The Turnbull Report
Anthony Carey, of the Institute of Chartered Accountants in England
and Wales, describes the impact of the Tunbull Report on risk
management.
T
he day before Christmas Eve, when every-
one’s attention was on the forthcoming fes-
tivities and the potential threat posed by the
Millenium Bug, the Turnbull Report came quietly
into effect. However, since the publication at the
end of September of the final report of the Institute’s
Internal Control Working Party, chaired by Nigel
Turnbull, there has been much discussion in the
business community and the media about its likely
impact in the coming years. Moreover, whilst its
primary purpose is to provide guidance to help list-
ed companies implement the internal control
requirements of the Combined Code on Corporate
Governance, the report can also be used as a catalyst
for performance improvement in the public and
not-for-profit sectors as well.
The Turnbull guidance reflects good business practice in the
areas of risk management and internal control. It emphasis-
es that a company’s internal control system has a key role to
play in the management of risks that are significant to the ful-
filment of its business objectives. To implement the report
successfully, an organisation therefore needs a clear under-
standing of its objectives. These should be expressed around
the future, not the past or present, in order to assist the organ-
isation in meeting the key challenges that lie ahead.
Secondly, the focus should be on the significant risks that
could blow it off course. It is not about identifying 1,001 risks
regardless of the likelihood that they will occur or the impact
they would have if they did materialise. Thirdly, the control
system must be linked to managing in an effective manner
the risks an organisation consciously decides to carry; the
report is not about eliminating risk, per se.
The guidance also stresses that the internal control system
should be: firmly embedded in the organisation’s operations;
be capable of responding quickly to changes in its risk profile,
whether arising from changes within the business or in its
external environment; and should include procedures for
immediately reporting significant control failings or weak-
nesses to appropriate levels of management.
The Benefits of Managing Risk Effectively
What, then, are the potential benefits of effective risk man-
agement and internal control? Boards of directors (and their
124
equivalents in non-commercial entities) are concerned with
the long-term direction of their organisations. They need to
set goals with varying timeframes. The impact of various risks
crystallising can be that the organisation’s realised goals are
very different from the intended, desired ones.
Managing risk effectively can make an organisation more
flexible and responsive to its external environment, enabling
it to satisfy customers’ ever-changing needs more fully.
Organisations can also gain an early-mover advantage by
adapting more quickly than their rivals to new circumstances
(eg in taking advantage of the opportunities offered by e-
commerce), leading to an enhanced reputation in the medi-
um and long term. Effective risk management and internal
control can also be used to manage change, to involve every-
one in the organisation in helping meet its business objec-
tives, and to improve an operation’s ability to raise funds in
the future. In addition, it can lead to fewer sudden shocks
and unwelcome surprises, and as a result less management
time spent ‘firefighting’.
It is important that managers move away from a merely
downside-based approach to managing risk. Risk is not only
about ‘bad things happening’, it is equally about ‘good things
not happening’, ie missed opportunities.
Identifying the Risks
Organisations should try to avoid ‘risk identification over-
load’, as this can prevent the significant risks being given
appropriate attention. If lots of risks have traditionally been
identified, they can usefully be analysed on the basis of rele-
vance to meeting the business objectives and to highlighting
areas where new objectives may be needed.
A recent survey by the accounting firm Deloitte and Touche
revealed that the risks which were often of most concern to
organisations included: a failure to manage major projects
(especially of a technological nature); a failure of strategy; a
failure to innovate; poor reputation or brand management;
and a lack of employee motivation and poor performance.
Care should be taken to avoid merely selecting risks from a
generic matrix. The risks need to be specific to the relevant
sector and the individual circumstances of the organisation.
It is particularly useful to relate them to the likely obstacles to
achieving the critical success factors associated with the
achievement of the organisation’s objectives.
Useful questions to ask include:
• How is change affecting the risks we face and the risks we
have chosen to take (this is because change areas are often
the biggest areas of risk for an entity)?
• What would we be reluctant to see reported in the press?
• What problems or near misses have already happened to
us or our competitors in recent years?
• What are the types of fraud and business probity issues to
which the organisation could be particularly susceptible?
• What are the major regulatory and legal risks to which the
business is exposed?
• What risks arise from the organisation’s processes?
Prioritising the Risks
The following ‘two by two’ matrix (or a variant on it) (see
Figure 1) is widely used to help prioritise risks. First the gross
risk associated with an event is assessed, that is the probabili-
ty and impact of an event happening on the assumption that
control processes are very weak or non-existent. Risks are
then prioritised according to their impact and likelihood of
occurrence. On a number of occasions an A, B, C or D rating
will suffice, which can be interpreted as:
• A - immediate action
• B - consider action and have a contingency plan
• C - consider action
• D - keep under periodic review.
High Impact High Impact
Low likelihood High likelihood
Impact of risk
B A
Low Impact Low Impact
Low likelihood High likelihood
D C
Likelihood of risk occurring
Figure 1: How to prioritise risks
The impact should be considered not merely in financial
terms but more importantly in terms of potential effect on
the achievement of the organisation’s objectives. Naturally,
not all risks will be identified as significant. Non-significant
risks should be reviewed regularly, particularly in the light of
changing external events, to check that they remain non-sig-
nificant. As a rough guide, some commentators suggest an
organisation could face around 15-25 residual risks which are
significant to it as a whole.
Managing the Significant Risks
Having identified and then prioritised the significant risks in
gross terms, it is then helpful to determine for each of them
125
• Do the directors wish to accept this risk?
• What is the control strategy to avoid or mitigate the gross
risk?
• Who is accountable for managing the risk and maintain-
ing and monitoring the controls?
• What is the residual risk, that is the risk remaining after the
application of the control processes?
• What is the early warning mechanism?
Control strategies include:
• Accepting the risk.
• Transferring the risk (eg passing it to another party by
changing contractual terms).
• Elimination (by adopting an exit strategy).
• Control (by building control into the operational process,
additional quality control).
• Involving your best people in managing it.
• Sharing the risk with another party.
• Insuring against some or all of the risk.
• Avoiding the risk in other ways.
An Organisational-Wide Issue
Delegation of responsibility for the totality of risk manage-
ment should not be allocated to a single individual. Rather,
it should ideally be spread across those responsible for man-
aging different organisational activities. Risk management is
an issue for all employees, not a specialist few within the
organisation. Its importance should be communicated to all
levels of staff, who should have the necessary knowledge,
skills, information and authority to fulfil their responsibili-
ties.
At the top, the board should set appropriate internal control
policies and seek regular assurance that the control system is
functioning effectively. It is for the board (or equivalent) to
decide upon the organisation’s risk appetite.
The board should regularly review reports on internal control.
These should provide a balanced assessment of the effective-
ness of the control system in the areas covered by them and
discuss any significant control failings or weaknesses identi-
fied, along with their impact and the remedial action being
taken. Management’s job is to design, operate and monitor a
system that reflects the board’s policies.
Concluding Remarks
Good risk management has the potential to re-orient the
whole organisation around performance improvement.
Turnbull provides the opportunity to improve, not only the
management of risk, but also the organisation as a whole.
Anthony Carey
Director, Centre for Business Performance
Institute of Chartered Accountants in England & Wales
Tel: 020 7920 8624
Fax: 020 7638 6009