing organizational processes and\u00a0behaviors (e.g., changing processes that have a high probability of disaster). Nevertheless, regardless\u00a0of the steps used to reduce the Likelihood or Impact, if the possibility still exists of the risk event\u00a0occurring, the risk should be assessed on two levels: the mitigated risk and the residual risk.\u00a0Mitigation measures are meant to reduce the first level of risk to its residual risk whenever possible.<\/p>\n

Proposed Mechanism for Dynamic Risk Indicators<\/strong><\/p>\n

Institutional rules or guidelines that address business risk with only a qualitative view do not\u00a0indicate a method to evaluate this exposure quantitatively. In the traditional qualitative analysis, the\u00a0measure of the riskiness of a company is a snapshot at a point in time. Mitigation measures are\u00a0evaluated later, often from audits to verify the degree of compliance on previous snapshots. The\u00a0effort to implement these mitigation measures is typically not dynamically evaluated, nor are its\u00a0results compared to what was expected within the range of risks vis\u2010\u00e0\u2010vis the cost of mitigation.<\/p>\n

The PEAT ERM module intends not only to document the state of vulnerability of a company to the\u00a0events that may lead to risk losses, whether economic or noneconomic, but also to quantify and\u00a0measure the uncertainties of the risks and their mitigation costs. \u00a0All of this is done dynamically,\u00a0whereby the company may periodically make adjustments to achieve its targeted goals for reducing\u00a0exposure, and pushes the envelope from qualitative assessment to quantitative risk analysis.<\/p>\n

PEAT ERM allows dynamic assessments and measures the degree of vulnerability of the company\u00a0over time using the \u201c% Mitigation Completed\u201d parameter for each risk control and their respective\u00a0weights in the Risk Register window (see Figure 5), which assumes the function of the measurement\u00a0parameter of Vulnerability as applied within Eletrobras. This percentage parameter is interpreted\u00a0as \u201c% Mitigation Completed = 100% \u2212 % Vulnerability\u201d indicating a reduction in risk exposure due\u00a0to the company having implemented measures to reduce its exposure to the risks identified.<\/p>\n

This parameter ranges from 0% Complete (i.e., 100% Vulnerable), indicating that the company is\u00a0exposed to the Total Risk Value, up to 100%; whereas a 100% Complete indicates a 0% Vulnerability\u00a0measure, where the risk is reduced to an exposure at its minimum level, also known as the Residual\u00a0Value Risk.<\/p>\n

Accounting for Corporate Risk<\/strong><\/p>\n

The set of Key Risk Indicators (KRI) provides an overview of financial risk to which the company is\u00a0subject. Figure 2 shows an example of the residual risk exposure in PEAT ERM. In the following\u00a0example, we present the risk exposure of the Finance Department due to the Risk Element of Cost\u00a0Overrun. In the example, the Gross Value of Risk is $1,000,000 and its Residual Value is $500,000.\u00a0The Corporate Risk, composed of all the risk factors of the company, is $1,480,000.<\/p>\n

\"Figure<\/p>\n

 <\/p>\n

In this example, KRI Overrun is measured as (L = 4) * (I or V = 4) = (KRI = 16) and can be shown in\u00a0the Risk Matrix. In this case, it is classified as a Moderate Risk, and a reduction factor of 50% will\u00a0reduce the risk exposure to $750,000 or a KRI of 12.<\/p>\n

The model of dynamic measurement of exposure to corporate risk has the graphical representation\u00a0as shown in Figure 3.<\/p>\n

In this case, the company can assess its risk exposure dynamically by implementing the mitigation\u00a0of Risk Factors, which may be marked by international standards and controls (e.g., SOX, COBIT).\u00a0Thus, the Vulnerability used by Eletrobras is associated with compliance with the controls.\u00a0Dynamically this can be represented by Figure 4.<\/p>\n

\"Figure<\/p>\n

\"Figure<\/p>\n

By means of the audit, be it external or internal, the company can show the evolution of the measures taken to mitigate the risk and reduce the financial exposure of the company.<\/p>\n

Dynamic Assessment of Vulnerability: An Illustration<\/strong><\/p>\n

The Vulnerability Factor (VF) is associated with a set of controls (Cri,j), based on international\u00a0standards or internal rules that must be fulfilled to reduce the Risk Element REj to a level of residual\u00a0risk. Each control (Cri,j) by REj selected should be associated with a weight (wi,j) equal to one, two, or\u00a0four, depending on the degree of importance attached to it. The use of weights allows us to\u00a0distinguish between controls that are more difficult to be implemented or which would have a much\u00a0greater impact on risk mitigation. Our suggestion is to rank the controls by the degree of impact:\u00a0minor impact should be classified as having a weight identical to unity; the average impact of a\u00a0weight equal to 2 (two); and, finally, if any, high impact with weight 4 (four), providing a sense of\u00a0geometric growth.<\/p>\n

After an audit, controls may have different degrees of conformity (GCi,j), namely implemented (0%),\u00a0partially implemented (50%), and nondeployed (100%). The REj audited Vulnerability Factor (VFi,j)\u00a0is calculated using the following formula:<\/p>\n

\"Formula\"<\/p>\n

Case Illustration<\/strong><\/p>\n

Figure 5 illustrates a manual computation of several sample Risk Elements, their respective Risk\u00a0Controls, Weights, Vulnerability %, and the computed Vulnerability Factor (%VF) and Degree of Mitigation (%DM). It also shows a screen shot of the PEAT ERM Risk Register tab showing how these\u00a0assumptions can be entered and the subsequent simple steps to set up the ERM Risk Register.<\/p>\n

\"ERM<\/p>\n

\"FIGURE<\/p>\n

Explanation Details<\/strong><\/p>\n