Why Mid-Cap Manufacturers Need a Different ERM Approach
Indian mid-cap manufacturers, defined here as listed and unlisted entities with annual revenues of INR 500 crore to INR 5,000 crore, occupy an awkward position in the risk management spectrum. They are too large to operate on the informal owner-driven risk management that works at small companies, where the founder personally tracks every material exposure. They are too small to afford the dedicated risk function, internal audit team, and external risk advisory engagement that large-cap and Nifty 100 companies maintain. The middle position produces a recurring pattern: risk awareness exists at the operating level, but it does not flow systematically to the board, and it does not connect to the insurance procurement decisions that translate risk awareness into financial protection.
The regulatory expectation has evolved through 2018 to 2026. The Companies Act, 2013 Section 134(3)(n) requires the directors' report to include a statement indicating development and implementation of a risk management policy, with identification of elements of risk that may threaten the company's existence. SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 Regulation 21 requires listed entities (initially top 100 by market cap, expanded to top 1000 by 2022) to constitute a Risk Management Committee, with Regulation 17(9) requiring the board to be responsible for framing, implementing, and monitoring risk management plans. The Reserve Bank of India's master directions on NBFC and bank governance require ERM frameworks at supervised entities, and several state-level industrial safety regulations require risk assessment as a precondition to operating consent.
The practical experience at mid-cap manufacturers is that the regulatory minimum is met (a risk management policy exists, a risk register is maintained, a board committee meets quarterly) but the operational impact is limited. The risk register lists 60 to 120 entries that nobody references between quarterly meetings. The board committee receives a colour-coded heat map that does not change materially from quarter to quarter. The insurance broker proposes the same coverage structure as the previous year because the renewal cycle proceeds independently of the risk register. The risk function, where it exists, reports to the CFO or the company secretary rather than to an independent chief risk officer, which produces budgetary and reporting conflicts with the finance and compliance agenda.
This post describes an ERM implementation that mid-cap manufacturers can deliver with the resources available at their scale: typically a part-time risk officer (CFO or CS function), a board risk committee meeting four times a year, modest annual external advisory engagement, and existing operating teams that contribute risk insight as part of their day jobs. The framework draws on ISO 31000:2018 Risk Management Guidelines and COSO ERM 2017 Enterprise Risk Management Integrating with Strategy and Performance, adapted for the Indian regulatory and commercial context.
The single most important shift this framework asks of mid-cap manufacturers is to treat the risk register and the insurance programme as one integrated artefact rather than two separate documents owned by different people. The risk register identifies, classifies, and quantifies exposures. The insurance programme transfers a defined subset of those exposures to insurer balance sheets at a defined cost. The other risks (those retained, those treated through operational controls, those treated through contractual transfer) are the responsibility of the operating organisation. The integration of these two views is the value proposition of ERM at the mid-cap scale.
A practical observation from implementation experience at Indian mid-cap manufacturers: the framework takes 12 to 18 months to embed fully, with the first six months focused on register design and initial population, the next six months on control self-assessment and quantification, and the final six months on integration with the insurance procurement and board reporting cycles. Companies that try to deliver the entire framework in one budget year typically produce a paper exercise that does not survive into the second year. Companies that phase the build and accept incremental progress produce sustainable practices that compound in value over multiple cycles.
Risk Register Design: Architecture, Taxonomy, and the Practical Population Approach
The risk register is the spine of the ERM framework. A well-designed register at a mid-cap manufacturer contains 60 to 150 entries organised into a stable taxonomy with consistent rating criteria. A poorly-designed register contains 200 to 500 entries of varying granularity, no consistent rating, and limited usefulness for management decision making.
The taxonomy choice is the first design decision. Four taxonomies are commonly used in the Indian context. The first is the COSO ERM 2017 taxonomy organised around strategy and performance, with categories of strategic, operational, reporting, and compliance risk. The second is the ISO 31000 approach organised around objectives and uncertainty without a prescribed category structure. The third is the Basel operational risk taxonomy used in Indian banking and adapted at NBFC-MFIs, organised around event types (internal fraud; external fraud; employment practices; clients, products and business practices; damage to physical assets; business disruption; execution, delivery and process management). The fourth is the asset-and-process taxonomy commonly used in manufacturing risk management consulting, organised around physical assets, supply chain, technology, people, and external environment.
For mid-cap manufacturers, the asset-and-process taxonomy works best because it maps directly to operational accountability. Each risk has a clear owner (the plant manager, the supply chain head, the IT manager, the HR head, or the head of corporate affairs for external risk). The COSO and ISO taxonomies are conceptually elegant but require interpretation to assign operational ownership. The BASEL taxonomy is well-defined but designed for financial services rather than industrial operations.
The register fields beyond the taxonomy are: risk ID (a unique code for tracking), risk description (one or two sentences describing the specific exposure, not a generic category label), risk owner (named individual, not a department), inherent likelihood and impact rating (typical 1 to 5 scale or low/medium/high), inherent risk score (likelihood multiplied by impact), existing controls description, residual likelihood and impact rating after controls, residual risk score, treatment approach (accept, transfer to insurer, transfer by contract, treat by additional controls, avoid by exit), treatment action and owner, insurance line where applicable, sum insured and deductible where applicable, and review date. A register with these fields populated for 80 to 120 risks runs to several spreadsheet tabs or a dedicated GRC platform module.
The quantification approach for likelihood and impact is the area where most mid-cap implementations fail. Pure qualitative scoring (low/medium/high) produces a register that cannot prioritise across categories. Pure quantitative scoring (probability percentages and INR impact ranges) requires data that most mid-cap manufacturers do not have. The practical hybrid approach is qualitative scoring with anchored definitions for each level. For impact, anchor definitions in monetary terms tied to company financials: a Level 5 impact might be defined as 'loss exceeding 5 percent of revenue or 25 percent of net profit, whichever is higher.' For likelihood, anchor definitions in frequency terms: a Level 5 likelihood might be defined as 'event has occurred at the company in the past 3 years, or industry data shows annual occurrence rate above 20 percent.' These anchored definitions make the scoring auditable and allow consistent comparison across categories.
Population of the register is best done through facilitated workshops rather than top-down or bottom-up data collection. The facilitated workshop brings the risk owner, the relevant operating manager, and the risk officer together for a two to three hour session per risk area, with a defined agenda that walks through risk identification, control assessment, residual rating, and treatment options. A mid-cap manufacturer typically requires 8 to 14 such workshops to populate the initial register across all operating domains, completing the exercise in three to four months of elapsed time. The workshop output is the source data; the register entries are derived by the risk officer after each session.
A particular issue for mid-cap manufacturers is the question of risk granularity. The fire risk at a plant can be entered as one register entry ('plant fire') or disaggregated into multiple entries (electrical fire, raw material warehouse fire, finished goods warehouse fire, hot work fire, cable trench fire). The disaggregated approach provides more granular treatment but produces a register that is harder to maintain. The recommended approach is one register entry per loss scenario where the controls, treatment, and insurance response are materially different. Plant fire as a single entry works where one fire policy and one BI policy respond to all fire scenarios. Disaggregation makes sense only where different scenarios require different treatments.
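The following is an added example, not code from the post: a minimal risk register in Python whose impact and likelihood scales carry the anchored definitions described above (the Level 5 anchors are the post's; the thresholds for Levels 1 to 4, the company financials, the entry names and the figures are constructed assumptions). It computes inherent and residual scores, ranks the register by residual score, and runs the consistency checks a risk officer would want before a committee pack, including the case of a risk marked for transfer to an insurer without an insurance line recorded.

```python
"""Risk register scoring with anchored rating definitions.

Added illustration; not code from the post. The company financials, the
three register entries and the sub-level-5 thresholds are constructed
assumptions, chosen so that the Level 5 anchors match the post's wording.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed company financials (INR crore) that the impact anchors reference.
REVENUE_CR = 1200.0
NET_PROFIT_CR = 90.0

TREATMENTS = {"accept", "transfer-insurer", "transfer-contract", "treat", "avoid"}


def impact_level(loss_cr: float) -> int:
    """Map an estimated loss (INR crore) to a 1-5 impact level.

    Level 5 uses the post's anchor: loss above 5% of revenue or 25% of net
    profit, whichever is higher. Each lower level halves the threshold
    (an assumption for this example).
    """
    level5 = max(0.05 * REVENUE_CR, 0.25 * NET_PROFIT_CR)
    lower_bounds = [level5 / 8, level5 / 4, level5 / 2, level5]  # levels 2..5
    return 1 + sum(1 for bound in lower_bounds if loss_cr >= bound)


def likelihood_level(occurred_last_3y: bool, annual_rate: float) -> int:
    """Map frequency evidence to a 1-5 likelihood level.

    Level 5 uses the post's anchor: the event occurred at the company in the
    past 3 years, or industry data shows an annual occurrence rate above 20%.
    The intermediate rate bands are assumptions for this example.
    """
    if occurred_last_3y or annual_rate > 0.20:
        return 5
    for level, floor in ((4, 0.10), (3, 0.05), (2, 0.01)):
        if annual_rate > floor:
            return level
    return 1


@dataclass
class Risk:
    risk_id: str
    description: str            # specific exposure, not a category label
    owner: str                  # named individual, not a department
    category: str               # asset-and-process taxonomy bucket
    inherent_loss_cr: float     # estimated loss before controls
    inherent_rate: float        # annual occurrence rate before controls
    occurred_last_3y: bool
    controls: str
    residual_loss_cr: float     # estimated loss after controls
    residual_rate: float        # annual occurrence rate after controls
    treatment: str
    insurance_line: Optional[str] = None

    def inherent_score(self) -> int:
        return likelihood_level(self.occurred_last_3y, self.inherent_rate) * impact_level(self.inherent_loss_cr)

    def residual_score(self) -> int:
        return likelihood_level(self.occurred_last_3y, self.residual_rate) * impact_level(self.residual_loss_cr)


def rank_register(register: List[Risk]) -> List[Tuple[str, int, int]]:
    """(risk_id, inherent score, residual score), highest residual first."""
    rows = [(r.risk_id, r.inherent_score(), r.residual_score()) for r in register]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


def register_problems(register: List[Risk]) -> List[str]:
    """Consistency checks to run before a register goes into a committee pack."""
    problems, seen = [], set()
    for r in register:
        if r.risk_id in seen:
            problems.append(f"{r.risk_id}: duplicate risk ID")
        seen.add(r.risk_id)
        if r.treatment not in TREATMENTS:
            problems.append(f"{r.risk_id}: unknown treatment '{r.treatment}'")
        if r.treatment == "transfer-insurer" and not r.insurance_line:
            problems.append(f"{r.risk_id}: transfer to insurer but no insurance line recorded")
        if r.residual_score() > r.inherent_score():
            problems.append(f"{r.risk_id}: residual score exceeds inherent score")
    return problems


# Constructed sample entries (names and figures are illustrative).
SAMPLE_REGISTER = [
    Risk("OPS-001", "Fire at the main plant halting production", "R. Mehta (Plant Head)",
         "physical assets", 150.0, 0.03, False,
         "Hydrant ring, detection, hot work permits, quarterly drills",
         60.0, 0.01, "transfer-insurer", "SFSP+BI"),
    Risk("SCM-002", "Single-source supplier for a critical sub-assembly", "A. Rao (Supply Chain Head)",
         "supply chain", 40.0, 0.25, False,
         "Six weeks of buffer stock; second source under qualification",
         25.0, 0.12, "treat"),
    Risk("IT-003", "Ransomware disabling the plant execution system", "S. Iyer (IT Manager)",
         "technology", 30.0, 0.15, True,
         "Offline backups, network segmentation between office and plant",
         12.0, 0.04, "transfer-insurer"),
]

if __name__ == "__main__":
    for risk_id, inherent, residual in rank_register(SAMPLE_REGISTER):
        print(f"{risk_id}: inherent {inherent:>2}  residual {residual:>2}")
    for problem in register_problems(SAMPLE_REGISTER):
        print("check:", problem)
```

Because the anchors are expressed in the company's own financials, the scoring stays auditable: a reviewer can recompute any level from the loss estimate and the frequency evidence, and a change in revenue or profit moves the thresholds without anyone re-rating entries by hand. The consistency checks are the kind of thing that is cheap to run every quarter and that a 100-entry spreadsheet quietly gets wrong.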
Control Self-Assessment: Embedding Risk Awareness in Operations
Control self-assessment (CSA) is the mechanism by which risk awareness moves from the quarterly risk committee meeting into the day-to-day operational management of the company. CSA is a structured exercise in which operating teams assess the design and operating effectiveness of the controls that mitigate the risks they own, on a defined cycle, with results reported into the risk committee.
The CSA design at a mid-cap manufacturer typically operates on a quarterly cycle aligned to the quarterly financial close and the risk committee meeting cycle. Each operating team (plant operations, maintenance, supply chain, finance, HR, IT, compliance, customer service) completes a CSA questionnaire covering their assigned risks. The questionnaire asks specific questions about each control: Does the control exist as designed? Has the control operated consistently during the quarter? Were any control failures or exceptions identified? What corrective actions were taken? What is the team's confidence in the control's effectiveness going forward?
The questionnaire design is critical. A poorly designed CSA asks generic questions ('Is risk management effective?') that elicit generic answers ('Yes'). A well-designed CSA asks specific operational questions tied to defined control attributes. For example, the fire control questionnaire might ask: How many fire extinguishers were due for refill or replacement during the quarter? How many of those were completed on schedule? What was the average response time during fire drills conducted during the quarter? How many hot work permits were issued, and what percentage had complete documentation? The specific questions force operational teams to engage with the controls rather than provide pro-forma confirmations.
The scoring methodology should produce both a control-level rating and an aggregated risk-area rating. Control-level ratings are typically green (operating as designed), amber (operating but with identified weaknesses), or red (not operating effectively). The aggregated risk-area rating reflects the worst control rating in the area, with adjustments for the criticality of the underlying risk. The aggregated rating flows up to the risk committee dashboard.
Verification and challenge are the elements that distinguish meaningful CSA from a self-confirming paper exercise. The risk officer or internal audit (where it exists) should sample 15 to 25 percent of CSA responses each quarter, verify the supporting evidence, and challenge the rating where evidence does not support the self-assessment. Verification findings are documented and produce corrective action plans where the verified rating differs from the self-assessment. Over multiple cycles, the verification process should produce convergence between self-assessment and verified rating, with persistent gaps in any team flagged to the audit committee.
A particular challenge at mid-cap manufacturers is securing operational team engagement with CSA. The teams perceive CSA as an additional reporting burden without direct operational benefit. The successful implementations build CSA into the natural rhythm of operational management rather than treating it as a separate exercise. The plant safety review, the supply chain review, and the IT operations review all become forums for CSA discussion. The CSA outputs feed into operational improvement priorities, with budget allocations following CSA-identified weaknesses where appropriate. The connection between CSA findings and operational decisions is the engagement driver.
The CSA cycle should produce three artefacts each quarter. First, the CSA dashboard summarising all control ratings across the risk register, with trend lines showing changes from prior quarters. Second, a corrective action register tracking specific actions arising from CSA findings or verification challenges, with named owners and target dates. Third, a heat map view of residual risk by category, refreshed based on the quarter's CSA results. These three artefacts form the core of the quarterly risk committee report and the annual board risk report under the Companies Act 2013 requirements.
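As an added example (not the post's own tooling), the Python below turns quantified questionnaire answers of the kind described above into control-level ratings, aggregates them to a risk-area rating using the worst-control rule with a criticality adjustment, draws the verification sample, and produces corrective-action lines where the verified rating differs from the self-assessment. The questionnaire fields, the rating thresholds, the specific criticality rule (amber on a critical risk reports as red) and the sample responses are constructed assumptions; the 20 percent sample fraction sits inside the 15 to 25 percent band the post gives.

```python
"""CSA control ratings, risk-area aggregation and verification sampling.

Added illustration; not the post's own tooling. The questionnaire fields,
the rating thresholds, the criticality adjustment rule and the sample
responses are constructed assumptions.
"""
import random
from dataclasses import dataclass
from typing import Dict, List

RATING_ORDER = {"green": 0, "amber": 1, "red": 2}
SAMPLE_FRACTION = 0.20  # within the 15-25% verification band the post describes


@dataclass
class ControlResponse:
    control_id: str
    area: str               # risk area the control belongs to, e.g. "plant fire"
    critical: bool          # underlying risk is high criticality (agreed residual-score threshold)
    due: int                # control instances due in the quarter (refills, drills, permits)
    completed: int          # instances completed on schedule with full documentation
    exceptions_found: int
    exceptions_open: int    # exceptions without a closed corrective action


def rate_control(resp: ControlResponse) -> str:
    """Green/amber/red from the quantified answers (thresholds are assumptions)."""
    completion = 1.0 if resp.due == 0 else resp.completed / resp.due
    if completion < 0.80 or resp.exceptions_open > 0:
        return "red"
    if completion < 1.0 or resp.exceptions_found > 0:
        return "amber"
    return "green"


def aggregate_areas(responses: List[ControlResponse]) -> Dict[str, str]:
    """Worst control rating per area, with amber on a critical risk reported as red."""
    areas: Dict[str, str] = {}
    for resp in responses:
        rating = rate_control(resp)
        if rating == "amber" and resp.critical:
            rating = "red"  # criticality adjustment (assumed rule)
        current = areas.get(resp.area, "green")
        if RATING_ORDER[rating] > RATING_ORDER[current]:
            current = rating
        areas[resp.area] = current
    return areas


def verification_sample(responses: List[ControlResponse], seed: int) -> List[str]:
    """Control IDs the risk officer will verify against evidence this quarter."""
    ids = [r.control_id for r in responses]
    k = max(1, round(SAMPLE_FRACTION * len(ids)))
    return sorted(random.Random(seed).sample(ids, k))


def challenge(responses: List[ControlResponse], verified: Dict[str, str]) -> List[str]:
    """Corrective-action lines where the verified rating differs from self-assessment."""
    self_rated = {r.control_id: rate_control(r) for r in responses}
    return [f"{cid}: self-assessed {self_rated[cid]}, verified {v}"
            for cid, v in sorted(verified.items()) if self_rated[cid] != v]


# Constructed quarter of responses for two risk areas.
SAMPLE_RESPONSES = [
    ControlResponse("FIRE-01", "plant fire", True, 40, 40, 0, 0),    # extinguisher refills on schedule
    ControlResponse("FIRE-02", "plant fire", True, 10, 9, 0, 0),     # scheduled drills held
    ControlResponse("FIRE-03", "plant fire", True, 120, 110, 2, 0),  # hot work permits fully documented
    ControlResponse("SCM-01", "supply chain", False, 12, 12, 1, 0),  # supplier delivery reviews
    ControlResponse("SCM-02", "supply chain", False, 12, 12, 0, 0),  # buffer stock counts
]

if __name__ == "__main__":
    print("area ratings:", aggregate_areas(SAMPLE_RESPONSES))
    print("to verify:", verification_sample(SAMPLE_RESPONSES, seed=7))
    print("actions:", challenge(SAMPLE_RESPONSES, {"FIRE-01": "amber"}))
```

Two design points carry over from the post. First, the control rating is computed from counts, so a team that reports 110 of 120 hot work permits fully documented cannot self-rate green; the amber is a consequence of the numbers, not a judgement the team can soften. Second, the criticality adjustment means a single amber on a critical fire control turns the whole area red on the committee dashboard, which is the behaviour you want when the area is one fire policy and one BI policy responding to every fire scenario.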
The Operational Risk Committee: Composition, Cadence, and Decision Authority
The Operational Risk Committee (ORC) is the management committee that owns the ERM framework's operational execution. It sits below the board's Risk Management Committee (RMC) and is the bridge between operating teams and board governance. ORC composition at a mid-cap manufacturer typically includes the CEO or COO as chair, the CFO, the heads of plant operations, supply chain, IT, HR, compliance, and the risk officer as secretary. Where the company has multiple sites, plant heads from major sites participate, with smaller sites represented by the operations director.
ORC cadence should be monthly during the first 18 months of ERM implementation, transitioning to bi-monthly once the framework is embedded. Monthly cadence is necessary during build-out because the framework requires constant attention to new risks identified, CSA findings emerging, and integration questions arising. Once the framework is stable, monthly cadence becomes administrative overhead and the ORC can move to bi-monthly meetings with ad-hoc calls between meetings for material events.
ORC decision authority should be explicitly defined. Typical authorities include approval of CSA questionnaires and rating criteria, approval of risk register updates and re-classifications, approval of treatment plans for residual risks above defined thresholds, approval of insurance procurement strategy and broker selection (subject to ratification by the RMC and board where required by Companies Act delegated authority limits), approval of internal risk policy updates, and review of incident reports above defined thresholds.
The ORC's relationship with the board's RMC is a critical design question. The ORC handles operational risk management. The RMC provides board-level oversight, sets risk appetite, approves the overall ERM framework, and reviews material residual risks. Reporting from ORC to RMC should be structured around defined exception triggers (significant new risks identified, residual risk increasing above appetite, material incidents, deviation from approved treatment plans) plus periodic full reporting (quarterly heat map and aggregated dashboard).
The risk appetite statement is the foundational document that connects ORC operational decisions to RMC governance. Risk appetite expresses the level of risk the company is willing to take in pursuit of its objectives, typically defined across financial appetite (maximum loss willing to absorb), operational appetite (acceptable disruption levels), compliance appetite (regulatory tolerance), reputational appetite (brand impact tolerance), and strategic appetite (transformation risk tolerance). The RMC approves the risk appetite statement annually; the ORC operates within it; treatment decisions that would breach appetite are escalated to the RMC.
For mid-cap manufacturers, the practical risk appetite statement is short (one to two pages) and quantified where possible. Financial appetite might be expressed as 'maximum single-event loss not to exceed 8 percent of revenue or 35 percent of expected net profit, whichever is lower.' Operational appetite might be expressed as 'production downtime at any single site not to exceed 14 days for any single event scenario.' Compliance appetite might be expressed as 'zero tolerance for material regulatory violations leading to consent withdrawal or significant penalties.' Reputational appetite might be expressed as 'no event leading to sustained negative national media coverage.' These quantified statements give the ORC clear boundaries for its decision making.
A further design consideration is the relationship between the ORC and other management committees: the safety committee, the IT security committee, the compliance committee, the audit committee. Overlap is inevitable but should be managed through explicit charter language defining each committee's primary domain and the escalation path between them. ORC has the broadest mandate covering all risk categories; the specialised committees have deeper engagement on their domain risks but report into ORC for the aggregated view.
Integrating Risk Findings with the Insurance Procurement Cycle
The integration of risk findings with insurance procurement is the operational test of whether the ERM framework delivers value. At mid-cap manufacturers without ERM integration, the insurance renewal cycle proceeds independently of the risk register. The broker proposes a renewal package similar to the prior year, the CFO and broker negotiate premium, and the renewal binds. The risk register sits in a different process owned by a different function, and the connection between identified risks and insurance coverage is at most an annual reconciliation document that few people read.
ERM integration changes the renewal cycle structurally. The risk register, with residual risk scores and current treatment status, becomes the starting point for the renewal discussion. The renewal question is no longer 'should we renew the same policies as last year?' but 'given our current residual risk profile, is our insurance programme delivering the right transfer at the right cost?' This question generates different conversations with brokers and insurers, and produces different procurement outcomes.
The integration mechanism is a structured pre-renewal review conducted 4 to 6 months before each renewal date. The review covers each significant policy line and asks: What are the underlying risks the policy is intended to transfer? Have those risks changed materially since the last renewal? Are there new risks in the register that this policy could be extended to cover? Are there risks the policy currently covers that could be retained or transferred differently to reduce premium? What is the cost-benefit comparison between the current programme and alternative structures?
For a mid-cap manufacturer with typical insurance lines (SFSP and BI, machinery breakdown, marine cargo and transit, public liability, professional indemnity for B2B services, D&O liability, group health and group personal accident, employees' compensation, motor fleet), this pre-renewal review takes 6 to 10 weeks and involves the risk officer, the insurance broker, the CFO, and the relevant operating heads. The output is a renewal strategy document approved by the ORC and ratified by the RMC where required, with specific instructions to the broker on coverage changes, deductible levels, and pricing targets.
The practical impact of integration is typically a 10 to 25 percent reduction in total insurance spend over 24 to 36 months, achieved through three mechanisms. First, identification of over-insured exposures where the sum insured exceeds the actual risk and premium is being paid for cover the company does not need. Second, identification of under-insured exposures where increased coverage delivers protection that the residual risk profile justifies. Third, restructuring of deductibles and self-insured retentions to reflect the company's true risk-bearing capacity, which is typically higher than the deductibles in standard policies sold to companies of this size.
The integration also surfaces risks that insurance does not address. A mid-cap manufacturer with a significant supplier concentration risk in the register may discover that no available insurance product responds to non-damage supply chain disruption at the limits and price points that would make the cover economic. The integration process surfaces this gap explicitly, allowing the ORC and RMC to decide on operational mitigation, contractual transfer to the supplier, or acceptance of the residual risk. Without the integration process, the gap exists but is not consciously decided.
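The pre-renewal reconciliation described in the last few paragraphs, as an added example that is not the post's own method: it joins the register entries marked for transfer to an insurer against the policies on the programme and reports the three mechanisms (over-insured lines, under-insured lines, deductibles below the company's retention capacity) together with the two things the post says integration surfaces that a renewal-as-usual does not: register risks no policy responds to, and policy lines no register risk maps to. The register rows, the policies, the retention capacity and the 20 percent tolerance band are constructed assumptions; comparing each line's sum insured to the largest single mapped loss is one reasonable rule, not the only one.

```python
"""Pre-renewal reconciliation of the risk register against the insurance programme.

Added illustration; not the post's own method. The register rows, policies,
retention capacity and the 20% tolerance band are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TOLERANCE = 0.20  # sum insured within +/-20% of the largest mapped loss counts as matched


@dataclass
class RegisterRow:
    risk_id: str
    treatment: str              # accept / transfer-insurer / transfer-contract / treat / avoid
    est_max_loss_cr: float      # estimated maximum loss after controls, INR crore
    insurance_line: Optional[str] = None


@dataclass
class Policy:
    line: str
    sum_insured_cr: float
    deductible_cr: float


def reconcile(register: List[RegisterRow], programme: List[Policy],
              retention_capacity_cr: float) -> Dict[str, List[str]]:
    """Surface gaps, over- and under-insurance, unmapped lines and deductible headroom."""
    findings: Dict[str, List[str]] = {
        "gap": [], "over_insured": [], "under_insured": [],
        "unmapped": [], "deductible_headroom": [],
    }
    by_line = {p.line: p for p in programme}
    largest_loss: Dict[str, float] = {}  # per line, the largest single loss it must respond to
    for row in register:
        if row.treatment != "transfer-insurer":
            continue  # retained, contractually transferred or treated risks are not the insurer's
        if row.insurance_line not in by_line:
            findings["gap"].append(
                f"{row.risk_id}: no policy on the programme responds to {row.insurance_line!r}")
            continue
        line = row.insurance_line
        largest_loss[line] = max(largest_loss.get(line, 0.0), row.est_max_loss_cr)
    for pol in programme:
        if pol.line not in largest_loss:
            findings["unmapped"].append(pol.line)  # premium paid for a line no register risk uses
        else:
            need = largest_loss[pol.line]
            if pol.sum_insured_cr > need * (1 + TOLERANCE):
                findings["over_insured"].append(
                    f"{pol.line}: sum insured {pol.sum_insured_cr} cr vs largest mapped loss {need} cr")
            elif pol.sum_insured_cr < need * (1 - TOLERANCE):
                findings["under_insured"].append(
                    f"{pol.line}: sum insured {pol.sum_insured_cr} cr vs largest mapped loss {need} cr")
        if pol.deductible_cr < retention_capacity_cr:
            findings["deductible_headroom"].append(
                f"{pol.line}: deductible {pol.deductible_cr} cr below retention capacity {retention_capacity_cr} cr")
    return findings


# Constructed register extract and programme (figures in INR crore, illustrative).
SAMPLE_REGISTER = [
    RegisterRow("OPS-001", "transfer-insurer", 60.0, "SFSP+BI"),
    RegisterRow("OPS-004", "transfer-insurer", 12.0, "Machinery breakdown"),
    RegisterRow("SCM-002", "transfer-insurer", 25.0, "Supply chain disruption"),  # no such policy
    RegisterRow("IT-003", "treat", 12.0),                                         # not transferred
    RegisterRow("LOG-005", "transfer-insurer", 4.0, "Marine cargo"),
]
SAMPLE_PROGRAMME = [
    Policy("SFSP+BI", 65.0, 1.5),
    Policy("Machinery breakdown", 30.0, 0.25),
    Policy("Marine cargo", 2.5, 0.1),
    Policy("D&O", 10.0, 0.0),
]
RETENTION_CAPACITY_CR = 1.0  # assumed single-event loss the company can absorb without strain

if __name__ == "__main__":
    for kind, lines in reconcile(SAMPLE_REGISTER, SAMPLE_PROGRAMME, RETENTION_CAPACITY_CR).items():
        for line in lines:
            print(f"{kind:>19}: {line}")
```

Run against the sample data, the supply-chain disruption risk comes out as a gap (the situation the paragraph above describes), the machinery breakdown line is over-insured, marine cargo is under-insured, D&O has no register risk pointing at it, and three of the four deductibles sit below the retention capacity. Each finding is a decision for the ORC, not an automatic change: the unmapped D&O line may simply mean the register is missing a directors' liability entry, which is itself a useful discovery.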
A further benefit of integration is the negotiation position with insurers. A company that presents a complete risk register, documented controls, CSA results, and a clear risk appetite statement is a different negotiation partner from a company that sends prior-year claims data and waits for the broker's recommendation. Insurers reward the disciplined risk management with better terms (lower premium, higher limits, broader coverage), better claims handling, and earlier flagging of capacity or appetite changes. The relationship value compounds over multiple renewal cycles.
For brokers servicing mid-cap manufacturers, the integration represents an opportunity to deliver advisory value beyond placement. Brokers who engage with the risk register, who structure pre-renewal reviews, and who contribute to risk treatment decisions become strategic partners rather than transactional intermediaries. The brokerage retained by these advisory-mode brokers tends to be higher than transaction-only brokerage, justified by the value delivered, and the client retention rate is materially higher.
Board Reporting, External Auditor Coordination, and Regulatory Disclosures
Board reporting on risk management at Indian mid-cap manufacturers must meet several converging requirements: Companies Act, 2013 Section 134(3)(n) directors' report disclosure on risk management policy and material risks, SEBI LODR Regulation 21 RMC composition and meeting requirements, SEBI LODR Schedule II Part D on RMC roles and responsibilities, and the relevant industry-specific regulatory expectations. Beyond regulatory minimums, board reporting should give directors the information they need to discharge their fiduciary obligations including approval of risk appetite, approval of treatment plans for material residual risks, and oversight of incident response.
The board risk report should be presented quarterly by the RMC chair, with annual deep dives on specific risk categories. The standard structure includes the aggregated residual risk heat map (refreshed for the quarter), changes from prior quarter (new risks, escalations, mitigations completed), top 10 residual risks with treatment status, incidents during the quarter and root cause analyses, CSA findings summary with verification observations, insurance programme status including any mid-year coverage changes or incidents, risk appetite headroom by category, and forward-looking risk indicators.
Directors at mid-cap manufacturers often have limited exposure to formal risk management methodology, and the board report should be accessible without requiring specialist background. The dashboard should be visual rather than text-heavy. Risk scores should be explained with anchored definitions rather than presented as bare numbers. Treatment options should be framed in terms of business consequences rather than risk management jargon. Annual board education sessions on emerging risks, regulatory changes, and ERM methodology updates help directors engage meaningfully with the quarterly reports.
External auditor coordination has become more important with the Companies Act, 2013 Section 143 and the audit standards on internal financial controls. The statutory auditor reviews the internal financial controls over financial reporting (IFCFR), which has significant overlap with the ERM framework on financial and compliance risks. Coordination between the risk officer and the statutory auditor reduces duplication, ensures consistency between ERM and IFCFR assessments, and produces a unified narrative for the audit committee. The coordination cycle typically involves the risk officer participating in pre-audit planning, sharing the risk register and CSA results with the statutory auditor, and reconciling any divergent assessments before the audit committee meeting.
Where the company has internal audit (either in-house or outsourced to a chartered accountancy firm), the internal audit plan should be informed by the risk register. Audit focus should follow residual risk, with audit hours allocated proportionately to risk score across the register. This risk-based internal audit approach is required by the Internal Audit Standards on Quality issued by the Institute of Internal Auditors India and is increasingly expected by external auditors and audit committees.
Regulatory disclosures connected to the ERM framework include the annual report directors' report risk management section (Companies Act 2013), the corporate governance report (SEBI LODR), Business Responsibility and Sustainability Report (BRSR) sections on risk and opportunity (where applicable), the management discussion and analysis section addressing risks and concerns, and any sector-specific disclosures (CSR risk under Section 135, environmental risk under Pollution Control Board consents, labour risk under Factories Act compliance reports). The ERM framework should be the source of truth for these disclosures, ensuring consistency across documents and avoiding the situation where different disclosures contain inconsistent risk descriptions.
For mid-cap manufacturers preparing for IPO or significant capital raises, the ERM framework's quality becomes a due diligence item for investors and regulators. SEBI's diligence requirements for IPO offer documents include risk factor disclosure. Private equity and strategic investors evaluating mid-cap manufacturers conduct risk management diligence. A well-built ERM framework with documented register, CSA results, treatment plans, and board reporting history significantly improves the company's positioning in these transactions. Companies that begin ERM build-out 18 to 24 months ahead of contemplated capital events typically realise this benefit; companies that build ERM under deadline pressure during a transaction process produce paper exercises that do not survive diligence scrutiny.
Implementation Roadmap and the 18-Month Build Plan
A practical implementation roadmap for mid-cap manufacturers building ERM from scratch runs 18 months across three phases. Phase one (months 1 to 6) is foundation and design. Phase two (months 7 to 12) is operationalisation and embedding. Phase three (months 13 to 18) is integration and continuous improvement.
Phase one begins with executive commitment. The CEO and CFO must agree that ERM is a multi-year priority, not a quarterly compliance task. Without that commitment the framework will not survive the first budget pressure. Phase one then defines the ERM framework charter (covering policy, ORC composition, RMC interface, taxonomy, rating criteria, CSA design, and risk appetite structure), conducts an initial risk register population through 8 to 14 facilitated workshops across operating domains, drafts the first risk appetite statement for RMC approval, and establishes the GRC tooling (which can be a structured spreadsheet for the first year or a dedicated platform from providers including SAS GRC, MetricStream, Resolver, LogicGate, ServiceNow GRC, or domestic platforms from VComply and 6clicks).
Resource requirement during phase one includes a risk officer (typically a part-time role for the CFO, CS, or compliance head at this scale), external advisory engagement of INR 15 to 35 lakh for framework design and workshop facilitation, internal time commitment of approximately 4 to 6 person-months across operating teams for workshop participation and content development, and ORC and RMC time of approximately 15 to 25 hours during the phase. The deliverables at end of phase one are the approved ERM framework charter, the populated initial risk register, the approved risk appetite statement, and the first ORC meeting having occurred.
Phase two operationalises the framework through the first CSA cycle, the first quarterly RMC reporting cycle, the development of the corrective action tracking discipline, and the alignment of internal audit and external auditor coordination with the ERM framework. The first CSA cycle typically produces lower ratings than the steady state because operating teams are conservative in the absence of established norms, and the verification process surfaces gaps that require corrective action. Phase two is the most operationally intensive phase because all of these activities are happening for the first time.
The key risk during phase two is loss of executive engagement. The CFO and CEO who championed phase one are now busy with the operating year, the ORC meetings can drift and become less effective than envisioned, and the corrective action tracking can become a long list of overdue items. The remedy is rigorous discipline by the risk officer, supported by the company secretary and the board's RMC chair. The corrective action register should never exceed 30 to 40 open items; aging beyond 90 days should trigger escalation. The ORC dashboard should track its own meeting effectiveness with metrics such as meeting attendance, decisions made, and action item closure rates.
Phase three completes the integration with insurance procurement, with the pre-renewal review described earlier conducted for the first time during this phase. By month 18 the integration cycle has run for at least one major insurance renewal, the risk register has been updated based on CSA findings and operational experience, the board has received four to five quarterly RMC reports with growing sophistication, and the framework is sustainable into year two without external advisory support.
The long-term value realisation continues beyond month 18. Insurance spend reductions of 10 to 25 percent are typically realised during years 2 and 3 as multiple renewal cycles operate under the integrated framework. Operational improvement from CSA-driven corrective actions compounds over multiple cycles. Board governance maturity improves with each annual cycle as directors become familiar with the framework artefacts. The framework becomes a competitive advantage in regulatory inspections, in capital market interactions, and in stakeholder management.
For mid-cap manufacturers considering ERM build-out, the practical recommendation is to commit to the 18-month roadmap with executive sponsorship, accept the resource commitment as a multi-year investment, and resist the temptation to short-cut the build. Companies that invest fully in the build see the framework deliver value for a decade. Companies that build under deadline produce frameworks that need re-build every two to three years, at greater cumulative cost and lower steady-state effectiveness.