Building a Risk Register and Mapping It to Insurance Coverage in India

A practical guide for Indian risk managers on building a risk register suited to mid-market companies and systematically mapping identified risks to insurance coverage, retention, or mitigation, closing the gap between what appears on the register and what the insurance programme actually covers.

Tarun Kumar Singh, Strategic Risk & Compliance Specialist (AIII · CRICP · CIAFP)

15 min read

Tags: risk-register, enterprise-risk-management, insurance-gap-analysis, iso-31000, irdai, risk-mapping, insurance-renewal, deductible-strategy

Last reviewed: May 2026

What a Risk Register Is and Why Indian Mid-Market Companies Often Get It Wrong

A risk register is a structured record of identified risks that an organisation faces, together with their likelihood and impact assessments, assigned ownership, existing controls, and residual risk after controls are applied. It is not a compliance document produced annually to satisfy an auditor and filed away. At its most useful, it is a live management tool that shapes decisions on capital allocation, insurance placement, and operational priorities.

Most large Indian corporates (those in the Nifty 500 or subject to SEBI's LODR Regulations requiring board-level risk management committees) maintain some form of risk register. The challenge in the mid-market, companies with revenues between INR 50 crore and INR 2,000 crore, is that the register tends toward one of two failure modes. The first is a purely financial risk register, focused on credit, currency, interest rate, and commodity exposures, because those risks have obvious P&L linkages and are familiar to finance teams. Physical, operational, and liability risks are absent or superficially treated. The second failure mode is an overly elaborate risk taxonomy copied from an MNC framework, with 60 or 80 risk categories, most of which no one actively monitors, and ownership assigned to roles rather than named individuals.

The objective of this guide is a risk register format that is genuinely useful for a mid-market Indian company: specific enough to be actionable, connected to the actual insurance programme, and simple enough that a risk manager without a dedicated team can maintain it. The target output is a register with 30 to 60 risks across the company's key risk categories, each mapped to either an insurance policy, a retained deductible decision, or a mitigation control.

Risk Register Structure: Fields That Matter for Insurance Mapping

A risk register for insurance purposes needs to capture more than a standard ERM register. Each risk entry should contain at minimum:

Risk ID: a unique identifier enabling cross-reference between the register, insurance schedules, and board reports.

Risk description: a plain-language statement of what could go wrong, written in active terms (e.g., 'fire destroys the Pune manufacturing plant' rather than 'fire risk'). Specificity matters: a vague description cannot be mapped to a specific insurance coverage.

Risk category: one of a defined set of categories (see next section). Categories enable portfolio-level views and ensure no category is systematically overlooked.

Likelihood rating: a 1 to 5 scale (or similar), calibrated to a defined time horizon, typically one year. For Indian industrial risks, historical IRDAI loss data, natural catastrophe models for the relevant geography, and industry loss statistics from the Insurance Information Bureau provide calibration inputs.

Impact rating: a 1 to 5 scale across financial, operational, reputational, and regulatory dimensions. Financial impact should be expressed in INR ranges (e.g., Level 3: INR 1 crore to INR 10 crore). This quantification is what allows the insurance deductible and limit decision to be referenced back to the register.

Risk owner: a named individual, not a department or role. The risk owner is accountable for the risk's management, not just its reporting.

Current controls: a brief description of existing preventive and detective controls. A manufacturing plant's fire risk entry should reference the hydrant system specification, hot-work permit procedures, and fire load controls.

Residual risk after controls: the revised likelihood and impact after controls are applied. Residual risk is what the insurance programme is pricing.

Insurance treatment: which policy (by policy number and insurer) responds to this risk, and at what limit and deductible. This is the field most often absent from standard ERM registers and the most important for risk-insurance alignment.

Retention/gap note: any portion of the residual risk that is uninsured, whether by deliberate retention (deductible, self-insurance) or by gap (coverage not obtained or excluded from the policy).

Risk Categories for Indian Commercial Operations

Indian commercial enterprises face a risk mix that differs from the global templates embedded in ISO 31000 or COSO ERM frameworks. A risk category structure appropriate for an Indian mid-market manufacturer, logistics provider, or IT services company should include the following categories.

Property and physical asset risks: fire, explosion, flood, windstorm, earthquake, malicious damage, machinery breakdown, and business interruption. For Indian companies, flood and earthquake exposure varies sharply by geography; a factory in the Brahmaputra floodplain faces a categorically different natural catastrophe profile than one in Pune. The Indian Meteorological Department's flood and cyclone zone classifications and the Bureau of Indian Standards' seismic zone map provide the geographic calibration.

Liability risks: bodily injury and property damage to third parties from operations (public liability); product defect or failure (product liability); professional error or omission in services (professional indemnity); pollution from operations or products (environmental liability). Each sub-category needs its own register entry, as the insurance response differs.

People risks: workplace accidents, employer liability, key person loss (the death or incapacity of a CEO, CFO, or technical specialist whose absence would materially impair the business). Group personal accident and key man life insurance are the typical insurance responses.

Supply chain and business interruption risks: supplier failure, logistics disruption, port congestion, container shortage, and raw material price spike. Only some of these are insurable; contingent business interruption coverage is available but narrow in its triggers; raw material price risk is generally not insurable.

Cyber and technology risks: ransomware attack, data breach, system outage, third-party technology failure. Indian companies in IT services, fintech, and data-intensive sectors have elevated exposure. Cyber insurance penetration in India remains low: less than 15% of mid-market companies carried dedicated cyber coverage as of 2025, making this a frequent gap between the risk register and the insurance programme.

Regulatory and compliance risks: IRDAI regulatory action (for insurance intermediaries), GST audit and demand, SEBI enforcement (for listed companies), environmental compliance, and sector-specific licensing. Regulatory fines and penalties are excluded from most Indian insurance policies, meaning these risks are typically retained.

Reputational risks: social media crisis, product contamination publicity, management misconduct. Reputation risk is rarely directly insurable but is addressed through crisis management retainer services attached to D&O or product liability policies.

Key person and human capital risks: talent loss in specialised roles, labour disputes, succession gaps. Life and disability insurance on key individuals is the insurance response; broader human capital risks are retained management issues.

The Mapping Process: Insurable, Retained, and Mitigated

Once the register is populated, the mapping process assigns each risk to one of three treatment types: insured, retained, or mitigated. This is where the risk register becomes directly useful for insurance decision-making.

Insurable risks are those where a commercial insurance policy exists, the risk falls within its coverage triggers, and the insurer is willing to accept the risk at a commercially viable premium. For each insurable risk, the mapping records the specific policy, limit, deductible, and any material exclusions that create residual uninsured exposure. A fire risk entry for a INR 250 crore manufacturing facility should note that the fire policy covers material damage up to INR 250 crore (the sum insured), that the deductible is INR 25 lakh, that the business interruption extension covers up to 12 months of gross profit, and that there is a 15% flood sublimit (i.e., INR 37.5 crore) relevant because the plant is in a flood-exposed zone.

Retained risks are those where the company deliberately accepts the financial consequence. Retention may be deliberate (the risk is below the deductible and the deductible reflects a conscious cost-benefit decision) or forced (insurance for this risk is unavailable or prohibitively expensive). Regulatory fines, cyber attack costs below a INR 50 lakh threshold, and reputational damage costs are commonly retained. The register should capture the maximum probable retention for each retained risk so that the board can assess aggregate retained exposure.

Mitigated risks are those where a control reduces the likelihood or impact to a level where insurance is not required or where residual risk after mitigation is fully retained. A fire risk reduced to a very low level by a sprinkler system and rigorous hot-work controls may be classified as mitigated rather than requiring full insurance coverage, though in practice, lenders and contractual counterparties typically require insurance regardless of the mitigation quality.

The most instructive output of the mapping exercise is the gap list: risks that appear on the register as significant (high likelihood or high impact) but that have no insurance treatment. Common gaps found in Indian mid-market risk mapping exercises include: cyber attack (on the register but no cyber policy); supply chain disruption (on the register but no contingent BI coverage); product recall (on the register for manufacturers but no recall expense policy); directors' liability (on the register for listed or PE-backed companies but no D&O policy or limit inadequate for the company's public profile). Each gap should generate a board-level decision: obtain coverage, deliberately retain, or control to an acceptable level.

Common Gaps Between Risk Registers and Indian Insurance Programmes

Across mid-market Indian companies in manufacturing, logistics, and IT services, several gaps appear with enough consistency to warrant specific attention.

Intangible assets: Risk registers frequently include brand value, customer relationships, intellectual property, and software as significant assets. These rarely appear in the sum insured on the property insurance policy, which covers tangible assets at reinstatement value. If a cyberattack destroys proprietary software code, the property policy will not respond; a cyber policy's data restoration coverage might, but only if the intangible asset is specifically scheduled. Indian companies with significant intangible asset bases, including software companies, pharmaceutical companies with research data, and media companies, should explicitly address this gap in the mapping exercise.

Regulatory fines and penalties: Environmental fines under the Environment Protection Act, 1986; competition penalties from the Competition Commission of India; and GST penalties from the tax authority all appear on risk registers as significant financial risks. None are covered by standard Indian insurance policies, which universally exclude fines, penalties, and punitive damages. The gap is real but the treatment is retention and compliance investment, not insurance.

Key person risk: Most Indian mid-market companies identify key person dependence as a significant risk: a founder who is also the primary customer relationship holder, a CFO with unique banking relationships, a technical director whose absence would halt product development. Key man life insurance is available and relatively inexpensive. Yet a 2024 survey by a major Indian broker found that fewer than 30% of mid-market companies with a formal risk register had actually purchased key man insurance for the individuals identified as critical. The gap between identification and action is a symptom of risk registers being treated as a documentation exercise rather than a decision tool.

Cyber and technology: As noted, cyber insurance penetration is low. The gap is widened by a mismatch between how companies describe their cyber risk on the register (typically as a broad 'data breach or system disruption') and what standard cyber policies actually cover (specific defined losses such as incident response costs, notification costs, cyber extortion, and network interruption). Companies that have not modelled their probable maximum loss from a ransomware event cannot assess whether the INR 5 crore cyber limit they carry is adequate or whether the INR 10 lakh deductible is appropriately sized.

Business interruption from non-damage triggers: Standard Indian business interruption policies trigger on insured physical damage. A factory that shuts for six weeks because a key supplier's facility burned down cannot claim under its own BI policy unless it has a contingent business interruption extension. Logistics companies that cannot operate because a port is closed by a government order after a chemical incident cannot claim unless they have a loss of attraction or government-ordered closure extension. These gaps are common on risk registers and uncommon in actual policy schedules.

IRDAI's ERM Guidelines and the ISO 31000 Reference Framework

IRDAI has published detailed Enterprise Risk Management guidelines applicable to insurance companies under its various circulars and the IRDAI (ISCO) Regulations. While these guidelines are directed at insurers rather than at commercial corporates purchasing insurance, they provide a useful reference model for corporates building their own ERM frameworks. IRDAI requires insurers to maintain a board-approved risk appetite statement, a risk register aligned to defined risk categories, risk ownership at board and executive levels, and integration between ERM outputs and capital adequacy assessments. Commercial corporates seeking a regulator-endorsed template for their own registers can usefully adapt this structure.

ISO 31000:2018 provides the international standard for risk management. Its principles (integration, structured approach, customisation, inclusivity, and dynamism) are broadly applicable to Indian commercial risk registers, but its process framework is more relevant than its specific tools. Indian risk managers sometimes over-invest in ISO 31000 compliance certification for the risk register process itself, when the management value lies in the register's content and its use in decision-making, not in the certification.

COSO ERM (2017) is the framework most familiar to Indian listed companies with US-educated CFOs or Big Four audit relationships. COSO's five components (governance and culture, strategy and objective-setting, performance, review and revision, and information and reporting) map well to how an insurance-linked risk register feeds into the annual board risk report. The COSO 'risk profile' concept, which aggregates individual risk entries into a portfolio view showing the distribution of inherent and residual risk across the organisation, is a useful tool for presenting insurance adequacy to the board: the profile can show which risks sit above the insurance programme's coverage (uninsured high-severity risks) and which are covered.

For listed Indian companies, Regulation 21 of SEBI's LODR Regulations requires a Risk Management Committee at the board level for the top 1,000 listed entities (by market capitalisation). The Committee's mandate includes formulating risk management policy and overseeing risk mitigation. The risk register, mapped to the insurance programme, is the natural primary input to this Committee's quarterly review. Risk managers who can present the register in terms the Committee understands (residual risk, coverage adequacy, retention levels) are more likely to secure board support for insurance budget decisions.

Using the Risk Register to Drive the Annual Insurance Renewal

The most immediate operational value of a well-maintained, insurance-mapped risk register is in preparing for the annual insurance renewal. The renewal briefing presented to insurers and brokers should not be a repeat of last year's submission with updated financials. It should reflect the changes in the company's risk profile over the past year, as documented in the register.

Changes that matter to underwriters (and that the register should capture) include: new locations added to the asset base; changes in maximum sum insured driven by asset additions or revaluation; new products launched that carry product liability exposure; new contracts with indemnity obligations that extend the liability programme's required limits; supply chain changes that alter the contingent BI exposure profile; and IT system changes (cloud migration, new SaaS platforms, third-party integrations) that alter the cyber attack surface.

For deductible and limit decisions specifically, the risk register provides the evidentiary basis for board-level conversations. If the board's risk appetite statement specifies that the company will retain losses up to INR 50 lakh without insurance recovery, then deductibles across the property, liability, and cyber policies should be set at approximately that level. If the register shows that the maximum credible loss from a cyber event (ransomware shutting down all operational systems for 10 days) is INR 30 crore, the cyber policy limit of INR 5 crore is visibly inadequate against the register's own risk assessment. These are conversations that the risk register enables and that cannot be had without it.

For a manufacturing company with significant fixed assets, the register's property section should include a current replacement cost valuation, updated at least every three years by an independent valuer. Underinsurance, where the sum insured is below the reinstatement cost, is endemic in the Indian mid-market. IRDAI's average clause (also called the condition of average) reduces claim payments proportionately where underinsurance exists. A plant with INR 150 crore reinstatement value insured for INR 100 crore will receive only two-thirds of any partial loss payment. The risk register's asset valuation field, cross-referenced to the insurance policy's sum insured, makes this underinsurance gap visible before a loss occurs.
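The following Python sketch is an added example, not the article's or the author's own tooling. It implements the register fields from the 'Risk Register Structure' section, the insured/retained/mitigated mapping and gap list from 'The Mapping Process', and the renewal-time checks described above: policy limit against the register's maximum credible loss, deductible against the board's per-loss retention appetite, aggregate retained exposure, and the condition of average applied to underinsured property. Every entry, owner name, insurer name, policy reference (marked PLACEHOLDER) and INR amount is constructed sample data, loosely shaped after the Pune auto-components case in the 'Practical Examples' section; the residual-score threshold of 12 on a 5×5 scale is also an assumption.

```python
"""Insurance-mapped risk register with gap analysis. Added example, not the article's
or the author's own tooling: fields follow the register structure the article describes;
every entry, policy reference and INR amount below is constructed sample data."""
from dataclasses import dataclass
from typing import Optional

LAKH = 100_000        # INR 1 lakh
CRORE = 10_000_000    # INR 1 crore


@dataclass(frozen=True)
class Policy:
    policy_ref: str      # placeholder, not a real policy number
    insurer: str         # placeholder insurer name
    sum_insured: float   # limit or sum insured, INR
    deductible: float    # per-claim deductible, INR


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    description: str
    category: str
    owner: str                  # a named individual, not a role
    residual_likelihood: int    # 1..5 after current controls
    residual_impact: int        # 1..5 after current controls
    max_credible_loss: float    # INR; the loss the limit has to cover
    treatment: str              # "insured", "retained" or "mitigated"
    policy: Optional[Policy] = None              # the insurance treatment field
    reinstatement_value: Optional[float] = None  # property entries only


def uninsured_significant(register: list, threshold: int = 12) -> list:
    """Gap list: risks whose residual score (likelihood x impact) is significant but carry no policy."""
    return [r.risk_id for r in register
            if r.residual_likelihood * r.residual_impact >= threshold and r.policy is None]


def limit_shortfalls(register: list) -> dict:
    """Insured risks whose limit sits below the register's own maximum credible loss."""
    return {r.risk_id: r.max_credible_loss - r.policy.sum_insured
            for r in register if r.policy and r.max_credible_loss > r.policy.sum_insured}


def deductibles_above_appetite(register: list, appetite: float) -> dict:
    """Insured risks retaining more per loss than the board's stated appetite."""
    return {r.risk_id: r.policy.deductible
            for r in register if r.policy and r.policy.deductible > appetite}


def aggregate_retained_exposure(register: list) -> float:
    """INR borne by the company if every risk hits its maximum credible loss."""
    total = 0.0
    for r in register:
        if r.policy is None:               # retained or mitigated: the whole loss
            total += r.max_credible_loss
        else:                              # insured: deductible plus any excess over the limit
            total += min(r.max_credible_loss, r.policy.deductible)
            total += max(0.0, r.max_credible_loss - r.policy.sum_insured)
    return total


def average_clause_payment(sum_insured: float, reinstatement_value: float, loss: float) -> float:
    """Condition of average: pay in the ratio sum insured / value when underinsured, never above the sum insured."""
    if reinstatement_value <= 0:
        raise ValueError("reinstatement value must be positive")
    ratio = min(1.0, sum_insured / reinstatement_value)
    return min(loss * ratio, sum_insured)


def underinsured_property(register: list) -> dict:
    """Property entries insured below valuation, with the ratio any claim would be paid at."""
    return {r.risk_id: r.policy.sum_insured / r.reinstatement_value for r in register
            if r.policy and r.reinstatement_value and r.policy.sum_insured < r.reinstatement_value}


# Constructed sample register, loosely modelled on the article's Pune auto-components case.
FIRE = Policy("FIRE-PLACEHOLDER-001", "Insurer A (placeholder)", 200 * CRORE, 25 * LAKH)
WAREHOUSE = Policy("FIRE-PLACEHOLDER-002", "Insurer A (placeholder)", 100 * CRORE, 25 * LAKH)
PRODUCT = Policy("PL-PLACEHOLDER-001", "Insurer B (placeholder)", 25 * CRORE, 10 * LAKH)
MACHINERY = Policy("ENG-PLACEHOLDER-001", "Insurer A (placeholder)", 50 * CRORE, 1 * CRORE)
SAMPLE_REGISTER = [
    RiskEntry("R01", "Fire destroys the primary press shop", "property", "A. Sharma",
              2, 5, 120 * CRORE, "insured", FIRE, 200 * CRORE),
    RiskEntry("R02", "OEM product liability claim after a vehicle recall", "liability", "B. Rao",
              3, 4, 50 * CRORE, "insured", PRODUCT),
    RiskEntry("R03", "CNC line breakdown halts production for 30 days", "property", "A. Sharma",
              3, 3, 30 * CRORE, "insured", MACHINERY),
    RiskEntry("R05", "Loss of the technical director", "people", "C. Mehta",
              3, 4, 5 * CRORE, "retained"),
    RiskEntry("R06", "Fire at the finished-goods warehouse", "property", "A. Sharma",
              2, 4, 60 * CRORE, "insured", WAREHOUSE, 150 * CRORE),
    RiskEntry("R07", "Ransomware halts all operational systems for 10 days", "cyber", "D. Iyer",
              3, 5, 30 * CRORE, "retained"),
]

if __name__ == "__main__":
    appetite = 50 * LAKH   # board retention appetite per loss (constructed)
    print("uninsured significant risks:", uninsured_significant(SAMPLE_REGISTER))
    print("limit shortfalls (INR):", limit_shortfalls(SAMPLE_REGISTER))
    print("deductibles above appetite (INR):", deductibles_above_appetite(SAMPLE_REGISTER, appetite))
    print("underinsured property (payout ratio):", underinsured_property(SAMPLE_REGISTER))
    print("aggregate retained exposure (INR crore):", aggregate_retained_exposure(SAMPLE_REGISTER) / CRORE)
```

Run as a script, the sample register surfaces the same findings the article describes: key person loss and ransomware appear as significant risks with no policy, the product liability limit falls INR 25 crore short of the contractual maximum credible loss, the machinery breakdown deductible exceeds the INR 50 lakh appetite, and the warehouse insured for INR 100 crore against a INR 150 crore valuation would see any claim paid at two-thirds. The aggregate retained exposure figure is the number a board can compare against its risk appetite statement.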

Practical Examples: Manufacturing, Logistics, and IT Services

Concrete examples illustrate how the mapping exercise works in practice across three sectors common in the Indian mid-market.

Manufacturing (auto components, Pune): A tier-2 supplier with INR 400 crore annual revenue, three plants, and 1,200 employees. The risk register's top five risks by residual severity are: (1) fire destroying the primary press shop, estimated maximum loss INR 120 crore; (2) product liability claim from an OEM customer for defective components used in a vehicle recall; (3) machinery breakdown of the CNC machining line causing 30-day production halt; (4) industrial accident causing fatalities among contractual workers; and (5) key person loss of the technical director. Mapping: risks 1 and 3 are covered by a combined fire-and-engineering policy with a INR 200 crore property limit and a INR 50 crore machinery breakdown limit; risk 2 is covered by a product liability policy at INR 25 crore, which is below the OEM's contractual requirement of INR 50 crore (gap identified); risk 4 is covered by employer's liability and group personal accident with INR 10 lakh per person limit; risk 5 has no key man insurance in place despite appearing on the register (action assigned).

Logistics (freight forwarding, Mumbai): A company with INR 150 crore revenue, warehouses in three cities, and a fleet of 45 owned trucks. Top register risks: (1) warehouse fire destroying customer goods in storage; (2) goods in transit loss from theft or accident; (3) third party liability from a truck accident causing fatalities; (4) customs duty liability on misdeclared cargo; (5) cyber attack on the transport management system causing operational paralysis. Mapping: risks 1 and 2 are covered under marine cargo and warehouse keeper's liability policies; risk 3 is covered under motor third party insurance (mandatory) and a supplemental commercial vehicle liability policy; risk 4 is not insured and represents a retained regulatory risk; risk 5 has no cyber policy (gap identified; company has no standalone cyber coverage).

IT services (mid-size software firm, Bengaluru): Revenue INR 200 crore, 800 employees, clients predominantly in the US and Europe. Top risks: (1) data breach exposing client personal data, triggering regulatory action under DPDP Act and client contract penalties; (2) professional error in software deployment causing client system downtime; (3) key talent attrition disrupting delivery on a fixed-price contract; (4) ransomware attack encrypting all systems; (5) client insolvency on a large receivable. Mapping: risks 1 and 4 are partially covered by a cyber policy at INR 10 crore (gap: client contracts require USD 5 million coverage); risk 2 is covered by professional indemnity at INR 15 crore; risk 3 is a retained HR risk; risk 5 is a retained credit risk. The gap analysis produces two action items: enhance cyber limit and negotiate contract language on insurance specifications.

About the Author

Tarun Kumar Singh

Strategic Risk & Compliance Specialist

  • AIII
  • CRICP
  • CIAFP
  • Board Advisor, Finexure Consulting
  • Developer of the Behavioural Underinsurance Risk Index (BURI)

Tarun Kumar Singh is a seasoned risk management and insurance professional based in Bengaluru. He serves as Board Advisor at Finexure Consulting, where he advises insurance, fintech, and regulated firms on governance, growth, and trust. His work spans insurance broker regulatory frameworks across India, UAE, and ASEAN, IRDAI compliance and Corporate Agency model reform, VC governance in insurtech, and MSME insurance gap analysis. He is the developer of the Behavioural Underinsurance Risk Index (BURI), a framework applying behavioural economics to underinsurance and insurance fraud risk.

Frequently Asked Questions

How many risks should an Indian mid-market company include in its risk register?

A register with 30 to 60 risks is typically the right scale for a mid-market Indian company with revenues between INR 50 crore and INR 2,000 crore. Fewer risks suggest the register is incomplete; more than 80 risks usually indicate a generic template has been applied rather than a genuine risk identification exercise specific to the company's operations and sector.

What is the difference between inherent risk and residual risk, and which should drive insurance decisions?

Inherent risk is the likelihood and impact of a risk before any controls are applied. Residual risk is what remains after existing controls reduce the likelihood or impact. Insurance decisions should be based on residual risk, because controls have already reduced the exposure. If a fire suppression system reduces the probability of a major fire by 80%, the insurance limit and deductible should reflect the post-control risk profile, not the worst-case uncontrolled scenario. However, the controls themselves should be reflected in the underwriting submission so the insurer can price the residual risk accurately.

Can IRDAI's ERM guidelines for insurers be used as a template by commercial corporates?

IRDAI's ERM guidelines are mandatory for insurance companies, not for commercial corporates. However, because IRDAI has invested significantly in defining risk categories, risk appetite frameworks, and governance structures for an Indian regulatory context, the guidelines provide a useful reference. Commercial companies can adapt the risk category taxonomy and the board reporting structure to their own operations without being bound by the specific regulatory requirements that apply to insurers.

How often should an insurance-mapped risk register be updated?

At minimum, the register should be reviewed quarterly and updated whenever a material change occurs: a new facility, a new product line, a significant contract, a cyber incident, or a change in a key person. The annual insurance renewal is the forcing function for a full review, because the broker needs an accurate risk profile to place coverage. Companies that treat the register as an annual document rather than a live management tool miss changes in risk profile that, if communicated to the insurer, might affect coverage terms or reveal mid-year gaps.

What is the average clause and why does it matter for risk register asset valuations?

The average clause (also called the condition of average) in Indian property insurance policies requires that where a property is underinsured, any claim payment is reduced in proportion to the degree of underinsurance. If a property worth INR 100 crore is insured for INR 70 crore, a partial loss of INR 10 crore will be paid at 70% of the loss, producing a claim payment of INR 7 crore rather than INR 10 crore. The risk register's asset section should include current replacement cost valuations so that underinsurance is identified before a claim occurs.