Companies will have to institute a risk-based approach to internal controls if the latest corporate governance code is accepted, writes Peter Williams. They have until 14 June to respond to the consultation paper on the internal control element of the Combined Code. The Turnbull committee, which is chaired by Rank Group FD Nigel Turnbull, has taken the issue of internal controls wider than many had expected. It hopes to avoid criticism by linking internal control with risk management. According to the Turnbull report this approach “mirrors good business practice and allows the emphasis to be placed on the key controls a company should maintain.” The alternative would have been to develop a pro-forma list of controls that all companies should operate irrespective of their importance to the business. Under the code, companies will have to ensure the internal control system is embedded into their operations, is capable of responding to changing risks and includes procedures for reporting weaknesses to senior management. Companies will have to formally identify, evaluate and manage all their key risks – not just the financial ones – and assess how they are controlled. The board will have to provide disclosure on internal control in the annual report. Included in this will be a discussion of where internal control weakness has resulted in material losses or contingencies. In those cases, the directors should describe what action they have taken, or intend to take, or they should explain why they believe that no changes are considered necessary. This may inject some fun back into annual reports, as directors seek to explain away where things have gone awry. Turnbull said: “We have sought to produce practical guidance that will help companies ensure they have effective risk management and internal control systems.” The full text of the report is available on www.icaew.co.uk/internalcontrol.