Risk Advisory · Governance, Risk & Compliance (GRC)
Enterprise Risk Management (ERM)
Most Indian companies discover their real risk exposure the hard way — a key customer concentration that suddenly unravels, a cyber incident that halts operations, a regulatory change that catches the business flat-footed, or a related-party transaction that draws board and auditor scrutiny at the worst possible moment.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Most Indian companies discover their real risk exposure the hard way — a key customer concentration that suddenly unravels, a cyber incident that halts operations, a regulatory change that catches the business flat-footed, or a related-party transaction that draws board and auditor scrutiny at the worst possible moment. Enterprise Risk Management (ERM) is the discipline that surfaces these exposures before they become crises — and gives the Board, the Audit Committee, and management a shared, structured view of what could go wrong, how likely it is, and what the organisation is doing about it. At PNPC Global, we design and implement ERM frameworks aligned to ISO 31000:2018 and the COSO ERM Integrated Framework (2017), calibrated to your sector, your governance maturity, and — where applicable — the Listing Obligations and Disclosure Requirements (LODR) Regulations that make Risk Management Committee oversight mandatory for the top 1,000 listed companies by market capitalisation. We build risk registers that get used, not filed away.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
Enterprise Risk Management is a structured, organisation-wide discipline for identifying, assessing, treating, monitoring, and reporting the risks that could affect an entity's ability to achieve its objectives — spanning strategic, operational, financial, compliance, reputational, and technology risk categories. Unlike traditional risk management, which historically operated in silos (insurance risk sat with finance, IT risk sat with IT, compliance risk sat with legal), ERM takes an integrated, enterprise-wide view — recognising that risks interact, correlate, and can compound across functions. The two globally recognised reference frameworks are ISO 31000:2018, which provides principles and generic guidelines applicable to any organisation regardless of size or sector, and the COSO ERM Integrated Framework (2017), titled 'Enterprise Risk Management — Integrating with Strategy and Performance', which explicitly links risk management to strategy-setting and performance measurement. Both are principles-based rather than prescriptive — they describe what a sound ERM programme should achieve, not a fixed checklist to complete.
In India, ERM has moved from a voluntary governance practice to a regulatory expectation for a defined class of companies. Regulation 21 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 mandates a Board-level Risk Management Committee for the top 1,000 listed entities by market capitalisation, with a majority of members from the Board of Directors, and requires the Committee to review and approve the risk management policy, monitor and review the risk management plan, and report to the Board at defined intervals. Schedule V of the LODR Regulations requires disclosure of risk management practices in the annual Corporate Governance Report. Separately, Section 134(3)(n) of the Companies Act 2013 requires every listed company's Board's Report to include a statement indicating the development and implementation of a risk management policy, including identification of elements of risk that may threaten the existence of the company. For companies not yet crossing these statutory thresholds, an increasing number of private equity investors, lenders, and rating agencies expect a documented risk register and risk governance structure as part of standard due diligence — well before any listing event.
A mature ERM programme rests on a small number of core building blocks: a risk management policy approved by the Board, defining risk appetite and tolerance; a risk universe and taxonomy specific to the entity's sector and business model; a risk register that captures identified risks with likelihood and impact ratings, existing controls, residual risk scores, and named risk owners; a risk assessment methodology applied consistently across the organisation (typically a combination of qualitative workshops and, where data permits, quantitative modelling); a governance structure — Risk Management Committee, Chief Risk Officer or equivalent, and a defined escalation path to the Audit Committee and Board; and a reporting cadence that keeps the risk register a living document rather than an annual compliance artefact. Emerging risk categories that increasingly dominate board agendas include cybersecurity and data privacy (heightened by the Digital Personal Data Protection Act, 2023), climate and ESG-related risk (relevant to BRSR reporting for the top 1,000 listed entities), third-party and vendor concentration risk, and geopolitical/supply-chain risk.
ERM is deliberately distinct from — but closely related to — internal audit, internal financial controls (IFC) review, and business continuity planning. Internal audit tests whether controls actually operate as designed across a sample of transactions; ERM identifies and prioritises the risks that controls exist to mitigate in the first place, and typically informs the internal audit plan rather than being performed by the same function in isolation. IFC review under Section 134(5)(e) focuses specifically on financial reporting controls; ERM covers the full risk universe, of which financial reporting risk is only one category. Getting the distinction right — and the sequencing right — determines whether an organisation ends up with a risk register that genuinely drives decisions, or a document produced once a year to satisfy a disclosure requirement and never opened again.
When a structured ERM framework becomes essential
Listed company falling within the top 1,000 by market capitalisation — a Board-level Risk Management Committee and a documented risk management policy are mandatory under Regulation 21 of SEBI LODR
Private equity or venture capital investors on the cap table, or an active fundraising process — institutional investors increasingly expect a documented risk register and risk governance structure as part of due diligence and ongoing reporting covenants
Rapid growth, new geography entry, or a new product line that has outpaced the organisation's informal, ad hoc approach to identifying and managing risk
Recent exposure to a risk event — cyber incident, key-customer loss, regulatory penalty, fraud, or supply-chain disruption — that has prompted the Board to ask 'what else haven't we identified?'
Preparing for an IPO, where SEBI ICDR disclosure requirements and post-listing LODR obligations make a functioning risk governance structure a pre-listing necessity, not a post-listing add-on
Group structures with multiple subsidiaries, JVs, or cross-border entities where risk exposure in one entity can cascade to the parent or group — requiring a consolidated, enterprise-wide view rather than entity-by-entity silos
Banking covenants, credit rating reviews, or insurance renewal processes that specifically evaluate the maturity of the borrower's or insured's risk management practices
Board or Audit Committee seeking a defensible, documented basis for the Section 134(3)(n) statement on risk management policy in the Board's Report
Sector-specific regulatory expectations — RBI's risk-based supervision framework for NBFCs and banks, IRDAI's ERM guidelines for insurers, or SEBI's risk management framework for market intermediaries
When a lighter-touch approach may be more proportionate
Very early-stage startup with a handful of employees, no institutional investors, and a founder who can personally track the handful of risks that matter — a structured ERM programme is premature; a simple founder-level risk list often suffices for now
Small private company well below all statutory thresholds, with straightforward single-location operations and no near-term fundraising or listing plans — a lighter risk discussion as part of annual strategic planning may be adequate
Organisation needs help with a single, narrow risk domain — for example, only IT/cybersecurity risk, or only fraud risk — where a scoped assessment in that domain is more efficient than standing up a full enterprise-wide framework
Business primarily needs internal financial controls documented for statutory audit purposes — an IFC design and testing engagement under Section 134(5)(e) is the more precise fit than a full ERM programme, though the two are natural complements
The immediate need is business continuity or disaster recovery planning for a specific event (e.g., a facility, a key vendor, a system) — a focused BCP/DR engagement addresses this faster than a ground-up ERM build
Enterprise Risk Management vs related risk, controls, and assurance functions
| Feature | Enterprise Risk Management (ERM) | Internal Audit | Internal Financial Controls (IFC) Review | Business Continuity Planning (BCP) | Compliance Management |
|---|---|---|---|---|---|
| Primary objective | Identify, assess, prioritise, and treat risks to strategic and business objectives | Test whether existing controls are designed and operating effectively | Assess controls specifically over financial reporting accuracy | Ensure critical operations can continue or recover after a disruptive event | Ensure ongoing adherence to applicable laws, regulations, and licence conditions |
| Governing framework | ISO 31000:2018, COSO ERM (2017), SEBI LODR Reg. 21 | Section 138 + Rule 13, Standards on Internal Audit (ICAI) | Section 134(5)(e), COSO Internal Control Integrated Framework | ISO 22301:2019, sector-specific regulatory guidance | Sector and law-specific — no single unifying statute |
| Who owns it | Risk Management Committee / CRO, reporting to the Board | Internal Audit function, reporting to Audit Committee | CFO function, tested by internal audit and statutory auditor | Operations / IT, sponsored by senior management | Compliance officer or company secretary function |
| Scope | Enterprise-wide — strategic, operational, financial, compliance, reputational, technology risk | Risk-based testing of processes and controls per the approved audit plan | Financial reporting processes and controls only | Critical business processes, systems, and facilities | Applicable statutory and regulatory obligations across functions |
| Typical output | Board-approved risk policy, risk register, heat map, mitigation plans | Rated findings report with management action plan, presented to Audit Committee | Control matrix, gaps identified, remediation plan, management certification | Business continuity plan, recovery time objectives, tested runbooks | Compliance calendar, tracker, and periodic certification to the Board |
| Mandatory for | Top 1,000 listed companies by market cap under SEBI LODR Reg. 21; expected practice for others | Listed cos; public/private cos above Rule 13 thresholds | Listed companies under Section 134(5)(e); auditor's IFC opinion under Section 143(3)(i)/CARO applies more broadly, subject to size-based exemptions | Not universally mandated; sector-specific (e.g., BFSI, critical infrastructure) | Applicable wherever the underlying law applies — near-universal in some form |
| Frequency | Continuous monitoring; formal review and Board reporting typically quarterly | Continuous / quarterly cycles per approved annual plan | Annual, aligned to statutory audit cycle | Reviewed and tested periodically, typically annually | Continuous, tracked against a rolling compliance calendar |
| Relationship to ERM | — | Often informed by and validates the ERM risk register through control testing | A specialised subset of the operational/financial risk category within ERM | A risk treatment/mitigation response to specific high-impact operational risks identified in ERM | Compliance risk is one category within the ERM risk universe |
These functions are complementary, not substitutable — a mature governance framework typically runs ERM as the umbrella discipline that identifies and prioritises risk, with internal audit, IFC review, BCP, and compliance management each addressing a specific risk category or providing assurance over specific controls. The right combination and sequencing for your organisation should be confirmed with a practising CA based on your listing status, sector, and governance maturity.
| # | Stage & What PNPC Does | What Generic Providers Skip | Timeline |
|---|---|---|---|
| 1 | Applicability & Maturity Assessment | We first establish whether a Board-level Risk Management Committee is mandatory for your company under SEBI LODR Regulation 21 (top 1,000 listed entities by market cap), and separately assess the case for a structured ERM programme even where not mandatory — based on investor base, lending covenants, sector risk profile, and governance ambitions. We also benchmark your current risk management maturity honestly, rather than assuming a blank slate or overstating existing practices. | Week 1–2 |
| 2 | Stakeholder Interviews & Risk Universe Mapping | Structured interviews across the Board, CXOs, and function heads to surface the risks each part of the business actually sees day to day — not just the risks that are easy to write about. We build a risk taxonomy specific to your sector (manufacturing, NBFC, real estate, IT/ITES, trading, healthcare) rather than reusing a generic template that misses sector-specific exposures like RBI regulatory risk for NBFCs or RERA project risk for real estate developers. | Week 2–4 |
| 3 | Risk Identification Workshops | Facilitated workshops with cross-functional teams to identify risks across strategic, operational, financial, compliance, reputational, and technology categories — using structured techniques (SWOT, scenario analysis, bow-tie analysis) rather than an open brainstorm that tends to surface only the risks already on everyone's mind. | Week 3–5 |
| 4 | Risk Assessment — Likelihood & Impact Scoring | Each identified risk is scored on likelihood and impact using a consistent, Board-approved scale — producing a defensible, comparable risk ranking rather than a subjective list ordered by whoever spoke loudest in the workshop. Where financial data supports it, quantitative techniques (Value-at-Risk style modelling, scenario-based financial impact) supplement the qualitative scoring for the highest-priority risks. | Week 4–6 |
| 5 | Risk Appetite & Tolerance Definition | We work with the Board to articulate risk appetite — how much risk the organisation is willing to accept in pursuit of its objectives — and translate this into tolerance thresholds for key risk categories. Without this step, a risk register has no yardstick for deciding which risks require immediate treatment versus ongoing monitoring, and this is the step most frequently skipped by template-driven providers. | Week 5–6 |
| 6 | Risk Register & Heat Map Development | A structured risk register is built — each risk with a description, category, owner, inherent risk score, existing controls, residual risk score, and treatment plan — visualised as a heat map for Board and Committee presentation. The register is built as a living document in a format your team can actually maintain, not a one-time consultant deliverable that goes stale within a quarter. | Week 6–7 |
| 7 | Risk Treatment & Mitigation Planning | For every risk above the tolerance threshold, we work with the risk owner to define a specific treatment plan — accept, avoid, transfer (insurance), or mitigate — with named actions, owners, and target dates. Generic ERM deliverables often stop at identification and scoring; the treatment plan is where the framework actually changes business outcomes. | Week 7–8 |
| 8 | Risk Management Policy & Governance Charter | We draft the Board-approved Risk Management Policy required for Corporate Governance Report disclosure under LODR Schedule V, along with the Risk Management Committee's terms of reference, reporting lines, and escalation protocol — ensuring the governance structure has the standing and documented mandate to function effectively, not just exist on paper. | Week 7–8 |
| 9 | Risk Management Committee Formation & First Meeting | For companies where the Committee is newly constituted, we support composition planning (majority Board members, as required), draft the first meeting agenda, and present the initial risk register and heat map for Committee review and approval — establishing the reporting rhythm from the outset. | Week 8–9 |
| 10 | Integration with Internal Audit Plan | Where an internal audit function exists or is being stood up in parallel, we ensure the highest-priority risks from the ERM register directly inform the internal audit universe and annual audit plan — so audit hours are allocated to the risks that matter most, rather than the two functions operating in disconnected silos. | Week 9–10 |
| 11 | Board & Audit Committee Reporting Cadence | We establish the quarterly (or Board-determined) reporting cadence — a standard reporting pack that tracks risk register changes, treatment plan progress, newly emerged risks, and key risk indicators (KRIs) — so risk reporting becomes a recurring governance rhythm rather than an annual exercise. | Week 10 |
| 12 | Key Risk Indicator (KRI) Dashboard Setup | For the highest-priority risks, we define measurable Key Risk Indicators — early-warning metrics that signal a risk is trending toward materialisation before it actually crystallises — and set up a simple, sustainable dashboard for ongoing monitoring by risk owners. | Week 10–12 |
| 13 | Annual Refresh & Continuous Monitoring Support | The risk register, appetite statement, and heat map are formally refreshed at least annually — incorporating the year's actual risk events, business changes, and emerging risk categories (cyber, ESG, geopolitical) — with PNPC available on an ongoing advisory basis between formal refresh cycles as new risks surface. | Annually, plus ongoing advisory |
Realistic timeline: a first-generation ERM framework — from stakeholder interviews through Board-approved risk policy and an operational risk register — typically takes 8–12 weeks for a single-entity company, longer for multi-entity groups or where risk data and process documentation are not readily available. Ongoing risk monitoring and quarterly reporting support continues thereafter as a recurring advisory engagement.
Certificate of Incorporation, Memorandum & Articles of Association, and group/holding structure chart including all subsidiaries and associate entities within scope
Board and Committee composition — including any existing Risk Management Committee, Audit Committee, and their terms of reference
Minutes of the last 4–6 Board and Committee meetings, particularly any prior discussion of risk-related matters
Existing risk management policy, risk register, or risk-related documentation, if any, along with any prior year's Corporate Governance Report risk disclosures
Delegation of Authority (DOA) matrix — approval limits by role, transaction type, and value
Board-approved business plan, annual budget, and 3–5 year strategic plan, to align risk identification with actual strategic objectives
Latest annual report and investor presentation, if listed or fundraising, to understand how risk is currently being communicated externally
Organisation chart with reporting lines for key business functions and geographies
Details of any new markets, products, or business lines launched or planned in the next 12–24 months
Competitor and industry risk landscape information, where available, particularly for regulated or high-risk sectors
Latest audited financial statements and management accounts for the most recent 2–3 years
Details of major contracts, customer concentration, and vendor/supplier concentration (top 10 by value)
Outstanding loan agreements, credit facility terms, and any financial covenants
Insurance policy schedule — coverage types, sums insured, and any recent claims history
Details of any litigation, arbitration, show-cause notices, or regulatory correspondence in the past 3 years
List of all licences, registrations, and regulatory approvals applicable to the entity's sector and locations
Compliance tracker or calendar, if one exists, along with any instances of non-compliance or penalties in recent years
Sector-specific regulatory correspondence — RBI, SEBI, IRDAI, or other regulator communications, as applicable
Data privacy and cybersecurity policy documents, if any, particularly in light of the Digital Personal Data Protection Act, 2023
List of key IT systems, ERP, and business applications, with hosting environment details (on-premise/cloud)
Existing IT security policy, access control framework, and any recent cybersecurity incident history
Business continuity and disaster recovery documentation, if any exists
Details of critical third-party/vendor dependencies for IT infrastructure and outsourced processes
Prior internal audit reports and their findings, where an internal audit function already exists
Statutory auditor's management letter and Internal Financial Controls (IFC) observations from the most recent audit
Any prior third-party risk assessment, due diligence report, or credit rating agency risk commentary
Details of past risk events — near-misses, actual incidents, financial losses — that the organisation is aware of, even if not formally documented
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Framework Design (Month 1–3) | Decision to formalise ERM or statutory LODR threshold crossed | Stakeholder interviews, risk universe mapping, risk assessment methodology, appetite and tolerance definition, and a Board-approved risk management policy built around your actual sector and business model — not a generic template. | A policy adopted purely for disclosure compliance, disconnected from actual business decisions — provides no real protection and creates a documentation gap the Audit Committee or a regulator can question. |
| Governance Stand-Up (Month 2–4) | Risk Management Committee constitution required or desired | Committee composition, terms of reference, reporting lines to the Board, and the first formal risk register and heat map presentation — establishing the reporting rhythm from Day 1. | A Committee that exists on paper but does not meet or receive substantive reporting — fails to satisfy the substance of LODR Regulation 21, even if technically constituted. |
| Operationalisation (Month 3–6) | Risk register approved | Named risk owners, treatment plans for above-tolerance risks, Key Risk Indicator dashboards, and integration with the internal audit plan so audit resources focus on the risks that matter most. | A risk register that is identified but never treated — risks remain on the register year after year with no owner accountability or measurable progress, undermining the credibility of the entire exercise. |
| Quarterly Reporting Cycle (Ongoing) | Board/Committee meeting calendar | A standard reporting pack tracking risk register changes, KRI trends, treatment plan progress, and newly emerged risks — presented consistently each quarter so the Board sees risk management as a living function. | Risk reporting becomes an annual, backward-looking exercise — the Board has no real-time visibility and discovers emerging risks only after they have materialised. |
| Annual Refresh (Every Year) | Financial year-end / Corporate Governance Report preparation | Formal refresh of the risk register, appetite statement, and heat map incorporating the year's actual risk events and business changes, alongside the Section 134(3)(n) Board's Report statement and LODR Schedule V Corporate Governance Report disclosure. | Stale disclosures that do not reflect the organisation's actual current risk profile — creates a governance gap that becomes visible during due diligence, a rating review, or regulatory scrutiny. |
| Emerging Risk Integration | New regulation, technology shift, or market event (e.g., DPDP Act, ESG/BRSR, geopolitical shock) | Proactive assessment of new and emerging risk categories — cybersecurity, data privacy, ESG/climate, third-party concentration, geopolitical — and their integration into the existing risk taxonomy rather than treated as one-off add-ons. | Blind spots on emerging risk categories that regulators, investors, and rating agencies increasingly scrutinise — a static risk register that only reflects yesterday's risk landscape. |
| Crisis / Risk Event Response | Actual risk materialisation — cyber incident, key-customer loss, regulatory action, fraud discovery | Post-event review against the existing risk register and treatment plan — assessing whether the risk was identified in advance, whether the treatment plan was adequate, and updating the register and controls based on lessons learned. | The same risk category recurs because root-cause lessons were never fed back into the framework — repeat incidents erode Board and investor confidence in the risk function. |
| Scale-Up / Listing Event | IPO preparation, new fundraising round, or crossing the LODR Regulation 21 threshold | Acceleration of ERM maturity to meet the more stringent governance expectations of public markets or new institutional investors — including formal Committee reporting, SEBI ICDR disclosure alignment, and third-party assurance readiness. | Governance gaps surfacing during IPO due diligence or investor diligence at the worst possible time — causing valuation adjustments, delayed timelines, or deal-structure changes. |
What exactly is Enterprise Risk Management, in plain terms?
It is a structured way for an organisation to answer three questions on an ongoing basis: what could go wrong across the business (not just in finance, but strategy, operations, compliance, technology, and reputation), how likely and how damaging is each of those risks, and what is the organisation actually doing about the ones that matter most. Instead of each department worrying about its own risks in isolation, ERM gives the Board and management one integrated view — typically captured in a risk register and reported through a Risk Management Committee.
Is Enterprise Risk Management mandatory for my company?
A Board-level Risk Management Committee and a documented risk management policy are mandatory under Regulation 21 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, for the top 1,000 listed companies by market capitalisation. Separately, Section 134(3)(n) of the Companies Act 2013 requires every listed company's Board's Report to include a statement on the development and implementation of a risk management policy. Companies outside these thresholds are not statutorily required to run a formal ERM programme, but increasingly face expectations from investors, lenders, rating agencies, and — for regulated sectors like NBFCs, banks, and insurers — sector regulators.
What is the difference between ISO 31000 and the COSO ERM framework — do I need to pick one?
Both are internationally recognised, principles-based reference frameworks rather than rigid checklists. ISO 31000:2018 is a generic risk management standard applicable to any organisation, structured around principles, a framework, and a process (identify, analyse, evaluate, treat, monitor). COSO ERM (2017) is more explicitly linked to strategy and performance, and is widely used by companies with US-linked governance expectations or those benchmarking against COSO's earlier Internal Control Integrated Framework used for IFC purposes. Neither is mandated by Indian law by name — SEBI and the Companies Act require the outcome (a documented, Board-approved risk management policy and process) without prescribing a specific named framework.
How is ERM different from Internal Audit — don't they do the same thing?
No — they are complementary but distinct. ERM identifies, assesses, and prioritises the full universe of risks the organisation faces and defines how those risks will be treated. Internal Audit independently tests whether the controls that exist to manage specific risks are actually designed correctly and operating effectively, and reports rated findings to the Audit Committee. In a mature governance structure, the ERM risk register directly informs the internal audit plan — audit hours get allocated to the highest-priority risk areas identified through ERM, rather than the two functions working from separate, disconnected risk views.
What is a Risk Management Committee and who needs to be on it?
Under Regulation 21 of SEBI LODR, the Risk Management Committee must have a majority of members from the Board of Directors, with the Chairperson being a member of the Board. The Committee is responsible for formulating and approving the risk management policy, ensuring the policy addresses cybersecurity risk specifically, monitoring and reviewing the risk management plan, and reporting to the Board at intervals it determines. For companies not statutorily required to constitute this Committee, a management-level risk committee reporting into the Audit Committee is a common lighter-touch alternative.
What is a risk register and what should it actually contain?
A risk register is the structured, working document at the heart of any ERM programme. At minimum, each entry should include: a clear risk description, the risk category (strategic, operational, financial, compliance, reputational, technology), the risk owner (a named individual, not a department), the inherent risk score (likelihood x impact before controls), a description of existing controls, the residual risk score (after existing controls), and a treatment plan with actions, owner, and target date for any risk above the organisation's tolerance threshold.
How do you set risk appetite and tolerance — isn't that subjective?
Risk appetite is inherently a Board-level judgement about how much risk the organisation is willing to accept in pursuit of its objectives — it cannot be derived purely mathematically. However, the process of setting it can and should be structured: facilitated Board discussion informed by the organisation's financial capacity to absorb loss, regulatory constraints, stakeholder expectations, and strategic priorities, translated into concrete tolerance thresholds (for example, maximum acceptable customer concentration, or a defined threshold for cybersecurity incident impact) that then anchor the likelihood/impact scoring scale used across the risk register.
We are a private company with no listing plans — is ERM still worth doing?
It depends on your investor base, lending relationships, and growth trajectory rather than listing status alone. Private equity and venture capital investors increasingly expect a documented risk register as part of governance reporting, even pre-IPO. Lenders and rating agencies factor risk management maturity into credit assessments. And practically, a structured risk view helps management make better resource-allocation decisions regardless of any external requirement. For a small, single-location private company with no institutional capital and no near-term listing or fundraising plans, a full ERM programme is often disproportionate — a lighter annual risk discussion as part of strategic planning may suffice.
What is a Key Risk Indicator (KRI) and how is it different from a KPI?
A Key Performance Indicator (KPI) measures how well the organisation is performing against its objectives. A Key Risk Indicator (KRI) is an early-warning metric that signals a specific risk is trending toward materialisation — for example, rising customer concentration percentage, increasing days-sales-outstanding as an early signal of credit risk, or a rising rate of failed login attempts as a cybersecurity indicator. KRIs are deliberately forward-looking and tied to specific risks in the register, giving management a chance to intervene before the risk actually crystallises into a loss event.
How does the Digital Personal Data Protection Act, 2023 factor into ERM?
The DPDP Act, 2023 creates new compliance obligations around personal data processing, consent, data breach notification, and significant penalties for non-compliance, making data privacy and cybersecurity a materially heightened risk category within any current ERM framework. Organisations processing personal data at scale should specifically assess data privacy risk — including third-party data processor risk — as part of the risk universe, with rules and detailed compliance timelines being operationalised progressively. We build DPDP-related risk assessment into current ERM engagements rather than treating it as a separate compliance exercise.
Does ERM cover ESG and climate risk?
Increasingly, yes. SEBI's Business Responsibility and Sustainability Reporting (BRSR) framework applies to the top 1,000 listed companies by market capitalisation, requiring disclosure across environmental, social, and governance parameters, and climate-related risk (physical and transition risk) is now a recognised category within a comprehensive ERM risk universe for applicable companies. For companies not currently subject to BRSR, we typically still recommend identifying material ESG-linked risks — such as regulatory tightening, supply-chain sustainability expectations from large customers, or physical climate exposure for asset-heavy businesses — as part of a forward-looking risk register.
How long does it take to build a first ERM framework from scratch?
For a single-entity company with reasonably available process documentation, a realistic timeline from initial stakeholder interviews through a Board-approved risk management policy and an operational risk register is 8-12 weeks. Multi-entity groups, cross-border operations, or organisations with limited existing documentation typically take longer. The framework itself is not a one-time deliverable — ongoing quarterly reporting, KRI monitoring, and an annual formal refresh are what make the difference between a framework that is used and one that becomes a filed document.
What does a typical ERM engagement cost?
Cost depends materially on company size, number of entities and locations in scope, sector complexity, and whether a Risk Management Committee and reporting cadence need to be stood up from scratch or already exist in some form. PNPC agrees a fixed, written scope and fee before any engagement begins — covering the framework design phase distinctly from any ongoing quarterly support retainer, so you know exactly what is included at each stage.
Who should own the risk register day to day — should we hire a Chief Risk Officer?
For companies within the top 1,000 listed entities or those with a genuinely complex risk profile, a dedicated Chief Risk Officer or equivalent full-time risk function is common practice. For most mid-sized and smaller companies, day-to-day risk register ownership can sit with an existing function — often the CFO, Company Secretary, or Head of Internal Audit — supported by named risk owners across the business for individual risks, with PNPC providing periodic advisory support and facilitation for the formal review cycles rather than a full-time in-house hire.
How does ERM interact with our statutory auditor's work?
The statutory auditor's primary responsibility is an opinion on whether the financial statements present a true and fair view, and — as part of that — an assessment of Internal Financial Controls over financial reporting under Section 143(3)(i). A well-documented ERM framework and risk register can support the statutory audit process by demonstrating Board-level risk oversight and providing context for the auditor's own risk assessment, but ERM is a broader, forward-looking management discipline, not a substitute for the auditor's independent testing.
What happens if we adopt a risk management policy but the Board doesn't actually engage with the risk register?
This is one of the most common failure modes in ERM implementations — a policy is adopted and a register is built to satisfy the Section 134(3)(n) disclosure requirement, but the Board treats quarterly risk reporting as a formality rather than substantively engaging with it. Beyond the governance weakness this creates, it exposes the company to criticism during due diligence, rating reviews, or — in a worst case — after an actual risk event materialises and it becomes evident the risk was on the register but never meaningfully treated.
Can ERM help during fundraising or an IPO process?
Yes, materially. Institutional investors and IPO due diligence teams routinely review risk governance maturity as part of their assessment — a documented risk register, evidence of Board-level risk oversight, and a track record of quarterly reporting all demonstrate governance readiness and can reduce the scope of investor-side risk queries during diligence. Conversely, the absence of any documented risk process, discovered for the first time during diligence, often triggers additional queries, extended timelines, or valuation-related conversations.
What sector-specific risk considerations does PNPC build into an NBFC's ERM framework?
For NBFCs, the risk universe must specifically address RBI's risk-based supervision expectations, asset-liability mismatch risk, credit concentration risk, provisioning adequacy under Ind AS 109 (Expected Credit Loss model), liquidity risk, and — depending on the NBFC's scale-based regulatory layer under RBI's Scale Based Regulation framework — enhanced governance requirements including a mandatory Risk Management Committee for upper-layer NBFCs.
How does ERM apply to a real estate developer subject to RERA?
For RERA-registered developers, the risk universe should specifically address project completion and delay risk, escrow account compliance under Section 4(2)(l)(D) of the RERA Act (70% of project receivables to be maintained in a designated account for project costs), title and approval risk, and litigation risk from homebuyer associations — categories that a generic, non-sector-specific ERM template typically misses entirely.
Does ERM cover fraud risk specifically, or is that a separate exercise?
Fraud risk is one category within the broader ERM risk universe, typically assessed through a structured fraud risk assessment covering opportunity, pressure, and rationalisation factors (the fraud triangle), and mapped against existing anti-fraud controls, whistle-blower mechanisms, and segregation-of-duties design. Where a specific fraud is suspected or has occurred, that requires a separate, targeted forensic investigation — ERM's fraud risk assessment is preventive and diagnostic, not investigative.
What is the relationship between ERM and cyber insurance?
A documented cybersecurity risk assessment — part of the technology risk category within ERM — directly supports the cyber insurance underwriting process, since insurers increasingly require evidence of the applicant's risk management maturity, existing controls, and incident response readiness before quoting or renewing cover. A well-articulated risk register and treatment plan for cyber risk can materially influence both the availability and the pricing of cyber insurance cover.
How often should the risk register be updated?
The risk register should be a living document, ideally reviewed at every quarterly Risk Management Committee or management risk committee meeting for material changes, with a comprehensive formal refresh — reassessing the full risk universe, appetite statement, and heat map — at least annually, and immediately following any significant risk event, acquisition, new market entry, or major regulatory change.
Can PNPC support ERM for our UAE entity as well as our Indian entity?
Yes. PNPC operates from Chennai, Bangalore, Hyderabad, and Dubai. For groups with both Indian and UAE entities, we build a consolidated, group-level risk view that captures cross-border risk correlation — currency and FEMA/ODI-related risk, UAE Corporate Tax and VAT compliance risk, and jurisdiction-specific regulatory risk — rather than running two disconnected, entity-level frameworks that miss how risk in one jurisdiction can affect the other.
What is 'residual risk' and why does it matter more than 'inherent risk'?
Inherent risk is the level of risk before considering any existing controls or mitigations. Residual risk is what remains after existing controls are factored in. The distinction matters because a risk with very high inherent severity but strong, well-tested existing controls may have low residual risk and require only monitoring — while a risk with moderate inherent severity but weak or absent controls may have high residual risk and require urgent treatment. Prioritising treatment purely on inherent risk, without assessing residual risk, misdirects resources toward risks that are already well-managed.
Our Board already reviews risks informally in every meeting — do we still need a formal framework?
Informal Board-level risk discussion is valuable but is not a substitute for a structured framework, for three reasons: it typically covers only the risks that happen to be top-of-mind that quarter, it lacks a consistent scoring methodology that allows risks to be compared and prioritised objectively, and — for companies within the LODR Regulation 21 threshold — it does not satisfy the specific governance and disclosure requirements around a constituted Risk Management Committee and documented policy.
What is a 'bow-tie analysis' and when do you use it in ERM?
Bow-tie analysis is a visual risk assessment technique that maps a specific risk event at the centre, with the causes (threats) leading into it on one side and the consequences leading out of it on the other, alongside the preventive controls (addressing causes) and mitigating controls (limiting consequences) at each point. It is particularly useful for a small number of high-severity, well-defined risks — such as a major cybersecurity breach or a critical facility failure — where understanding the full causal chain and control points in detail adds more value than a simple likelihood/impact score.
Does a smaller, unlisted company need a written risk management policy at all?
There is no statutory requirement for an unlisted company below the relevant thresholds to have a written risk management policy. That said, a concise, Board-discussed risk policy — even a few pages — creates useful discipline: it forces agreement on what categories of risk matter most, who owns identifying and escalating them, and what the Board expects to be told and when. Many of our unlisted clients adopt a lighter-weight version of the same structure used for listed clients, scaled to their governance maturity.
How does ERM handle risks that span multiple categories, like a key-customer loss that is both a financial and a strategic risk?
Most well-designed risk registers allow a single risk to be tagged against a primary category with cross-references to secondary categories it touches, rather than forcing an artificial single classification. The more important discipline is ensuring the risk owner and treatment plan account for the full breadth of impact — a key-customer concentration risk, for example, should have its financial impact (revenue loss), strategic impact (market positioning), and operational impact (capacity planning) all considered in the treatment plan, even if it is tracked under a single primary heading for reporting simplicity.
What is the typical output the Board actually sees each quarter?
A concise reporting pack — typically the top-tier risk heat map, a summary of any newly identified or materially changed risks since the last review, progress against open treatment plans for high-priority risks, relevant Key Risk Indicator trends, and any risk events that occurred in the period along with lessons incorporated into the register. This is deliberately shorter than the full underlying risk register, which management retains and maintains between formal Board cycles.
Can PNPC take on an ongoing risk advisory role, or is this a one-time framework build?
Both models are available. Many clients engage PNPC for the initial framework design as a defined project, then transition to a lighter-touch quarterly advisory retainer — supporting Committee meeting preparation, KRI dashboard review, and the annual comprehensive refresh — while day-to-day risk register maintenance is handled internally. Some clients, particularly those without an internal risk function, prefer PNPC to remain more actively involved in ongoing risk register updates between formal cycles.
Is ERM only relevant for large companies, or does it apply to mid-sized businesses too?
ERM principles scale down meaningfully — the core discipline of identifying, prioritising, and treating risk with named ownership is valuable for a mid-sized business, even without the full Committee governance structure that applies to large listed companies. The practical difference is in scope and formality: a mid-sized private company might run a lighter annual risk workshop and a management-level (rather than Board sub-committee) review, while retaining the same underlying rigour in how risks are identified and tracked.
What is the single most common mistake companies make when first setting up ERM?
Treating it as a one-time documentation exercise to satisfy a disclosure requirement rather than a living management tool. The symptoms are consistent: a risk register produced once, presented once, and never substantively revisited; generic risks copied from a template rather than reflecting the organisation's actual exposure; and no named ownership or treatment plan attached to identified risks. The framework technically exists, satisfies the paperwork, and delivers essentially no risk-management value.
How PNPC's ERM engagement compares to alternatives
| Feature | Generic Consulting Template | In-House Only | PNPC Global |
|---|---|---|---|
| Framework customisation | Generic risk taxonomy reused across clients regardless of sector | Depends entirely on internal team's prior ERM exposure — often limited | Sector-specific risk universe built from stakeholder interviews and CA-level regulatory knowledge |
| Regulatory grounding | General references to ISO 31000/COSO without India-specific mapping | Variable — depends on internal compliance team's regulatory currency | Direct mapping to SEBI LODR Reg. 21, Section 134(3)(n), sector regulator requirements (RBI, IRDAI, RERA) |
| Sustainability of the register | One-time deliverable, often unmaintained after the engagement ends | Depends on internal bandwidth and continuity of ownership | Living register with quarterly reporting cadence and annual refresh built into the engagement design |
| Integration with other assurance functions | Standalone deliverable, disconnected from internal audit or IFC work | Requires internal coordination across functions, often informal | ERM directly informs internal audit planning and IFC review scope, coordinated by the same CA firm |
| Cross-border / group capability | Single-jurisdiction focus, typically India-only | Limited to internal team's jurisdictional exposure | Consolidated India-UAE group risk view from offices in both jurisdictions |
| Cost structure | Often a large upfront project fee with limited ongoing support | No external fee, but hidden cost of internal time and expertise gaps | Fixed, written fee for framework design; scoped retainer for ongoing support — no surprises |
| Board/Committee readiness | Template Committee charter, generic reporting pack format | Varies with internal governance maturity | Committee terms of reference, reporting pack, and escalation protocol built for your actual Board composition |
What the PNPC package includes
- 01
Applicability and risk governance maturity assessment against SEBI LODR Regulation 21 and sector-specific requirements
- 02
Sector-specific risk universe mapping through structured stakeholder interviews across the Board and function heads
- 03
Facilitated risk identification workshops covering strategic, operational, financial, compliance, reputational, and technology risk
- 04
Risk assessment methodology design with consistent likelihood/impact scoring and Board-facilitated risk appetite definition
- 05
Risk register and heat map development, built as a living, sustainably maintainable document
- 06
Risk treatment planning with named owners, actions, and target dates for every above-tolerance risk
- 07
Board-approved Risk Management Policy drafting for LODR Schedule V Corporate Governance Report disclosure
- 08
Risk Management Committee terms of reference, composition guidance, and first-meeting facilitation
- 09
Key Risk Indicator dashboard design for early-warning monitoring of top-tier risks
- 10
Integration of the ERM risk register with the internal audit plan and IFC review scope where those functions also exist
- 11
Quarterly Board/Committee reporting pack preparation and presentation support
- 12
Annual comprehensive risk register, appetite, and heat map refresh, timed to the Corporate Governance Report cycle
- 13
Consolidated India-UAE group risk view for clients with cross-border operations, coordinated from Chennai, Bangalore, Hyderabad, and Dubai
- 14
Direct access to a practising CA for ad hoc risk advisory between formal review cycles
A risk register that sits in a folder protects no one. Talk to PNPC Global about building an Enterprise Risk Management framework your Board will actually use.