ENTERPRISE RISK MANAGEMENT (STEP 1)
The evolution of ERM toward strategic risk management is represented in Exhibit 6.2. Strategic risk was missing from the ERM portfolio until 2006.
To fix this, based on his then 25 years of LEGO experience and a request from the CFO, Hans Læssøe started looking at strategic risk management. "I was a corporate strategic controller who had never heard the term until then," he says. The company had embedded risk management in its processes. Operational risk – minor disruptions – was handled by planning and production. Employee health and safety was OHSAS 18001 certified. Hazards were managed through explicit insurance programs in close collaboration with the company's partners (insurance companies and brokers). Information technology (IT) security risk was a defined functional area. Financial risk covered currencies and energy hedging as well as credit risks. And legal was actively pursuing trademark violations as well as document and contract management. But strategic risks weren't handled explicitly or systematically, so the CFO charged Hans with ensuring they would be from then on. This became a full-time position in 2007, and Hans added one employee in 2009 and another in 2011.
Exhibit 6.2 The LEGO ERM Umbrella: Adding Strategic Risk
Strategic Risk Management Lab Commentary
The 2006 situation is common. Even though strategic risks need to be integrated with risk management, many organizations don't explicitly assess and manage strategic risks within strategic decision-making processes and strategy execution. A recent study by the Corporate Executive Board found that strategic risks have the greatest negative impact on enterprise value: "strategic risk caused 68 percent of severe market capitalization declines." But the LEGO Group's approach shows how strategic risk management can be a key to increasing the value of ERM within an organization. It also shows how executive leadership from the CFO played an important role in the evolution of ERM as a valuable management process. Finally, Hans came from the business side and had the attributes necessary to lead the initiative: broad knowledge of the business and its core strategies, strong relationships with directors and executive management, strong communication and facilitation skills, knowledge of the organization's risks, and broad acceptance and credibility across the organization. (For more, see Mark L. Frigo and Richard J. Anderson, Embracing ERM: Practical Approaches for Getting Started, at coso.org/guidance.htm, p. 4.)
Also, the risk owner concept at LEGO provides a good example of the importance of understanding who owns the risks as well as defining the role of risk management in the organization. The idea of "risk owners" was important to ensure action and accountability. Hans's charge was to develop strategic risk management and make sure the LEGO Group had processes and capabilities in place to do this. But as senior director of strategic risk management, Hans doesn't own the risk. He can't own the risk, because this essentially would mean he would own the strategy, and each line of business owns the pertinent strategic risks. Hans trains, leads, and drives line management to apply a systematic process to deal with risk. The mission of Hans's strategic risk management team is to "drive conscious choices." This is just like budgeting functions: They don't earn the money or spend the money, but they support management to deliver on the budget or compare performance against the budget.
-  Also see Hans Læssøe, Venkat Ramaswamy, and Mark L. Frigo, "Strategic Risk Management in the Co-Creative Enterprise," Working Paper, Strategic Risk Management Lab, DePaul University, 2014.