# Enterprise risk management: building the ERM framework
In August 2003, Lego reported a loss of DKK 1.4 billion on revenues of DKK 6.7 billion, roughly $230 million in red ink for a company that had been the world's most admired toymaker. The Danish family-owned firm was burning through DKK 1 million in cash *per day*. Twenty-three years later, Lego is the world's most profitable toy company, with 2024 revenues of DKK 74.3 billion and an operating margin north of 25%. The turnaround had many fathers, but the one most CFOs ignore is the radical rebuild of Lego's enterprise risk management function under CFO Jesper Ovesen and his successor Knudstorp. They didn't bolt ERM onto strategy. They *fused* the two. That is the lesson of this module.
Most companies that "implement COSO ERM" produce a 47-tab heat mapmapUsing software to automate repetitive marketing tasks and campaigns, enabling personalisation at scale across channels like email, web, and social.Voir la définition complète →, a quarterly risk committee that rubber-stamps it, and an internal audit team that ticks the box. The framework becomes bureaucratic theater. Meanwhile, the risks that actually kill enterprises, strategic obsolescence, geopolitical shocks, supply chain fragility, AI-driven business model disruption, never appear on the heat map until they're in the 10-'s litigation reserve note.
This lesson teaches you how to build ERM that drives capital allocation, not compliance reports.
The COSO ERM framework, updated in 2017 and refreshed for ESG integration in 2023, is built on five interconnected components: Governance & Culture, Strategy & Objective-Setting, Performance, Review & Revision, and Information, Communication & Reporting. Anyone can recite this. What separates value-creating ERM from compliance ERM is *where you place the function in the decision chain*.
In a compliance-mode company, ERM operates downstream of strategy. The CEO and CFO set the plan; risk officers then catalog what could go wrong. The heat mapmapUsing software to automate repetitive marketing tasks and campaigns, enabling personalisation at scale across channels like email, web, and social.Voir la définition complète → gets presented to the audit committee. Nothing changes.
In a value-mode company, ERM operates *upstream* and *inside* strategy. Risk appetite statements drive capital allocation thresholds. Scenario analysis precedes M&A approval. Risk-adjusted return on capital (RAROC) is computed for every business unit and used in compensation.
The empirical evidence is brutal. A 2024 McKinsey survey of 1,200 large-cap companies found that firms with what they classified as "strategically integrated ERM" outperformed compliance-mode peers by 380 basis points of ROIC over the prior decade. The gap widened during the 2020-2022 supply chain crisis, integrated-ERM firms recovered margin 14 months faster on average.
The Institute of Internal Auditors' "Three Lines Model" (revised 2020) remains the operational backbone:
What's changed in 2026 is that the second line now typically includes a dedicated scenario analysis function that reports jointly to the CFO and CROCROConversion Rate Optimization (CRO) is the systematic practice of increasing the percentage of users who complete a desired action, using data, testing, and user research.Voir la définition complète →. This is a direct response to CSRD's mandatory double-materiality assessments and the SEC's climate disclosure rules (after the 2024 court resolution). Pillar Two compliance has also forced risk functions to model tax-rate scenarios across jurisdictions, a problem ERM teams didn't own five years ago.
When Jørgen Vig Knudstorp took over as CEO in October 2004 (he was 35, a former McKinsey consultant, and the first non-family CEO in the company's history), Lego had no functioning ERM. It had something worse: a culture of "creative risk-taking" that had spawned theme parks, video games, branded clothing lines, and a Darwin-themed product line that no child wanted. The portfolio had ballooned to 12,900 unique components, each one a working-capital sinkhole.
Knudstorp and CFO Jesper Ovesen rebuilt risk management around three principles that any CFO can apply on Monday morning.
Lego established a hard rule: no product, project, or acquisition could consume capital that would, in a 1-in-20 downside scenario, breach a specific liquidity threshold. This wasn't a vague "moderate risk appetite" statement, it was a DKK figure, updated quarterly, that every business unit lead knew.
When Lego considered the Lego Movie partnership with Warner Bros. in 2010, the risk appetite framework forced an explicit trade-off analysis. The downside scenario (movie flops, brand dilution) was modeled against base and upside cases. The deal was structured so Lego's downside was capped at marketing co-investment. The movie generated over $468 million at the box office and added an estimated DKK 3 billion in incremental sales over three years.
Compare this to Mattel's 2014-2017 period, where the absence of disciplined risk-adjusted capital allocation contributed to Barbie and Fisher-Price line extensions that destroyed roughly $1.3 billion in shareholder value before activist investors forced a reset.
The single most common ERM failure is point estimates of probability. "There's a 15% chance of a major supply disruption." This is meaningless. What matters is: *what is the magnitude and our resilience under specific, named scenarios?*
Lego pioneered what they call "extreme scenario stress tests" for its top 10 strategic risks. Each scenario is narratively constructed, not a number, but a story: "China launches a domestically-favored toy safety regime that requires 18 months of recertification." The finance team then models cash flow, working capitalworking capitalWorking capital is the difference between a company's current assets and current liabilities, measuring short-term liquidity and the funds available to run daily operations.Voir la définition complète →, and covenant impact under that scenario. Mitigation options are pre-staged.
This approach, by the way, mirrors what the European Central Bank now requires under its 2025 climate stress testing for banks, narrative scenarios over probabilities. The OECD has effectively endorsed it for tax risk management under Pillar Two as well.
At most companies, the risk committee is advisory. At Lego, the Executive Risk Committee (chaired by the CFO, includes the COO, CHRO, General Counsel, and Group CROCROConversion Rate Optimization (CRO) is the systematic practice of increasing the percentage of users who complete a desired action, using data, testing, and user research.Voir la définition complète →) has veto power over any investment above DKK 100 million and any new market entry. This is unusual, and it's the reason it works.
In 2022, when Lego was considering accelerating its Vietnam manufacturing facility build-out (eventually a $1 billion investment, opening 2024), the risk committee forced a geopolitical scenario analysis covering Taiwan Strait contingencies, ASEAN trade fragmentation, and Vietnam-specific labor risks. The result wasn't to kill the project, it was to phase the capexcapexCapital Expenditure (CapEx) is money spent to acquire, upgrade, or extend long-lived assets like equipment, property, or software that deliver value over multiple years.Voir la définition complète → over 36 months instead of 24, preserving optionality. That decision saved an estimated DKK 1.8 billion in trapped capital when 2023's macroeconomic environment tightened.
Vérification des acquis
1. According to the lesson, what was the magnitude of Lego's cash burn during its 2003 crisis?
2. The lesson argues that the defining difference between value-creating ERM and compliance ERM is:
3. The COSO ERM framework referenced in the lesson was originally updated in 2017 and then refreshed in 2023 specifically to integrate:
4. Select ALL correct answers about the symptoms of 'compliance-mode' ERM as described in the lesson:
Sélectionnez toutes les réponses correctes.
5. Select ALL correct answers about the five interconnected components of the COSO ERM framework:
Sélectionnez toutes les réponses correctes.
You will not rebuild your ERM function in a quarter. You can, however, make structural changes within 90 days that move it from compliance to value mode.
Use the COSO maturity model, but stress-test it with one question: *In the last 24 months, has any strategic decision been changed because of risk function input?* If the answer is no, your ERM is decorative.
PwC's 2025 Global Risk Survey found that 67% of CFOs admitted their risk function had not influenced a major strategic decision in the prior two years. That number should be your benchmark for embarrassment.
Vague statements like "we have a moderate appetite for operational risk" are useless. Convert every risk category into either:
When Microsoft's CFO Amy Hood and her team rebuilt their risk framework around the Activision acquisition in 2022-2023, every regulatory scenario was attached to a specific cash and earnings impact. When the UK CMA initially blocked the deal, Microsoft had already pre-modeled the structural remedies and could pivot in days, not months. The $69 billion deal closed in October 2023.
Every capital request above your materiality threshold should require:
1. A base case, upside, and 1-in-20 downside cash flow
2. A named scenario stress (geopolitical, regulatory, technology disruption)
3. A risk-adjusted IRRIRRThe Internal Rate of Return is the discount rate that makes a project's net present value equal zero. It expresses an investment's expected annualized return.Voir la définition complète →, not just nominal IRRIRRThe Internal Rate of Return is the discount rate that makes a project's net present value equal zero. It expresses an investment's expected annualized return.Voir la définition complète →
4. A pre-staged mitigation plan with named accountabilities
Maersk's CFO Patrick Jany has publicly described how the company's 2023-2024 supply chain pivot (decoupling certain Asia-Europe routes after Red Sea disruptions) was executed in roughly 11 days because scenario plays were pre-staged. The company maintained operating margins while competitors burned $400+ million in unplanned rerouting costs.
This is where most CFOs flinch. If risk-adjusted returns don't enter the LTI calculation for business unit heads, your ERM is still decorative. Banks have done this for 20 years via RAROC. Industrial companies are now following, Siemens introduced risk-adjusted capital charges into divisional P&Ls in 2023, which CFO Ralf Thomas credited with the 110-basis-point margin expansion in Smart Infrastructure in FY24.
Top-quartile ERM functions now maintain a separate "emerging risk" register distinct from the operational heat mapmapUsing software to automate repetitive marketing tasks and campaigns, enabling personalisation at scale across channels like email, web, and social.Voir la définition complète →. This register addresses:
The emerging risk register should be reviewed by the board's risk committee at least quarterly. It should never be more than 12 items, any longer and you've reverted to a heat mapmapUsing software to automate repetitive marketing tasks and campaigns, enabling personalisation at scale across channels like email, web, and social.Voir la définition complète →.
1. Within 30 days: Conduct the "strategic influence audit." Pull the last eight board-level decisions. Document which involved formal risk function input that *changed* the outcome. If fewer than three, you have a structural problem, not a process problem.
2. Within 60 days: Rewrite your risk appetite statement so that every category has a numerical threshold (dollars, days, or ratios