In enterprise risk assessment within a quantitative risk environment, the concept of uncertainty is associated with the Likelihood (L) of an event happening in the future. Repetitive events observed in nature over a long period of time can sometimes become predictable, but usually not with absolute certainty. Such observations can be associated with mathematical functions that reflect the statistical properties of something likely to occur at a future time.
The risk of an event occurring is connected to two parameters: the Impact (I) caused by an uncertain event and the probability of an event occurring or its Likelihood (L). Given some known probability of a risk event occurring, the higher the impact, the greater the risk. If the impact is zero, the risk will be zero even though the event has a high probability of occurring. The reverse argument is also true. If the probability of a risk event occurring is equal to zero, the risk is zero (this is an environment of pure certainty), regardless of the magnitude of the impact.
In other words, uncertainty is measured in terms of Likelihood of occurrence, and unless there is some financial or non-economic but observable Impact, there is no risk, just uncertainty.
Within the realm of Eletrobrás, the concept of Vulnerability (V) is associated with the risk of an event. Put another way, Vulnerability is associated with an organization’s susceptibility to the consequences of a risk event. Risk is reduced through mitigation, either by decreasing the Likelihood of an event occurring (e.g., rather than leaving the car parked on a deserted street at night, put it in a garage under camera surveillance) or by reducing its Impact (e.g., purchasing auto theft insurance) to protect your capital.
The mitigation of the risk consequences can be scaled according to the predictable value of risk. For example, say we have a specific risk event whose maximum financial impact is valued at $100, with a 10% probability of occurring. Further suppose that there is a minimum or residual value of $5 with 90% probability, which implies an expected value of $14.5 ($100 × 0.10 + $5 × 0.90). Thus, mitigation measures can be designed to try to neutralize this exposure. Clearly, there are two ways to reduce the risk: reduce the Impact or reduce the Likelihood.
Impact reduction means taking preventive measures (e.g., entering into contractual agreements to reduce legal liability), and Likelihood reduction may mean changing organizational processes and behaviors (e.g., changing processes that have a high probability of disaster). Nevertheless, regardless of the steps used to reduce the Likelihood or Impact, if the possibility of the risk event occurring still exists, the risk should be assessed on two levels: the mitigated risk and the residual risk. Mitigation measures are meant to reduce the first level of risk to its residual risk whenever possible.
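The sketch below is an added example, not part of the original text. It models the $100 / 10% / $5 event from above and compares the two mitigation levers (reducing Likelihood and reducing Impact). The class and function names are hypothetical, and the mitigation strength (halving) and the assumption that probability removed from the maximum-impact outcome moves to the $5 outcome are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEvent:
    max_impact: float      # loss if the event occurs (page: $100)
    likelihood: float      # probability of that loss (page: 10%)
    residual_value: float  # minimum loss otherwise (page: $5)

    def __post_init__(self):
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be a probability in [0, 1]")
        if self.residual_value > self.max_impact:
            raise ValueError("residual value cannot exceed the maximum impact")

    def expected_value(self) -> float:
        # Two-outcome expectation: L * I_max + (1 - L) * I_residual
        return (self.likelihood * self.max_impact
                + (1.0 - self.likelihood) * self.residual_value)


def reduce_likelihood(event, factor):
    """Scale the probability of the maximum-impact outcome by `factor`."""
    return replace(event, likelihood=event.likelihood * factor)


def reduce_impact(event, factor):
    """Scale the maximum impact by `factor`, never below the residual value."""
    new_max = max(event.max_impact * factor, event.residual_value)
    return replace(event, max_impact=new_max)


def compare_mitigations(event, factor):
    """Expected value before mitigation and after each lever is applied."""
    return {
        "unmitigated": event.expected_value(),
        "likelihood_reduced": reduce_likelihood(event, factor).expected_value(),
        "impact_reduced": reduce_impact(event, factor).expected_value(),
        "floor": event.residual_value,
    }


# Figures taken from the worked example in the text.
BASELINE = RiskEvent(max_impact=100.0, likelihood=0.10, residual_value=5.0)

if __name__ == "__main__":
    # The 0.5 factor (halving) is a constructed mitigation strength.
    for name, value in compare_mitigations(BASELINE, 0.5).items():
        print(f"{name:>20}: ${value:.2f}")
```

Under this model, neither lever can push the expected value below the $5 residual value, which is the floor mitigation converges toward.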