Turnbull Report is a risk-governance concept used to assign oversight, accountability, and risk-management responsibilities.
The Turnbull Report, officially titled “Internal Control: Guidance for Directors on the Combined Code,” was first issued in 1999. Prepared by a working party of the Institute of Chartered Accountants in England and Wales (ICAEW) and endorsed by the London Stock Exchange, this report provides essential guidance to the directors of UK-listed companies regarding risk management and internal controls.
Risk management encompasses identifying, evaluating, and managing risks to achieve business objectives. The Turnbull Report stresses a proactive approach to risk management, urging companies to integrate it into their strategic planning processes.
Internal controls are mechanisms put in place to ensure the integrity of financial reporting, compliance with laws and regulations, and effective and efficient operations. The report emphasizes that directors should regularly review the effectiveness of these controls.
The risk management cycle includes identification, assessment, response, monitoring, and reporting.
According to the Turnbull Report, effective internal control systems should have the following components:
The Turnbull Report remains crucial for the following reasons:
Companies such as Tesco and Barclays have adopted the Turnbull principles to strengthen their internal control systems, resulting in improved governance and reduced incidents of fraud and financial misstatement.
While implementing the Turnbull guidelines, companies should consider:
While both documents aim to improve corporate governance, the Sarbanes-Oxley Act is a US federal law with mandatory provisions, whereas the Turnbull Report is a set of guidelines for UK companies.
Verify Turnbull Report against exposure reports, loss history, limits, control tests, hedge files, stress cases, and escalation records. Turnbull Report matters when probability, severity, concentration, capital, reserves, or the response threshold changes.
The control point for Turnbull Report is the risk response it triggers: limit, control, hedge, reserve, capital, monitoring, escalation, or disclosure. Turnbull Report matters when exposure changes enough to require a different owner, metric, threshold, or mitigation step. Before relying on Turnbull Report, identify the risk register, limit framework, scenario, and escalation path affected. If no response changes, keep it as taxonomy rather than a live risk-management input.
The use boundary for Turnbull Report is reached when exposure, metric, limit, hedge, reserve, capital, monitoring, escalation, and disclosure are unchanged. In that case, keep the term as risk taxonomy rather than a reason to change controls.
The evidence link for Turnbull Report is the exposure report, limit file, control test, hedge record, scenario analysis, reserve support, escalation log, or disclosure workpaper. Without that link, Turnbull Report should not support a changed risk response.
The risk check for Turnbull Report is whether a risk label has an owner and trigger. Test exposure measure, limit, control effectiveness, hedge coverage, reserve support, escalation path, reporting cadence, and whether management would act when the metric moves.
Decision evidence for Turnbull Report should show exposure measure, limit, owner, control test, hedge record, scenario result, escalation path, and reporting cadence. Turnbull Report can change risk management only when those facts alter the response or monitoring threshold.
Review evidence for Turnbull Report should make the risk-management evidence traceable, not just definitional. For Turnbull Report, tie the evidence to the exposure report, model output, limit framework, incident record, and control assessment and explain why that evidence is reliable enough for the finance decision.
Before relying on Turnbull Report, document the decision context: the measurement date, stress window, lookback period, and scenario assumptions. Keep the Turnbull Report evidence trail visible: model validation, limit approval, escalation record, hedge documentation, and residual-risk owner. In Risk Management work, Turnbull Report matters when it changes loss estimates, capital allocation, hedging decisions, liquidity planning, or control priorities.
The practical risk for Turnbull Report is that risk-management terms can hide model and control assumptions unless evidence identifies exposure, horizon, severity, and ownership. If those facts are unavailable, keep Turnbull Report in the explanatory layer instead of treating it as decision-grade evidence.
Use Turnbull Report as a decision workflow, not a static glossary label: define the finance meaning, verify the evidence, and identify which conclusion changes. Start by linking Turnbull Report to exposure, model assumption, loss horizon, limit use, control owner, and escalation trigger. Only after those checks should Turnbull Report influence a risk decision.
For Turnbull Report, confirm the source record, the date or jurisdiction that could change the answer, and the finance decision affected if the evidence were wrong. If those checks are incomplete, keep Turnbull Report as explanatory context rather than a decisive input.
Risk teams use Turnbull Report to identify exposures, controls, limits, stress scenarios, capital needs, insurance or hedging choices, and reporting responsibilities.
A risk review would map Turnbull Report to the source of exposure, loss pathway, control owner, measurement method, escalation trigger, and mitigation option.
Ask whether Turnbull Report changes probability of loss, severity, control effectiveness, capital requirement, hedge need, or reporting obligation.
Risk terms can describe either the exposure or the control. Distinguish the source of risk from the tool used to measure or mitigate it.
Interpret Turnbull Report as decision evidence, not just a definition. Its weight depends on the transaction, measurement date, jurisdiction, market conditions, and whether Turnbull Report changes cash flow, risk allocation, reported performance, controls, or investor behavior.
The finance relevance comes from loss probability, severity, controls, capital, hedging, liquidity, reporting, and governance.
Do not confuse Turnbull Report with risk elimination. Most risk-management tools change measurement, transfer, monitoring, or mitigation, not the existence of uncertainty.
Turnbull Report appears in risk registers, stress tests, limit frameworks, model documentation, insurance reviews, hedge memos, and board risk reports.
Treat Turnbull Report as decision-useful only when it changes a forecast, contractual right, accounting result, tax outcome, market price, liquidity need, or risk-control action. If those items do not change, Turnbull Report is descriptive rather than analytical evidence.