The Board's Responsibility for Insurance Oversight Under Indian Law
Insurance is not a finance function; it is a risk function. Boards of Indian companies are expected to have visibility into the company's insurance programme as part of their fiduciary duty to oversee material risks. This expectation is codified in two regulatory frameworks: the Companies Act, 2013, and the SEBI Listing Obligations and Disclosure Requirements (LODR), 2015.
Under the Companies Act, Section 177 establishes that the audit committee must review the company's policies and procedures related to enterprise risk management and risk appetite. Insurance is a core component of risk appetite because it determines which risks are transferred to insurers and which are retained by the company. The audit committee is expected to review the insurance programme at least once annually, typically at the renewal cycle.
The SEBI LODR, Regulation 21, requires that listed companies establish a risk management committee (which may be the audit committee) that shall monitor and evaluate the company's risk management framework. This includes overseeing the company's insurance programme and its alignment with the risk appetite framework. Large-cap companies (market cap exceeding INR 10,000 crore) are required to have a dedicated risk management committee distinct from the audit committee.
The practical implication is that the Chief Risk Officer (CRO) or Chief Financial Officer (CFO) is expected to present the insurance programme to the board or risk committee at least once annually, typically three months before the insurance renewal. This presentation must be more than a summary of policy documents; it must address whether the current insurance programme is adequate to protect the company against its identified top risks, whether coverage gaps exist, and what residual risk remains uninsured.
Boards that have little engagement with insurance until a major claim occurs are exposing the company to regulatory scrutiny. A claim for INR 100 crore that arises from an identified but uninsured risk can trigger questions from SEBI, stock exchange audits, and shareholder scrutiny. The board's failure to review the insurance programme adequately becomes a corporate governance issue.
The Insurance Adequacy Framework: Coverage Mapping to Risk Register
The starting point for board reporting is insurance adequacy: the alignment between the company's identified risks and the insurance programme's coverage. The CRO should maintain a risk register that lists the company's top 20-30 risks by probability and financial impact. For each risk, the insurance programme should provide a documented response: either the risk is transferred to insurers through a specific policy, or it is retained by the company with conscious board approval.
A typical risk register for a mid-size Indian manufacturer might include risks such as: fire at Plant A, earthquake in Seismic Zone III, flood at the Mumbai warehouse, supply chain disruption from a key supplier, loss of a major customer, product liability claims, third-party bodily injury liability, loss of key personnel, cybersecurity breach, and regulatory non-compliance. For each of these, the insurance programme should provide a clear line of coverage or an explicit retention decision.
The coverage mapping process involves five steps:
- Identify the top risks that could generate significant financial loss (typically losses exceeding INR 5-10 crore).
- Determine the current insurance policy that covers each risk. For example, fire losses are covered under the property insurance policy; third-party liability is covered under the public liability policy.
- Review the policy limits and exclusions to confirm that the coverage is adequate and that the risk is not partly or fully excluded.
- Calculate the gap, if any, between the identified risk magnitude and the insurance limit. If the property insurance limit is INR 200 crore and the identified fire loss exposure is INR 250 crore, the gap is INR 50 crore.
- Document the residual risk and the board's decision to either close the gap (by increasing coverage) or retain the uninsured portion.
This disciplined approach produces a one-page table that the CRO can present to the board, showing: Risk Name | Magnitude (INR) | Insurance Policy | Insurance Limit | Coverage Gap | Board Decision. For example: 'Fire loss at Pune facility, INR 300 crore identified loss, covered by Fire Policy 001, limit INR 300 crore, gap INR 0 crore, no action required.' Or: 'Supply chain disruption, INR 60 crore identified exposure, covered by Contingent BI, limit INR 30 crore, gap INR 30 crore, board approved to retain INR 30 crore uninsured.'
The gap analysis identifies whether the insurance programme is adequate or whether coverage increases are needed. An adequately sized programme has closed its identified major risk gaps. A programme with persistent gaps is inadequate and should be flagged to the board as a risk that requires either increased insurance spending or explicit acceptance of uninsured exposure.
Top 10 Risks and the Insurance Mapping Matrix
Most board risk reports focus on a 'top 10 risks' framework that translates into a matrix showing each top risk, its identified loss magnitude, the insurance response, and the residual risk (uninsured portion).
A sample matrix for a logistics company:
- (1) Loss of major customer (30% of revenue), INR 150 crore exposure, no insurance (uninsurable), residual INR 150 crore.
- (2) Fleet collision claims, INR 50 crore, Motor Fleet Policy INR 50 crore limit, residual INR 0.
- (3) Warehouse fire, INR 80 crore, Fire policy INR 80 crore limit, residual INR 0.
- (4) Supply chain disruption, INR 40 crore, CBI INR 30 crore with 30-day waiting period, residual INR 10 crore.
- (5) Cybersecurity breach, INR 25 crore, Cyber insurance INR 20 crore, residual INR 5 crore.
- (6) Earthquake (Zone III), INR 60 crore, Fire + earthquake INR 60 crore, residual INR 0.
- (7) Cargo loss, INR 25 crore, Marine Cargo INR 25 crore, residual INR 0.
- (8) Key personnel loss, INR 30 crore, Key Person INR 10 crore, residual INR 20 crore.
- (9) Bodily injury claim, INR 10 crore, EL + PL INR 10 crore, residual INR 0.
- (10) Regulatory violation, INR 15 crore, D&O potentially covers, residual INR 10 crore (fines may be uninsurable).
This matrix makes clear which risks are covered, partly covered, or uninsured. Residual risks are discussed in the context of risk appetite: Is INR 30 crore of uninsured supply chain disruption acceptable given operational liquidity?
Residual Risk Quantification and Financial Impact
Residual risk is the portion of identified loss not covered by insurance. It arises from three sources:
- policy exclusions and limitations
- coverage gaps (identified but uninsured)
- uninsurable risks such as loss of customers or regulatory fines
Example: a property policy provides INR 200 crore of fire coverage but only INR 80 crore of flood coverage (limited reinsurance capacity) in a flood-prone area. The residual flood risk is INR 120 crore.
Business interruption (BI) cover typically has sub-limits and waiting periods that create gaps. A 12-month BI cover with a 30-day waiting period, where actual reinstatement takes 18 months, creates residual risk for months 12-18 plus the 30-day gap. For a business with INR 100 crore of annual gross profit, the residual BI risk could be INR 30-40 crore.
The board report should quantify residual risk by category: property (sub-limits/exclusions), BI (reinstatement/waiting period gaps), liability (limits below exposure), and operational (uninsurable risks). The total is the company's true uninsured exposure.
Large corporates set thresholds such as 'Residual risk not to exceed 5% of EBITDA' or '15% of net worth.' If a threshold is exceeded, the company increases coverage or reduces exposure (for example, by exiting a high-risk geography).
Institutional investors and rating agencies (Moody's, Fitch, CRISIL) assess insurance adequacy for credit ratings. High residual risk relative to financial capacity may trigger downgrades; strong programmes support credit ratings.
Total Cost of Risk (TCOR) and Insurance Premium Trends
The Total Cost of Risk (TCOR) is the sum of insurance premiums paid plus expected self-insured losses (losses not covered by insurance). It is the metric that connects insurance spending to financial outcomes.
TCOR = Insurance Premiums Paid + Expected Self-Insured Losses + Risk Management Costs.
Insurance premiums are visible and directly measurable. Self-insured losses are less visible but equally important. A company that retains INR 50 crore of residual risk in property insurance, and expects to lose on average 5% of that annually, is bearing an implicit 'cost' of INR 2.5 crore annually that does not appear in the premium line item. A company that experiences zero fire losses in five years because of strong prevention practices has a low self-insured loss, whereas a company with multiple fire losses has a high self-insured loss.
TCOR analysis helps the board understand whether the insurance programme is cost-efficient. An insurance programme with high premiums but zero self-insured losses may be more cost-efficient than a programme with low premiums but high residual losses. Comparing TCOR across years reveals whether the programme is becoming more or less cost-efficient. If TCOR is increasing, it is because either: (1) premiums are rising due to market hardening or increased exposure, (2) self-insured losses are increasing due to poor loss prevention or deteriorating business conditions, or (3) the company is retaining more residual risk.
For Indian corporates, TCOR trends are particularly important during market hardening cycles. When reinsurance becomes scarce (as it has during certain periods post-natural disasters), insurance premiums spike. A company experiencing 20% premium increases across its programme must decide: accept the higher TCOR, reduce insurance coverage (and accept higher residual risk), or invest in risk improvement (loss prevention, facility upgrades) to justify lower premiums.
The board should review TCOR annually, comparing it to the prior year and to industry benchmarks. A mid-size manufacturing company might have a TCOR of INR 10-15 crore annually (combined premiums and expected losses) against a revenue base of INR 500 crore, which is 2-3% of revenue. This varies significantly by industry, geography, and risk profile. The board can challenge whether this cost is appropriate or whether the programme should be restructured to optimize cost.
Many Indian corporates also benefit from reporting TCOR to institutional investors as evidence of disciplined risk management. Insurance analysts at investment firms increasingly ask about TCOR trends, and a company with stable or declining TCOR despite business growth is viewed positively as having strong risk management.
Insurance Renewal Process and Board Approval Timing
Board engagement peaks 3-4 months before renewal, when the CFO or CRO presents to the audit or risk committee seeking approval. The renewal presentation includes: prior year claims experience, broker market feedback (premium trends, capacity, peril/region hardening), proposed coverage changes, the renewal premium projection vs. prior year, the updated risk register and coverage gaps, and the CRO's recommendation.
The board then decides to approve the renewal as proposed, ask the CRO to negotiate specific terms (limits/deductibles/rates), or reject the terms and request alternative capacity. The decision must be documented in the board minutes as explicit approval and residual risk acceptance.
Large corporates may hold multiple meetings (risk committee detail review, audit committee gap assessment, board ratification). Mid-market companies may use a single audit committee presentation.
Timing is critical. Engaging the board only two weeks before renewal limits negotiation time. Best practice is to begin 90 days before renewal to allow for thorough review and negotiation.
Compliance with Section 177 and LODR Regulation 21
Companies Act Section 177 requires audit committees to meet quarterly; at least one meeting annually should address insurance/risk management. A dedicated 'insurance and risk' review before renewal satisfies this requirement. Minutes must document:
- programme review
- coverage gaps identified, or none identified
- residual risks discussed
- board approval or further action
SEBI LODR Regulation 21(4) requires risk management committees to monitor and evaluate risk management implementation, including insurance adequacy. Separate risk committees should meet annually; minutes must document: (1) programme aligns with risk appetite, (2) top risks addressed via insurance or mitigation, (3) board comfort with residual risk levels.
Large-cap companies (market cap exceeding INR 10,000 crore) with separate risk committees face SEBI expectations for granular review: assess actuarial basis for premium changes, review claims outcomes, evaluate alternative risk transfer (captive, parametric insurance).
Compliance gaps include:
- the audit committee does not meet to review insurance
- the review lacks substance (no coverage gap or residual risk discussion)
- no board minutes document the review
- residual risks are not disclosed
- the board does not pre-approve the renewal
Companies experiencing major claims from undisclosed, uncovered risks face regulatory and shareholder scrutiny.
Presenting Insurance to the Board: Template and Key Metrics
Effective board presentations should follow a structured template:
- Executive Summary: total premium, policies, major changes, CRO recommendation.
- Risk Register Update: top 10 risks with magnitude, insurance response, residual risk in table format.
- Coverage Adequacy: gap analysis, uninsured risks, reasons (cost/availability/exclusion), board decision.
- Claims Experience: prior 12 months claims, amounts recovered, loss ratio, patterns.
- Market Update: premium trends, rate increases, capacity constraints, broker outlook.
- Proposed Changes: new policies, limit increases, term changes, cost impact.
- Premium Projection: prior year vs. renewal, percentage change, reasons.
- TCOR Analysis: premiums plus expected self-insured losses, trend analysis.
- Residual Risk Summary: uninsured exposure by category, alignment with risk appetite.
- Recommendation: CRO advice, board decision.
Key metrics: Total Premium Cost (INR and % of revenue), Top 3-5 Risks and Response, Total Residual Risk (INR and % of EBITDA), Claims Ratio (claims/premiums), Premium Change vs. Prior Year (%), Number of Policies and Insurers. Insufficient metrics suggest inadequate oversight.

