Palgrave Macmillan Journals is collaborating with JSTOR to digitize, preserve and extend
access to Risk Management
This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
Risk Management: An International Journal
Introduction
Any lingering doubts in UK corporate boardrooms about the necessity of risk management as an
integral part of normal governance processes have just been removed by the Turnbull Report (1999)
on Internal Control: Guidance for Directors on the Combined Code.1,2 This 'Turnbull Guidance'
on corporate governance (recently issued by the Institute of Chartered Accountants in England and
Wales (ICAEW) working party, chaired by Nigel Turnbull) now requires UK listed companies to
develop an organisation-wide, risk management approach to internal control as an integral part of
corporate governance policies and systems. The report aims to provide guidance to assist directors
and managers of companies in implementing principle D2 of the Combined Code on Corporate
Governance.3 It replaces the previous 'Rutteman' guidance on Internal Control and Financial
Reporting.
The Guidance uses internal control systems to protect shareholders' interests. But, while the report
focuses on a risk-based approach to internal control systems, the real thrust is about embedding risk
management within corporate governance processes. The Guidance clarifies and prescribes the
respective roles of the board, its committees and management in implementing risk management
through internal control policies and systems. It crystallises the boardroom responsibilities for risk
management, risk control and systems effectiveness reporting alluded to in the ICAEW's 'Cadbury
Code' (1994) and outlined in the Stock Exchange Listing Rules (the 'Yellow Book').4 Turnbull
embodies the principle that boards and managers are directly accountable to shareholders for the
effective management and control of their corporate risk exposures.
The control of corporate exposure to risks in various areas is a well-established practice. Risk
assessment of outcome variability under alternative investment strategies is a long-standing feature
of investment appraisals. Similarly, the duty of care placed on organisations and individuals in
the health and safety area has forced systematic reviews of potential workplace hazards and the
precise definition of responsibilities. In recent years, cost and time overruns in project management
have forced the development of techniques for the systematic management of project risk,
particularly in the defence industry.
None of this is new, but the Turnbull requirement for a holistic approach that integrates these
separate areas, under a corporate risk management policy, into core corporate governance processes
is a regulatory innovation. Past practice has often lacked the application of organisation-wide
risk management policies: a top-down approach that starts at board level and integrates all
levels and areas of risk management throughout the organisation. The Turnbull Guidance provides
a timely opportunity to redress the balance and create competitive advantage.
This article looks at how Turnbull interprets the specific requirements and compliance
responsibilities of directors and managers, in respect of risk management, under the provisions
of the Combined Code. We explore the context and objectives of the Turnbull Report and identify
those responsibilities in relation to policy development, risk assessment and reporting. We then
identify four supplementary sources of guidance in compliance that directors and managers will
want to consult, especially in the area of reporting on risk management policies. Finally, we
examine Turnbull's innovative regulatory approach, one that attempts to align regulatory purposes
with corporate objectives and encourages an integrated approach to corporate risk management.
Although labelled 'Guidance for Directors', the Turnbull Report goes beyond suggestion to
definitive interpretation of the Code on several issues. It specifically defines directors'
responsibilities for risk management, and identifies the division of responsibilities between
directors and managers. Whereas the Code refers to general 'corporate responsibility' for
development, implementation and reporting on risk management policy, the Guidance identifies
specific responsibilities and requirements on directors and managers.
In addition, the scope of Turnbull goes beyond its specific context of the Code's requirement for
developing and reporting on risk-based approaches to internal control. The Guidance effectively
encompasses directors' and managers' responsibilities in the areas of corporate risk management
policy, strategy, practice and reporting, as reflected in Table 1 below.
The Guidance requires directors and managers to identify, evaluate and manage their significant
risks. They must regularly review the effectiveness of internal control systems in managing key
risks and report on this in their annual report.
In effect, Turnbull makes directors directly responsible for initiating the foundations of a systematic
approach to corporate risk management and of risk-based approaches to internal control, in four
areas. First, directors must ensure that an organisation-wide risk management policy is formulated,
then communicated, accepted and implemented as a corporate policy throughout the organisation.
Second, directors are also responsible for the implementation of these policies through internal
control systems that provide the capacity to monitor the corporate risk environment continuously.
Third, they must then ensure periodic effectiveness reviews are carried out to quality-assure the
processes. Finally, directors are responsible for providing annual reports to shareholders, both on
the risk policies and on risk management effectiveness.
3. Periodic reviews of the risk-based IC systems (at least annually) to quality-assure on-going
effective control of organisation-wide risk in a dynamic environment.
4. Annual reports of compliance on risk management policies and effective risk management,
with reasons for any non-compliance.
Policy
In the Turnbull Guidance an integrated approach to risk management starts with the required
development of an organisation-wide policy for risk management and risk-based internal control.
Directors and managers now have a duty to develop and implement comprehensive, integrated
risk management policies as an integral part of corporate governance processes and associated
risk-based approaches to internal control systems. This policy will identify the fundamental
principles, requirements and practices that serve as a foundation for all risk management practice
throughout the organisation.
In a top-down approach to risk management, these common principles, requirements and standards
of practice then form a template for the design and development of risk policies in the various
areas of risk management that constitute the total, organisational risk management environment.
Turnbull requires directors to consider a broad range of elements in shaping their risk management
policy (see Table 2 below).
4. The company's ability to reduce the incidence and impact of risks that materialise.
5. The relationship of risk management strategy to other management and governance strategies.
The integration aspect of policy operates at two levels. First, risk management and risk-based
approaches to internal control in all areas of corporate risk assessment must be
subsumed within an organisation-wide risk management policy and strategy. Second, these
policies must be integrated into the normal management and governance processes. From
January 2001, risk management will be an integral (and indispensable) part of expected
corporate governance processes for all companies listed on the London Stock Exchange.
Integrated policy development will not be easy for some companies that traditionally manage
their major risk exposures as separate operations. Skills development and compromise in
property rights are immediate challenges. Some companies may need to re-examine their
whole risk management philosophy in order to bring their diverse areas of risk control
together, under common principles, objectives and standards of practice that embrace the
whole organisation. But common principles, objectives and standards can be the basis of
consistent and dynamic risk control, a common foundation that engenders organisation-wide
confidence in very disparate areas of risk management. Risk managers have a greater
chance of innovation and dynamic control when consistent, clear ground rules and policy
support them.
Strategy
With risk management policy in place, directors and managers must then design their corporate
risk management strategies (long-term) and plans (immediate actions). Risk management
strategy refers to the implementation of all those measures necessary for determining a
reasonable and acceptable level of corporate risk, and then for managing corporate activities
so as to avoid exceeding that level. Risk management processes usually contain at least four
phases, as set out in Table 3 below.
Phase 1. Risk identification: identifying those risks which, associated with corporate
activities, may prevent or hinder achievement of corporate objectives.
Phase 2. Risk analysis: determining the probability of occurrence, likely impact and timing
of significant risks.
Phase 3. Risk planning: preparing plans for containing the level of risk, and assessing its
potential impact within reasonable and acceptable limits.
Phase 4. Risk management: carrying out the management activities required for effective
and efficient implementation of plans.
The risk management strategy defines the way in which risk management is to be conducted
throughout the firm and sets out the reasons for this. It also describes the inter-relationships
between a risk-based approach to internal control systems and the other management and
governance systems and policies within the firm. Thus it describes how the risk management and
internal control plans fit into the overall management and governance plans. Turnbull stresses
the need to manage risk against corporate policy benchmarks of acceptable risk levels.
Flexibility in compliance
While Turnbull spells out the specific responsibilities of directors and management, the Guidance5
also retains the independence that the provisions of the Cadbury Code give to individual
companies;6 both the 'Yellow Book'7 and the Guidance reflect this approach. The Guidance
allows directors maximum flexibility to develop corporate risk strategies, including self-assessment
of risks and risk control effectiveness.
The price for this self-assessment flexibility is an onus of proof on directors to show that their
policies and systems satisfy the London Stock Exchange compliance requirements, and that their
risk management strategies are adequate, appropriate and effective. Faced with these pressures,
directors will need to familiarise themselves with the provisions of the Turnbull Guidance and
the associated concepts and principles of corporate risk management. Given the critical need to
satisfy the investment stakeholder, this is likely to be a key incentive for directors to maintain or
improve corporate share prices.
Substantive compliance
Furthermore, directors will need to demonstrate substantive compliance with all the new Corporate
Governance Code requirements. The Guidance is meant to encourage best practice in risk
management and internal control by making directors and managers directly accountable for the
integration of risk management into corporate culture and governance processes. Attempts at
regulatory compliance with no substantive introduction of organisation-wide risk management
will not suffice. Static annual checklists of compliance are also insufficient. Risk management
must be a continuous monitoring process, capable of the identification, analysis and control of
changing patterns of corporate risk in dynamic organisational and operational environments.
Internal control systems must be capable of responding to changing risks both within and outside
the company.
Directors must ensure that the corporate risk management process and internal control systems
are regularly reviewed to ensure their effectiveness. Effectiveness is measured in terms of system
ability to 'control' risk. As a minimum, this concept requires that the internal control systems can
(a) identify, assess and prioritise risks, (b) compare them to predetermined levels of acceptable
risk, and (c) reduce the incidence and impact of the effects of actual risks on the achievement of
corporate objectives and shareholders' interests. The emphasis here is upon the ability of risk
management systems to monitor the internal and external corporate environment continually,
and to respond to dynamic changes in risk profiles and impacts caused by internal and external
changes in that environment, on an organisation-wide basis.
The Turnbull Guidance requires the submission of regular reports (usually annual) to shareholders,
but it does not prescribe the form or content of the annual statements to shareholders about risk
management compliance. Directors are free to explain their risk governance policies, and any
special circumstances that caused them to adopt a particular approach. An appendix to the Guidance
contains a list of broad-ranging questions for the board to consider and discuss with management
when carrying out its annual assessment of internal control. However, given the similarities
between the Turnbull Guidance and the ICAEW's recent discussion paper on the financial reporting
of risk,8 directors will reasonably assume that the 'Statements on Risk' templates in the ICAEW
document make an authoritative starting-point for their own statements.
Turnbull emphasises the need for directors and managers to exercise judgement when developing
an integrated, organisation-wide approach to risk analysis and control. Comprehensive risk analysis
and control can be a costly process. Time and money spent preparing for a risk are often seen as
wasted if the risk in question fails to materialise. To minimise this likelihood, Turnbull expects
directors and managers to exercise judgement based on the cost/benefit trade-off between three
factors: the expected impact if the risk materialises, the probability of the risk occurring, and the
cost of underwriting (controlling) the risk.
For instance, selling stock-index options may insure corporate portfolio values against substantive
share market corrections. But options cover can be expensive: significant cover for a relatively
short period of time may cost up to five to seven per cent of portfolio value. Two or three repetitions
can seriously eat into investment profits if the correction does not materialise. So, rather than use
derivatives, corporate managers may use other, less costly means of protection, such as strategic
sector and market allocation.
The point is that risk management is inevitably a trade-off. Complete risk coverage or risk
elimination is uneconomic. Zero tolerance of risk is an impractical and unprofitable policy
objective. Turnbull stresses the need to manage risk against corporate policy benchmarks of
acceptable risk levels. Managers must decide what risk levels they will accept on a cost/benefit
basis, and then identify and prioritise risk exposures against these benchmarks, so that risk
management dollars can be concentrated into areas where the risk of loss is most significant.
The combination in Turnbull of a corporate perspective on risk, and of almost complete flexibility
in risk management design, implementation and reporting, may leave many directors and managers
wondering how to deal with the specifics of an integrated risk management strategy. Fortunately,
the ICAEW has recently produced several papers and reports that will be required reading when
implementing the Turnbull recommendations.
the reporting of corporate risk and risk management. The first is a discussion paper on proposals for
the financial reporting of risk, which suggests that business risk statements in annual reports should
identify, measure and prioritise risks, as well as describe the actions taken to manage each risk.11
The paper sets out, in step-by-step form, a basic reporting framework to assist an enterprise
preparing a statement of business risk. The framework covers the considerations that are relevant
to reporting a company's key risks and to the actions taken to manage them. It suggests a process
of risk mapping and information filtering to identify and rank key risks and to determine what
information to report about them.
The position of these documents in compliance terms is likely to be substantive when directors and
managers put Turnbull into practice. Turnbull is quite prescriptive on what action should be taken
in a risk-based approach to internal control and on who should make sure such action is taken. But
Turnbull's independence and flexibility where individual corporate risk management is concerned
mean that almost no guidance is given on how actions should be taken to ensure compliance.
These four publications can help. All four originate from the same accounting body that produced
the Turnbull Guidance, have been published in the last three years and so are reasonably
contemporaneous to Turnbull. It is reasonable to assume that they represent authoritative sources
of advice for directors and managers who seek guidance when exercising the flexibility that
Turnbull gives in the various areas of risk policy, practice and reporting.
Turnbull takes a broad perspective on risk. Risks are characterised as reasonably foreseeable
events or situations that prevent or hinder achievement of corporate objectives, or which pose
threats to shareholders' interests. They represent exposure to adverse consequences, financial or
physical, as a result of either corporate decision-making or the operational environment. This
definition reflects generally accepted concepts of the nature of business risks.13 Risks carry the
connotation of negative or adverse impacts for the organisation and shareholders, and Turnbull
identifies and focuses on three aspects of these impacts. When they occur, risk events may operate
(a) to reduce profitability, (b) to hinder the attainment of corporate objectives, and/or (c) to
reduce the value of shareholders' interests in some way. Risks may affect both the balance sheet
and/or the profit and loss situation.
But risks also offer opportunities for enterprise.14 Turnbull also views risk-taking as an integral
part of profit-making activity; a willingness to undertake calculated risk and exposure to uncertainty
is often a pre-condition for corporate profit-making and for the attainment of corporate objectives.
The objective of risk management is risk containment rather than complete removal of all risk.
The eradication of business risk is both impractical and unprofitable. The major purpose of risk
management is not, therefore, the total elimination of all uncertain events. While avoidable risks need
to be minimised, the essence of risk management is to control and insure against the adverse impact of
risk on the attainment of company objectives and on shareholders' interests. Turnbull identifies these
control objectives as:
The time and effort spent in developing risk management strategies along the lines that Turnbull
suggests should have a positive benefit for corporate operations. According to Alnoor Kara, a risk
analysis specialist with KPMG, companies often expose themselves to unnecessary risks and limit
returns to shareholders because their specific risk analysis systems are not linked together or integrated
with general management systems.15 This separation can seriously limit risk management responsiveness
to changing external and internal business conditions, because, although each risk category
(financial, operational, corporate, etc.) may be handled well, the company fails to develop an overall
view of risk.
Such failure to develop a corporate-wide concept of risk and risk analysis can inhibit a risk management
system's ability to respond to the dynamic nature of corporate risk, which results from changing
external and internal business conditions. This limitation may, in turn, lead to a cautious approach,
with lower shareholder returns, and require additional capital reserves to cover unforeseen risk. A
common theme characterising reviews of disaster case studies is the need to develop a common
perception of the risks facing a corporation, and a common appreciation of risk management strategy
consistent with the organisation's internal control system and business strategy.
Turnbull offers firms the chance to develop integrated risk management processes for their own
corporate (and shareholders') benefit. The Guidance should not be viewed as yet another regulatory
hurdle of corporate governance. Power alludes to the Turnbull Guidance as reflecting an innovation
in regulatory style, which attempts to align corporate and managerial incentives with regulatory
objectives.16 Turnbull moves away from a 'command and control' inspection regime to a more
participatory form of 'enforced self-regulation'. By targeting internal control systems as the
vehicle for risk management, Turnbull reflects a regulatory trend towards working through internal
corporate mechanisms.17 This 'internalisation of regulation' focuses on internal accountability
and responsibility structures as regulatory conduits. Internal agents (directors and managers) are
made directly responsible for specific aspects of risk management.
The process of compliance with Turnbull may provide the best avenue yet for firms to reap the
competitive rewards of an integrative approach to the 'new risk management', a risk management
style that Power characterises as integrative, internalised, anticipatory and self-regulating.18 Under
Turnbull, the integration may operate at two or more levels. First, separate domains and
processes of risk management are brought under the umbrella of organisation-wide risk
management policies. Second, this top-down approach to risk management must then be
integrated into corporate governance and management processes.
Turnbull also internalises risk management, in the sense of embedding the process of regulation
within the 'consciousness' of the organisation. Given the flexibility for design and
implementation of each firm's risk management policy that characterises Turnbull, each firm
must 'own' its own risk management policy and internal control processes. The directors and
managers of each firm are specifically responsible for designing the firm's own risk management
policy and practices, and for judging the efficiency of those processes for themselves. The
regulatory emphasis is on self-assessment of risk management effectiveness. Risk management
now becomes an integral part of corporate governance and management processes.
The regulatory approach of Turnbull may also allow for the view that 'risk' is often socially
constructed by the organisation. Risks and risk occurrence are tangible events. But the manner
in which those risks are conceptualised, described and communicated within the organisation
is unique to each firm. Risks and risk management may influence organisational processes,
but the dynamics of each corporate organisation will also condition organisational perception
and control of risk.
Turnbull also advocates an anticipatory style of risk management. The document emphasises
proactive risk management processes: the need to understand, analyse and control the causes
of adverse events within the firm before those events occur, rather than simply react in their
aftermath. Turnbull emphasises the identification, mapping and control of the causes of risk as
essential to controlling the impact of risk.
Second, the Guidance says little about the actual process of mitigating the adverse impacts of
the risk events that do occur. While this silence may reflect the nature of the underlying corporate
governance Code requirements, it is hardly informative. Corporate flexibility in methods of
regulatory compliance is commendable, but lack of any direction about insurance and mitigation
processes is not. The Guidance is quite prescriptive about risk management and internal control,
but provides scant guidance on the process of protection and insurance. The implicit assumption
seems to be that firms will automatically have a good knowledge of the methods, processes
and products available to 'insure' themselves against negative risk impacts.
In our view this is an unwarranted assumption. The process of hedging against negative risk
impact can be a difficult, potentially costly, and risky exercise for any firm. Things can go
disastrously wrong if minimum mitigation principles are not adhered to. The market for hedging
and insurance systems and products is characterised by innovation, diversity, integration and
flexibility. The range of insurance and risk-hedging products and instruments is expanding rapidly,
especially in the areas of futures, options, synthetic and exotic options, and multi-layered insurance
products. Specialist knowledge of insurance instruments is often required.
Perhaps the Turnbull requirements as to integrated processes for the effective identification,
ranking and measuring of corporate risk and risk impacts need to be complemented by minimum
guidelines and principles on risk mitigation and insurance, if they are to result in actual protection
of shareholders' interests and in corporate competitive advantage.
Conclusion
Time spent on compliance is likely to be rewarding. Effective risk management can give
significant competitive advantage, and more than recoup the costs of compliance. Firms that
implement the Turnbull Guidance should develop an integrated, organisation-wide risk management
culture. Risk management needs to be characterised by: (a) a thorough knowledge of the corporate
risk environment; (b) an ability to identify, assess and deal with risks against commonly agreed levels
of acceptable risk; (c) an understanding of how to control the impacts of actual risks when they occur;
and (d) an ability to respond quickly to changing risk profiles in dynamic environments.
Notes
1 Michael McCrae is Visiting Professor (from the University of Wollongong, Australia) and Lee
Balthazor is Head of the Centre for Project and Quality Management at the Portsmouth Business
School, University of Portsmouth, Furze Lane, Southsea, Hampshire, PO4 8LW. E-mail:
mccrae9@yahoo.com, balthazor@clara.co.uk.
2 Institute of Chartered Accountants in England and Wales (1999a) Internal Control: Guidance for
Directors on the Combined Code. London: ICAEW. The Guidance can be viewed on the ICAEW's
Centre for Business Performance web-site at http://www.icaew.co.uk/internalcontrol/. A brief review
of Turnbull can be found as a news item in Management Accounting (1999), Vol. 77, No. 11, p 62.
3 Institute of Chartered Accountants in England and Wales (1994) Internal Control and Financial
Reporting: Guidance for Directors of Limited Companies Registered in the UK (the Cadbury Code).
London: ICAEW.
4 Financial Services Authority (2000) FSA Listing Rules (the 'Yellow Book'). London: FSA
Publications.
8 Institute of Chartered Accountants in England and Wales (1999b) No Surprises: The Case for
Better Risk Reporting. Report of the Steering Group on the Financial Reporting of Risk. London:
ICAEW.
10 Institute of Chartered Accountants in England and Wales (1997a) Business Risk Management.
Technical Focus Paper, Faculty of Business and Management. London: ICAEW.
11 Institute of Chartered Accountants in England and Wales (1997b) Financial Reporting of Risk:
Proposals for a Statement of Business Risk. Discussion Paper, Steering Group on the Financial
Reporting of Risk. London: ICAEW.
13 Balthazor, L. (1998) Risk Management: Review of Current Practices and Trends. Paper presented
to the Royal Aeronautical Society Conference on Risk Management, London, March.
14 Ibid.
18 Power, op cit.