Operational risk management has been a key part of the LEGO Group’s strategy for many years. The approach is used to handle issues including supply disruptions, demand volatility, currencies, employee health and safety, and product quality and safety.
Today, the sophistication of LEGO’s Enterprise Risk Management (ERM) framework is widely recognised. It is one of the foremost companies to use Monte Carlo simulation to quantify risk and present key risk information to its board of directors for decision-making purposes. @RISK from Palisade helps the LEGO Group to manage much of the risk it faces. This gives the company a true understanding of the volatility that it believes is inherent in its activities, in order that it can act to pre-empt it.
The LEGO Group uses @RISK to consolidate its risk portfolio. The standard way to calculate overall risk is to multiply the likelihood with the impact for each risk, and add up the total for the portfolio giving an average loss. The LEGO Group however takes a more strategic approach, in the belief that risk management is about extremes, not averages. It wants to know what will happen in the 10% chance that something does occur, not the 90% chance that it doesn’t.
LEGO Risk Management therefore identifies all risks it faces which include factors such as competitor infringements, currency risk and vendor breakdown (if a packaging vendor suffers a strike or a fire, for example, this impacts LEGO’s ability to do business). It then quantifies the risks with @RISK so that each risk is assessed in terms of the chance of it happening and the cost / impact if it does.
Once management has defined figures for all risk factors, it adds up the total exposure that it faces using a Monte Carlo simulation. From this the 5% worst-case exposure is looked at, and compared to the risk tolerance that the company has set itself, based on its earnings, to see if this is acceptable. If it is above the risk exposure, risk handling needs to be addressed to reduce the risk. If it is below, the company is allowed to follow a more aggressive – or ‘risky’ – policy.
Knowing its risk tolerance and consolidated exposure against its actual tolerance enables management to make informed and intelligent decisions about its capacity to take on more risks or be more cautious.
Defining and addressing strategic and operational risks enable the company’s managers to take prudent and proactive mitigating actions, which result in better performance.