Integrating Risk Management into Corporate Governance: The Turnbull Guidance

Author(s): Michael McCrae and Lee Balthazor

Source: Risk Management, Vol. 2, No. 3 (2000), pp. 35-45
Published by: Palgrave Macmillan Journals
Stable URL: http://www.jstor.org/stable/3867838
Accessed: 30-10-2017 04:18 UTC

JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide
range of content in a trusted digital archive. We use information technology and tools to increase productivity and
facilitate new forms of scholarship. For more information about JSTOR, please contact support@jstor.org.

Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at
http://about.jstor.org/terms

Palgrave Macmillan Journals is collaborating with JSTOR to digitize, preserve and extend
access to Risk Management

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
 Risk Management: An International Journal

Integrating Risk Management into Corporate

Governance: The Turnbull Guidance

Michael McCrae and Lee Balthazorl

The Turnbull Guidancefor directors on corporate governance recently issued by the

Institute of Chartered Accountants of England and Wales (ICAEW) now requires
directors of UK listed companies to develop a corporate-wide, risk management
approach to internal control, as an integral part of corporate governance policies
and systems. Risk management is an established corporate governance feature in
many areas; but current practices in investment appraisal, project, and health and
safety management often lack integration, common guiding principles, and consistency
in standards or coverage. Turnbull aims to change this by making directors specifically
accountable for developing organisation-wide risk management policies and for
implementing integrated, inclusive and dynamic risk management strategies. In this
article, the objectives of the Turnbull Guidance and its approach to risk and risk
management are examined. The specific responsibilities placed upon directors and
managers are identified and discussed, andfour supplementary sources of authoritative
supportfor directors available from the ICAEW are suggested. Finally, it is suggested
that Turnbulls innovative approach to regulation and risk management may offer
substantive competitive advantage for complying corporations.

Key Words: Turnbull Report; corporate risk; corporate governance;

risk management; internal control

Introduction

Any lingering doubts in UK corporate boardrooms about the necessity of risk management as an
integral part of normal governance processes has just been removed by the Turbull Report (1999)
on Internal Control: Guidance for Directors on the Combined Code 1.2 This 'Turnbull Guidance'
on corporate governance (recently issued by the Institute of Chartered Accountants in England and
Wales (ICAEW) working party, chasired by Nigel Tumbull) now requires UK listed companies to
develop an organisation-wide, risk management approach to internal control as an integral part of
corporate governance policies and systems. The report aims to provide guidance to assist directors
and managers of companies in implementing principle D2 of the Combined Code on Corporate
Governance.3 It replaces the previous 'Rutterman' guidance on Internal Control and Financial
Reporting.

The Guidance uses interal control systems to protect shareholders' interests. But, while the report
focuses on a risk-based approach to interal control systems, the real thrust is about embedding risk
management within corporate governance processes. The Guidance clarifies and prescribes the
respective roles of the board, its committees and management in implementing risk management
through internal control policies and systems. It crystallises the boardroom responsibilities for risk
management, risk control and systems effectiveness reporting alluded to in the ICAEW's 'Cadbury
Code' (1994) and outlined in the Stock Exchange Listing Rules (the 'Yellow Book').4 Tumbull

Copyright © 2000 Perpetuity Press Ltd Page 35

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
Risk Management: An International Journal

embodies the principle that boards and managers are directly accountable to shareholders for the
effective management and control of their corporate risk exposures.

The control of corporate exposure to risks in various areas is a well-established practice. Risk
assessment of outcome variability under alternative investment strategies is a long-standing feature
of investment appraisals. Similarly, the duty of care placed on organisations and individuals in
the health and safety area has forced systematic reviews of potential workplace hazards and the
precise definition of responsibilities. In recent years, cost and time overruns in project management
have forced the development of techniques for the systematic management of project risk,
particularly in the defence industry.

None of this is new, but the Turbull requirement for a holistic approach that integrates these
separate areas, under a corporate risk management policy, into core corporate governance processes
is a regulatory innovation. Past practice has often lacked the application of organisation-wide
risk management policies-a top-down approach that starts at board level and integrates all
levels and areas of risk management throughout the organisation. The Turbull Guidance provides
a timely opportunity to redress the balance and create competitive advantage.

This article looks at how Turnbull interprets the specific requirements and compliance
responsibilities of directors and managers, in respect of risk management, under the provisions
of the Combined Code. We explore the context and objectives of the Turnbull Report and identify
those responsibilities in relation to policy development, risk assessment and reporting. We then
identify four supplementary sources of guidance in compliance that directors and managers will
want to consult-especially in the area of reporting on risk management policies. Finally, we
examine Turnbull's innovative regulatory approach, one that attempts to align regulatory purposes
with corporate objectives and encourages an integrated approach to corporate risk management.

The specific responsibilities of directors and managers on risk management

Although labelled 'Guidance for Directors', the Turnbull Report goes beyond suggestion to
definitive interpretation of the Code on several issues. It specifically defines directors'
responsibilities for risk management, and identifies the division of responsibilities between
directors and managers. Whereas the Code refers to general 'corporate responsibility' for
development, implementation and reporting on risk management policy, the Guidance identifies
specific responsibilities and requirements on directors and managers.

In addition, the scope of Turnbull goes beyond its specific context of the Code's requirement for
developing and reporting on risk-based approaches to internal control. The Guidance effectively
encompasses directors' and managers' responsibilities in the areas of corporate risk management
policy, strategy, practice and reporting, as reflected in Table 1 below.

The Guidance requires directors and managers to identify, evaluate and manage their significant
risks. They must regularly review the effectiveness of internal control systems in managing key
risks and report on this in their annual report.

In effect, Turnbull makes directors directly responsible for initiating the foundations of a systematic
approach to corporate risk management and of risk-based approaches to internal control, in four
areas. First, directors must ensure that an organisation-wide risk management policy is formulated,
then communicated, accepted and implemented as a corporate policy throughout the organisation.
Second, directors are also responsible for the implementation of these policies through internal
control systems that provide the capacity to monitor the corporate risk environment continuously.

Page 36 Michael McCrae and Lee Balthazor

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
 Risk Management: An International Journal

Third, they must then ensure periodic effectiveness reviews are carried out to quality-assure the
processes. Finally, directors are responsible for providing annual reports to shareholders, both on
the risk policies and on risk management effectiveness.

Table I. Required elements in acceptable approaches to corporate

risk management: the Turnbull Guidance

1. Development of accepted corporate policies for risk management.

2. Implementation of accepted risk management policies through risk-based internal control

systems capable of continuously monitoring the corporate internal and external risk
environment.

3. Periodic reviews of the risk-based IC systems (at least annually) to quality-assure on-going
effective control of organisation-wide risk in a dynamic environment.

4. Annual reports of compliance on risk management policies and effective risk management,
with reasons for any non-compliance.

Policy

In the Turnbull Guidance an integrated approach to risk management starts with the required
development of an organisation-wide policy for risk management and risk-based internal control.
Directors and managers now have a duty to develop and implement comprehensive, integrated
risk management policies as an integral part of corporate governance processes and associated
risk-based approaches to internal control systems. This policy will identify the fundamental
principles, requirements and practices that serve as a foundation for all risk management practice
throughout the organisation.

In a top-down approach to risk management, these common principles, requirements and standards
of practice then form a template for the design and development of risk policies in the various
areas of risk management that constitute the total, organisational risk management environment.
Turbull requires directors to consider a broad range of elements in shaping their risk management
policy (see Table 2 below).

Table 2. Elements for directors' consideration in forming risk management policy:

the Turnbull Guidance

1. The objectives of risk management.

2. The nature and extent of risks facing the company.

3. The level of acceptable risk.

4. The company's ability to reduce the incidence and impact of risks that materialise.

5. The relationship of risk management strategy to other management and governance strategies.

6. The major implementation methods for risk management.

7. The choice between risk mitigation alternatives.

8. The cost-benefit trade-offs of managing related risks.

Michael McCrae and Lee Balthazor Page 37

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
Risk Management: An International Journal

38The integration aspect of policy operates at two levels. First, risk management and risk-
based approaches to internal control in all areas of corporate risk assessment must be
subsumed within an organisation-wide risk management policy and strategy. Second, these
policies must be integrated into the normal management and governance processes. From
January 2001, risk management will be an integral (and indispensable) part of expected
corporate governance processes for all companies listed on the London Stock Exchange.

Integrated policy development will not be easy for some companies that traditionally manage
their major risk exposures as separate operations. Skills development and compromise in
property rights are immediate challenges. Some companies may need to re-examine their
whole risk management philosophy in order to bring their diverse areas of risk control
together, under common principles, objectives and standards of practice that embrace the
whole organisation. But common principles, objectives and standards can be the basis of
consistent and dynamic risk control-a common foundation that engenders organisation-
wide confidence in very disparate areas of risk management. Risk managers have a greater
chance of innovation and dynamic control when consistent, clear ground rules and policy
support them.

Strategy

With risk management policy in place, directors and managers must then design their corporate
risk management strategies (long-term) and plans (immediate actions). Risk management
strategy refers to the implementation of all those measures necessary for determining a
reasonable and acceptable level of corporate risk, and then for managing corporate activities
so as to avoid exceeding that level. Risk management processes usually contain at least four
phases, as set out in Table 3 below.

Table 3. The four phases of risk management

Phase 1. Risk identification: identifying those risks which, associated with corporate
activities, may prevent or hinder achievement of corporate objectives.

Phase 2. Risk analysis: determining the probability of occurrence, likely impact and timing
of significant risks.

Phase 3. Risk planning: preparing plans for containing the level of risk, and assessing its
potential impact within reasonable and acceptable limits.

Phase 4. Risk management: carrying out the management activities required for effective
and efficient implementation of plans.

The risk management strategy defines the way in which risk management is to be conducted
throughout the firm and sets out the reasons for this. It also describes the inter-relationships
between a risk-based approach to internal control systems and the other management and
governance systems and policies within the firm. Thus it describes how the risk management and
internal control plans fit into the overall management and governance plans. Turnbull stresses
the need to manage risk against corporate policy benchmarks of acceptable risk levels.

Page 38 Michael McCrae and Lee Balthazor

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
 Risk Management: An International Journal

Flexibility in compliance

While Turnbull spells out the specific responsibilities of directors and management, the Guidance5
also retains the independence that the provisions of the Cadbury Code give to individual
companies;6 both the the 'Yellow Book'7 and the Guidance reflect this approach. The Guidance
allows directors maximum flexibility to develop corporate risk strategies, including self-assessment
of risks and risk control effectiveness.

The price for this self-assessment flexibility is an onus of proof on directors to show that their
policies and systems satisfy the London Stock Exchange compliance requirements, and that their
risk management strategies are adequate, appropriate and effective. Faced with these pressures,
directors will need to familiarise themselves with the provisions of the Turnbull Guidance and
the associated concepts and principles of corporate risk management. Given the critical need to
satisfy the investment stakeholder, this is likely to be a key incentive for directors to maintain or
improve corporate share prices.

Substantive compliance

Furthermore, directors will need to demonstrate substantive compliance with all the new Corporate
Governance Code requirements. The Guidance is meant to encourage best practice in risk
management and internal control by making directors and managers directly accountable for the
integration of risk management into corporate culture and governance processes. Attempts at
regulatory compliance with no substantive introduction of organisation-wide risk management
will not suffice. Static annual checklists of compliance are also insufficient. Risk management
must be a continuous monitoring process, capable of the identification, analysis and control of
changing patterns of corporate risk in dynamic organisational and operational environments.
Internal control systems must be capable of responding to changing risks both within and outside
the company.

Effectiveness review and risk management reporting

Directors must ensure that the corporate risk management process and internal control systems
are regularly reviewed to ensure their effectiveness. Effectiveness is measured in terms of system
ability to 'control' risk. As a minimum, this concept requires that the internal control systems can
(a) identify, assess and prioritise risks, (b) compare them to predetermined levels of acceptable
risk, and (c) reduce the incidence and impact of the effects of actual risks on the achievement of
corporate objectives and shareholders' interests. The emphasis here is upon the ability of risk
management systems to monitor the internal and external corporate environment continually,
and to respond to dynamic changes in risk profiles and impacts caused by internal and external
changes in that environment-on an organisation-wide basis.

The Turnbull Guidance requires the submission of regular reports (usually annual) to shareholders,
but it does not prescribe the form or content of the annual statements to shareholders about risk
management compliance. Directors are free to explain their risk governance policies, and any
special circumstances that caused them to adopt a particular approach. An appendix to the Guidance
contains a list of broad-ranging questions for the board to consider and discuss with management
when carrying out its annual assessment of internal control. However, given the similarities
between the Turnbull Guidance and the ICAEW's recent discussion paper on the financial reporting
of risk,8 directors will reasonably assume that the 'Statements on Risk' templates in the ICEAW
document make an authoritative starting-point for their own statements.

Michael McCrae and Lee Balthazor Page 39

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
Risk Management: An International Journal

Judgement by directors and managers

Turnbull emphasises the need for directors and managers to exercise judgement when developing
an integrated, organisation-wide approach to risk analysis and control. Comprehensive risk analysis
and control can be a costly process. Time and money spent preparing for a risk are often seen as
wasted if the risk in question fails to materialise. To minimise this likelihood, Turnbull expects
directors and managers to exercise judgement based on the cost/benefit trade-off between three
factors: the expected impact if the risk materialises, the probability of the risk occurring, and the
cost of underwriting (controlling) the risk.

For instance, selling stock-index options may insure corporate portfolio values against substantive
share market corrections. But options cover can be expensive-significant cover for a relatively
short period of time may cost up to five-seven per cent of portfolio value. Two or three repetitions
can seriously eat into investment profits if the correction does not materialise. So, rather than use
derivatives, corporate managers may use other, less costly means of protection, such as strategic
sector and market allocation.

The point is that risk management is inevitably a trade-off. Complete risk coverage or risk
elimination is uneconomic. Zero tolerance of risk is an impractical and unprofitable policy
objective. Turnbull stresses the need to manage risk against corporate policy benchmarks of
acceptable risk levels. Managers must decide what risk levels they will accept on a cost/benefit
basis, and then identify and prioritise risk exposures against these benchmarks, so that risk
management dollars can be concentrated into areas where the risk of loss is most significant.

Further assistance in implementing Turnbull

The combination in Turbull of a corporate perspective on risk, and of almost complete flexibility
in risk management design, implementation and reporting, may leave many directors and managers
wondering how to deal with the specifics of an integrated risk management strategy. Fortunately,
the ICAEW has recently produced several papers and reports that will be required reading when
implementing the Turnbull recommendations.

The ICAEW's Boardroom Briefing

As a direct supplement to Turbull, the ICAEW has published a briefing document,9 to be read in
conjunction with Turnbull, which sets out a number of practical, straightforward steps towards
implementing Turnbull and 'good' risk management practices. It contains a number of examples
and case studies that directly focus on smaller listed companies.

The ICAEW's Technical Focus paper

An introduction to the elements of an integrated approach to risk management are well set out in
a recent ICAEW paper on business risk management.'0 This paper provides advice on the process
of managing corporate risk. In particular, it examines the internal process a company needs to go
through to assess its management of risk.

ICAEW's proposals for risk reporting

Once this internal review process is worked through, the Turnbull Guidance specifies certain
minimum disclosure requirements aimed at providing high-level information on risk that does not
mislead. Two further ICAEW publications provide a valuable source of guidance on how to improve

Page 40 Michael McCrae and Lee Balthazor

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
 Risk Management: An International Journal

the reporting of corporate risk and risk management. The first is a discussion paper on proposals for
the financial reporting of risk, which suggests that business risk statements in annual reports should
identify, measure and prioritise risks, as well as describe the actions taken to manage each risk."

The paper sets out, in step-by-step form, a basic reporting framework to assist an enterprise
preparing a statement of business risk. The framework covers the considerations that are relevant
to reporting a company's key risks and to the actions taken to manage them. It suggests a process
of risk mapping and information filtering to identify and rank key risks and to determine what
information to report about them.

ICAEW's No Surprises report

This second paper also provides useful material about reporting on corporate risk and risk
management policies and procedures.12 The report provides a comprehensive review of risk and
of current risk reporting practices reflected in the prospectuses of companies listed on the London
Stock Exchange during 1998. The report recommends that the risk management reporting standards
applied to prospectuses should also apply to disclosure in annual financial statements. It reviews
a sample of risk-related disclosures in corporate prospectuses, and then provides practical advice
on how listed companies might better report their corporate risks and risk management practices.

The position of these documents in compliance terms is likely to be substantive when directors and
managers put Tumbull into practice. Tumbull is quite prescriptive on what action should be taken
in a risk-based approach to internal control and on who should make sure such action is taken. But
Turbull's independence and flexibility where individual corporate risk management is concerned
mean that almost no guidance is given on how actions should be taken to ensure compliance.

These four publications can help. All four originate from the same accounting body that produced
the Turnbull Guidance, have been published in the last three years and so are reasonably
contemporaneous to Turnbull. It is reasonable to assume that they represent authoritative sources
of advice for directors and managers who seek guidance when exercising the flexibility that
Turnbull gives in the various areas of risk policy, practice and reporting.

Turning compliance to competitive advantage

Turnbull takes a broad perspective on risk. Risks are characterised as reasonably foreseeable
events or situations that prevent or hinder achievement of corporate objectives, or which pose
threats to shareholders' interests. They represent exposure to adverse consequences, financial or
physical, as a result of either corporate decision-making or the operational environment. This
definition reflects generally accepted concepts of the nature of business risks.13 Risks carry the
connotation of negative or adverse impacts for the organisation and shareholders, and Turnbull
identifies and focuses on three aspects of these impacts. When they occur, risk events may operate
(a) to reduce profitability, (b) to hinder the attainment of corporate objectives, and/or (c) to
reduce the value of shareholders' interests in some way. Risks may affect both the balance sheet
and/or the profit and loss situation.

But risks also offer opportunities for enterprise.'4 Turnbull also views risk-taking as an integral
part of profit-making activity; a willingness to undertake calculated risk and exposure to uncertainty
is often a pre-condition for corporate profit-making and for the attainment of corporate objectives.
The objective of risk management is risk containment rather than complete removal of all risk.
The eradication of business risk is both impractical and unprofitable. The major purpose of risk
management is not, therefore, the total elimination of all uncertain events. While avoidable risks need

Michael McCrae and Lee Balthazor Page 41

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
Risk Management: An International Journal

to be minimised, the essence of risk management is to control and insure against the adverse impact of
risk on the attainment of company objectives and on shareholders' interests. Turnbull identifies these
control objectives as:

* safeguarding shareholders' investment and company assets;

* preventing and detecting fraud;

* avoiding unnecessary exposure to risks;

* identifying and managing liabilities.

Integrated risk management

The time and effort spent in developing risk management strategies along the lines that Turbull
suggests should have a positive benefit for corporate operations. According to Alnoor Kara, a risk
analysis specialist with KPMG, companies often expose themselves to unnecessary risks and limit
returns to shareholders because their specific risk analysis systems are not linked together or integrated
with general management systems.5 This separation can seriously limit risk management responsiveness
to changing external and internal business conditions, because, although each different risk category -
financial, operational, corporate, etc-may be handled well, the company fails to develop an overall
view of risk.

Such failure to develop a corporate-wide concept of risk and risk analysis can inhibit a risk management
system's ability to respond to the dynamic nature of corporate risk, which results from changing
external and internal business conditions. This limitation may, in turn, lead to a cautious approach,
with lower shareholder returns, and require additional capital reserves to cover unforeseen risk. A
common theme characterising reviews of disaster case studies is the need to develop a common
perception of the risks facing a corporation, and a common appreciation of risk management strategy
consistent with the organisation's internal control system and business strategy.

An innovative regulatory approach

Turnbull offers firms the chance to develop integrated risk management processes for their own
corporate (and shareholders') benefit. The Guidance should not be viewed as yet another regulatory
hurdle of corporate governance. Power alludes to the Turnbull Guidance as reflecting an innovation
in regulatory style, which attempts to align corporate and managerial incentives with regulatory
objectives.16 Turbull moves away from a 'command and control' inspection regime to a more
participatory form of 'enforced self-regulation'. By targeting internal control systems as the
vehicle for risk management, Turnbull reflects a regulatory trend towards working through internal
corporate mechanisms.17 This 'internalisation of regulation' focuses on internal accountability
and responsibility structures as regulatory conduits. Internal agents (directors and managers) are
made directly responsible for specific aspects of risk management.

Taking advantage of the new risk management

The process of compliance with Turnbull may provide the best avenue yet for firms to reap the
competitive rewards of an integrative approach to the 'new risk management' -a risk management

Page 42 Michael McCrae and Lee Balthazor

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
 Risk Management: An International Journal

style that Power characterises as integrative, internalised, anticipatory and self-regulating.18 Under
Turnbull, the integration may operate at two or more levels. First, separate domains and
processes of risk management are brought under the umbrella of organisation-wide risk
management policies. Second, this top-down approach to risk management must then be
integrated into corporate governance and management processes.

Turnbull also internalises risk management, in the sense of embedding the process of regulation
within the 'consciousness' of the organisation. Given the flexibility for design and
implementation of each firm's risk management policy that characterises Turnbull, each firm
must 'own' its own risk management policy and internal control processes. The directors and
managers of each firm are specifically responsible for designing the firm's own risk management
policy and practices, and for judging the efficiency of those processes for themselves. The
regulatory emphasis is on self-assessment of risk management effectiveness. Risk management
now becomes an integral part of corporate governance and management processes.

The regulatory approach of Turnbull may also allow for the view that 'risk' is often socially
constructed by the organisation. Risks and risk occurrence are tangible events. But the manner
in which those risks are conceptualised, described and communicated within the organisation
is unique to each firm. Risks and risk management may influence organisational processes,
but the dynamics of each corporate organisation will also condition organisational perception
and control of risk.

Turnbull also advocates an anticipatory style of risk management. The document emphasises
proactive risk management processes-the need to understand, analyse and control the causes
of adverse events within the firm before those events occur, rather than simply react in their
aftermath. Turnbull emphasises the identification, mapping and control of the causes of risk as
an essential factor in risk mitigation impact control.

The risks of regulation

From an operational viewpoint, Turnbull is perhaps deficient in two areas-the competitive

advantage of compliance, and the process of risk impact mitigation. Little stress is laid on the
positive competitive advantages for the firm which develops an integrated approach to risk
management policy and strategy on an organisation-wide basis. The Guidance does not 'sell'
the operational and competitive benefits of risk-based approaches to internal control and risk
management. Despite the genesis of an alternative regulatory style contained in Turnbull, the
objective of the report seems to be on risk management compliance as an insurance against
negative impacts on shareholders' interests and on the achievement of company objectives.
The negative connotations are perhaps understandable in regulation aimed at establishing
minimum standards of corporate governance. Unfortunately, the Guidance largely neglects to
explain the substantial competitive advantage and enhanced achievement of corporate objectives
that make risk management worthwhile from a financial perspective.

Second, the Guidance says little about the actual process of mitigating the adverse impacts of
the risk events that do occur. While this silence may reflect the nature of the underlying corporate
governance Code requirements, it is hardly informative. Corporate flexibility in methods of
regulatory compliance is commendable, but lack of any direction about insurance and mitigation
processes is not. The Guidance is quite prescriptive about risk management and internal control,
but provides scant guidance on the process of protection and insurance. The implicit assumption
seems to be that firms will automatically have a good knowledge of the methods, processes
and products available to 'insure' themselves against negative risk impacts.

Michael McCrae and Lee Balthazor Page 43

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
Risk Management: An International Journal

In our view this is an unwarranted assumption. The process of hedging against negative risk
impact can be a difficult, potentially costly, and risky exercise for any firm. Things can go
disastrously wrong if minimum mitigation principles are not adhered to. The market for hedging
and insurance systems and products is characterised by innovation, diversity, integration and
flexibility. The range of insurance and risk-hedging products and instruments is expanding rapidly,
especially in the areas of futures, options, synthetic and exotic options, and multi-layered insurance
products. Specialist knowledge of insurance instruments is often required.

Perhaps the Turbull requirements as to integrated processes for the effective identification,
ranking and measuring of corporate risk and risk impacts need to be complemented by minimum
guidelines and principles on risk mitigation and insurance, if they are to result in actual protection
of shareholders' interests and in corporate competitive advantage.

Conclusion

The compliance time-frame is short. Companies will be expected to establish procedu

risk-based internal control systems in respect of accounting periods ending on or after 23 D
1999, and to produce compliance reports a year later. Immediate risk management plan
required by directors and boards if they are to meet ICAEW and London Stock E
requirements for compliance with the Guidance.

Turbull reflects a distinctive regulatory approach to incorporating risk management into c

governance processes. The aim is to embed risk management practices in the culture and
an organisation, by creating an organisation-wide approach, through commonly agreed
that links together all areas of risk management. Flexibility and self-assessment in the com
regime aim at making individual firms 'own' responsibility for their risk management
The identification of specific responsibilities for directors and managers, and a focus on
control systems, further serve to achieve regulatory purposes through the internal organi
processes of the firm. Compliance will be no easy task for many firms, but the poten
increasing competitive advantage and profitability through integrated risk manageme
and practice may make the exercise attractive to many directors and general managers.

Time spent on compliance is likely to be rewarding. Effective risk management can give
significant competitive advantage, and more than re-coup the costs of compliance. Firms th
and implement the Tumbull Guidance should develop an integrated, organisation-wide risk man
culture. Risk management needs to be characterised by: (a) a thorough knowledge of the co
risk environment; (b) an ability to identify, assess and deal with risks against commonly agr
of acceptable risk; (c) an understanding of how to control the impacts of actual risks when they
and (d) an ability to respond quickly to changing risk profiles in dynamic environments.

Notes

1 Michael McCrae is Visiting Professor (from the University of Wollongong, Australia) and Lee
Balthazor is Head of the Centre for Project and Quality Management at the Portsmouth Business
School, University of Portsmouth, Furze Lane, Southsea, Hampshire, P04 8LW. E-mail:
mccrae9@yahoo.com, balthazor@clara.co.uk.

2 Institute of Chartered Accountants in England and Wales (1999a) Internal Control: Guidance for
Directors on the Combined Code. London: ICAEW. The Guidance can be viewed on the ICAEW's
Centre for Business Performance web-site at http:/lwww.icaew.co.uk/internalcontroll. A brief review
of Turnbull can be found as a news item in Management Accounting (1999), Vol. 77, No. 11, p 62.

Page 44 Michael McCrae and Lee Balthazor

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms
 Risk Management: An International Journal

3 Institute of Chartered Accountants in England and Wales (1994) Internal Control and Financial
Reporting: Guidancefor Directors of Limited Companies Registered in the UK (the Cadbury Code).
London: ICAEW.

4 Financial Services Authority (2000) FSA Listing Rules (the 'Yellow Book'). London: FSA
Publications.

5 Institute of Chartered Accountants in England and Wales (1999a) op cit.

6 Institute of Chartered Accountants in England and Wales (1994) op cit.

7 Financial Services Authority, op cit.

8 Institute of Chartered Accountants in England and Wales (1999b) No Surprises: The Case for
Better Risk Reporting. Report of the Steering Group on the Financial Reporting of Risk. London:
ICAEW.

9 Institute of Chartered Accountants in England and Wales (1999c) Implementing Turnbull:

Boardroom Briefing. London: Centre for Business Performance, ICAEW.

10 Institute of Chartered Accountants in England and Wales (1997a) Business Risk Managemen
Technical Focus Paper, Faculty of Business and Management. London: ICAEW.

11 Institute of Chartered Accountants in England and Wales (1997b) Financial Reporting of Ris
Proposals for a Statement of Business Risk. Discussion Paper, Steering Group on the Financia
Reporting of Risk. London: ICAEW.

12 Institute of Chartered Accountants in England and Wales (1999b) op cit.

13 Balthazor, L. (1998) Risk Management: Review of Current Practices and Trends. Paper presented
to the Royal Aeronautical Society Conference on Risk Management, London, March.

14 Ibid.

15 Kara, A. (1999) Too Limited Risk Management? British Mana

p4.

16 Power, M. (1999) Inaugural Lecture, Centre for Risk and Regu

17 Hutter, B. and Power, M. (1999) Risk Management and Busines

Vol. 1, No. 1.

18 Power, op cit.

Michael McCrae and Lee Balthazor Page 45

This content downloaded from 152.118.117.199 on Mon, 30 Oct 2017 04:18:45 UTC
All use subject to http://about.jstor.org/terms