This case study was written by Dr. Nelson Albuquerque and Dr. Johnathan Mun, with the cooperation of Eletrobrás Furnas SA, which allowed us access to this enterprise risk management project and its officers, Welington Cristiano Lima and José Roberto Teixeira Nunes. We would like to also acknowledge the thorough review conducted by Professor Pedro Bello, also of Eletrobrás. It is intended to describe the methodology applied in automating Enterprise Risk Management (ERM) for Eletrobrás Furnas, the largest utility company in Brazil. The ERM approach uses Real Options Valuation, Inc. (ROV) PEAT software’s ERM module, and adapts the Risk Matrix model currently used by the Eletrobrás group to the concept of expected value of risk, pushing the envelope from qualitative risk assessment to more quantitative risk management.
The PEAT ERM module was built around the concept of Expected Risk, which relies on the quantification of risks. This enables plans for risk mitigation, statistical evaluation, strategic real options, and analysis of alternatives, as well as the optimization of portfolios of multiple projects.
To get started, ERM requires a two-dimensional input: the Likelihood (L) or Frequency of a risk event occurring, and the Impact (I) or Severity of the risk in terms of its financial, economic, and non-economic effects. These L and I concepts are industry standard and are used even in regulatory environments such as the Basel III and Basel IV Accords (initiated by the Bank for International Settlements in Switzerland and accepted by most Central Banks around the world as regulatory reporting standards for operational risks).
However, Eletrobrás is a utility company and is not subject to stringent banking and financial regulations; therefore, in place of the probability scale of Likelihood or Frequency, Eletrobrás uses the concept of Vulnerability (V). Consequently, the typical ERM risk matrix is modified slightly as shown in Figure 4.1.
Figure 4.1: Modified Eletrobrás Risk Matrix
Using Likelihood or Vulnerability produces similar results, and the choice of which to use is entirely up to the organization. However, we do observe several advantages to using the concept of Vulnerability. In particular, it facilitates the existing audit activity at Eletrobrás, because the company's degree-of-vulnerability metric has already been associated with the evaluation of easily auditable controls and has been in use for several years.
This case study explores how the PEAT ERM module was customized and applied at Eletrobrás, allowing its managers to not only document the major risk factors but to also push the envelope of risk analytics and perform sensitivity analysis, Monte Carlo risk simulation, and quantitative analytics, as well as to assess the dynamics of its business risks, risk controls, and overall enterprise risk management.
For the sole purpose of this case study, we will adapt and use the concept of Vulnerability associated with items related to internal control standards and guidelines already established in Brazil and internationally (e.g., ISO-31000, COSO, COBIT, and SOX or the Sarbanes–Oxley Act). The purpose of this customization is to make it possible to qualify and quantify the degree of implementation in each of the Risk Elements (RE) attached to specific company-wide programs at Eletrobrás.