Lego is one of the largest and most popular toy manufacturers in the world—a building blocks empire built in 1949 by Ole Kirk Christiansen of Denmark. Over time, the privately held company has gone from a simple manufacturer of wood-based play sets to a conglomerate of plastic toys, theme parks, retail stores, board games and books.
The Lego Group’s motto is “det bedste er ikke for godt,” which translates, in literal terms, to “the best is never too good.” Christiansen, who penned the motto, believed strongly in the value of a quality product—a sentiment he instilled in all employees. That attitude is still in place at Lego’s headquarters in Denmark, a fact illustrated by the company’s reputation for world-class risk management.
We talked with Hans Læssøe, senior director of strategic risk management for Lego, to find out how the toy company plays well with risks.
RM: How did Lego become one of the biggest champions of the risk management discipline?
Hans Læssøe: I didn’t know we were, but the status we have has been driven by several factors. I have been given all the time and resources I wanted to develop this [risk management process within Lego]. I have 100% buy-in on processes and tools from the CEO and corporate management. I know the company—I currently have 31 years of seniority—as well as who to talk to for further insights. I keep it simple. If I can’t explain what I do or what I want and why in five minutes, I redo the asking. Those I ask have other tasks as well.
RM: How does Lego approach strategic risk management?
Læssøe: We apply strategic risk management in three key approaches for three different things. On strategy definition, we have a scenario-based process where we focus on making management “think the unthinkable” and hence identify strategic issues they would not have seen had they regarded 2018 as an extrapolation of 2013. These issues are then systematically prioritized and embedded in the strategy description.
On strategy implementation we have a defined tool and process for active risk and opportunity planning and management, which is mandatory for major business projects, and strategy implementation. On strategy execution, we have a major ERM database where we collect and document risks and their assessments and handling. The database enables us to define an overall risk exposure vs. the defined risk tolerance.
RM: Why do some firms feel SRM is more complicated than it actually is?
Læssøe: Well for some, it may be driven by their fear that this is another step of [Sarbanes-Oxley] compliance controlling. Or maybe they just need an ignorant practitioner to drive the project—like myself.
RM: You once said, “If everything is under control, you’re moving too slow.” Can you explain this?
Læssøe: It is a Mario Andretti quote, and I use it to separate risk management from risk aversion. At least in the beginning, a lot of people thought it was my job to avoid risks. It isn’t. It is my job to balance risks and opportunities. Just like parenting. As a parent it is not your job to ensure that your children don’t get hurt, but only to ensure they don’t suffer permanent injuries. Cynical perhaps, but being hurt from time to time is the only way to learn and grow.
So, would I approve of a massive project that could cost us $100 million? Sure, if the upside was sufficiently large and the likelihood of losing sufficiently small. What I will not accept is bulldozing a project without due consideration to the risks and opportunities involved.
RM: What is your take on ERM vs. SRM?
Læssøe: To me, ERM is everything and SRM is just the strategic part. So, ERM includes currency hedging, [environmental health and safety], insurance programs, IT security, operational disruptions and so on, as well as SRM, which covers the risks that force us to change our strategy or the way we implement it.
RM: How does Monte Carlo simulation aid Lego in managing risk?
Læssøe: I see Monte Carlo simulation as a vital tool and the only way to validly consolidate a risk portfolio. It has given us insight into volatilities as well as the overall one-number risk tolerance metric, which is a good gauge but not the full story, as we know.
It did help me some years ago, where I, just one or two years after I started [as SRM director], presented an analysis based on the Monte Carlo simulation tool to our corporate management. My CEO, who holds a Ph.D. in mathematics, acknowledged the analysis and approach and then stated that now we can, as he said, stop discussing whether or not my efforts create value to the company. This supported the buy-in and backing of our C-suite.
RM: If your boss or the board were to ask you to prove that Lego has been successful in risk preparation, risk avoidance and dealing with risks as they occur, what would you tell them or show them?
Læssøe: First of all, there is no such thing as proof. A cynical colleague once stated, “there is no such thing as a successful risk manager—the good ones get out in time.”
I would show what is called a back test, or look at what actually happened over the past number of years and compare this to the risk portfolio, answering three questions: Were we hit by anything severely which we had not foreseen? Of the things that did hit us, and that we had foreseen, was the impact somewhat in range with what we expected? Of the risks we would have expected to materialize over a three-to-five-year period, which [risks] did not hit us—and do we know why not?
I actually did a back test based on 2006 to 2008, as we changed strategic direction by the end of 2008. I am doing a second one now, looking at 2009 to 2012. Both of these indicate—this is anecdotal and hence not proof—that the risk management system is indeed comprehensive enough to match real-life incidents.