Why the Risk Manager Dashboard Has Become Board-Critical in 2026
Between 2020 and 2025, the Indian corporate risk function moved from a procurement-adjacent administrative role to a board-level governance discipline. The shift has been driven by a sequence of regulatory and market events: the Companies Act 2013 Section 134(3)(n) requirement for risk-management policy reporting in the directors' report, the SEBI (Listing Obligations and Disclosure Requirements) Regulations 2015 mandate for a risk-management committee at the top 1,000 listed entities, the Digital Personal Data Protection Act 2023 with its data-fiduciary accountability framework, the IRDAI Information and Cybersecurity Guidelines 2023 governing third-party data flows, the cyber loss patterns through 2023 to 2025, and the rate hardening across cyber, property catastrophe, and D&O lines.
The board-level expectation has hardened in parallel. Risk-management committees at the top 1,000 listed entities in India now meet at least twice a year as a statutory minimum, with most large-caps meeting quarterly. Each meeting requires a risk-management committee pack that surfaces the corporate's residual risk position, the insurance programme response, the regulatory exposure, and the operating actions in flight. The pack is built from a dashboard.
The dashboard is not a presentation artefact. It is the operational reporting layer that the chief risk officer (CRO), the chief financial officer, the company secretary, the audit committee, the risk-management committee, and the full board read at different cadences and depths. A well-designed dashboard tells the same story at every layer with the right level of detail. A poorly-designed dashboard fragments the narrative, with the CRO presenting one number, the broker presenting another, and the insurer's submission carrying a third.
This guide covers the 2026 design framework for the risk manager dashboard in Indian mid-cap and large-cap corporates. It addresses the key risk indicators (KRIs) to surface, the insurance programme visibility that boards genuinely need, the tooling choices across Archer, ServiceNow GRC, Tableau, and Power BI, the regulatory disclosure overlap with IRDAI and SEBI reporting and the IFRS 17 corporate-side mirror, the integration paths into broker portals, and the operating governance that holds the dashboard discipline together.
The Top KRIs to Surface: A Working Set for Indian Corporates
The KRI set is the heart of the dashboard. A workable KRI design in 2026 covers eight categories that span the corporate's residual risk position. The KRI count should be tight, typically 25 to 40 indicators across the categories rather than a sprawling 100-plus list that no one reads.
Cyber risk KRIs
- External attack-surface score from the corporate's monitoring tool (BitSight, SecurityScorecard, RiskRecon), tracked monthly with material deteriorations escalated.
- Phishing simulation click-through rate across the workforce, tracked monthly, with target ranges defined by HR-risk policy (typically below 5 percent click-through, below 1 percent credential entry).
- DPDP Act data subject request closure rate within the 30-day statutory window, tracked monthly.
- Third-party vendor cyber-score deterioration count for Tier 1 vendors, tracked monthly.
- Mean time to detect (MTTD) and mean time to respond (MTTR) for security incidents, tracked monthly.
Property and casualty KRIs
- Probable maximum loss (PML) and maximum foreseeable loss (MFL) by site, refreshed annually with site-survey input.
- Sum-insured-to-actual-value ratio for the property programme, tracked at renewal with monthly variance reporting for major asset additions.
- Average clause exposure flagging sites where the sum insured ratio has dropped below 85 percent of replacement value.
- Loss-to-premium ratio by line of business (LoB), tracked monthly, with the trailing 5-year experience benchmark.
Business interruption KRIs
- Business interruption MFL and PML by site, computed against the project's expected revenue and fixed costs.
- Maximum indemnity period (MIP) versus current placement indemnity period, with gap flagging.
- Supplier concentration for top 10 suppliers by single-source dependency and revenue exposure.
- Contingent business interruption declared values versus internal estimates.
Claims experience KRIs
- Claims frequency by LoB, tracked monthly, with the trailing 5-year benchmark.
- Claim severity by LoB, tracked monthly.
- Open claims ageing with categorisation by age band (under 90 days, 90 to 180 days, 180 to 365 days, over 365 days).
- Reserve adequacy as the ratio of paid plus outstanding to initial estimate, tracked at claim file level for the largest open claims.
Premium and programme KRIs
- Premium volatility by LoB tracked as year-over-year and 5-year movement.
- Retention by LoB in terms of deductible, self-insured retention, and captive cession where relevant.
- Programme leakage as the ratio of claims paid outside policy response to total claims, indicating coverage-gap exposure.
- Broker performance score across submission quality, market access, claims advocacy, and renewal cycle time.
Vendor and supply-chain KRIs
- Tier 1 vendor count and concentration by services category and revenue exposure.
- Vendor contractual indemnity adequacy flagging vendors where indemnity caps are below internal exposure estimates.
- Supplier financial-health scores tracked through a vendor due-diligence tool.
Regulatory KRIs
- Open regulatory inspections count by regulator (SEBI, IRDAI for regulated subsidiaries, RBI for fintech, DPI under DPDP Act).
- Regulatory penalty exposure computed across active proceedings, with provision movement tracked.
- Compliance training completion percentage across the workforce.
Strategic and ESG KRIs
- ESG risk score from the corporate's chosen rating provider (MSCI, Sustainalytics, CRISIL ESG).
- Climate-transition risk exposure computed against the corporate's stranded-asset and physical-risk modelling.
- Reputation incident count with severity classification, drawn from media-monitoring tools.
Insurance Programme Visibility: What the Board Actually Needs to See
Boards do not need the detail of every policy in the programme. They need a structured view that answers four questions at every meeting: what is the residual risk after the insurance programme operates, where are the material gaps, what is the financial impact of the gaps, and what is the renewal trajectory.
The programme map
The foundational visibility artefact is a one-page programme map that lists every active policy by LoB, with sum insured, deductible or retention, premium, insurer, broker, expiry date, and renewal cycle position. A mid-cap Indian corporate typically runs 15 to 35 policies across property, business interruption, marine cargo, marine hull (where relevant), commercial general liability, employer's liability, directors' and officers' liability, errors and omissions or professional indemnity, cyber, group personal accident, group medical, motor fleet, employee benefits, and various project-specific covers. The programme map shows them all on a single page with the financial parameters that matter.
Gap analysis
The gap analysis is the visibility artefact that translates the KRI set into insurance terms. For each material risk identified by the KRIs, the analysis shows whether and how the insurance programme responds: which policy carries the cover, what is the limit, what are the relevant exclusions, what is the deductible, and where are the gaps. The gap analysis is typically structured as a heat map with risk categories on one axis and policy response columns on the other, with green-yellow-red cells indicating coverage adequacy.
Common 2026 gaps that the analysis should surface include cyber third-party vendor incidents not covered under the cyber policy wording, contingent business interruption for supply-chain incidents not declared at placement, DPDP Act regulatory penalties potentially excluded under the cyber policy regulatory-fine sub-limit, ESG-related D&O exposure for climate-disclosure disputes not within standard D&O wording scope, and motor fleet aggregation risk on EV-fleet conversions not adequately rated at placement.
Financial impact view
For each material gap, the dashboard should show the financial exposure: the modelled loss in a defined scenario, the policy response, and the net retention. The view should be scenario-based rather than abstract. A cyber-incident scenario showing INR 250 crore loss with INR 100 crore policy response and INR 150 crore net retention is materially more useful to a board than a generic statement that 'cyber coverage may be inadequate'.
Renewal trajectory
The renewal trajectory view shows the upcoming renewals over the next 6 to 12 months, the indicative market position for each, the expected rate movement, the capacity outlook, and the broker's preparation status. The view supports board pre-approval of material renewal terms and prevents end-of-quarter rushes that produce sub-optimal placements.
Captive and reinsurance view
For corporates with captive insurance entities (Indian corporates with captives are still rare in 2026 given the GIFT City IIO regime is maturing, but the count is growing), the dashboard should include the captive's underwriting position, the captive's retention versus cession, the captive's reinsurance arrangement, and the captive's solvency position. The view supports the board's oversight of the captive as a financial subsidiary, not only as a risk-transfer vehicle.
Tooling Choices: Archer, ServiceNow GRC, Tableau, and Power BI
The 2026 dashboard tooling market for Indian corporates spans four primary platform categories. The choice depends on the corporate's existing technology stack, the risk function's scale, the integration requirements, and the budget envelope.
Archer (RSA, now part of Cohesity)
Archer is the historical incumbent in the integrated risk management (IRM) and GRC category, with deep capabilities across risk register management, control assessment, issue management, regulatory compliance tracking, and third-party risk management. The platform supports custom application development through its application builder, allowing risk teams to extend the core functionality into bespoke risk views. Implementation cost in the Indian market typically runs INR 1.5 to 6 crore for an enterprise deployment with the first 18 months of run cost, with annual run thereafter at INR 60 lakh to INR 2 crore depending on user count and module scope. The platform suits mid-cap to large-cap corporates with mature risk functions that can absorb the implementation overhead.
ServiceNow GRC
ServiceNow GRC is the fastest-growing IRM platform in the Indian market in 2024 to 2026, driven by ServiceNow's broad enterprise footprint across IT service management and operations. The platform offers integrated risk management, policy and compliance management, audit management, and vendor risk management modules. Pricing in the Indian market typically runs INR 1 to 4 crore for initial implementation with the first 12 months of subscription, with annual subscription thereafter at INR 80 lakh to INR 3 crore depending on user count. The platform suits corporates already running ServiceNow for IT or HR services where the integration creates network effects.
Tableau
Tableau (Salesforce) is a visualisation layer rather than a complete risk-management platform. Indian risk functions use Tableau to build dashboards on top of underlying data sources (claim systems, broker portal extracts, policy administration systems, internal risk registers). The platform's strength is the visualisation flexibility and the analyst-friendly authoring model. Pricing for an enterprise deployment runs INR 20 to 80 lakh annually depending on user count. The platform suits corporates that want a strong dashboard front end without a full IRM platform commitment, but it does not provide the underlying risk-register and control-management workflow that Archer or ServiceNow GRC delivers.
Power BI
Power BI (Microsoft) is the dominant visualisation tool in Indian mid-cap corporates, given its bundling with Microsoft 365 enterprise licences. The platform offers similar visualisation capability to Tableau at a materially lower incremental cost. The integration with Microsoft Excel, SharePoint, and Teams supports broad organisational adoption. Pricing in the Indian market runs INR 5 to 30 lakh annually for a Power BI Pro or Premium deployment on top of existing Microsoft licensing. The platform suits cost-sensitive mid-cap deployments and corporates with broader Microsoft technology investments.
Integration considerations
Whichever platform is selected, the dashboard must integrate with the underlying data sources to avoid manual data entry that degrades reliability. The integration targets typically include the broker portal (claims and policy data), the claims management system (loss runs and reserve movements), the policy administration system (active policies, expiry dates, premium ledger), the procurement system (vendor inventory and contractual data), the ESG rating provider feed, the security operations dashboard (cyber KRIs), the IT service management system (vendor incident data), the finance system (premium ledger and provisioning), and the regulatory compliance system (open inspections and penalty exposure).
Build versus configure versus buy
The build-versus-configure-versus-buy decision is the practical anchor. A fully-built bespoke dashboard on Power BI or Tableau over a custom data warehouse may suit a corporate with a strong data team and specific requirements that off-the-shelf platforms do not address. A configured deployment of Archer or ServiceNow GRC with custom application builder extensions may suit a corporate that wants the integrated risk-register workflow without bespoke development cost. A pure platform deployment of Archer or ServiceNow GRC with minimal customisation may suit a corporate prioritising fast time-to-value.
The practical 2026 pattern for Indian mid-cap corporates is a hybrid: a ServiceNow GRC or Archer platform for the risk-register and workflow layer, integrated with a Power BI or Tableau dashboard layer for board-level visualisation. The platform layer holds the structured risk data, the visualisation layer presents it.
IRDAI and SEBI Disclosure Overlap: Risk Reporting as a Single Discipline
The risk manager dashboard sits at the intersection of multiple regulatory disclosure regimes. Treating the disclosures as separate exercises produces duplication and inconsistency. Treating them as a single discipline served by the dashboard produces both efficiency and credibility with regulators.
SEBI listed-entity disclosure obligations
The SEBI (Listing Obligations and Disclosure Requirements) Regulations 2015, as amended through 2024, require the top 1,000 listed entities (by market capitalisation) to establish a risk-management committee with at least two members from the board, one independent. The committee must meet at least twice a year, with terms of reference covering the corporate's risk-management framework, the risk-management policy, the implementation of policy, the cyber-security adequacy, and the review of the framework periodically.
The SEBI Business Responsibility and Sustainability Report (BRSR) is mandatory for the top 1,000 listed entities in 2026 and includes principle-level disclosure on risk management, including governance structures, risk identification processes, and material risks identified during the reporting period. The BRSR Core (BRSR-C) reasonable-assurance pathway requires third-party assurance on specified indicators including environmental and social KRIs.
The SEBI Climate-Related Disclosures Framework, drawn from TCFD (Task Force on Climate-related Financial Disclosures) and aligned with the ISSB IFRS S2 standard, requires the top 1,000 listed entities in 2026 to disclose climate-related risks, opportunities, transition plans, and scenario-analysis outputs.
For the risk manager, the practical implication is that the SEBI disclosures should be served by the same KRI data set that drives the internal dashboard. The board pack flows into the BRSR, the climate disclosure draws on the climate-risk KRIs, and the risk-management committee reporting carries the same KRI data with internal narrative.
IRDAI disclosure obligations for regulated subsidiaries
For Indian corporates with regulated insurance subsidiaries (insurance broking entities, captive insurers, surplus lines facilitators in GIFT City), the IRDAI imposes additional disclosure obligations. The IRDAI Information and Cybersecurity Guidelines 2023 require regulated entities to maintain board-approved cybersecurity policies and to report material cyber incidents to IRDAI within prescribed windows. The IRDAI (Insurance Brokers) Regulations 2018 as amended through 2024 require brokers to maintain prescribed governance structures with risk-management oversight.
For corporates with regulated subsidiaries, the dashboard should accommodate the subsidiary-level reporting in addition to the parent-level reporting, with appropriate segregation of regulated entity data to support IRDAI inspection.
IRDAI EoM and broker commission disclosure
The IRDAI (Expenses of Management) Regulations 2024 govern insurer expense management, with implications for broker commission disclosure to corporate clients. Brokers in 2026 are required to disclose commissions to clients, with the disclosure flowing into the client's premium ledger. The risk manager dashboard should track broker commissions paid against the disclosed amounts, with reconciliation supporting the corporate's procurement and audit functions.
IFRS 17 corporate-side mirror reporting
The IFRS 17 Insurance Contracts standard applies primarily to insurers as issuers of insurance contracts. The corporate-side mirror is more subtle: for corporates holding material insurance contracts as policyholders, IFRS 17 has limited direct application but indirect effects on disclosure expectations. Audit committees increasingly expect corporates to apply IFRS 17-equivalent disclosure rigour to their insurance programme reporting, including discounting of long-tail liability reserves, recognition of contract boundaries, and presentation of risk-adjusted positions. The dashboard should support the audit committee's expectation by carrying the IFRS 17-equivalent positions in the underlying data.
CSR and DPDP Act intersections
The Companies Act 2013 Section 135 CSR reporting and the DPDP Act 2023 data-fiduciary accountability framework both intersect the risk-management dashboard. CSR-related reputational and operational risks should appear in the KRI set; DPDP Act compliance KRIs (data subject request closure, breach notification compliance, vendor data-processing agreement currency) should appear with the cyber KRIs.
Broker Portal Integration: Live Data, Not Quarterly Spreadsheets
The single largest practical improvement available to most Indian corporate risk functions in 2026 is integration of the broker portal data into the dashboard. The historical pattern of quarterly broker MIS spreadsheets emailed to the risk function is the source of most dashboard reliability issues.
What the broker portal carries
A modern Indian commercial broker portal (Marsh, Aon, WTW, Howden, JB Boda, Anand Rathi, Prudent and others maintain portals at various capability levels in 2026) typically holds policy data (active policies, expiry dates, sums insured, premiums, insurer, deductibles), claims data (intimated claims, status, paid amounts, reserves), submissions data (renewal submissions in flight, market response), and commission data (commissions paid, disclosed amounts). The data is updated continuously rather than on a quarterly cycle.
Integration patterns
Three integration patterns dominate.
- API integration: the broker portal exposes an API that the corporate's dashboard tool consumes. This is the highest-fidelity option, with real-time updates and structured data. The 2024 to 2026 period has seen the major Indian brokers move toward API exposure, with the largest corporates running daily or weekly extracts.
- Scheduled file extracts: the broker portal generates structured file extracts (CSV, JSON, Parquet) on a daily or weekly schedule, with the corporate's dashboard tool consuming the extracts. This is the most common 2026 pattern for mid-cap corporates whose brokers do not yet offer API access.
- Email-based MIS: the historical pattern of quarterly or monthly MIS by email, ingested manually into the dashboard. This is the lowest-fidelity option and is being phased out at most large-cap corporates.
Multi-broker corporates
Large Indian corporates typically work with multiple brokers across LoBs and geographies. The dashboard must consolidate data from multiple broker portals into a single view. The consolidation is the responsibility of the corporate risk function, not the brokers, because brokers each have their own data structures and field definitions. The corporate's dashboard layer normalises the data into a single schema.
Data quality and reconciliation
Broker portal data quality varies. The risk function should maintain a reconciliation discipline: monthly reconciliation of policy schedules between broker portal and internal policy register, quarterly reconciliation of claim positions between broker portal and the corporate's own claim tracking, and renewal-time reconciliation of premium ledger between broker portal and finance system.
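The following added example (not code from any broker or platform named in this guide) normalises two broker extracts into one schema, as described under multi-broker corporates, and then runs the policy-schedule reconciliation against the internal register. The two broker layouts, all field names, and every policy value are constructed assumptions.

```python
from dataclasses import dataclass, fields
from datetime import date, datetime
from decimal import Decimal, InvalidOperation

CRORE = Decimal(10_000_000)

@dataclass(frozen=True)
class Policy:  # the single schema the dashboard layer normalises into
    policy_no: str
    lob: str
    sum_insured_inr: Decimal
    premium_inr: Decimal
    expiry: date
    broker: str

def _money(text, scale=Decimal(1)):
    return Decimal(text.replace(",", "")) * scale

def from_broker_a(row):  # hypothetical layout: amounts in rupees, DD/MM/YYYY dates
    return Policy(row["PolicyNo"].strip().upper(), row["LOB"],
                  _money(row["SumInsured"]), _money(row["Premium"]),
                  datetime.strptime(row["ExpiryDate"], "%d/%m/%Y").date(), "A")

def from_broker_b(row):  # hypothetical layout: limit in crore, ISO dates
    return Policy(row["policy_number"].strip().upper(), row["line"],
                  _money(row["limit_inr_cr"], CRORE), _money(row["premium_inr"]),
                  date.fromisoformat(row["expiry"]), "B")

def normalise(rows, adapter):
    """Map rows to Policy; malformed rows are quarantined, never dropped silently."""
    good, rejected = [], []
    for row in rows:
        try:
            good.append(adapter(row))
        except (KeyError, ValueError, AttributeError, InvalidOperation) as exc:
            rejected.append((row, type(exc).__name__))
    return good, rejected

def reconcile(portal, register):
    """Return (policy_no, issue) findings, ordered by policy number."""
    p = {x.policy_no: x for x in portal}
    r = {x.policy_no: x for x in register}
    findings = []
    for no in sorted(p.keys() | r.keys()):
        if no not in r:
            findings.append((no, "missing_in_register"))
        elif no not in p:
            findings.append((no, "missing_in_portal"))
        else:
            for f in fields(Policy):
                if getattr(p[no], f.name) != getattr(r[no], f.name):
                    findings.append((no, f"mismatch:{f.name}"))
    return findings

# Constructed sample data: two broker extracts and the internal policy register.
BROKER_A_ROWS = [
    {"PolicyNo": "PROP/001", "LOB": "Property", "SumInsured": "5000000000",
     "Premium": "12500000", "ExpiryDate": "31/03/2027"},
    {"PolicyNo": "CYB/014", "LOB": "Cyber", "SumInsured": "1000000000",
     "Premium": "8000000", "ExpiryDate": "30/06/2026"},
    {"PolicyNo": "MTR/009", "LOB": "Motor fleet", "SumInsured": "n/a",
     "Premium": "450000", "ExpiryDate": "31/03/2027"},  # malformed amount
]
BROKER_B_ROWS = [
    {"policy_number": "dno-22", "line": "D&O", "limit_inr_cr": "50",
     "premium_inr": "3,200,000", "expiry": "2026-09-30"},
]
REGISTER = [
    Policy("PROP/001", "Property", Decimal("5000000000"), Decimal("12500000"),
           date(2027, 3, 31), "A"),
    Policy("CYB/014", "Cyber", Decimal("1000000000"), Decimal("7500000"),
           date(2026, 6, 30), "A"),
    Policy("MAR/007", "Marine cargo", Decimal("250000000"), Decimal("900000"),
           date(2026, 12, 31), "B"),
]

def run_sample():
    a, bad_a = normalise(BROKER_A_ROWS, from_broker_a)
    b, bad_b = normalise(BROKER_B_ROWS, from_broker_b)
    return reconcile(a + b, REGISTER), bad_a + bad_b

if __name__ == "__main__":
    findings, rejected = run_sample()
    print("findings:", findings)
    print("quarantined rows:", rejected)
```

Quarantined rows deserve their own dashboard count: a policy that fails parsing would otherwise surface only as a misleading "missing in portal" finding.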
Bima Sugam intersection
The Bima Sugam infrastructure rolling out through 2024 to 2026 introduces a regulator-operated insurance marketplace and information utility. The Bima Sugam data structures and APIs are likely to become the integration standard over time, with broker portals and corporate dashboards aligning to the common schemas. Corporate risk functions planning major dashboard investments in 2026 should consider Bima Sugam alignment in the data architecture, even if the immediate integration is broker-portal-direct.
What integration enables
Live broker portal integration enables a set of dashboard views that quarterly MIS cannot support: claim-status dashboards showing current open-claim positions with ageing analysis, renewal-cycle dashboards showing market response in real time during the submission period, premium-versus-budget tracking through the year, commission-paid versus commission-disclosed reconciliation, and material-event flags within hours of claim intimation. The operating benefit is the time the risk function reclaims from manual data wrangling and the credibility benefit of dashboard data that matches the broker's own systems.
Operating Governance: Cadence, Ownership, and the Path to Maturity
The dashboard discipline is sustained by operating governance, not by tooling. The governance structure determines whether the dashboard remains a live instrument or drifts into a deck refreshed only before committee meetings.
Dashboard ownership
A named senior person in the risk function owns the dashboard with accountability for its data quality, the KRI set design, the visualisation layer, and the publication cadence. In a mid-cap corporate the role typically sits with the CRO or a head-of-risk reporting directly to the CRO. In a large-cap corporate the role typically sits at deputy-CRO level or with a head of integrated risk reporting.
Reporting cadence
The dashboard should refresh continuously on the underlying data but should be formally reviewed at defined cadences.
- Weekly operational review by the risk team, covering KRI movements during the week, new incidents or claims, and any threshold breaches requiring escalation.
- Monthly executive review by the CRO, CFO, and head of compliance, covering material movements and forward actions.
- Quarterly risk-management committee review of the full dashboard, with the committee's documented response to material findings.
- Half-yearly board review at the standard SEBI minimum, with the dashboard supporting the board pack.
- Annual external assurance, where the internal audit function tests the dashboard's data accuracy and the underlying integration discipline.
Escalation protocols
Dashboards without escalation protocols become reporting wallpaper. For each KRI category, the dashboard should specify the threshold breach values, the named escalation recipients, and the response timeline. A cyber KRI breach should escalate to the chief information security officer within 24 hours; a property KRI breach should escalate to the head of operations and the broker within 5 working days; a claims-frequency breach should escalate to the head of claims within 10 working days.
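The escalation rules above, as an added example that is not taken from any GRC product: it checks KRI readings against thresholds and computes the due time for each named recipient. The phishing and sum-insured limits come from the KRI lists earlier in this guide; the claims-frequency rule, the KRI key names, and the sample readings are hypothetical, and public holidays are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Escalation routes as stated in the text: category -> (recipients, unit, amount).
ROUTES = {
    "cyber": (("CISO",), "hours", 24),
    "property": (("Head of Operations", "Broker"), "working_days", 5),
    "claims_frequency": (("Head of Claims",), "working_days", 10),
}

# KRI -> (category, breach predicate). Key names are hypothetical.
RULES = {
    "phishing_click_pct": ("cyber", lambda v: v >= 5.0),
    "phishing_credential_pct": ("cyber", lambda v: v >= 1.0),
    "sum_insured_ratio_pct": ("property", lambda v: v < 85.0),
    # Assumed rule: current frequency divided by the trailing 5-year benchmark.
    "claims_vs_5yr_benchmark": ("claims_frequency", lambda v: v > 1.0),
}

@dataclass(frozen=True)
class Escalation:
    kri: str
    value: float
    recipients: tuple
    due: datetime

def add_working_days(start, days):
    """Advance by Monday-to-Friday days, keeping the time of day."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

def evaluate(readings, detected_at):
    """Return one Escalation per breached KRI, earliest deadline first.

    A reading with no defined threshold raises rather than passing silently,
    so a renamed feed field cannot quietly disable an alert.
    """
    out = []
    for kri, value in readings.items():
        if kri not in RULES:
            raise KeyError(f"no threshold defined for KRI {kri!r}")
        category, breached = RULES[kri]
        if not breached(value):
            continue
        recipients, unit, amount = ROUTES[category]
        if unit == "hours":
            due = detected_at + timedelta(hours=amount)
        else:
            due = add_working_days(detected_at, amount)
        out.append(Escalation(kri, value, recipients, due))
    return sorted(out, key=lambda e: e.due)

# Constructed readings for one refresh, detected on Friday 9 January 2026.
SAMPLE_READINGS = {
    "phishing_click_pct": 6.2,
    "phishing_credential_pct": 0.4,
    "sum_insured_ratio_pct": 82.0,
    "claims_vs_5yr_benchmark": 1.4,
}

if __name__ == "__main__":
    for e in evaluate(SAMPLE_READINGS, datetime(2026, 1, 9, 10, 0)):
        print(f"{e.kri}={e.value} -> {', '.join(e.recipients)} by {e.due:%a %d %b %Y %H:%M}")
```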
Maturity progression
Dashboard programmes mature in stages. The typical Indian mid-cap progression in 2024 to 2026 runs through four stages.
- Stage 1: Spreadsheet-based reporting, quarterly cycle, broker MIS email-driven. The starting position for most corporates without a dedicated risk function.
- Stage 2: Single-tool dashboard, typically Power BI or Tableau on top of broker portal extracts plus internal data, refreshed weekly or monthly. The first formal dashboard discipline.
- Stage 3: Integrated GRC platform, Archer or ServiceNow GRC with risk-register and control workflow, plus visualisation layer, refreshed daily or continuously.
- Stage 4: Real-time integrated dashboard, with live broker portal API integration, automated KRI computation, threshold-breach alerts, and board-pack generation from the live data.
The progression typically takes 24 to 60 months from Stage 1 to Stage 4 depending on the corporate's size, the existing technology stack, and the risk function's investment runway.
Cost and return
The investment scale across the stages runs from negligible at Stage 1 to INR 4 to 12 crore over 3 years for Stage 4 implementation in a large-cap corporate. The return is partly defensible cost (faster regulatory disclosure, fewer manual hours), partly risk-adjusted (better KRI visibility producing earlier intervention on emerging risks), and partly insurance-programme-related (better submission quality producing better renewal terms in a hardening market). A well-designed dashboard supporting a well-prepared renewal can produce premium savings of 5 to 15 percent on the largest LoBs against the unprepared baseline.
The 2026 imperative
The combination of board expectations, SEBI and IRDAI disclosure tightening, DPDP Act accountability, IFRS 17-equivalent reporting expectations, and the hardening commercial insurance market makes 2026 the year that Indian mid-cap and large-cap corporates either build the dashboard discipline or fall behind peers. The corporates that have invested through 2023 to 2025 are now operating at Stage 3 or Stage 4; the corporates still at Stage 1 face a multi-year catch-up that becomes harder as the regulatory and market complexity continues to grow.
The risk function's case for the investment is straightforward: a dashboard that surfaces the right KRIs at the right cadence to the right audience changes how the corporate makes risk decisions. The alternative is risk management as a backward-looking compliance exercise that arrives at the board after the events it should have anticipated.

