HomeServicesRisk AdvisoryEnterprise Risk Management (ERM)

Risk Advisory · Governance, Risk & Compliance (GRC)

Enterprise Risk Management (ERM)

Most Indian companies discover their real risk exposure the hard way — a key customer concentration that suddenly unravels, a cyber incident that halts operations, a regulatory change that catches the business flat-footed, or a related-party transaction that draws board and auditor scrutiny at the worst possible moment.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Most Indian companies discover their real risk exposure the hard way — a key customer concentration that suddenly unravels, a cyber incident that halts operations, a regulatory change that catches the business flat-footed, or a related-party transaction that draws board and auditor scrutiny at the worst possible moment. Enterprise Risk Management (ERM) is the discipline that surfaces these exposures before they become crises — and gives the Board, the Audit Committee, and management a shared, structured view of what could go wrong, how likely it is, and what the organisation is doing about it. At PNPC Global, we design and implement ERM frameworks aligned to ISO 31000:2018 and the COSO ERM Integrated Framework (2017), calibrated to your sector, your governance maturity, and — where applicable — the Listing Obligations and Disclosure Requirements (LODR) Regulations that make Risk Management Committee oversight mandatory for the top 1,000 listed companies by market capitalisation. We build risk registers that get used, not filed away.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Enterprise Risk Management (ERM) is

Enterprise Risk Management is a structured, organisation-wide discipline for identifying, assessing, treating, monitoring, and reporting the risks that could affect an entity's ability to achieve its objectives — spanning strategic, operational, financial, compliance, reputational, and technology risk categories. Unlike traditional risk management, which historically operated in silos (insurance risk sat with finance, IT risk sat with IT, compliance risk sat with legal), ERM takes an integrated, enterprise-wide view — recognising that risks interact, correlate, and can compound across functions. The two globally recognised reference frameworks are ISO 31000:2018, which provides principles and generic guidelines applicable to any organisation regardless of size or sector, and the COSO ERM Integrated Framework (2017), titled 'Enterprise Risk Management — Integrating with Strategy and Performance', which explicitly links risk management to strategy-setting and performance measurement. Both are principles-based rather than prescriptive — they describe what a sound ERM programme should achieve, not a fixed checklist to complete.

In India, ERM has moved from a voluntary governance practice to a regulatory expectation for a defined class of companies. Regulation 21 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 mandates a Board-level Risk Management Committee for the top 1,000 listed entities by market capitalisation, with a majority of members from the Board of Directors, and requires the Committee to review and approve the risk management policy, monitor and review the risk management plan, and report to the Board at defined intervals. Schedule V of the LODR Regulations requires disclosure of risk management practices in the annual Corporate Governance Report. Separately, Section 134(3)(n) of the Companies Act 2013 requires every listed company's Board's Report to include a statement indicating the development and implementation of a risk management policy, including identification of elements of risk that may threaten the existence of the company. For companies not yet crossing these statutory thresholds, an increasing number of private equity investors, lenders, and rating agencies expect a documented risk register and risk governance structure as part of standard due diligence — well before any listing event.

A mature ERM programme rests on a small number of core building blocks: a risk management policy approved by the Board, defining risk appetite and tolerance; a risk universe and taxonomy specific to the entity's sector and business model; a risk register that captures identified risks with likelihood and impact ratings, existing controls, residual risk scores, and named risk owners; a risk assessment methodology applied consistently across the organisation (typically a combination of qualitative workshops and, where data permits, quantitative modelling); a governance structure — Risk Management Committee, Chief Risk Officer or equivalent, and a defined escalation path to the Audit Committee and Board; and a reporting cadence that keeps the risk register a living document rather than an annual compliance artefact. Emerging risk categories that increasingly dominate board agendas include cybersecurity and data privacy (heightened by the Digital Personal Data Protection Act, 2023), climate and ESG-related risk (relevant to BRSR reporting for the top 1,000 listed entities), third-party and vendor concentration risk, and geopolitical/supply-chain risk.

ERM is deliberately distinct from — but closely related to — internal audit, internal financial controls (IFC) review, and business continuity planning. Internal audit tests whether controls actually operate as designed across a sample of transactions; ERM identifies and prioritises the risks that controls exist to mitigate in the first place, and typically informs the internal audit plan rather than being performed by the same function in isolation. IFC review under Section 134(5)(e) focuses specifically on financial reporting controls; ERM covers the full risk universe, of which financial reporting risk is only one category. Getting the distinction right — and the sequencing right — determines whether an organisation ends up with a risk register that genuinely drives decisions, or a document produced once a year to satisfy a disclosure requirement and never opened again.

When a structured ERM framework becomes essential

Listed company falling within the top 1,000 by market capitalisation — a Board-level Risk Management Committee and a documented risk management policy are mandatory under Regulation 21 of SEBI LODR

Private equity or venture capital investors on the cap table, or an active fundraising process — institutional investors increasingly expect a documented risk register and risk governance structure as part of due diligence and ongoing reporting covenants

Rapid growth, new geography entry, or a new product line that has outpaced the organisation's informal, ad hoc approach to identifying and managing risk

Recent exposure to a risk event — cyber incident, key-customer loss, regulatory penalty, fraud, or supply-chain disruption — that has prompted the Board to ask 'what else haven't we identified?'

Preparing for an IPO, where SEBI ICDR disclosure requirements and post-listing LODR obligations make a functioning risk governance structure a pre-listing necessity, not a post-listing add-on

Group structures with multiple subsidiaries, JVs, or cross-border entities where risk exposure in one entity can cascade to the parent or group — requiring a consolidated, enterprise-wide view rather than entity-by-entity silos

Banking covenants, credit rating reviews, or insurance renewal processes that specifically evaluate the maturity of the borrower's or insured's risk management practices

Board or Audit Committee seeking a defensible, documented basis for the Section 134(3)(n) statement on risk management policy in the Board's Report

Sector-specific regulatory expectations — RBI's risk-based supervision framework for NBFCs and banks, IRDAI's ERM guidelines for insurers, or SEBI's risk management framework for market intermediaries

When a lighter-touch approach may be more proportionate

Very early-stage startup with a handful of employees, no institutional investors, and a founder who can personally track the handful of risks that matter — a structured ERM programme is premature; a simple founder-level risk list often suffices for now

Small private company well below all statutory thresholds, with straightforward single-location operations and no near-term fundraising or listing plans — a lighter risk discussion as part of annual strategic planning may be adequate

Organisation needs help with a single, narrow risk domain — for example, only IT/cybersecurity risk, or only fraud risk — where a scoped assessment in that domain is more efficient than standing up a full enterprise-wide framework

Business primarily needs internal financial controls documented for statutory audit purposes — an IFC design and testing engagement under Section 134(5)(e) is the more precise fit than a full ERM programme, though the two are natural complements

The immediate need is business continuity or disaster recovery planning for a specific event (e.g., a facility, a key vendor, a system) — a focused BCP/DR engagement addresses this faster than a ground-up ERM build

Structure Comparison

Enterprise Risk Management vs related risk, controls, and assurance functions

FeatureEnterprise Risk Management (ERM)Internal AuditInternal Financial Controls (IFC) ReviewBusiness Continuity Planning (BCP)Compliance Management
Primary objectiveIdentify, assess, prioritise, and treat risks to strategic and business objectivesTest whether existing controls are designed and operating effectivelyAssess controls specifically over financial reporting accuracyEnsure critical operations can continue or recover after a disruptive eventEnsure ongoing adherence to applicable laws, regulations, and licence conditions
Governing frameworkISO 31000:2018, COSO ERM (2017), SEBI LODR Reg. 21Section 138 + Rule 13, Standards on Internal Audit (ICAI)Section 134(5)(e), COSO Internal Control Integrated FrameworkISO 22301:2019, sector-specific regulatory guidanceSector and law-specific — no single unifying statute
Who owns itRisk Management Committee / CRO, reporting to the BoardInternal Audit function, reporting to Audit CommitteeCFO function, tested by internal audit and statutory auditorOperations / IT, sponsored by senior managementCompliance officer or company secretary function
ScopeEnterprise-wide — strategic, operational, financial, compliance, reputational, technology riskRisk-based testing of processes and controls per the approved audit planFinancial reporting processes and controls onlyCritical business processes, systems, and facilitiesApplicable statutory and regulatory obligations across functions
Typical outputBoard-approved risk policy, risk register, heat map, mitigation plansRated findings report with management action plan, presented to Audit CommitteeControl matrix, gaps identified, remediation plan, management certificationBusiness continuity plan, recovery time objectives, tested runbooksCompliance calendar, tracker, and periodic certification to the Board
Mandatory forTop 1,000 listed companies by market cap under SEBI LODR Reg. 21; expected practice for othersListed cos; public/private cos above Rule 13 thresholdsListed companies under Section 134(5)(e); auditor's IFC opinion under Section 143(3)(i)/CARO applies more broadly, subject to size-based exemptionsNot universally mandated; sector-specific (e.g., BFSI, critical infrastructure)Applicable wherever the underlying law applies — near-universal in some form
FrequencyContinuous monitoring; formal review and Board reporting typically quarterlyContinuous / quarterly cycles per approved annual planAnnual, aligned to statutory audit cycleReviewed and tested periodically, typically annuallyContinuous, tracked against a rolling compliance calendar
Relationship to ERMOften informed by and validates the ERM risk register through control testingA specialised subset of the operational/financial risk category within ERMA risk treatment/mitigation response to specific high-impact operational risks identified in ERMCompliance risk is one category within the ERM risk universe

These functions are complementary, not substitutable — a mature governance framework typically runs ERM as the umbrella discipline that identifies and prioritises risk, with internal audit, IFC review, BCP, and compliance management each addressing a specific risk category or providing assurance over specific controls. The right combination and sequencing for your organisation should be confirmed with a practising CA based on your listing status, sector, and governance maturity.

How it works
#Stage & What PNPC DoesWhat Generic Providers SkipTimeline
1Applicability & Maturity AssessmentWe first establish whether a Board-level Risk Management Committee is mandatory for your company under SEBI LODR Regulation 21 (top 1,000 listed entities by market cap), and separately assess the case for a structured ERM programme even where not mandatory — based on investor base, lending covenants, sector risk profile, and governance ambitions. We also benchmark your current risk management maturity honestly, rather than assuming a blank slate or overstating existing practices.Week 1–2
2Stakeholder Interviews & Risk Universe MappingStructured interviews across the Board, CXOs, and function heads to surface the risks each part of the business actually sees day to day — not just the risks that are easy to write about. We build a risk taxonomy specific to your sector (manufacturing, NBFC, real estate, IT/ITES, trading, healthcare) rather than reusing a generic template that misses sector-specific exposures like RBI regulatory risk for NBFCs or RERA project risk for real estate developers.Week 2–4
3Risk Identification WorkshopsFacilitated workshops with cross-functional teams to identify risks across strategic, operational, financial, compliance, reputational, and technology categories — using structured techniques (SWOT, scenario analysis, bow-tie analysis) rather than an open brainstorm that tends to surface only the risks already on everyone's mind.Week 3–5
4Risk Assessment — Likelihood & Impact ScoringEach identified risk is scored on likelihood and impact using a consistent, Board-approved scale — producing a defensible, comparable risk ranking rather than a subjective list ordered by whoever spoke loudest in the workshop. Where financial data supports it, quantitative techniques (Value-at-Risk style modelling, scenario-based financial impact) supplement the qualitative scoring for the highest-priority risks.Week 4–6
5Risk Appetite & Tolerance DefinitionWe work with the Board to articulate risk appetite — how much risk the organisation is willing to accept in pursuit of its objectives — and translate this into tolerance thresholds for key risk categories. Without this step, a risk register has no yardstick for deciding which risks require immediate treatment versus ongoing monitoring, and this is the step most frequently skipped by template-driven providers.Week 5–6
6Risk Register & Heat Map DevelopmentA structured risk register is built — each risk with a description, category, owner, inherent risk score, existing controls, residual risk score, and treatment plan — visualised as a heat map for Board and Committee presentation. The register is built as a living document in a format your team can actually maintain, not a one-time consultant deliverable that goes stale within a quarter.Week 6–7
7Risk Treatment & Mitigation PlanningFor every risk above the tolerance threshold, we work with the risk owner to define a specific treatment plan — accept, avoid, transfer (insurance), or mitigate — with named actions, owners, and target dates. Generic ERM deliverables often stop at identification and scoring; the treatment plan is where the framework actually changes business outcomes.Week 7–8
8Risk Management Policy & Governance CharterWe draft the Board-approved Risk Management Policy required for Corporate Governance Report disclosure under LODR Schedule V, along with the Risk Management Committee's terms of reference, reporting lines, and escalation protocol — ensuring the governance structure has the standing and documented mandate to function effectively, not just exist on paper.Week 7–8
9Risk Management Committee Formation & First MeetingFor companies where the Committee is newly constituted, we support composition planning (majority Board members, as required), draft the first meeting agenda, and present the initial risk register and heat map for Committee review and approval — establishing the reporting rhythm from the outset.Week 8–9
10Integration with Internal Audit PlanWhere an internal audit function exists or is being stood up in parallel, we ensure the highest-priority risks from the ERM register directly inform the internal audit universe and annual audit plan — so audit hours are allocated to the risks that matter most, rather than the two functions operating in disconnected silos.Week 9–10
11Board & Audit Committee Reporting CadenceWe establish the quarterly (or Board-determined) reporting cadence — a standard reporting pack that tracks risk register changes, treatment plan progress, newly emerged risks, and key risk indicators (KRIs) — so risk reporting becomes a recurring governance rhythm rather than an annual exercise.Week 10
12Key Risk Indicator (KRI) Dashboard SetupFor the highest-priority risks, we define measurable Key Risk Indicators — early-warning metrics that signal a risk is trending toward materialisation before it actually crystallises — and set up a simple, sustainable dashboard for ongoing monitoring by risk owners.Week 10–12
13Annual Refresh & Continuous Monitoring SupportThe risk register, appetite statement, and heat map are formally refreshed at least annually — incorporating the year's actual risk events, business changes, and emerging risk categories (cyber, ESG, geopolitical) — with PNPC available on an ongoing advisory basis between formal refresh cycles as new risks surface.Annually, plus ongoing advisory

Realistic timeline: a first-generation ERM framework — from stakeholder interviews through Board-approved risk policy and an operational risk register — typically takes 8–12 weeks for a single-entity company, longer for multi-entity groups or where risk data and process documentation are not readily available. Ongoing risk monitoring and quarterly reporting support continues thereafter as a recurring advisory engagement.

Document Checklist
Corporate & Governance Documents

Certificate of Incorporation, Memorandum & Articles of Association, and group/holding structure chart including all subsidiaries and associate entities within scope

Board and Committee composition — including any existing Risk Management Committee, Audit Committee, and their terms of reference

Minutes of the last 4–6 Board and Committee meetings, particularly any prior discussion of risk-related matters

Existing risk management policy, risk register, or risk-related documentation, if any, along with any prior year's Corporate Governance Report risk disclosures

Delegation of Authority (DOA) matrix — approval limits by role, transaction type, and value

Strategic & Business Context

Board-approved business plan, annual budget, and 3–5 year strategic plan, to align risk identification with actual strategic objectives

Latest annual report and investor presentation, if listed or fundraising, to understand how risk is currently being communicated externally

Organisation chart with reporting lines for key business functions and geographies

Details of any new markets, products, or business lines launched or planned in the next 12–24 months

Competitor and industry risk landscape information, where available, particularly for regulated or high-risk sectors

Financial & Operational Records

Latest audited financial statements and management accounts for the most recent 2–3 years

Details of major contracts, customer concentration, and vendor/supplier concentration (top 10 by value)

Outstanding loan agreements, credit facility terms, and any financial covenants

Insurance policy schedule — coverage types, sums insured, and any recent claims history

Details of any litigation, arbitration, show-cause notices, or regulatory correspondence in the past 3 years

Compliance & Regulatory Records

List of all licences, registrations, and regulatory approvals applicable to the entity's sector and locations

Compliance tracker or calendar, if one exists, along with any instances of non-compliance or penalties in recent years

Sector-specific regulatory correspondence — RBI, SEBI, IRDAI, or other regulator communications, as applicable

Data privacy and cybersecurity policy documents, if any, particularly in light of the Digital Personal Data Protection Act, 2023

IT & Technology Environment

List of key IT systems, ERP, and business applications, with hosting environment details (on-premise/cloud)

Existing IT security policy, access control framework, and any recent cybersecurity incident history

Business continuity and disaster recovery documentation, if any exists

Details of critical third-party/vendor dependencies for IT infrastructure and outsourced processes

Prior Risk & Assurance Work

Prior internal audit reports and their findings, where an internal audit function already exists

Statutory auditor's management letter and Internal Financial Controls (IFC) observations from the most recent audit

Any prior third-party risk assessment, due diligence report, or credit rating agency risk commentary

Details of past risk events — near-misses, actual incidents, financial losses — that the organisation is aware of, even if not formally documented

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Framework Design (Month 1–3)Decision to formalise ERM or statutory LODR threshold crossedStakeholder interviews, risk universe mapping, risk assessment methodology, appetite and tolerance definition, and a Board-approved risk management policy built around your actual sector and business model — not a generic template.A policy adopted purely for disclosure compliance, disconnected from actual business decisions — provides no real protection and creates a documentation gap the Audit Committee or a regulator can question.
Governance Stand-Up (Month 2–4)Risk Management Committee constitution required or desiredCommittee composition, terms of reference, reporting lines to the Board, and the first formal risk register and heat map presentation — establishing the reporting rhythm from Day 1.A Committee that exists on paper but does not meet or receive substantive reporting — fails to satisfy the substance of LODR Regulation 21, even if technically constituted.
Operationalisation (Month 3–6)Risk register approvedNamed risk owners, treatment plans for above-tolerance risks, Key Risk Indicator dashboards, and integration with the internal audit plan so audit resources focus on the risks that matter most.A risk register that is identified but never treated — risks remain on the register year after year with no owner accountability or measurable progress, undermining the credibility of the entire exercise.
Quarterly Reporting Cycle (Ongoing)Board/Committee meeting calendarA standard reporting pack tracking risk register changes, KRI trends, treatment plan progress, and newly emerged risks — presented consistently each quarter so the Board sees risk management as a living function.Risk reporting becomes an annual, backward-looking exercise — the Board has no real-time visibility and discovers emerging risks only after they have materialised.
Annual Refresh (Every Year)Financial year-end / Corporate Governance Report preparationFormal refresh of the risk register, appetite statement, and heat map incorporating the year's actual risk events and business changes, alongside the Section 134(3)(n) Board's Report statement and LODR Schedule V Corporate Governance Report disclosure.Stale disclosures that do not reflect the organisation's actual current risk profile — creates a governance gap that becomes visible during due diligence, a rating review, or regulatory scrutiny.
Emerging Risk IntegrationNew regulation, technology shift, or market event (e.g., DPDP Act, ESG/BRSR, geopolitical shock)Proactive assessment of new and emerging risk categories — cybersecurity, data privacy, ESG/climate, third-party concentration, geopolitical — and their integration into the existing risk taxonomy rather than treated as one-off add-ons.Blind spots on emerging risk categories that regulators, investors, and rating agencies increasingly scrutinise — a static risk register that only reflects yesterday's risk landscape.
Crisis / Risk Event ResponseActual risk materialisation — cyber incident, key-customer loss, regulatory action, fraud discoveryPost-event review against the existing risk register and treatment plan — assessing whether the risk was identified in advance, whether the treatment plan was adequate, and updating the register and controls based on lessons learned.The same risk category recurs because root-cause lessons were never fed back into the framework — repeat incidents erode Board and investor confidence in the risk function.
Scale-Up / Listing EventIPO preparation, new fundraising round, or crossing the LODR Regulation 21 thresholdAcceleration of ERM maturity to meet the more stringent governance expectations of public markets or new institutional investors — including formal Committee reporting, SEBI ICDR disclosure alignment, and third-party assurance readiness.Governance gaps surfacing during IPO due diligence or investor diligence at the worst possible time — causing valuation adjustments, delayed timelines, or deal-structure changes.
Frequently asked
What exactly is Enterprise Risk Management, in plain terms?

It is a structured way for an organisation to answer three questions on an ongoing basis: what could go wrong across the business (not just in finance, but strategy, operations, compliance, technology, and reputation), how likely and how damaging is each of those risks, and what is the organisation actually doing about the ones that matter most. Instead of each department worrying about its own risks in isolation, ERM gives the Board and management one integrated view — typically captured in a risk register and reported through a Risk Management Committee.

Practitioner noteThe single biggest gap we see in first-time ERM engagements is a risk register that identifies risks but assigns no owner and no treatment plan — a list of worries, not a management tool. We insist on both from the first version of the register.
Is Enterprise Risk Management mandatory for my company?

A Board-level Risk Management Committee and a documented risk management policy are mandatory under Regulation 21 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, for the top 1,000 listed companies by market capitalisation. Separately, Section 134(3)(n) of the Companies Act 2013 requires every listed company's Board's Report to include a statement on the development and implementation of a risk management policy. Companies outside these thresholds are not statutorily required to run a formal ERM programme, but increasingly face expectations from investors, lenders, rating agencies, and — for regulated sectors like NBFCs, banks, and insurers — sector regulators.

Practitioner noteWe check applicability precisely against market capitalisation ranking and listing status before recommending scope — a mid-sized listed company outside the top 1,000 is not statutorily obligated, but we still often recommend a lighter-touch framework given investor expectations.
What is the difference between ISO 31000 and the COSO ERM framework — do I need to pick one?

Both are internationally recognised, principles-based reference frameworks rather than rigid checklists. ISO 31000:2018 is a generic risk management standard applicable to any organisation, structured around principles, a framework, and a process (identify, analyse, evaluate, treat, monitor). COSO ERM (2017) is more explicitly linked to strategy and performance, and is widely used by companies with US-linked governance expectations or those benchmarking against COSO's earlier Internal Control Integrated Framework used for IFC purposes. Neither is mandated by Indian law by name — SEBI and the Companies Act require the outcome (a documented, Board-approved risk management policy and process) without prescribing a specific named framework.

Practitioner noteWe typically design around ISO 31000 principles for the risk process itself, while aligning the reporting and governance structure to COSO's five components where the company also has IFC obligations — this avoids running two disconnected frameworks side by side.
How is ERM different from Internal Audit — don't they do the same thing?

No — they are complementary but distinct. ERM identifies, assesses, and prioritises the full universe of risks the organisation faces and defines how those risks will be treated. Internal Audit independently tests whether the controls that exist to manage specific risks are actually designed correctly and operating effectively, and reports rated findings to the Audit Committee. In a mature governance structure, the ERM risk register directly informs the internal audit plan — audit hours get allocated to the highest-priority risk areas identified through ERM, rather than the two functions working from separate, disconnected risk views.

Practitioner noteWhere we run both functions for a client, we deliberately sequence ERM risk assessment ahead of the annual internal audit planning cycle — internal audit becomes measurably more targeted when it is built on a current risk register rather than repeating the same generic process areas every year.
What is a Risk Management Committee and who needs to be on it?

Under Regulation 21 of SEBI LODR, the Risk Management Committee must have a majority of members from the Board of Directors, with the Chairperson being a member of the Board. The Committee is responsible for formulating and approving the risk management policy, ensuring the policy addresses cybersecurity risk specifically, monitoring and reviewing the risk management plan, and reporting to the Board at intervals it determines. For companies not statutorily required to constitute this Committee, a management-level risk committee reporting into the Audit Committee is a common lighter-touch alternative.

Practitioner noteA Committee that exists in name but meets only once a year and receives a static presentation does not meet the substance of what Regulation 21 intends. We help clients set a realistic, sustainable meeting cadence — usually quarterly — rather than an ambitious schedule that gets abandoned after two meetings.
What is a risk register and what should it actually contain?

A risk register is the structured, working document at the heart of any ERM programme. At minimum, each entry should include: a clear risk description, the risk category (strategic, operational, financial, compliance, reputational, technology), the risk owner (a named individual, not a department), the inherent risk score (likelihood x impact before controls), a description of existing controls, the residual risk score (after existing controls), and a treatment plan with actions, owner, and target date for any risk above the organisation's tolerance threshold.

Practitioner noteWe deliberately avoid the trap of a 40-page risk register nobody maintains. A well-scoped register with 20-35 genuinely material risks, actively reviewed, beats a 150-line register that becomes stale within two quarters.
How do you set risk appetite and tolerance — isn't that subjective?

Risk appetite is inherently a Board-level judgement about how much risk the organisation is willing to accept in pursuit of its objectives — it cannot be derived purely mathematically. However, the process of setting it can and should be structured: facilitated Board discussion informed by the organisation's financial capacity to absorb loss, regulatory constraints, stakeholder expectations, and strategic priorities, translated into concrete tolerance thresholds (for example, maximum acceptable customer concentration, or a defined threshold for cybersecurity incident impact) that then anchor the likelihood/impact scoring scale used across the risk register.

Practitioner noteWe facilitate this as a structured Board workshop rather than asking directors to fill in a form individually — the discussion itself, and the disagreements it surfaces, is often more valuable than the resulting numbers.
We are a private company with no listing plans — is ERM still worth doing?

It depends on your investor base, lending relationships, and growth trajectory rather than listing status alone. Private equity and venture capital investors increasingly expect a documented risk register as part of governance reporting, even pre-IPO. Lenders and rating agencies factor risk management maturity into credit assessments. And practically, a structured risk view helps management make better resource-allocation decisions regardless of any external requirement. For a small, single-location private company with no institutional capital and no near-term listing or fundraising plans, a full ERM programme is often disproportionate — a lighter annual risk discussion as part of strategic planning may suffice.

Practitioner noteWe are candid with clients about proportionality. Not every business needs a Chief Risk Officer and a quarterly Committee cycle — we scope the framework to match actual governance maturity and stakeholder expectations, not a one-size-fits-all template.
What is a Key Risk Indicator (KRI) and how is it different from a KPI?

A Key Performance Indicator (KPI) measures how well the organisation is performing against its objectives. A Key Risk Indicator (KRI) is an early-warning metric that signals a specific risk is trending toward materialisation — for example, rising customer concentration percentage, increasing days-sales-outstanding as an early signal of credit risk, or a rising rate of failed login attempts as a cybersecurity indicator. KRIs are deliberately forward-looking and tied to specific risks in the register, giving management a chance to intervene before the risk actually crystallises into a loss event.

Practitioner noteWe limit KRI dashboards to a handful of genuinely predictive metrics per major risk — a dashboard with 50 indicators gets ignored within a month; one with 8-10 well-chosen indicators actually gets reviewed.
How does the Digital Personal Data Protection Act, 2023 factor into ERM?

The DPDP Act, 2023 creates new compliance obligations around personal data processing, consent, data breach notification, and significant penalties for non-compliance, making data privacy and cybersecurity a materially heightened risk category within any current ERM framework. Organisations processing personal data at scale should specifically assess data privacy risk — including third-party data processor risk — as part of the risk universe, with rules and detailed compliance timelines being operationalised progressively. We build DPDP-related risk assessment into current ERM engagements rather than treating it as a separate compliance exercise.

Practitioner noteMany clients still treat data privacy purely as an IT/legal compliance matter rather than a Board-level enterprise risk. Given the DPDP Act's penalty structure, we now flag this explicitly in every ERM risk universe discussion, regardless of sector.
Does ERM cover ESG and climate risk?

Increasingly, yes. SEBI's Business Responsibility and Sustainability Reporting (BRSR) framework applies to the top 1,000 listed companies by market capitalisation, requiring disclosure across environmental, social, and governance parameters, and climate-related risk (physical and transition risk) is now a recognised category within a comprehensive ERM risk universe for applicable companies. For companies not currently subject to BRSR, we typically still recommend identifying material ESG-linked risks — such as regulatory tightening, supply-chain sustainability expectations from large customers, or physical climate exposure for asset-heavy businesses — as part of a forward-looking risk register.

Practitioner noteESG risk assessment is one of the fastest-evolving areas of ERM scope right now. We keep this section of the risk register under more frequent review than the more stable, established risk categories.
How long does it take to build a first ERM framework from scratch?

For a single-entity company with reasonably available process documentation, a realistic timeline from initial stakeholder interviews through a Board-approved risk management policy and an operational risk register is 8-12 weeks. Multi-entity groups, cross-border operations, or organisations with limited existing documentation typically take longer. The framework itself is not a one-time deliverable — ongoing quarterly reporting, KRI monitoring, and an annual formal refresh are what make the difference between a framework that is used and one that becomes a filed document.

Practitioner noteWe resist compressing the risk identification and workshop phase to meet an aggressive timeline — a rushed risk universe mapping is the most common reason ERM frameworks end up missing the risks that later actually materialise.
What does a typical ERM engagement cost?

Cost depends materially on company size, number of entities and locations in scope, sector complexity, and whether a Risk Management Committee and reporting cadence need to be stood up from scratch or already exist in some form. PNPC agrees a fixed, written scope and fee before any engagement begins — covering the framework design phase distinctly from any ongoing quarterly support retainer, so you know exactly what is included at each stage.

Practitioner noteWe deliberately do not quote a headline number without first understanding scope — an ERM engagement for a single-location private company and one for a five-entity group with cross-border operations are simply not comparable pieces of work.
Who should own the risk register day to day — should we hire a Chief Risk Officer?

For companies within the top 1,000 listed entities or those with a genuinely complex risk profile, a dedicated Chief Risk Officer or equivalent full-time risk function is common practice. For most mid-sized and smaller companies, day-to-day risk register ownership can sit with an existing function — often the CFO, Company Secretary, or Head of Internal Audit — supported by named risk owners across the business for individual risks, with PNPC providing periodic advisory support and facilitation for the formal review cycles rather than a full-time in-house hire.

Practitioner noteWe are candid when a full-time CRO is not yet justified by the company's size or risk profile — recommending one prematurely adds cost without adding proportional value. We revisit this recommendation as the company scales.
How does ERM interact with our statutory auditor's work?

The statutory auditor's primary responsibility is an opinion on whether the financial statements present a true and fair view, and — as part of that — an assessment of Internal Financial Controls over financial reporting under Section 143(3)(i). A well-documented ERM framework and risk register can support the statutory audit process by demonstrating Board-level risk oversight and providing context for the auditor's own risk assessment, but ERM is a broader, forward-looking management discipline, not a substitute for the auditor's independent testing.

Practitioner noteAuditors increasingly ask to see the risk register and Risk Management Committee minutes as part of their own risk assessment procedures — clients with a well-maintained register often find the statutory audit process itself runs more smoothly.
What happens if we adopt a risk management policy but the Board doesn't actually engage with the risk register?

This is one of the most common failure modes in ERM implementations — a policy is adopted and a register is built to satisfy the Section 134(3)(n) disclosure requirement, but the Board treats quarterly risk reporting as a formality rather than substantively engaging with it. Beyond the governance weakness this creates, it exposes the company to criticism during due diligence, rating reviews, or — in a worst case — after an actual risk event materialises and it becomes evident the risk was on the register but never meaningfully treated.

Practitioner noteWe push clients toward a smaller, sharper Board reporting pack — the top 8-10 risks with real movement, not a mechanical restatement of the full register — specifically to keep genuine Board engagement rather than box-ticking.
Can ERM help during fundraising or an IPO process?

Yes, materially. Institutional investors and IPO due diligence teams routinely review risk governance maturity as part of their assessment — a documented risk register, evidence of Board-level risk oversight, and a track record of quarterly reporting all demonstrate governance readiness and can reduce the scope of investor-side risk queries during diligence. Conversely, the absence of any documented risk process, discovered for the first time during diligence, often triggers additional queries, extended timelines, or valuation-related conversations.

Practitioner noteWe recommend starting ERM framework design at least two to three quarters ahead of any planned fundraise or IPO process — building it under diligence time pressure produces a weaker framework and signals reactive rather than proactive governance.
What sector-specific risk considerations does PNPC build into an NBFC's ERM framework?

For NBFCs, the risk universe must specifically address RBI's risk-based supervision expectations, asset-liability mismatch risk, credit concentration risk, provisioning adequacy under Ind AS 109 (Expected Credit Loss model), liquidity risk, and — depending on the NBFC's scale-based regulatory layer under RBI's Scale Based Regulation framework — enhanced governance requirements including a mandatory Risk Management Committee for upper-layer NBFCs.

Practitioner noteRBI's Scale Based Regulation framework materially changes governance obligations as an NBFC moves between layers — we specifically flag this transition risk itself as a distinct item for growing NBFC clients, since crossing a layer threshold triggers new compliance obligations.
How does ERM apply to a real estate developer subject to RERA?

For RERA-registered developers, the risk universe should specifically address project completion and delay risk, escrow account compliance under Section 4(2)(l)(D) of the RERA Act (70% of project receivables to be maintained in a designated account for project costs), title and approval risk, and litigation risk from homebuyer associations — categories that a generic, non-sector-specific ERM template typically misses entirely.

Practitioner noteWe build a distinct 'project-level' risk register alongside the entity-level register for real estate clients with multiple ongoing RERA projects — treating each project's risk profile separately, since risks (and escrow compliance status) can vary materially project to project.
Does ERM cover fraud risk specifically, or is that a separate exercise?

Fraud risk is one category within the broader ERM risk universe, typically assessed through a structured fraud risk assessment covering opportunity, pressure, and rationalisation factors (the fraud triangle), and mapped against existing anti-fraud controls, whistle-blower mechanisms, and segregation-of-duties design. Where a specific fraud is suspected or has occurred, that requires a separate, targeted forensic investigation — ERM's fraud risk assessment is preventive and diagnostic, not investigative.

Practitioner noteWe routinely find that segregation-of-duties gaps identified during ERM fraud risk workshops are the same gaps that internal audit later confirms through control testing — the two exercises consistently validate each other when done well.
What is the relationship between ERM and cyber insurance?

A documented cybersecurity risk assessment — part of the technology risk category within ERM — directly supports the cyber insurance underwriting process, since insurers increasingly require evidence of the applicant's risk management maturity, existing controls, and incident response readiness before quoting or renewing cover. A well-articulated risk register and treatment plan for cyber risk can materially influence both the availability and the pricing of cyber insurance cover.

Practitioner noteWe have seen clients secure meaningfully better cyber insurance terms after formalising their risk assessment and control documentation — insurers respond to demonstrable risk management maturity, not just a completed proposal form.
How often should the risk register be updated?

The risk register should be a living document, ideally reviewed at every quarterly Risk Management Committee or management risk committee meeting for material changes, with a comprehensive formal refresh — reassessing the full risk universe, appetite statement, and heat map — at least annually, and immediately following any significant risk event, acquisition, new market entry, or major regulatory change.

Practitioner noteWe schedule the annual comprehensive refresh to precede the Corporate Governance Report preparation cycle for listed clients, so the disclosed risk management practices genuinely reflect the current risk landscape rather than being backdated to match a stale register.
Can PNPC support ERM for our UAE entity as well as our Indian entity?

Yes. PNPC operates from Chennai, Bangalore, Hyderabad, and Dubai. For groups with both Indian and UAE entities, we build a consolidated, group-level risk view that captures cross-border risk correlation — currency and FEMA/ODI-related risk, UAE Corporate Tax and VAT compliance risk, and jurisdiction-specific regulatory risk — rather than running two disconnected, entity-level frameworks that miss how risk in one jurisdiction can affect the other.

Practitioner noteGroup-level risk aggregation across India and UAE entities is a genuinely underserved area — most advisory firms operate in only one jurisdiction and cannot see the interaction. Our presence in both allows a coherent, single risk register at the group level.
What is 'residual risk' and why does it matter more than 'inherent risk'?

Inherent risk is the level of risk before considering any existing controls or mitigations. Residual risk is what remains after existing controls are factored in. The distinction matters because a risk with very high inherent severity but strong, well-tested existing controls may have low residual risk and require only monitoring — while a risk with moderate inherent severity but weak or absent controls may have high residual risk and require urgent treatment. Prioritising treatment purely on inherent risk, without assessing residual risk, misdirects resources toward risks that are already well-managed.

Practitioner noteWe insist on evidence-based control assessment for the residual risk score — not a management assertion that 'controls are adequate.' This is where ERM and internal audit's control testing genuinely reinforce each other.
Our Board already reviews risks informally in every meeting — do we still need a formal framework?

Informal Board-level risk discussion is valuable but is not a substitute for a structured framework, for three reasons: it typically covers only the risks that happen to be top-of-mind that quarter, it lacks a consistent scoring methodology that allows risks to be compared and prioritised objectively, and — for companies within the LODR Regulation 21 threshold — it does not satisfy the specific governance and disclosure requirements around a constituted Risk Management Committee and documented policy.

Practitioner noteWe often build on existing informal Board risk discussion rather than replacing it — the institutional knowledge from those conversations is genuinely valuable input into the first formal risk register, not wasted effort.
What is a 'bow-tie analysis' and when do you use it in ERM?

Bow-tie analysis is a visual risk assessment technique that maps a specific risk event at the centre, with the causes (threats) leading into it on one side and the consequences leading out of it on the other, alongside the preventive controls (addressing causes) and mitigating controls (limiting consequences) at each point. It is particularly useful for a small number of high-severity, well-defined risks — such as a major cybersecurity breach or a critical facility failure — where understanding the full causal chain and control points in detail adds more value than a simple likelihood/impact score.

Practitioner noteWe reserve bow-tie analysis for the handful of top-tier risks where the extra analytical depth is genuinely warranted — applying it across the entire risk register is disproportionate effort for lower-priority risks.
Does a smaller, unlisted company need a written risk management policy at all?

There is no statutory requirement for an unlisted company below the relevant thresholds to have a written risk management policy. That said, a concise, Board-discussed risk policy — even a few pages — creates useful discipline: it forces agreement on what categories of risk matter most, who owns identifying and escalating them, and what the Board expects to be told and when. Many of our unlisted clients adopt a lighter-weight version of the same structure used for listed clients, scaled to their governance maturity.

Practitioner noteWe often start unlisted clients with a one-page risk policy and a 15-20 line risk register rather than a full-scale framework — the discipline of a simple, used document beats an elaborate one that sits unopened.
How does ERM handle risks that span multiple categories, like a key-customer loss that is both a financial and a strategic risk?

Most well-designed risk registers allow a single risk to be tagged against a primary category with cross-references to secondary categories it touches, rather than forcing an artificial single classification. The more important discipline is ensuring the risk owner and treatment plan account for the full breadth of impact — a key-customer concentration risk, for example, should have its financial impact (revenue loss), strategic impact (market positioning), and operational impact (capacity planning) all considered in the treatment plan, even if it is tracked under a single primary heading for reporting simplicity.

Practitioner noteOver-engineering the classification taxonomy is a common early mistake — we keep primary categories to six or seven, with cross-referencing handled through risk descriptions and treatment plans rather than an elaborate multi-dimensional tagging system nobody maintains.
What is the typical output the Board actually sees each quarter?

A concise reporting pack — typically the top-tier risk heat map, a summary of any newly identified or materially changed risks since the last review, progress against open treatment plans for high-priority risks, relevant Key Risk Indicator trends, and any risk events that occurred in the period along with lessons incorporated into the register. This is deliberately shorter than the full underlying risk register, which management retains and maintains between formal Board cycles.

Practitioner noteWe calibrate the Board pack to roughly 8-12 pages for most clients — enough substance for genuine engagement, short enough that directors actually read it before the meeting rather than skimming it during.
Can PNPC take on an ongoing risk advisory role, or is this a one-time framework build?

Both models are available. Many clients engage PNPC for the initial framework design as a defined project, then transition to a lighter-touch quarterly advisory retainer — supporting Committee meeting preparation, KRI dashboard review, and the annual comprehensive refresh — while day-to-day risk register maintenance is handled internally. Some clients, particularly those without an internal risk function, prefer PNPC to remain more actively involved in ongoing risk register updates between formal cycles.

Practitioner noteWe scope this explicitly at the outset — a one-time framework build without any follow-on support tends to see the risk register quality degrade within 12-18 months as ownership and momentum fade internally without a structured push.
Is ERM only relevant for large companies, or does it apply to mid-sized businesses too?

ERM principles scale down meaningfully — the core discipline of identifying, prioritising, and treating risk with named ownership is valuable for a mid-sized business, even without the full Committee governance structure that applies to large listed companies. The practical difference is in scope and formality: a mid-sized private company might run a lighter annual risk workshop and a management-level (rather than Board sub-committee) review, while retaining the same underlying rigour in how risks are identified and tracked.

Practitioner noteWe have built proportionate, right-sized ERM frameworks for companies well below any statutory threshold, purely because the founders wanted better visibility into what could derail the business — the framework does not require statutory compulsion to be worth doing well.
What is the single most common mistake companies make when first setting up ERM?

Treating it as a one-time documentation exercise to satisfy a disclosure requirement rather than a living management tool. The symptoms are consistent: a risk register produced once, presented once, and never substantively revisited; generic risks copied from a template rather than reflecting the organisation's actual exposure; and no named ownership or treatment plan attached to identified risks. The framework technically exists, satisfies the paperwork, and delivers essentially no risk-management value.

Practitioner noteEvery element of how we scope and deliver ERM engagements — the sizing of the register, the quarterly reporting cadence, the annual refresh discipline — is designed specifically to avoid this failure mode. A smaller framework that is actually used consistently beats an elaborate one that is not.
Why PNPC Global

How PNPC's ERM engagement compares to alternatives

FeatureGeneric Consulting TemplateIn-House OnlyPNPC Global
Framework customisationGeneric risk taxonomy reused across clients regardless of sectorDepends entirely on internal team's prior ERM exposure — often limitedSector-specific risk universe built from stakeholder interviews and CA-level regulatory knowledge
Regulatory groundingGeneral references to ISO 31000/COSO without India-specific mappingVariable — depends on internal compliance team's regulatory currencyDirect mapping to SEBI LODR Reg. 21, Section 134(3)(n), sector regulator requirements (RBI, IRDAI, RERA)
Sustainability of the registerOne-time deliverable, often unmaintained after the engagement endsDepends on internal bandwidth and continuity of ownershipLiving register with quarterly reporting cadence and annual refresh built into the engagement design
Integration with other assurance functionsStandalone deliverable, disconnected from internal audit or IFC workRequires internal coordination across functions, often informalERM directly informs internal audit planning and IFC review scope, coordinated by the same CA firm
Cross-border / group capabilitySingle-jurisdiction focus, typically India-onlyLimited to internal team's jurisdictional exposureConsolidated India-UAE group risk view from offices in both jurisdictions
Cost structureOften a large upfront project fee with limited ongoing supportNo external fee, but hidden cost of internal time and expertise gapsFixed, written fee for framework design; scoped retainer for ongoing support — no surprises
Board/Committee readinessTemplate Committee charter, generic reporting pack formatVaries with internal governance maturityCommittee terms of reference, reporting pack, and escalation protocol built for your actual Board composition

What the PNPC package includes

  1. 01

    Applicability and risk governance maturity assessment against SEBI LODR Regulation 21 and sector-specific requirements

  2. 02

    Sector-specific risk universe mapping through structured stakeholder interviews across the Board and function heads

  3. 03

    Facilitated risk identification workshops covering strategic, operational, financial, compliance, reputational, and technology risk

  4. 04

    Risk assessment methodology design with consistent likelihood/impact scoring and Board-facilitated risk appetite definition

  5. 05

    Risk register and heat map development, built as a living, sustainably maintainable document

  6. 06

    Risk treatment planning with named owners, actions, and target dates for every above-tolerance risk

  7. 07

    Board-approved Risk Management Policy drafting for LODR Schedule V Corporate Governance Report disclosure

  8. 08

    Risk Management Committee terms of reference, composition guidance, and first-meeting facilitation

  9. 09

    Key Risk Indicator dashboard design for early-warning monitoring of top-tier risks

  10. 10

    Integration of the ERM risk register with the internal audit plan and IFC review scope where those functions also exist

  11. 11

    Quarterly Board/Committee reporting pack preparation and presentation support

  12. 12

    Annual comprehensive risk register, appetite, and heat map refresh, timed to the Corporate Governance Report cycle

  13. 13

    Consolidated India-UAE group risk view for clients with cross-border operations, coordinated from Chennai, Bangalore, Hyderabad, and Dubai

  14. 14

    Direct access to a practising CA for ad hoc risk advisory between formal review cycles

A risk register that sits in a folder protects no one. Talk to PNPC Global about building an Enterprise Risk Management framework your Board will actually use.

← Back to Risk Advisory
Talk to a CA