THE IMPLICATIONS OF THE TURNBULL REPORT FOR BUSINESS CONTINUITY MANAGEMENT
What is Turnbull? Why?
Turnbull recommends adopting a risk-based approach to creating and reviewing the effectiveness of an internal control system. Internal financial control is not enough, by itself. A “tick in the box” approach to risk just creates paperwork for little benefit. However, a vigorous, comprehensive and committed risk management approach protects assets and stakeholders and creates an environment for business success.
Directors need to set business targets to be achieved within different timeframes. They also need to consider risks to the achievement of those objectives. Companies that identify risks early, and take appropriate action, will adapt, survive and prosper. While the concept of risk management may seem negative, identification of risks may lead to identification and exploitation of opportunities. A risk approach identifies market changes, delivery mechanisms and operational process requirements and permits the company to respond to them swiftly, to grasp new opportunities promptly, and so maintain – or increase – competitive edge.
The Turnbull approach is connected, through the Combined Code on Corporate Governance, to the Listing Rule disclosure requirements of the London Stock Exchange. Non-compliance with Turnbull would result in a disclosure on the annual report that could quickly attract adverse media comment and affect share price and credit rating.
The risk management approach supported by Turnbull is equally appropriate to smaller listed companies. New and small companies are challenged to create and maintain a high market capitalisation and attract funds – both made easier by being able to prove strong risk management and internal control.
Its implications for Business Continuity management are profound: it helps further to legitimise and embed many of the processes that BC professionals have been advocating over the years.
The Turnbull Process
High level business goals need to be broken down into, effectively, very specific critical success factors and key performance indicators that can be monitored. However, by the time one identifies that a key performance indicator has not been achieved, it can be too late. So these higher level indicators need to be cascaded down into very specific performance and risk markers. Early warning and reporting mechanisms need to be put in place immediately to highlight any deviation from the performance necessary to achieve the goals.
The focus should be on fulfilling business objectives through improved risk management. Turnbull advocates focus on significant risks – those that could prevent mission and goal achievement. The guidance emphasises a combination of a “top down” approach together with company-wide consultation and a basis of sound risk management and internal control processes and methods.
Where a company is part of a group, “top down” and “bottom up” processes should be synchronised for best effect. Primary focus should be on risks that are significant to the whole group, while also addressing risks that are also significant to each subsidiary.
Turnbull also addresses joint ventures and associates and expects disclosure where these have not been dealt with as part of the group. International operations need to consider cross-border risk.
There are a few keys to success
- Make Turnbull an integral part of the way the business works
- Define clear business objectives – identify specific performance markers
- Focus on significant risks and relevant controls
- Prioritise objectives
- Establish clear risk management policies, methods and controls
- Win commitment at all levels from all involved – consult business-wide
- Allocate risk management responsibilities to individuals
- Continuously monitor actual performance against the performance markers
- Keep Board reports short and simple
- Implement a risk approach as a project
- create a documented project plan
- with a clearly designated individual or team
- Keep things simple
- Once the initial project is over, the Turnbull programme needs to be maintained, continued and developed.
The Risk Assessment
Turnbull and its interpreters advocate a simple methodology for identifying and assessing risk. Risk can be categorised as Business, Financial. Compliance, Operational. Examples of risks in the Financial category could include Liquidity, Market, Overtrading, Interest, Currency, Fraud, Treasury etc. Risks can be priorities by categorising them as:
- High impact, high likelihood
- High impact, low likelihood
- Low impact, High likelihood
- Low impact, low likelihood.
The Board can then determine
- The level of risk they find acceptable, depending on the risk / reward ratio
- The control strategy to avoid or mitigate the risk
- Who is accountable for managing the risk and maintaining controls
- What is the residual risk
- What is the early warning mechanism.
While the Board is overall responsible for a company’s internal control system and policies, Turnbull makes it clear that management is responsible for implementing policies adopted by the Board. Turnbull also refers to board committees (e.g. audit, risk) that could receive and review risk and control reports. It is responsibility of management to identify and manage risks, while a board committee could be responsible for monitoring risk and control, based on reports to them from management.
Many of the basics of good risk management and internal control may have already been put in place by Business Continuity Managers, Risk Managers, Compliance, Operational Risk and Internal Audit functions, among others. But what Turnbull brings to the party is the increasing emphasis on a holistic approach to risk – an acceleration of what, last year we were calling “the emergence of convergence” of the various risk management activities into a single integrated whole. That has to be good news for business continuity – and therefore for those companies that embrace Turnbull in spirit as well as letter.
© Andrew Hiles 2001