Author: Frigo, Mark L
Date published: February 1, 2012
In this article we describe strategic risk management at the LEGO Group, which is based on an initiative started in late 2006 and led by Hans Læ ssøe, senior director of strategic risk management at LEGO System A/S. It's also part of the continuing work of the Strategic Risk Management Lab at DePaul University, which is identifying and developing leading practices in integrating risk management with strategy development and strategy execution.
The LEGO Group Strategy
To understand strategic risk management at the LEGO Group, you need to understand the company's strategy. This is consistent with the first step in developing strategic risk management in an organization: to understand the business strategy and the related risks as described in the Strategic Risk Assessment process (see Mark L. Frigo and Richard J. Anderson, "Strategic Risk Assessment," Strategic Finance, December 2009).
The LEGO Group's mission is "Inspire and develop the builders of tomorrow." Its vision is "Inventing the future of play." To help accomplish them, the company uses a growth strategy and an innovation strategy.
Growth Strategy: The LEGO Group has chosen a strategy that's based on a number of growth drivers. One is to increase the market share in the United States.Many Americans may think they buy a lot of LEGO products, but they buy only about a third of what Germans buy, for example. Thus there are potential growth opportunities in the U.S. market.
The LEGO Group also wants to increase market share in Eastern Europe, where the toy market is growing very rapidly. In addition, it wants to invest in emerging markets, but cautiously. The toy industry isn't the first one to move in new, emerging markets, so the LEGO Group will invest at appropriate levels and be ready for when those markets do move. It will also expand direct-to-consumer activities (sales through LEGO-owned retail stores), online sales, and online activities (such as online games for children).
Innovation Strategy: On the product side, the LEGO Group focuses on creating innovative new products from concepts developed under the title "Obviously LEGO, never seen before." The company plans to come up with such concepts every two to three years. The latest example is LEGO Games System, which is family board games (a new way of playing with LEGO bricks) with a LEGO attitude of changeability (obviously LEGO). The company also intends to expand LEGO Education, its division that works with schools and kindergartens. And it will develop its digital business as the difference between the physical world and the digital world becomes more and more blurred and less and less relevant for children.
Now let's look at the development of LEGO strategic risk management.
LEGO Strategic Risk Management The LEGO Group developed risk management in four steps, as shown in Figure 1:
Step 1. Enterprise Risk Management was traditional ERM in which financial, operational, hazard, and other risks were later supplemented by explicit handling of strategic risks.
Step 2. Monte Carlo Simulations were added to understand the financial performance volatility (which proved to be significant) and the drivers behind it to integrate risk management into the budgeting and reporting processes.
Those two steps were seen mostly as "damage control." To get ahead of the decision process and have risk awareness impact future decisions as well, LEGO risk management added:
Step 3. Active Risk and Opportunity Planning (AROP), where business projects go through a systematic risk and opportunity process as part of preparing the business case before final decisions about the projects have been made.
Step 4. Preparing for Uncertainty, where management tries to ensure that long-term strategies are relevant for and resilient to future changes that may very well differ from those planned for. Scenarios help them envision a set of different yet plausible futures to test the strategy for resilience and relevance.
These last two steps were designed to move "upstream"-or getting involved earlier in strategy development and the strategic planning and implementation process.
Strategic Risk Management Lab Commentary: This four-step approach is a good illustration of how organizations can develop their risk management capabilities and processes in incremental steps. It represents an example of how to evolve beyond traditional ERM and integrate risk management into the strategic decision making of an organization. This approach positions risk management as a value-creating element of the strategic decision-making process and the strategy-execution process.
In our research on high-performance companies, we've found that companies like the LEGO Group achieve sustainable high performance and create stakeholder value by consistently executing the strategic activities in the Return Driven Strategy framework (for example, the focus on innovating its offerings toward changing customer needs) while co-creating value through its engagement platforms (the online community, including its My LEGO Network, which engages more than 400 million people and helps its product development process). Its strategic risk management processes incorporate distinct elements of co-creation by engaging its employees (internal stakeholders) throughout the strategic decisionmaking, planning, and execution processes, as well as engaging external stakeholders (suppliers, partners, customers). The LEGO Group's approach is a good example of how an organization can engage stakeholders in cocreating strategic risk-return management (see Mark L. Frigo and Venkat Ramaswamy, "Co-Creating Strategic Risk-Return Management," Strategic Finance,May 2009, and Venkat Ramaswamy and Francis Gouillart, The Power of Co-Creation, 2010).
Step 1: Enterprise Risk Management
The evolution of ERM toward strategic risk management is represented in Figure 2. Strategic risk was missing from the ERM portfolio until 2006.
To fix this, based on his then 25 years of LEGO experience and a request from the CFO, Hans Læ ssøe started looking at strategic risk management. "I was a corporate strategic controller who had never heard the term until then," he says. The company had embedded risk management in its processes. Operational risk-minor disruptions-was handled by planning and production. Employee health and safety was ISO 18001 certified. Hazards were managed through explicit insurance programs in close collaboration with the company's partners (insurance companies and brokers). IT security risk was a defined functional area. Financial risk covered currencies and energy hedging. And legal was actively pursuing trademark violations as well as document and contract management. But strategic risks weren't handled explicitly or systematically, so the CFO charged Hans with ensuring they would be from then on. This became a full-time position in 2007, and Hans added one employee in 2009 and another in 2011.
Strategic Risk Management Lab Commentary: The 2006 situation is common. Even though strategic risks need to be integrated with risk management, many organizations don't explicitly assess and manage strategic risks within strategic decision-making processes and strategy execution. But the LEGO Group's approach shows how strategic risk management can be a key to increasing the value of ERM within an organization. It also shows how executive leadership from the CFO played an important role in the evolution of ERM as a valuable management process. Finally, Hans came from the business side and had the attributes necessary to lead the initiative: broad knowledge of the business and its core strategies, strong relationships with directors and executive management, strong communication and facilitation skills, knowledge of the organization's risks, and broad acceptance and credibility across the organization. (For more, see Mark L. Frigo and Richard J. Anderson, "Embracing ERM: Practical Approaches for Getting Started," published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) at www.coso.org/guidance.htm, 2011, p. 4.)
Also, the risk-owner concept at LEGO provides a good example of the importance of understanding who owns the risks as well as defining the role of risk management in the organization. The idea of "risk owners" was important to ensure action and accountability. Hans's charge was to develop strategic risk management and make sure the LEGO Group had processes and capabilities in place to do this. But as senior director of strategic risk management, Hans doesn't own the risk. He can't own the risk because this essentially would mean he would own the strategy, and each line of business owns the pertinent strategic risks. Hans trains, leads, and supports line management to apply a systematic process to deal with risk. This is just like budgeting functions: They don't earn the money or spend the money, but they support management to deliver on the budget or compare performance against the budget.
Step 2: Monte Carlo Simulation
In 2008, Hans introduced Monte Carlo simulation to the process. A mathematician by education (M.Sc. in engineering), he started defining how Monte Carlo simulation could be used in risk management. Now it's being used for three areas:
Budget Simulation. The business controllers are asked for their input about volatility, which is combined with analyses based on past performance of budget accuracy. Management says this helps them understand the financial volatility, so it's now part of the financial and budget reporting. In fact, the first analyses directed top management's attention to a sales volatility that was known but that proved to be much more significant than everyone intuitively believed.
Credit Risk Portfolio. The LEGO Group uses a similar approach to look at its credit risk portfolio so it can have a more professional "conversation" with a credit risk insurance partner.
Consolidation of Risk Exposure. You could multiply the probability and impact of each risk and add the whole thing up. But this is seen as an almost "systemic" error in risk consolidation because it would give an average loss over "a million years." Risk management isn't about averages (if it were, no one would take out an insurance policy on anything).With a Monte Carlo simulation, the LEGO Group can "calculate" the 5% worst-case loss compared to budget and use that to define risk appetite and risk report exposure vis à vis this risk appetite, as shown in Figure 3.
Risk Appetite: A privately held company, the LEGO Group can't look at stock values, so it looks at the amount of earnings the company is likely to lose compared to budget if the worst-case combined scenarios happen. Not all risks will materialize in any one year because some of them are mutually exclusive, but a huge number may happen in any one year as we have seen during the global financial crisis. Hans computes a "net earnings at risk," and corporate management and later the board of directors use that net earnings at risk to define their risk appetite. They have said that the 5% worst-case loss may not exceed a certain percentage of the budgeted earnings (the percentage is not 100). That guides management toward understanding and "sizing" the risk exposure. This process has helped the LEGO Group take more risks and be more aggressive than it otherwise would have dared to be and grow faster than it otherwise could have done.
Strategic Risk Management Lab Commentary: Risk appetite is a difficult area for organizations to address. The approach used at the LEGO Group provides a good example of deriving risk appetite in an actionable and systematic way. It also shows an approach that fosters intelligent risk taking and that avoids being too risk averse while maintaining discipline on the amount of risk undertaken.
What we've discussed so far is more or less "damage control" because it's about managing risks already taken by approving strategies and initiating business projects. Hans decided he wanted to move beyond damage control and be more proactive so he could create real value as a risk manager. He came up with a process he calls Active Risk and Opportunity Planning for business projects.
Step 3: AROP: Risk Assessment of Business Projects
When the LEGO organization implements business projects of a defined minimum size or level of complexity, it's mandatory that the business case includes an explicit definition and method of handling both risks and opportu- nities. Hans says that the LEGO Group has created a supporting tool (a spreadsheet) with which to do this, and it differs from the former approach to project risk management in several areas:
Identification, "where we call upon more stakeholders, look at opportunities as well as risks, and look at risks both to the project and from the project (i.e., potential project impact on the entire business system)."
Assessment, "where we define explicit scales and agree what 'high' means to avoid different people agreeing on an impact being high without having a shared understanding of the exposure."
Handling, "where we systematically assign risk owners to ensure action and accountability and include the use of early-warning indicators where relevant."
Re-assessment, "where we define the net-risk exposure to ensure that we have an exposure we know we can accept."
Follow-up, "where we keep the risk portfolio of the project updated for gate and milestone sessions."
Reporting, "which is done automatically and fully standardized based on the data."
Common Language and Common Framework: The most important point is that the people who address and work with risks get a systematic approach so they can use the same approach from Project A to Project B. The one element that project managers really like is having the data in a database. They don't receive just a spreadsheet model. Data is entered into the spreadsheet as a database, and all the required reporting on risk management is collected from that data, so project managers don't have to develop a report-they can just cut and paste from one of the three reporting sheets that are embedded in the tool. All the reports are standardized. That's good for the project managers, but it's also good for the people on the steering committees because they now receive a standardized report on risks. They don't have a change between layouts of probability/impact risk maps or when somebody comes up with severity or whatever from project to project. Everyone has the same kind of formula, the same way of doing it.
Strategic Risk Management Lab Commentary: The AROP process is a great example of integrating risk assessment in terms of upside and downside risks in the strategic decision-making process. This balanced approach to strategic risk management allows organizations to create more stakeholder value while intelligently managing risk.
Step 4: Preparing for Uncertainty: Defining and Testing Strategies
To get further ahead in the decision process, the LEGO Group has added a systematic approach to defining and testing strategies. As Hans notes, "We are going one step further upstream in the decision process with what we call 'Prepare for Uncertainty.' This is a strategy process, and we're looking at the trends of the world. The industry is moving; the world is moving quite rapidly. I just saw a presentation that indicated that the changes the world will see between 2010 and 2020 will be somewhere between 10 and 80 times the changes the world saw in the 20th Century, compressed into a decade."
He offers the following story to illustrate the forces of change the company is facing: "My seven-year-old granddaughter came to me and asked, 'Granddad, why do you have a wire on your phone?' She didn't understand that. She's never seen a wire on a phone before.We need to address that level of change and do it proactively."
Four Strategic Scenarios: A group of insightful staff people (Hans and a few from the Consumer Insight function) defined a set of four strategic scenarios based on the well-documented megatrends defined by the World Economic Forum in 2008 for the Davos meetings (see Figure 4). Hans commented:
u"We presented and discussed these with senior management in 2009, prior to their definition of 2015 strate- gies, to support that they would look at the potential world of 2015 when defining strategies and not 'just' extrapolate presentday conditions.
u"Having done that, we then prepared to revisit each key strategy vis à vis all four scenarios to identify issues (i.e., risks and opportunities) for that particular strategy if the world looks like this particular scenario.
"This list of issues is then addressed via a PAPA model whereby a strategic response is defined and embedded in the strategy.
u"This way, we believe that we have reasonably ensured our strategies will be relevant if/when the world changes in other ways than we originally planned for.
"Once we have decided on the strategy and defined what we're going to do, we test the strategy for resilience.We very simply take that particular strategy and, together with the strategy owner, discuss: If this scenario happens, what will happen to the strategy? Some of these issues will be highly probable, and some of them will be less probable. Some of them will happen very fast; some others will happen very slowly. This is where the PAPA model comes in."
The PAPA Model
When looking at the scenarios, the LEGO Group uses what it calls a Park, Adapt, Prepare, Act (PAPA) model, as shown in Figure 5. Hans explains:
Park: The slow things that have a low probability of happening, we park.We do not forget about them.
Adapt: The slow things that we know will happen or are highly likely to happen-we adapt to those trends. In our case, this is a lot around demographics.We know children's play is changing, we know demographics are changing, we know the buying power between the different realms or the different parts of the world is changing. We also know it does not happen fast. So we adjust, systematically monitoring what direction it's moving in and following that trend.
Prepare: The things that have a low probability of happening, but, if they do, they materialize fast-we need to be prepared for. In fact, this is where we identify most of the risks that we need to put into our ERM risk database, make sure that we have contingency plans for them, apply early warnings and whatever mitigation we can put in place to make sure that we can cover these should they materialize, but they are not expected to.
Act: Finally, we have the high probability and fastmoving things that we need to act on now in order to make sure the strategy will be relevant. In our case, anything that has to do with the concept of connectivity- i.e., mobile phones, Internet, that world-if we can see it, move on it.We know that is changing so fast, and it's changing the way kids play. It's changing their concepts and their view of the world.
This way, we have a kind of prioritization model of what we do because we shouldn't, of course, be betting on every horse in the race. That's not profitable, and it isn't even doable.
Strategic Risk Management Lab Commentary: One of the challenges of risk management is to find ways to prioritize risks that make business sense. The PAPA model provides a good example of a framework that can prioritize risks and set the stage for the appropriate actions. Our research on high-performance companies (see Mark L. Frigo and Joel Litman, DRIVEN: Business Strategy, Human Actions and the Creation of Wealth, 2008) found that companies who demonstrate sustainable high performance exhibit a "vigilance to forces of change" that allows them to manage the threats and opportunities in the uncertainties and changes better than other companies. The approach used at LEGO is a great example of embedding this vigilance to forces of change in its strategy development and strategy execution processes.
Strategic Risk Management Return on Investment
A great deal has happened in the LEGO Group's approach to risk management based on strong support from top management, all the time needed to develop processes and methodologies, and a strong focus. They have demonstrated value from the efforts they've made. They also have explicitly embedded risk management in most of the key planning processes used to "run" the company:
u The Strategic and Financial Management Process- Monte Carlo and Scenarios
u The LEGO Development Process-AROP in projects
u The Customer Business Planning Process-AROP in collaboration
u The Sales & Operations Planning Process-Tactical scenarios
u The Performance Management Process-Bonus based on results, not efforts
"All of this has worked,"Hans says. "Based on actual data, we have had a 20% average growth from the period between 2006 and 2010 in a market that grows between 2% and 3% a year. Beyond that, our profitability has developed quite significantly as well.We've grown from a 17% return on sales to a 31% return on sales in 2010. And it goes beyond that. If you go back a couple more years, in 2004 we were in dire straits and had a negative return on sales of 15%.We changed a number of strategies.
"Risk management is not the driver of these changes. I'm not even sure it's a big part. But it's one part. It's a part that has allowed us to take bigger risks and make bigger investments than we otherwise would have seen. The Monte Carlo simulation has shown us what the uncertainty is. The risk appetite has shown us how much risk we can afford to take, and are prepared to take, between the board of directors and the corporate management team. This has meant that we have been prepared to make bigger supply chain investments than we otherwise would have done and have been able to achieve a bigger growth than we ever imagined we could have."
Strategic Risk Management Lab Commentary: The development of strategic risk management at the LEGO Group provides a great example of how organizations can develop their ERM programs to incorporate strategic risk and make strategic risk management a discipline and core competency within. One of the key elements was "integration." During discussions with LEGO management, when Hans was asked about the ongoing development of risk management at the LEGO Group, he replied that it was "naturally integrated." It is this integration of risk management in strategy and strategy execution, and the integration of strategy in risk management, that can elevate the value of ERM in an organization.
One Last Note
We want to emphasize that risk management is not about risk aversion. If, or rather when, you want/need to take bigger chances than your competitors-and get away with it (succeed)-you need to be better prepared. The fastest race cars in the world have the best brakes and the best steering to enable them to be driven faster, not slower. Risk management should enable organizations to take the risks necessary to grow and create value. To quote racing legend Mario Andretti: "If everything's under control, you're going too slow." SF
By Mark L. Frigo, CMA, CPA, and Hans Læ ssøe
Mark L. Frigo, Ph.D., CMA, CPA, is director of the Center for Strategy, Execution and Valuation; the Strategic Risk Management Lab; and the CFO Leadership Initiative in the Kellstadt Graduate School of Business at DePaul University in Chicago. He also is Ledger & Quill Alumni Foundation Distinguished Professor there and is an advisor to executive teams and boards in the area of strategy development, execution, and strategic risk management. And he is an IMA member. You can reach Mark at firstname.lastname@example.org.
Hans Læ ssøe is senior director of strategic risk management at the LEGO Group and has spent his entire career with LEGO in a number of areas, including portfolio management and as a business and strategic controller. In 2006, he was charged with establishing and managing LEGO's formal Strategic Risk Management function for which he has received several European awards. You can reach Hans at Hans.Laessoe@LEGO.com.
Note: Mark and Hans presented an earlier version of this case at the RIMS (Risk and Insurance Management Society) Conference. Both serve as members of the RIMS Strategic Risk Management Development Council.