HomeServicesRisk AdvisoryRisk Assessment Framework Design

Risk Advisory · Governance, Risk & Compliance (GRC)

Risk Assessment Framework Design

A risk register that sits in a shared drive and gets updated once a year before the board meeting is not a risk management framework — it is a compliance artefact.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

A risk register that sits in a shared drive and gets updated once a year before the board meeting is not a risk management framework — it is a compliance artefact. At PNPC Global, we design risk assessment frameworks that boards and audit committees actually use: a documented risk appetite, a working risk register tied to real business decisions, and a review rhythm that keeps pace with the business rather than a once-a-year ritual. Since 1986, we have sat on the advisory side of board rooms and audit committees across India and the UAE — we build frameworks that hold up under an auditor's, a regulator's, and an investor's scrutiny, not just a template that looks complete on paper.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Risk Assessment Framework Design is

A Risk Assessment Framework is the structured methodology an organisation uses to identify, assess, prioritise, respond to, and monitor the risks that could prevent it from achieving its objectives. It is not a single document — it is a system comprising a risk appetite statement (how much risk the board is willing to accept in pursuit of its objectives), a risk register (the living inventory of identified risks, their likelihood, impact, ownership, and mitigation status), a risk assessment methodology (how risks are scored and prioritised — typically a likelihood-times-impact matrix, sometimes supplemented by velocity and detectability factors), and a governance structure that assigns clear ownership for risk identification, escalation, and response at management and board level. Internationally recognised frameworks — COSO's Enterprise Risk Management (ERM) Integrated Framework and ISO 31000:2018 — provide the structural backbone that most Indian and UAE risk frameworks are built on, adapted to the specific regulatory, sectoral, and organisational context of the entity.

When your organisation needs a formal risk framework

Board or Audit Committee has flagged the absence of a structured risk management process, or an internal or statutory auditor has raised it as an observation in the audit report or management letter

Company falls within SEBI's Listed Entities framework where a Risk Management Committee is mandated under Regulation 21 of the SEBI (LODR) Regulations, 2015 for the top 1,000 listed entities by market capitalisation

Board is required to confirm, under Section 134(5)(e) of the Companies Act 2013, that it has laid down internal financial controls and that such controls are adequate and operating effectively — a confirmation that is difficult to make credibly without an underlying risk assessment

Organisation is preparing for institutional fundraising, private equity due diligence, or a strategic partnership where investors expect to see a documented risk management approach as part of governance readiness

Business has grown past the stage where risk can be managed informally in the founder's or CEO's head — multiple business lines, geographies, or regulatory regimes now create risk interactions that need a structured view

Recent adverse event — a fraud incident, a cybersecurity breach, a regulatory penalty, a key-person departure, a significant vendor failure — has exposed the absence of a systematic way to anticipate and respond to comparable risks

Organisation operates in a regulated sector (financial services, healthcare, infrastructure, listed company, or a company receiving foreign investment) where a documented risk framework is either an explicit regulatory expectation or a practical necessity for regulator and lender confidence

When a lighter-touch approach may be more appropriate

Very early-stage startup with a handful of employees and no institutional board — a founder-level risk discussion documented in board minutes is proportionate; a full COSO-aligned framework is premature and will not be maintained

Organisation has no board, audit committee, or external stakeholder (lender, investor, regulator) that requires evidence of formal risk governance — the cost of building and maintaining a framework should be weighed against who will actually use it

The business already has an internal audit function or a management assurance process that substantively covers risk identification and monitoring — in that case, the requirement may be to formalise and document the existing process rather than build one from scratch

Organisation needs a one-time risk assessment for a specific transaction (an M&A deal, a new product launch, a single large contract) rather than an ongoing enterprise-wide framework — a focused risk assessment exercise is more appropriate than a full framework build

Resource and bandwidth constraints mean the framework, once built, will not be reviewed, updated, or used to inform actual decisions — a framework nobody maintains creates false comfort and is arguably worse than acknowledging risk is being managed informally

Structure Comparison

Common risk management framework approaches — choosing the right fit for your organisation's stage and regulatory context

FeatureCOSO ERM FrameworkISO 31000:2018SEBI LODR-driven RMC FrameworkInformal / Ad-hoc Approach
Primary originUS-developed, widely adopted globally and in IndiaInternational standard, principles-based, sector-agnosticIndia-specific, driven by SEBI listing regulations for top listed entitiesNo external reference point
Best suited forOrganisations wanting a comprehensive, strategy-linked ERM structureOrganisations wanting a lean, principles-based, flexible structureListed companies within SEBI's mandated Risk Management Committee scopeVery early-stage or informally governed entities
Board / committee structure requiredRecommended — typically Audit Committee or dedicated Risk Committee oversightRecommended but flexible — governance structure adapted to entityMandatory Risk Management Committee under Regulation 21 for applicable listed entitiesNone
Risk appetite statementCentral, explicit componentCentral, explicit componentIncreasingly expected as part of RMC charter and disclosuresRarely documented
Documentation rigourHigh — objectives, components, principles all mappedModerate to high — principles and process documented, format flexibleModerate — policy, charter, and register typically required for complianceMinimal or none
Regulatory recognition in IndiaWidely referenced by auditors and audit committees as good practiceReferenced but no direct statutory mandateDirectly linked to SEBI (LODR) Regulations, 2015 complianceNo regulatory standing
Linkage to internal financial controls (IFC)Strong — COSO Internal Control framework is the common IFC reference under Section 134(5)(e)Indirect — ISO 31000 does not itself prescribe an IFC structureExpected to interface with IFC documentation for listed entitiesTypically absent, creating an IFC certification gap
Effort to implementHigher — comprehensive but resource-intensive to build properlyModerate — designed to be proportionate to organisation sizeModerate to high — policy, committee, charter, and reporting cycle requiredLow — but produces limited defensibility
Ongoing maintenance needContinuous — risk register review, KRI monitoring, board reportingContinuous but scalable to organisation's risk maturityContinuous — RMC must meet per LODR-prescribed frequency and report to boardAd-hoc, typically deteriorates without ownership
PNPC's typical recommendationFor companies preparing for institutional investment, listing, or complex multi-entity risk exposureFor mid-sized private companies wanting rigour without over-engineeringWhere mandated by SEBI LODR scope, or voluntarily adopted for listing readinessNot recommended once the organisation has a board, lenders, or external investors

This table gives directional guidance only. Most PNPC engagements are not a pure choice between frameworks — we typically build a COSO-aligned or ISO 31000-aligned structure, right-sized to the organisation, that also satisfies SEBI LODR Regulation 21 requirements where applicable. The right framework, its scope, and its rigour depend on your sector, regulatory obligations, ownership structure, and board expectations. A scoping conversation with a practising CA is the appropriate first step before any framework is drafted.

How it works
#Stage & What PNPC DoesCA Advice That Generic Consultants MissTimeline
1Scoping & Governance Context Review — Understanding your actual risk exposure and regulatory obligationsWe start by asking what a template provider never asks: Are you SEBI-listed and within Regulation 21's Risk Management Committee mandate? Do you have institutional investors expecting governance readiness? Is there a recent adverse event driving this engagement? What does your Section 134(5)(e) internal financial controls certification currently rest on? These answers determine the scope, rigour, and regulatory anchoring of the framework — a listed entity's RMC-compliant framework looks materially different from a pre-Series-A startup's board-level risk discussion.Week 1
2Risk Universe & Business Context Mapping — Structured workshops across business functionsA risk framework built solely from management's self-reported risks misses the risks nobody wants to surface — related-party exposure, key-person dependency, control gaps flagged in prior audits but not remediated. We run structured interviews across finance, operations, compliance, HR, and IT, and cross-reference against prior statutory audit observations, internal audit findings, and any regulatory correspondence — before drafting a single risk statement.Week 1–2
3Risk Appetite Statement Drafting — The board-level starting point most frameworks skipMost off-the-shelf frameworks jump straight to a risk register without a risk appetite statement — the board's explicit articulation of how much risk it is willing to accept in pursuit of objectives, by risk category (financial, operational, compliance, reputational, strategic). Without this anchor, risk scoring becomes arbitrary and the register cannot be prioritised meaningfully. We draft the risk appetite statement for board discussion and approval before the register is built.Week 2–3
4Risk Identification & Categorisation — Building the risk universe by categoryRisks are categorised — typically strategic, operational, financial, compliance/regulatory, reputational, and technology/cyber — and identified at a granularity that is actionable, not so broad it is meaningless ('economic risk') nor so narrow it is unmanageable (hundreds of micro-risks). We calibrate this to your organisation's actual scale and complexity.Week 3–4
5Likelihood-Impact Assessment & Scoring Methodology — Quantifying and prioritising the registerWe design a scoring matrix appropriate to your organisation — typically a 5x5 likelihood-impact grid, sometimes supplemented by velocity (how fast the risk could materialise) and detectability. Scoring criteria are defined in concrete, organisation-specific terms — a 'high impact' financial risk is defined against your actual revenue and capital base, not a generic template threshold.Week 4–5
6Mitigation & Control Mapping — Linking each risk to existing and required controlsFor every risk scored as material, we map the existing control environment — what is already in place — and identify control gaps. This is where the framework interfaces directly with your internal financial controls documentation under Section 134(5)(e) and, if applicable, your internal audit scope. A risk framework that does not map to actual controls is descriptive, not operational.Week 5–6
7Risk Ownership & RACI Assignment — Naming names, not departmentsEvery risk in the register is assigned a named owner accountable for monitoring and mitigation status — not a department. We have seen risk registers where 'Finance Team' is listed as owner for a dozen risks with no individual accountable; nothing gets actioned. PNPC assigns individual ownership with escalation paths to the Audit Committee or Risk Management Committee.Week 6
8Governance Structure & Charter Design — Committee, reporting lines, and escalation protocolFor SEBI-listed entities within Regulation 21 scope, we draft the Risk Management Committee charter — composition, meeting frequency (the LODR framework specifies minimum RMC meeting cadence for applicable entities), reporting lines to the Board, and the specific disclosures the RMC must make. For non-listed entities, we design a proportionate governance structure — often Audit Committee oversight with management-level risk review.Week 6–7
9Board & Audit Committee Presentation — Framework approval and buy-inA framework designed in isolation from the board is a framework that gets shelved after one review cycle. We present the draft risk appetite statement, register, and governance structure to the Board or Audit Committee, incorporate their input, and secure formal approval — creating both ownership and the documented board minute that evidences board-level risk oversight.Week 7–8
10Key Risk Indicator (KRI) Design — Early-warning metrics for material risksFor the highest-priority risks, we design Key Risk Indicators — quantifiable, trackable metrics that signal a risk is trending toward materialisation before it actually crystallises (e.g., customer concentration percentage, days sales outstanding trend, employee attrition in key roles, cybersecurity incident frequency). This converts the framework from a static document into an early-warning system.Week 8
11Documentation & Policy Finalisation — The complete framework document setWe finalise the Risk Management Policy document, the risk appetite statement, the risk register (typically delivered in a working spreadsheet or dashboard format your team can actually maintain), the RMC/committee charter, and a one-page risk heat map for board-level reporting. Every document is drafted to be usable by your team going forward — not a one-time consultant deliverable that nobody can update.Week 8–9
12Review Cadence & Handover Training — Making the framework self-sustainingA framework is only as good as its review discipline. We establish the review cadence (typically quarterly risk register review at management level, and at minimum the LODR-prescribed frequency at RMC/Board level for listed entities), train the internal risk owner or CFO's team on how to update and re-score the register, and hand over a framework the organisation can run without needing PNPC to touch it every quarter — though we remain available for periodic health checks and material risk events.Week 9–10
13Ongoing Advisory & Framework Refresh — CA guidance as risks evolveRisk frameworks decay if untouched — new risks emerge (a new regulation, a new geography, a cybersecurity threat vector), and old risks that were mitigated should be retired rather than cluttering the register. PNPC offers periodic framework health-check engagements — typically annual or aligned to major business events (fundraising, new market entry, M&A) — to keep the framework current and credible.Ongoing, as needed

Realistic timeline for a full framework build, from scoping to board approval: 8–10 weeks for a mid-sized organisation; longer for complex multi-entity or multi-jurisdiction groups, shorter for a lighter-touch framework at an early growth-stage company. The framework itself has no 'completion' date — it is designed to be a living system with a defined review cadence from Day 1.

Document Checklist
Organisational & Governance Documents

Latest Memorandum and Articles of Association — to understand the entity's objects, governance structure, and any existing board-level committee provisions

Board composition details and any existing Board or Audit Committee charters — to understand current governance maturity and where a Risk Management Committee would sit

Organisation chart across key functions — finance, operations, compliance, HR, IT/technology — to identify functional risk owners during the workshop phase

Details of listing status, if applicable — market capitalisation ranking and confirmation of SEBI (LODR) Regulation 21 applicability for Risk Management Committee requirements

Any existing risk policy, risk register, or informal risk notes — even outdated or incomplete documents help PNPC understand what has already been attempted and why it may not have been sustained

Financial & Operational Context

Latest audited financial statements (2–3 years if available) — to understand financial risk exposure, revenue concentration, and balance sheet structure

Latest statutory audit report and management letter — auditor observations frequently point directly at unaddressed risk and control gaps

Internal audit reports, if an internal audit function exists — a critical input for the risk universe and control-gap mapping

Details of major contracts, customer/vendor concentration, and any related-party transactions — key sources of operational and financial risk

Details of borrowings, guarantees, and any covenant obligations with lenders — a common but under-assessed risk category

Regulatory & Compliance History

Details of any regulatory notices, show-cause notices, penalties, or ongoing litigation in the last 3–5 years — across tax, corporate law, labour, environmental, or sector-specific regulators

List of all statutory registrations and licences held (GST, FEMA/RBI filings if applicable, sector-specific licences) and their current compliance status

Prior Section 134(5)(e) internal financial controls certification basis, if the company is required to make this confirmation and has done so previously

Any cybersecurity, data protection, or IT security policy currently in place, and details of any prior security incidents

For SEBI-Listed Entities (Additional)

Confirmation of market capitalisation ranking to establish Regulation 21 Risk Management Committee applicability

Existing Risk Management Committee composition and any prior RMC minutes, if a committee already exists in some form

Prior annual report risk disclosures and Business Responsibility and Sustainability Report (BRSR) risk-related content, if applicable

Details of the company's Related Party Transaction policy and Whistle Blower/Vigil Mechanism policy — both interface directly with the risk framework

Stakeholder & Workshop Inputs

Availability calendar for key management personnel across functions for risk identification workshops — typically 60–90 minutes per functional head

Board and Audit Committee meeting calendar — to schedule the framework presentation and approval session appropriately

Access to relevant management information system (MIS) reports or dashboards already used to track operational or financial performance — useful for KRI design

Name of the internal risk owner or coordinator (often the CFO, Company Secretary, or a designated risk officer) who will own the framework post-handover

Execution Documents (PNPC Prepares)

Risk Management Policy document — the master policy governing the framework's scope, methodology, and governance

Risk Appetite Statement — drafted for Board approval, articulating acceptable risk thresholds by category

Risk Register — the working document listing identified risks, scoring, ownership, mitigation status, and review dates

Risk Management Committee Charter (where applicable) — composition, mandate, meeting frequency, and reporting lines

Key Risk Indicator (KRI) dashboard template — for ongoing monitoring of the highest-priority risks

Board/Audit Committee presentation deck summarising the framework, key risks, and recommended mitigation priorities

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Framework Design (Week 1–10)Decision to formalise risk managementScoping against actual regulatory obligations, risk appetite statement drafting, structured risk identification workshops, likelihood-impact scoring methodology, control mapping, and governance charter design — built for your organisation's actual scale, not a generic template.A generic template framework that does not reflect the organisation's actual risk profile, gets shelved after one review, and provides no real defensibility if a regulator, auditor, or investor examines it.
Board AdoptionFramework presented for approvalPresentation to the Board or Audit Committee with the risk appetite statement, top-priority risks, and governance structure, securing a documented board resolution or minute approving the framework — the evidence that risk oversight is a board-level function, not a document nobody signed off on.No documented board approval means the framework has no governance standing — undermining the Section 134(5)(e) internal financial controls confirmation and any claim of board-level risk oversight in due diligence or regulatory scrutiny.
Quarterly Review CycleScheduled review cadenceRisk register re-scored quarterly at management level; KRIs monitored for early-warning signals; new risks added and mitigated risks retired; Risk Management Committee (or Audit Committee, where no separate RMC exists) briefed each cycle per the agreed cadence.A stale risk register that has not been updated in over a year is functionally useless — and, for listed entities within LODR scope, a lapsed RMC reporting cadence is itself a governance and disclosure gap.
Annual RefreshFinancial year-end / AGM cycleFull annual review of the risk appetite statement, risk universe (adding risks from new business lines, geographies, or regulatory changes), and the control environment — timed to align with the statutory audit cycle and annual report risk disclosures where applicable.Risk disclosures in the annual report or board's responsibility statement that do not reflect the organisation's actual current risk profile — a credibility and, for listed entities, a disclosure-accuracy concern.
Material Risk EventFraud, cyber incident, regulatory action, key-person exit, major litigationImmediate framework activation — the event is assessed against the existing risk register (was it identified? was the KRI signal missed? was the mitigation inadequate?), the register is updated, and root-cause learnings are fed back into the framework and control environment.Treating a material risk event as a one-off crisis rather than feeding it back into the framework means the same category of risk recurs, and the organisation cannot demonstrate to auditors, regulators, or investors that it has learned from the event.
Fundraising / Investor Due DiligenceTerm sheet or investor diligence requestFramework, risk register, and governance minutes packaged for investor review; gaps identified and remediated proactively before diligence begins rather than discovered mid-process; risk appetite statement and control mapping reviewed for consistency with representations made to investors.Investors uncovering an undocumented or inconsistent risk management approach during diligence creates valuation pressure, additional warranty and indemnity asks, and can delay or derail a funding round.
Scaling / New Business Line or GeographyBusiness expansion decisionRisk universe extended to the new business line, geography, or regulatory regime (including, where relevant, UAE or other overseas risk categories PNPC's Dubai office can advise on directly) before the expansion is executed — not retrofitted afterward.Expansion into a new geography or business line without an updated risk assessment routinely surfaces unanticipated regulatory, tax, or operational exposure that a pre-expansion risk review would have flagged.
Framework Maturity Review1–2 years post-implementation, or leadership changeIndependent health-check of the framework's actual use — is the register being updated, are KRIs tracked, is the RMC/Audit Committee cadence being met — with recommendations to refresh, simplify, or deepen the framework as the organisation's risk maturity evolves.A framework that was well-designed at inception but has drifted from actual practice provides false assurance to the board and external stakeholders that risk is being actively managed when it is not.
Frequently asked
What exactly is a Risk Assessment Framework, in plain terms?

It is the structured system your organisation uses to identify what could go wrong (risks), decide how much of that risk you are willing to accept (risk appetite), track and prioritise the risks that matter (a risk register), and assign clear ownership for managing them. It is not a one-time report — it is a recurring process with a governance structure (usually an Audit Committee or Risk Management Committee) that keeps it alive and relevant as the business changes.

Practitioner noteThe single biggest failure mode we see is organisations treating the risk register as a document to produce once for an audit or investor request, rather than a live tool. If nobody re-scores it after the first draft, it stops being useful within two quarters.
Is a formal risk management framework legally mandatory for my company?

It depends on your entity type and regulatory status. There is no blanket statutory requirement for every private company to maintain a COSO- or ISO 31000-aligned framework. However, under Section 134(5)(e) of the Companies Act 2013, the Board's responsibility statement (for listed companies, and in practice a good governance expectation for larger private companies) must confirm that internal financial controls are adequate and operating effectively — a confirmation that is difficult to make credibly without an underlying risk assessment process. For SEBI-listed entities within the top 1,000 by market capitalisation, Regulation 21 of the SEBI (LODR) Regulations, 2015 mandates a Risk Management Committee with a defined charter and reporting cadence.

Practitioner noteWe routinely see private companies without any listing obligation choose to build a lighter risk framework anyway — not because a specific section of law demands it, but because lenders, private equity investors, and large enterprise customers increasingly expect to see one during diligence.
What is a risk appetite statement and why does PNPC insist on drafting it first?

A risk appetite statement is the Board's explicit articulation of how much risk the organisation is willing to accept, by category (financial, operational, compliance, reputational, strategic, technology), in pursuit of its objectives. Without it, risk scoring in the register becomes subjective and inconsistent — one manager's 'high risk' is another's 'medium.' The risk appetite statement gives the scoring methodology an anchor and gives the Board a documented, defensible basis for its risk tolerance decisions.

Practitioner noteWe have reviewed risk registers built without a risk appetite statement — the scoring is almost always inconsistent across departments, because each function head is implicitly applying their own tolerance threshold. It looks complete but does not actually prioritise anything meaningfully.
COSO ERM or ISO 31000 — which framework should we adopt?

Both are internationally recognised and neither is mandated by Indian law for most private companies. COSO's Enterprise Risk Management Integrated Framework is more comprehensive and strategy-linked — commonly chosen by organisations preparing for institutional investment, listing readiness, or complex multi-entity risk exposure, and it aligns naturally with the internal financial controls documentation many boards must already maintain. ISO 31000:2018 is a leaner, principles-based international standard, more proportionate for mid-sized private companies that want rigour without over-engineering. In practice, most PNPC engagements borrow structural elements from both, calibrated to the organisation's size and regulatory context, rather than adopting either framework in its complete textbook form.

Practitioner noteDo not let the framework selection become the bottleneck. We have seen organisations spend months debating COSO versus ISO 31000 terminology while the actual risk register sits empty. The framework label matters far less than whether the underlying risk appetite statement, register, and governance cadence actually get built and used.
What is a Risk Management Committee (RMC) and who needs one under SEBI rules?

Under Regulation 21 of the SEBI (LODR) Regulations, 2015, a Risk Management Committee is mandatory for the top 1,000 listed entities determined on the basis of market capitalisation, as well as certain other categories of listed entities specified by SEBI from time to time. The RMC must have a defined composition (a majority of members being Board directors, including at least one independent director for applicable categories), a documented charter, and must meet at a prescribed minimum frequency, reporting to the Board on the risk management framework's effectiveness. Companies outside this mandated scope are not statutorily required to constitute a separate RMC, though many voluntarily route risk oversight through the Audit Committee.

Practitioner noteIf your company is approaching the market-capitalisation threshold that could bring it within RMC scope — or you are planning an IPO — it is worth building RMC-ready governance ahead of the requirement rather than scrambling to constitute one reactively once you cross the threshold.
How does a risk framework relate to internal financial controls (IFC) under Section 134(5)(e)?

Internal financial controls are the specific policies and procedures that ensure the orderly and efficient conduct of business, accuracy and completeness of accounting records, and timely preparation of reliable financial information. A risk assessment framework is broader — it covers financial, operational, compliance, reputational, and strategic risk — but the two are deeply linked: you cannot credibly assess whether your internal financial controls are 'adequate and operating effectively' (the Board's Section 134(5)(e) confirmation) without first identifying the financial risks those controls are meant to address. PNPC designs the risk framework to explicitly interface with, and support, the IFC documentation and testing that underpins this Board confirmation.

Practitioner noteWe frequently find that companies have an IFC matrix prepared by their statutory auditor in isolation from any broader risk framework. The two documents should talk to each other — the IFC matrix should trace back to risks identified in the register, not exist as a separate, disconnected compliance exercise.
We are a private, unlisted company with no immediate SEBI obligations. Do we still need this?

There is no statutory mandate specific to private unlisted companies to build a formal risk framework. Whether you need one is a business judgement, not a compliance requirement. Common triggers we see for unlisted private companies: preparing for institutional fundraising where investors expect governance readiness, a recent adverse event (fraud, major vendor failure, cybersecurity breach) that exposed the lack of a structured process, growth past the point where risk can be tracked informally by the founder or CEO, or a lender covenant or large enterprise customer contract that expects evidence of risk governance.

Practitioner noteWe advise founders not to build a heavyweight framework purely because a template or consultant suggests it is 'best practice.' If nobody on your team — board, CFO, or founder — will actually use and maintain it, a lighter, proportionate approach documented in board minutes is often more honest and more useful than an elaborate framework gathering dust.
How long does it take to build a full risk assessment framework from scratch?

For a mid-sized organisation, a realistic timeline from initial scoping to Board approval is 8 to 10 weeks — covering scoping, risk identification workshops across functions, risk appetite statement drafting, scoring methodology design, control mapping, governance charter drafting, and Board presentation. Complex multi-entity or multi-jurisdiction groups (including India-UAE structures) typically take longer given the need to map risk across each entity and regulatory regime. A lighter-touch framework for an early growth-stage company can be built faster, in proportion to its complexity.

Practitioner noteTimelines stretch most often not because of the framework design itself, but because scheduling risk identification workshops across busy function heads takes longer than clients expect. We recommend blocking workshop slots on the calendar in week 1 rather than trying to schedule them reactively.
What does a risk register actually look like — is it just a spreadsheet?

At its core, yes — a risk register is typically a structured spreadsheet or dashboard listing each identified risk, its category, likelihood score, impact score, overall risk rating, existing controls, control gaps, the named risk owner, planned mitigation actions, target dates, and current status. What separates a working register from a shelf document is not the tool (spreadsheet versus dedicated GRC software) but the discipline of updating it on a defined cadence and using it to drive actual management decisions and board reporting.

Practitioner noteWe deliberately deliver the register in a format your team can maintain without needing PNPC or expensive GRC software — usually a well-structured spreadsheet with clear conventions. Dedicated GRC platforms are valuable at larger scale, but we do not recommend clients buy software before they have proven they will maintain a spreadsheet-based register consistently.
How is likelihood and impact actually scored — is it subjective?

Scoring inevitably involves judgement, but a good framework reduces subjectivity by defining concrete, organisation-specific criteria for each score level before any risk is scored. For example, 'high impact' on a financial risk might be explicitly defined as 'potential loss exceeding X% of annual revenue or Y absolute rupee value' rather than left to individual interpretation. PNPC calibrates these thresholds to your organisation's actual financial scale during the framework design phase, and scoring is typically done collaboratively across function heads with a facilitator (PNPC, initially) to reduce inconsistency between departments.

Practitioner noteThe most common scoring error we see in self-built registers: every department rates its own risks as 'high' because there is no calibrated, cross-functional reference point. A facilitated scoring workshop in the first cycle resolves this far more effectively than a template with generic definitions.
What are Key Risk Indicators (KRIs) and how are they different from the risk register?

The risk register is a periodic (typically quarterly) point-in-time assessment. Key Risk Indicators are ongoing, trackable metrics designed to give an early warning that a specific high-priority risk is trending toward materialising, between formal review cycles. Examples include customer concentration percentage trending upward, days sales outstanding lengthening, employee attrition in key roles rising, or the frequency of near-miss cybersecurity incidents increasing. PNPC designs KRIs only for the highest-priority risks in the register — tracking too many KRIs dilutes attention and becomes unsustainable.

Practitioner noteKRIs are the component most frameworks skip because they require ongoing data discipline. We recommend starting with 3 to 5 KRIs tied to your top risks rather than attempting a comprehensive KRI dashboard on day one — a small number that is actually monitored beats a large dashboard that is not.
Who should own the risk register once PNPC hands it over?

There should be a single named internal coordinator — most commonly the CFO, Company Secretary, or a designated Chief Risk Officer / risk manager in larger organisations — responsible for maintaining the register, coordinating the periodic review cycle, and preparing the Board or Audit Committee/RMC reporting pack. Individual risks within the register are owned by the relevant function head, but the overall framework needs one accountable coordinator or it drifts.

Practitioner noteWe insist on identifying this named coordinator before the engagement concludes — not after. A framework handed over to 'the finance team' generically, with no individual accountable, predictably stalls within two review cycles.
How often should the risk register be reviewed and updated?

A common and reasonable cadence is quarterly review at the management level, with reporting to the Audit Committee or Risk Management Committee at a frequency consistent with your committee's meeting schedule — and for SEBI-listed entities within Regulation 21 scope, in line with the minimum frequency prescribed for RMC meetings. New risks (from a new business line, regulatory change, or major contract) should be added to the register as they emerge rather than waiting for the next scheduled quarterly cycle, and material risk events should trigger an immediate ad-hoc review.

Practitioner noteAnnual-only review is the most common shortfall we see — it technically satisfies a bare compliance checkbox but does not function as real risk management, because most operational and financial risks change meaningfully within a quarter, not a year.
We had a fraud incident. Would this framework have prevented it, and how do we prevent a recurrence?

A risk framework cannot guarantee prevention of every adverse event — its purpose is to systematically increase the likelihood that material risks are identified, monitored, and mitigated before they materialise, and to provide a structured process for learning from events that do occur. If a fraud incident has already happened, the immediate priority is root-cause analysis: was this risk category identified in any prior assessment? Was there a control gap that should have been flagged? PNPC treats a material risk event as a direct input into refreshing the framework and control environment — not a separate, one-off forensic exercise disconnected from ongoing risk management.

Practitioner noteOrganisations that engage us after a fraud or control-failure event get more value from the framework build than those doing it proactively, because the event itself surfaces exactly where the existing control environment failed — that evidence sharpens the resulting framework considerably.
Does PNPC also help with forensic investigation if a risk materialises into an actual fraud or loss event?

PNPC's risk advisory practice focuses on framework design, risk assessment, internal controls advisory, and governance structuring. Where a material event requires forensic investigation, quantification of loss, or litigation support, we scope that as a related but distinct engagement — often working alongside the risk framework refresh so that findings from the investigation directly inform the updated risk register and control recommendations.

Practitioner noteWe recommend engaging the same advisory team for both the investigation and the subsequent framework refresh where possible — continuity of context materially speeds up translating investigation findings into concrete control improvements.
How does risk assessment interact with our statutory audit?

Your statutory auditor independently performs a risk-based audit under Standards on Auditing, which includes their own assessment of risks of material misstatement in the financial statements — this is a distinct, auditor-owned process governed by auditing standards, not something PNPC's risk advisory engagement replaces or performs on the auditor's behalf. However, a well-documented enterprise risk framework — particularly the sections addressing financial and compliance risk and the internal control environment — is a valuable input the auditor will typically review, and it supports the Board's own Section 134(5)(e) internal financial controls confirmation, which is separate from the auditor's own risk assessment.

Practitioner noteWe are careful to keep this distinction clear with clients: PNPC's risk advisory engagement supports and complements the statutory audit process, and where PNPC also serves as statutory auditor for a client, independence considerations mean the risk framework advisory is scoped and delivered by a separate, appropriately independent team.
What is the difference between risk management and internal audit?

Risk management (the framework PNPC builds) is a forward-looking, management- and Board-owned process for identifying and responding to risks before they materialise. Internal audit is typically an independent assurance function — either an in-house team or an outsourced provider — that periodically tests whether the controls management has put in place (including those addressing risks in the register) are actually operating as designed. The two are complementary: the risk register often forms the basis for the internal audit plan, prioritising audit focus on the highest-risk areas, while internal audit findings feed back into refreshing the risk register.

Practitioner noteWe often recommend that the internal audit plan for the year be explicitly built off the top-rated risks in the register rather than a generic rotational audit calendar — it makes internal audit spend materially more relevant to what the Board actually cares about.
We are a group with an Indian company and a UAE entity. Does the risk framework cover both?

Yes — PNPC's risk advisory engagements for India-UAE groups build a consolidated framework that captures entity-specific and group-level risks, including cross-border risk categories: FEMA and RBI compliance risk on the India side, UAE Corporate Tax and regulatory compliance risk on the UAE side, transfer pricing exposure on intercompany transactions, and consolidated financial reporting risk where applicable. With operating offices in Chennai, Bangalore, Hyderabad, and Dubai, PNPC coordinates the framework build across both jurisdictions under a single engagement rather than requiring you to brief separate advisors in each country.

Practitioner noteCross-border groups routinely under-assess intercompany and transfer pricing risk because it falls between the India team's and the UAE team's usual scope. A unified framework with one advisory team catches this interaction that siloed advisors typically miss.
What does it cost to build a risk assessment framework with PNPC?

PNPC charges a fixed, agreed professional fee for a risk framework engagement, scoped after the initial conversation based on your organisation's size, number of business functions and entities involved, regulatory complexity (including any SEBI LODR RMC requirements), and whether workshops are needed across multiple locations or jurisdictions. The exact fee and scope are confirmed in writing before work begins — there is no standard 'off-the-shelf' price because the effort genuinely varies with organisational complexity.

Practitioner noteWe ask every prospective client for a short scoping call before quoting, precisely because a framework for a single-entity private company and a framework for a SEBI-regulated, multi-entity India-UAE group require materially different effort. Anyone quoting a fixed price without that conversation is likely quoting a shallow template exercise.
Can a small consulting firm or freelance GRC consultant do this instead of a CA firm?

Many risk framework engagements are delivered competently by dedicated GRC (Governance, Risk, Compliance) consultants or boutique risk advisory firms, and there is no legal requirement that this work be performed by a Chartered Accountant. The advantage of engaging a practising CA firm like PNPC is the direct interface with statutory compliance obligations that a pure GRC consultant may not have day-to-day familiarity with — Section 134(5)(e) internal financial controls, the statutory audit process, tax and regulatory risk specifics, and (for our clients) an existing understanding of your financial statements, compliance history, and business from other engagements.

Practitioner noteWhere clients already have an existing PNPC engagement (statutory audit, tax advisory, or compliance retainer), the risk framework build is materially faster and more accurate because we are not starting from zero on understanding the business — we already hold much of the financial and compliance context.
How does a risk framework help during private equity or venture capital due diligence?

Institutional investors' legal and financial due diligence processes routinely probe governance maturity — whether the Board has visibility into key risks, whether internal controls are documented and tested, and whether there is a structured process (rather than founder intuition alone) managing operational, financial, compliance, and reputational risk. A well-documented risk framework, with evidence of Board or Audit Committee engagement (minutes, review cycles), materially strengthens the governance narrative in diligence and can pre-empt additional warranty, indemnity, or valuation-discount asks that arise when investors perceive governance as immature.

Practitioner noteWe recommend building or refreshing the risk framework before a fundraising process begins, not during it — diligence timelines rarely allow enough runway to build a credible framework from scratch once term sheet discussions are already underway.
Does the risk framework need to be disclosed publicly or filed with any regulator?

For most private, unlisted companies, there is no requirement to file the risk framework itself with any regulator — it is an internal governance document, though the Board's confirmation on internal financial controls under Section 134(5)(e) is disclosed in the Board's report attached to the annual financial statements. For SEBI-listed entities, certain risk-related disclosures are required in the annual report and, where applicable, the Business Responsibility and Sustainability Report (BRSR) — though the full risk register and appetite statement themselves remain internal documents; only summarised risk disclosures are made public.

Practitioner noteWe advise clients to keep the full risk register as an internal working document and prepare a distinct, appropriately summarised risk disclosure for the annual report — conflating the two creates both an over-disclosure risk (revealing commercially sensitive detail) and a drafting burden.
What is the difference between inherent risk and residual risk in the register?

Inherent risk is the level of risk that exists before considering any mitigating controls — the raw exposure. Residual risk is the level of risk that remains after accounting for the controls and mitigation measures currently in place. A risk register that only scores inherent risk overstates the organisation's actual exposure and does not show where controls are working; a register that only scores residual risk can understate how serious a risk would be if a control failed. PNPC's framework scores both, so the Board can see the effectiveness of existing controls (the gap between inherent and residual) as well as the current actual exposure.

Practitioner noteScoring only residual risk is a common shortcut that flatters the risk profile — if a control were to fail (which does happen), the Board has no visibility into how exposed the organisation would then be. We insist on scoring both.
Our board meets only quarterly. How do we handle risks that emerge between meetings?

The governance structure PNPC designs typically includes a defined escalation protocol for risks that emerge or materially change between scheduled Board or Audit Committee meetings — usually a threshold-based trigger (a risk scored above a certain severity, or any risk event with actual or potential financial/reputational impact above an agreed threshold) that requires immediate escalation to the Committee Chair or Board Chair outside the regular cycle, rather than waiting for the next scheduled meeting.

Practitioner noteWe build this escalation protocol explicitly into the governance charter rather than leaving it implicit — an implicit 'use your judgement' escalation rule is the reason material risks sometimes sit unreported for a full quarter in organisations without a defined framework.
Can this framework help with cybersecurity and data protection risk specifically?

Yes — cybersecurity and technology risk is typically one of the standard risk categories within the framework (alongside strategic, operational, financial, compliance, and reputational risk), and is increasingly one of the highest-scored categories across most organisations given the rising frequency of cyber incidents. PNPC's framework identifies and scores cybersecurity and data protection risks at an enterprise-governance level — data breach exposure, third-party/vendor access risk, business continuity risk from a system outage — but for deep technical cybersecurity control implementation (network security architecture, penetration testing, technical remediation), we recommend a specialist technical security partner working alongside the risk framework, with PNPC ensuring the governance and Board-reporting layer stays connected to their technical findings.

Practitioner noteWe frequently see a gap where a technical cybersecurity vendor produces excellent findings that never make it into Board-level risk reporting because there is no framework connecting the two. We deliberately build that bridge.
Is a Risk Management Committee the same as an Audit Committee?

No, though they are related and, in smaller organisations, functions sometimes overlap. The Audit Committee, mandated under Section 177 of the Companies Act 2013 for specified classes of companies, has a statutorily defined mandate centred on financial reporting oversight, auditor recommendation and oversight, and related-party transaction approval. A Risk Management Committee, where mandated under SEBI (LODR) Regulation 21 or voluntarily constituted, has a broader mandate specifically focused on enterprise risk oversight across all risk categories, not solely financial reporting risk. Where a company is not required to have (or chooses not to constitute) a separate RMC, risk oversight responsibility is commonly routed through the existing Audit Committee.

Practitioner noteWe help clients decide, based on Board bandwidth and regulatory scope, whether a separate RMC is warranted or whether Audit Committee oversight of the risk framework is the more proportionate governance choice — this is a judgement call we walk through explicitly during scoping, not a default assumption.
What happens if we build the framework but the Board never actually reviews the risk register?

This is the most common way risk frameworks fail — not at the design stage, but at the sustained-use stage. A framework that is built, presented once, and then never revisited provides false assurance: on paper, governance looks mature; in practice, the Board has no current visibility into the organisation's actual risk exposure. This creates real exposure if a material risk event occurs and any subsequent inquiry (by an auditor, regulator, or in litigation) reveals the framework was not being used as represented.

Practitioner noteWe build the review cadence into the engagement itself — scheduling the first two or three review cycles as part of the original scope, rather than handing over a document and hoping the client maintains the habit unprompted. Institutionalising the first few cycles is what determines whether the framework survives past year one.
Does PNPC provide ongoing support after the framework is built, or is it a one-time engagement?

We offer both models depending on client need: a one-time framework build with handover and training for organisations that want to run the framework independently going forward, and an ongoing advisory retainer for organisations that want PNPC to facilitate the quarterly review cycles, refresh the register, and prepare Board/RMC reporting packs on a continuing basis. Many clients start with the former and move to the latter once they experience how much discipline the review cadence actually requires.

Practitioner noteWe are transparent that most self-run frameworks lose review discipline within 12 to 18 months without an external facilitator keeping the cadence on the calendar — not because the internal team is incapable, but because internal priorities compete with a recurring governance task that has no external deadline pressure. An ongoing retainer solves exactly this.
How does risk assessment framework design fit with PNPC's broader risk advisory and audit services?

Risk framework design sits within PNPC's Governance, Risk & Compliance (GRC) practice under our broader Risk Advisory pillar, which also covers internal audit, internal financial controls testing, fraud risk assessment, and regulatory compliance advisory. For clients where PNPC also serves as statutory auditor, tax advisor, or compliance retainer client, the risk framework engagement benefits from — but is delivered independently of, where auditor-independence rules require it — the institutional knowledge PNPC already holds about the business.

Practitioner noteWe map out, at the start of every risk advisory engagement, exactly which PNPC teams are involved and where independence walls need to apply — particularly for statutory audit clients — so there is no ambiguity about roles.
Why should we engage PNPC rather than a generic risk consulting firm or build the framework in-house?

A generic risk consulting firm can deliver a technically sound framework but typically lacks the day-to-day statutory compliance context — how the framework interfaces with Section 134(5)(e) internal financial controls certification, the statutory audit process, or India-UAE cross-border regulatory risk. Building in-house without external facilitation is possible but commonly stalls at the risk appetite statement stage (a genuinely difficult document to draft objectively from inside the organisation) and rarely sustains the review cadence without external accountability. PNPC combines CA-level regulatory and financial fluency with dedicated risk framework methodology, and — because we are a practising firm present since 1986 across India and the UAE — we remain available for the ongoing review cycles, not just the initial build.

Practitioner noteThe clients who get the most value from this engagement are the ones who treat the framework as a living governance tool from day one, not a compliance checkbox — we structure the engagement to nudge every client in that direction, including by building the first few review cycles into the original scope.
Why PNPC Global
FeatureGeneric Risk Template / SoftwareBoutique GRC ConsultantPNPC Global
Regulatory anchoringGeneric — not mapped to Companies Act or SEBI LODR specificsOften strong on GRC methodology, may lack day-to-day statutory compliance depthFramework explicitly mapped to Section 134(5)(e), Section 177, and SEBI LODR Regulation 21 where applicable
Risk appetite statementGeneric boilerplate wording — not calibrated to your revenue, capital base, or actual risk categoriesUsually included, methodology variesFacilitated Board-level drafting anchored to your actual financial scale and objectives
Understanding of your financialsNone — generic inputs onlyLimited unless separately engaged for financial diligenceWhere PNPC serves as auditor/advisor, deep pre-existing financial and compliance context (with independence walls respected)
India-UAE cross-border riskNot addressedRarely covered unless a specialist cross-border firmNative coverage from Chennai/Bangalore/Hyderabad AND Dubai offices under one engagement
Sustained review cadenceNo support after purchaseVaries — often ends after initial deliveryFirst review cycles built into scope; ongoing retainer option to keep cadence alive
Control mapping to IFCNot connectedSometimes connected, depends on consultant backgroundDirectly interfaces with internal financial controls documentation supporting Section 134(5)(e)
Board presentation & buy-inSelf-service — client presents own templateOften includedPNPC presents directly to Board/Audit Committee, incorporates feedback, secures documented approval
Post-build accessibilityNoneDepends on engagement termsDirect access to your engagement CA by phone and WhatsApp — not a support ticket
Approach to sizingOne-size-fits-all templateUsually scoped appropriatelyExplicitly right-sized — we tell clients when a full COSO build is overkill for their stage

What the PNPC package includes

  1. 01

    Scoping conversation to assess your actual regulatory obligations — SEBI LODR RMC applicability, Section 134(5)(e) IFC context, sector-specific requirements

  2. 02

    Structured risk identification workshops across finance, operations, compliance, HR, and IT functions

  3. 03

    Risk Appetite Statement drafted for Board discussion and approval

  4. 04

    Risk register built and scored using a likelihood-impact methodology calibrated to your organisation's actual financial scale

  5. 05

    Control mapping linking each material risk to existing and required mitigating controls

  6. 06

    Named risk ownership and escalation protocol design — not department-level, individual-level accountability

  7. 07

    Risk Management Committee or Audit Committee charter drafting, where applicable under SEBI LODR or as a governance best practice

  8. 08

    Key Risk Indicator (KRI) design for your top-priority risks — an early-warning layer, not just a periodic snapshot

  9. 09

    Board or Audit Committee presentation and facilitated approval session

  10. 10

    Complete documentation set: Risk Management Policy, risk register, appetite statement, committee charter, and board reporting template

  11. 11

    Review cadence design and internal risk-owner training so your team can run the framework independently

  12. 12

    Optional ongoing advisory retainer to facilitate quarterly reviews and keep the framework current as the business evolves

Speak directly with a PNPC Chartered Accountant about your organisation's risk governance — not a generic GRC template salesperson. A practising CA who understands your financial statements, your compliance history, and — where relevant — your India-UAE structure, and who will still be advising you when the framework faces its first real test.

← Back to Risk Advisory
Talk to a CA