Browse Risk Management

Turnbull Report

Turnbull Report is a risk-governance concept used to assign oversight, accountability, and risk-management responsibilities.

The Turnbull Report, officially titled “Internal Control: Guidance for Directors on the Combined Code,” was first issued in 1999. Prepared by a working party of the Institute of Chartered Accountants in England and Wales (ICAEW) and endorsed by the London Stock Exchange, this report provides essential guidance to the directors of UK-listed companies regarding risk management and internal controls.

Key Revisions

  • 2005: The guidelines were revised to incorporate feedback and evolving practices in corporate governance.
  • 2014: The Financial Reporting Council (FRC) issued an expanded document that superseded the Turnbull Report, providing a more comprehensive set of guidelines.

Risk Management

Risk management encompasses identifying, evaluating, and managing risks to achieve business objectives. The Turnbull Report stresses a proactive approach to risk management, urging companies to integrate it into their strategic planning processes.

Internal Controls

Internal controls are mechanisms put in place to ensure the integrity of financial reporting, compliance with laws and regulations, and effective and efficient operations. The report emphasizes that directors should regularly review the effectiveness of these controls.

Risk Management Cycle

The risk management cycle includes identification, assessment, response, monitoring, and reporting.

Internal Control Components

According to the Turnbull Report, effective internal control systems should have the following components:

  • Control Environment: The overall atmosphere created by an organization’s governance and management.
  • Risk Assessment: Identifying and analyzing risks that may prevent achieving objectives.
  • Control Activities: Policies and procedures to address risks.
  • Information and Communication: Ensuring relevant information is communicated in a timely manner.
  • Monitoring: Regularly assessing the performance of internal controls.

Importance

The Turnbull Report remains crucial for the following reasons:

  • Enhancing Corporate Governance: It provides a structured framework to ensure accountability and transparency.
  • Risk Mitigation: By offering guidelines on risk management, the report helps companies anticipate and address potential issues.
  • Regulatory Compliance: Helps companies stay compliant with statutory requirements, thus avoiding penalties.

Practical Implementation

Companies such as Tesco and Barclays have adopted the Turnbull principles to strengthen their internal control systems, resulting in improved governance and reduced incidents of fraud and financial misstatement.

Considerations

While implementing the Turnbull guidelines, companies should consider:

  • Tailoring to Organizational Size: Customizing the guidance based on company size and complexity.
  • Regular Reviews: Continuously updating risk management and internal control practices to adapt to changing business environments.

Turnbull Report vs. Sarbanes-Oxley Act (SOX)

While both documents aim to improve corporate governance, the Sarbanes-Oxley Act is a US federal law with mandatory provisions, whereas the Turnbull Report is a set of guidelines for UK companies.

What To Verify

Verify Turnbull Report against exposure reports, loss history, limits, control tests, hedge files, stress cases, and escalation records. Turnbull Report matters when probability, severity, concentration, capital, reserves, or the response threshold changes.

Control Point

The control point for Turnbull Report is the risk response it triggers: limit, control, hedge, reserve, capital, monitoring, escalation, or disclosure. Turnbull Report matters when exposure changes enough to require a different owner, metric, threshold, or mitigation step. Before relying on Turnbull Report, identify the risk register, limit framework, scenario, and escalation path affected. If no response changes, keep it as taxonomy rather than a live risk-management input.

Use Boundary

The use boundary for Turnbull Report is reached when exposure, metric, limit, hedge, reserve, capital, monitoring, escalation, and disclosure are unchanged. In that case, keep the term as risk taxonomy rather than a reason to change controls.

The evidence link for Turnbull Report is the exposure report, limit file, control test, hedge record, scenario analysis, reserve support, escalation log, or disclosure workpaper. Without that link, Turnbull Report should not support a changed risk response.

Risk Check

The risk check for Turnbull Report is whether a risk label has an owner and trigger. Test exposure measure, limit, control effectiveness, hedge coverage, reserve support, escalation path, reporting cadence, and whether management would act when the metric moves.

Decision Evidence

Decision evidence for Turnbull Report should show exposure measure, limit, owner, control test, hedge record, scenario result, escalation path, and reporting cadence. Turnbull Report can change risk management only when those facts alter the response or monitoring threshold.

Review Evidence

Review evidence for Turnbull Report should make the risk-management evidence traceable, not just definitional. For Turnbull Report, tie the evidence to the exposure report, model output, limit framework, incident record, and control assessment and explain why that evidence is reliable enough for the finance decision.

Before relying on Turnbull Report, document the decision context: the measurement date, stress window, lookback period, and scenario assumptions. Keep the Turnbull Report evidence trail visible: model validation, limit approval, escalation record, hedge documentation, and residual-risk owner. In Risk Management work, Turnbull Report matters when it changes loss estimates, capital allocation, hedging decisions, liquidity planning, or control priorities.

  • Source: cite the record, filing, contract, model input, system log, or policy that supports Turnbull Report.
  • Timing: record when Turnbull Report is measured: date, period, jurisdiction, market condition, or processing window that could change the financial conclusion.
  • Boundary: distinguish Turnbull Report from nearby concepts that require different evidence or support a different finance decision.
  • Decision use: identify the approval, valuation input, allocation step, control, disclosure, or risk decision affected if the evidence for Turnbull Report were different.

The practical risk for Turnbull Report is that risk-management terms can hide model and control assumptions unless evidence identifies exposure, horizon, severity, and ownership. If those facts are unavailable, keep Turnbull Report in the explanatory layer instead of treating it as decision-grade evidence.

Decision Workflow

Use Turnbull Report as a decision workflow, not a static glossary label: define the finance meaning, verify the evidence, and identify which conclusion changes. Start by linking Turnbull Report to exposure, model assumption, loss horizon, limit use, control owner, and escalation trigger. Only after those checks should Turnbull Report influence a risk decision.

For Turnbull Report, confirm the source record, the date or jurisdiction that could change the answer, and the finance decision affected if the evidence were wrong. If those checks are incomplete, keep Turnbull Report as explanatory context rather than a decisive input.

FAQs

What is the main purpose of the Turnbull Report?

To provide guidance on risk management and internal control practices for UK-listed companies, ensuring robust corporate governance.

How often should companies review their internal controls?

The Turnbull Report recommends regular reviews to ensure effectiveness and responsiveness to changing risks and business environments.

Practical Use

Risk teams use Turnbull Report to identify exposures, controls, limits, stress scenarios, capital needs, insurance or hedging choices, and reporting responsibilities.

Practical Example

A risk review would map Turnbull Report to the source of exposure, loss pathway, control owner, measurement method, escalation trigger, and mitigation option.

Decision Check

Ask whether Turnbull Report changes probability of loss, severity, control effectiveness, capital requirement, hedge need, or reporting obligation.

Watch For

Risk terms can describe either the exposure or the control. Distinguish the source of risk from the tool used to measure or mitigate it.

Interpretation Note

Interpret Turnbull Report as decision evidence, not just a definition. Its weight depends on the transaction, measurement date, jurisdiction, market conditions, and whether Turnbull Report changes cash flow, risk allocation, reported performance, controls, or investor behavior.

Finance Context

The finance relevance comes from loss probability, severity, controls, capital, hedging, liquidity, reporting, and governance.

Common Confusion

Do not confuse Turnbull Report with risk elimination. Most risk-management tools change measurement, transfer, monitoring, or mitigation, not the existence of uncertainty.

Where It Shows Up

Turnbull Report appears in risk registers, stress tests, limit frameworks, model documentation, insurance reviews, hedge memos, and board risk reports.

Analyst Takeaway

Treat Turnbull Report as decision-useful only when it changes a forecast, contractual right, accounting result, tax outcome, market price, liquidity need, or risk-control action. If those items do not change, Turnbull Report is descriptive rather than analytical evidence.

  • Combined Code: The initial set of principles and guidelines on corporate governance for UK companies.
  • Cadbury Report: A precursor to the Turnbull Report, focusing on corporate governance best practices.
  • Financial Reporting Council (FRC): The UK regulatory body that oversees corporate governance and financial reporting.
Revised on Sunday, June 21, 2026