So, briefly, we contented ourselves with referring to the imminent report as
Turnbull 2. Now that we’ve had a good look at it, even that might be too
ambitious a title.
Instead, you could easily refer to it as Turnbull 1.1 – a subtle upgrade that
gets rid of a few inconsistencies with other codes and amends some of the
wording. And thank goodness for that. Including the contents page and the
preface, the draft Turnbull revision is about 11 pages long in plain English,
and it covers all internal controls. Compare that with Sarbanes-Oxley and all
the related regulations, which run to hundreds of pages, are unintelligible and
are concerned only with controls on external financial reporting.
The reports produced by the review group make clear that the Turnbull
guidance has worked. Not everything in the risk management garden is wonderful,
of course. Quite a number of companies are in danger of treating their annual
risk reviews and the updating of their risk registers as semi-automatic
processes that are increasingly routine and decreasingly useful. Some have
embedded their risk systems to the point where they are failing to ask
themselves: what risks do we face now? What are we missing?
But that can’t be legislated away – it’s human nature. More to the point,
compare that shortcoming with what Financial Reporting Council chief executive
Paul Boyle referred to as “the true horror of Sarbanes-Oxley”. It’s far better
to have guidelines that are sufficiently succinct that directors can reread them
from time to time to help focus the mind on their obligations as board members. It’s
about governance, not compliance, and in this vein the FRC’s view is that the
best regulator is a well-informed market. Boyle says there is a business
backlash against Sarbanes-Oxley in the US. But while we are unlikely to see an
imminent unwinding of the US legislation, we can be comforted that it’s not

Andrew Sawers, editor.