Enterprise Risk Register for Mid-Market Indian Corporates: 2026 Design and Operating Framework

A design and operating guide to the enterprise risk register for Indian mid-market corporates with INR 500 to 5,000 crore turnover: ERM framework selection, register design, likelihood and impact scoring, the top 15 commercial risks, board reporting cadence under Companies Act Section 134(3)(n), and the NFRA and SEBI scrutiny that has reshaped risk reporting practice.

Sarvada Editorial Team, Insurance Intelligence
Last reviewed: May 2026

Why ERM Has Moved from Nice-to-Have to Operating Discipline for Indian Mid-Market

Indian mid-market corporates with turnover in the INR 500 to 5,000 crore range have historically operated risk management at a less mature level than their large-cap counterparts. The 2020 to 2026 period has progressively changed this position. The COVID-19 supply chain disruption, the 2021 to 2023 commodity price volatility, the cyber incident cluster through 2022 to 2025, the regulatory tightening under DPDP Act 2023 and SEBI ESG disclosure norms, and the climate adaptation pressure on industrial operations have all combined to require mid-market firms to operate structured enterprise risk management (ERM) rather than ad-hoc risk responses.

The Companies Act 2013 framework places explicit risk management obligations on listed and large unlisted Indian companies. Section 134(3)(n) requires the Board's report to include a statement indicating development and implementation of a risk management policy for the company. Section 177(4)(vii) requires the audit committee to evaluate internal financial controls and risk management systems. Regulation 21 of the SEBI LODR requires listed companies (and the top 1,000 by market cap face additional risk management committee requirements) to constitute a risk management committee. The Indian Accounting Standards (Ind AS) framework requires disclosure of significant risks and risk management responses in the financial statements. The combined regulatory framework places mid-market companies under documentation pressure that ad-hoc risk management cannot satisfy.

The National Financial Reporting Authority (NFRA) review activity through 2023 to 2025 has produced specific scrutiny of risk management disclosures in audited financial statements, with several enforcement orders against auditors for inadequate audit work on risk management systems. The scrutiny has flowed through to mid-market companies via the auditor engagement: auditors at mid-market clients now demand documented risk registers, formal risk management policy, and evidence of board-level risk discussions before signing off the audit.

For mid-market Indian corporates in 2026, the practical position is that ERM is no longer optional. The choice is between operating a structured ERM framework that meets regulatory and audit expectations and incurring the compliance and disclosure costs of operating without one.

This guide lays out the 2026 ERM framework for mid-market Indian corporates. It covers framework selection, risk register design, scoring methodology, the top 15 commercial risks, board reporting cadence under Section 134(3)(n), and the NFRA and SEBI scrutiny pattern. It is written for chief risk officers, chief financial officers, audit committee chairs, and the broker advisors supporting them on insurance and risk programme design.

ERM Framework Selection: COSO ERM, ISO 31000, or Hybrid

The starting decision for an Indian mid-market ERM programme is the framework selection. Three options dominate the practical choice space.

COSO ERM 2017

The COSO Enterprise Risk Management framework (most recent 2017 edition) is the dominant ERM reference globally and the framework that auditors most frequently expect to see referenced. COSO ERM positions risk management within strategy and performance, with five components: governance and culture, strategy and objective-setting, performance, review and revision, and information, communication, and reporting.

The COSO framework is well-suited to Indian mid-market companies because it integrates risk management with strategy execution and provides a structured basis for board-level risk discussions. The framework's emphasis on risk appetite and tolerance fits well with the SEBI risk management committee mandate.

ISO 31000:2018

The ISO 31000 risk management framework is a more compact alternative widely used in industrial and engineering contexts. ISO 31000 provides principles, framework, and process guidance applicable across organisational types. The framework is well-suited to manufacturing and industrial mid-market companies with operational risk concentration.

Hybrid frameworks

Most Indian mid-market ERM programmes in practice operate hybrid frameworks combining COSO ERM at the governance and strategy level with ISO 31000 at the operational risk level. The hybrid approach reflects the practical reality that Indian companies have a mixed audit, regulatory, and operational risk environment that no single framework cleanly addresses.

Practical framework selection guidance

For a mid-market Indian corporate selecting an ERM framework in 2026, the practical guidance is as follows.

  1. Listed companies above INR 1,000 crore turnover: COSO ERM 2017 with ISO 31000 operational risk supplementation. The COSO emphasis on strategy and risk appetite matches the SEBI LODR risk management committee requirements.
  2. Unlisted companies with audit committee maturity: COSO ERM 2017 with simpler operational risk treatment.
  3. Industrial and manufacturing companies: hybrid with ISO 31000 at operational level.
  4. Service and technology companies: COSO ERM 2017 with cyber and information security risk treatment integrated.

The framework selection should be documented in the risk management policy with the rationale captured for auditor and regulator review.

Avoiding framework dogmatism

An important practical point is that the framework is the structure, not the substance. The Indian mid-market ERM programmes that work focus on identifying real risks, assessing them honestly, and operating credible response controls. The programmes that fail are those that follow the framework template without engaging with the underlying risk reality. Auditors and regulators look through framework compliance to substantive risk management evidence; framework adoption without substance produces audit qualifications and regulatory disclosure issues.

Risk Register Design: Categories, Fields, and Operating System

The risk register is the operational heart of the ERM framework. The register documents the company's identified risks, their assessment, the response controls, and the ongoing monitoring. A well-designed register supports board reporting, audit work, regulatory disclosure, and operational decision-making. A poorly-designed register produces compliance work without operational value.

Risk register fields

The minimum field set for a 2026 mid-market risk register includes the following.

  1. Risk identification number: unique identifier for tracking.
  2. Risk description: clear, specific statement of the risk including the source, the event, and the consequence.
  3. Risk category: classification under the company's risk taxonomy (strategic, operational, financial, compliance, reputational).
  4. Risk owner: named executive accountable for the risk and its management.
  5. Inherent likelihood: probability assessment before considering controls.
  6. Inherent impact: financial impact assessment before considering controls.
  7. Inherent risk score: combined inherent risk rating.
  8. Existing controls: description of the controls currently in place.
  9. Control effectiveness: assessment of how well the controls work.
  10. Residual likelihood: probability assessment after considering controls.
  11. Residual impact: financial impact assessment after considering controls.
  12. Residual risk score: combined residual risk rating.
  13. Target risk score: risk score that management considers acceptable.
  14. Risk response action: actions planned to move from residual to target.
  15. Action owner and deadline: who is accountable and when.
  16. Insurance treatment: how the risk is treated in the insurance programme.
  17. Last review date and next review date: documentation of review cadence.

Risk categories

The risk taxonomy should reflect the company's specific risk profile. A practical Indian mid-market taxonomy uses five primary categories with sub-categories.

  1. Strategic: market and competitive position, business model viability, M&A and growth risks, capital structure.
  2. Operational: production and supply chain, infrastructure and assets, technology and cyber, human resources, third-party vendors.
  3. Financial: liquidity and treasury, foreign exchange, commodity price, credit, working capital.
  4. Compliance and legal: regulatory compliance, contract performance, intellectual property, litigation, taxation.
  5. Reputational and ESG: brand and customer trust, environmental, social, governance, climate.

The taxonomy should be stable across reporting periods to allow trend analysis. Restructuring the taxonomy regularly destroys the longitudinal value of the risk register.

Operating system selection

The risk register can be operated in spreadsheet form for the smallest mid-market companies, in dedicated GRC (governance, risk, and compliance) platforms for larger mid-market companies, or in custom-built systems for companies with specific integration needs. The choice depends on the register size, the number of users, the integration requirements, and the audit and regulatory expectations.

For a typical Indian mid-market company with 50 to 150 risks in the register and 5 to 15 risk owners across the organisation, a dedicated GRC platform from MetricStream, ServiceNow GRC, SAP GRC, IBM OpenPages, or domestic Indian alternatives like ProcessGene, RiskAssur, and similar provides the right balance. The investment is typically INR 25 lakh to INR 2 crore annually depending on platform and scope.

Register refresh cadence

The risk register should be refreshed on a defined cadence with three operating windows.

  1. Continuous updates: new risks added, control updates recorded, action progress logged on a continuous basis by risk owners.
  2. Quarterly review: structured review of each risk by the risk owner with the CRO, refreshing the residual scores and action progress.
  3. Annual refresh: full review of the entire register by the risk management committee, with revalidation of the taxonomy, the scoring methodology, and the risk appetite statements.

The cadence should be documented and operated with discipline. Risk registers that drift between quarterly reviews become stale and lose operational value. Risk registers that are refreshed only at year-end become annual-report compliance exercises without operational substance.

Likelihood and Impact Scoring: A 5x5 Matrix for Indian Mid-Market

Risk scoring translates qualitative judgement about likelihood and impact into quantitative inputs for the risk register. The dominant approach in Indian mid-market ERM is the 5x5 matrix with five likelihood levels and five impact levels combining to produce 25 cells with associated risk ratings.

Likelihood scale

The likelihood scale should reference a defined time horizon (typically one year) and use observable language rather than abstract probability.

  1. Rare (1): event might occur only in exceptional circumstances; less than 5 percent likelihood in the year.
  2. Unlikely (2): event could occur at some time; 5 to 25 percent likelihood in the year.
  3. Possible (3): event might occur at some time; 25 to 50 percent likelihood in the year.
  4. Likely (4): event will probably occur in most circumstances; 50 to 75 percent likelihood in the year.
  5. Almost certain (5): event is expected to occur in most circumstances; above 75 percent likelihood in the year.

Impact scale

The impact scale should reference the company's specific financial position with thresholds calibrated to the turnover and capital base. For a mid-market company with INR 1,500 crore turnover and INR 800 crore total assets, the impact scale might use the following thresholds (adjusted proportionally for other company sizes).

  1. Insignificant (1): financial impact below INR 1 crore; minimal operational or reputational impact.
  2. Minor (2): financial impact INR 1 to 10 crore; limited operational disruption.
  3. Moderate (3): financial impact INR 10 to 50 crore; material operational disruption or reputational impact.
  4. Major (4): financial impact INR 50 to 200 crore; significant operational disruption or reputational damage.
  5. Catastrophic (5): financial impact above INR 200 crore; existential or near-existential threat to the company.

The impact scale should consider multiple dimensions beyond financial: operational disruption, reputational damage, regulatory consequences, customer impact, and employee impact. The dominant dimension for each risk is typically financial but the multi-dimensional view supports better board discussions.

Risk rating output

The 5x5 matrix produces 25 cells with associated ratings. A common rating scheme assigns the following ratings.

  1. Low (likelihood x impact 1 to 4): acceptable risk, monitor.
  2. Moderate (5 to 10): managed risk, periodic review.
  3. High (11 to 16): elevated risk, active management.
  4. Very high (17 to 25): unacceptable risk, immediate action required.

The ratings drive the risk treatment decisions and the board reporting priority.

Inherent versus residual scoring

The register should score each risk twice: inherent (before considering controls) and residual (after considering controls). The distinction matters for two reasons. First, the inherent score reveals the underlying risk exposure if controls were to fail; this is the relevant measure for stress-scenario analysis and insurance limit sizing. Second, the gap between inherent and residual reveals the dependence on controls; risks with a large inherent-to-residual gap are dependent on control effectiveness and require monitoring of those controls.
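The scoring rules above can be checked mechanically across a register. The following is an added example, not part of the original article: it applies the article's likelihood bands, impact bands (scaled proportionally from the INR 1,500 crore reference company), and rating bands to constructed register entries. The `RiskEntry` fields, the finding labels, the gap threshold of 10, the boundary handling, and the residual-above-inherent sanity check are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

REFERENCE_TURNOVER_CRORE = 1500  # turnover the article's impact thresholds are calibrated to
CONTROL_GAP_FLAG = 10            # hypothetical cut-off for a "large" inherent-to-residual gap


def _band(value, first_cut, upper_cuts):
    """Map a value onto levels 1..5. Level 1 is strictly below first_cut and
    level 5 strictly above the last cut, as the article words them. Assumption:
    a value on a boundary between middle bands goes to the lower band."""
    if value < first_cut:
        return 1
    for level, upper in enumerate(upper_cuts, start=2):
        if value <= upper:
            return level
    return 5


def likelihood_level(pct):
    """One-year likelihood in percent -> 1 (rare) .. 5 (almost certain)."""
    if not 0 <= pct <= 100:
        raise ValueError("likelihood must be between 0 and 100 percent")
    return _band(pct, 5, (25, 50, 75))


def impact_level(crore, turnover_crore=REFERENCE_TURNOVER_CRORE):
    """Financial impact in INR crore -> 1 (insignificant) .. 5 (catastrophic),
    with thresholds scaled proportionally to the company's turnover."""
    if crore < 0 or turnover_crore <= 0:
        raise ValueError("impact must be >= 0 and turnover must be > 0")
    scale = turnover_crore / REFERENCE_TURNOVER_CRORE
    return _band(crore, 1 * scale, (10 * scale, 50 * scale, 200 * scale))


def rating(score):
    """Likelihood x impact score -> rating band from the article."""
    if not 1 <= score <= 25:
        raise ValueError("score must be between 1 and 25")
    if score <= 4:
        return "Low"
    if score <= 10:
        return "Moderate"
    if score <= 16:
        return "High"
    return "Very high"


@dataclass
class RiskEntry:  # hypothetical subset of the register fields listed earlier
    risk_id: str
    owner: str
    inherent_pct: float
    inherent_crore: float
    residual_pct: float
    residual_crore: float
    next_review: date


def assess(entry, today, turnover_crore=REFERENCE_TURNOVER_CRORE):
    """Score one entry twice (inherent, residual) and list review findings."""
    inherent = likelihood_level(entry.inherent_pct) * impact_level(
        entry.inherent_crore, turnover_crore)
    residual = likelihood_level(entry.residual_pct) * impact_level(
        entry.residual_crore, turnover_crore)
    findings = []
    if residual > inherent:
        # Added sanity check: a score after controls should not exceed the score before.
        findings.append("residual-exceeds-inherent")
    elif inherent - residual >= CONTROL_GAP_FLAG:
        # Large gap: the rating depends on the controls working, so monitor them.
        findings.append("control-dependent")
    if entry.next_review < today:
        findings.append("review-overdue")
    return {
        "risk_id": entry.risk_id,
        "inherent": (inherent, rating(inherent)),
        "residual": (residual, rating(residual)),
        "control_gap": inherent - residual,
        "findings": findings,
    }


# Constructed sample register entries (not real data).
SAMPLE_REGISTER = [
    RiskEntry("R-001", "CIO", 60, 120, 20, 40, date(2026, 3, 31)),   # ransomware
    RiskEntry("R-002", "CFO", 80, 8, 80, 8, date(2026, 6, 30)),      # FX exposure
    RiskEntry("R-003", "COO", 10, 250, 30, 250, date(2026, 6, 30)),  # factory fire
]

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        print(assess(e, today=date(2026, 5, 15)))
```

Entries flagged `residual-exceeds-inherent` or `control-dependent` are the ones to bring to the CRO challenge session with documented rationale.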

Scoring discipline and bias

Risk scoring is subject to systematic biases. Risk owners typically under-score risks within their accountability area to avoid drawing adverse attention to issues in their function. The 2026 best practice is to subject scores to challenge by the CRO and the risk management committee, with documented rationale for scores above and below the apparent expectation. Auditors and regulators look at scoring discipline as an indicator of ERM maturity; consistent under-scoring or unsupported scoring drives audit qualifications.

The Top 15 Commercial Risks for Indian Mid-Market in 2026

The risk register categories produce the structural taxonomy. The specific risks within the categories vary by company but the dominant risks across Indian mid-market corporates in 2026 cluster around 15 recurring themes. The list below captures these dominant risks with brief notes on each.

  1. Cyber and information security: ransomware, data breach, business email compromise, supply chain compromise. Driven by ongoing threat actor activity and DPDP Act compliance obligations.
  2. Supply chain disruption: single-source vendor failure, semiconductor and API import-dependency exposure, geopolitical disruption to specific trade routes, China-plus-one transition cost.
  3. Fire and special perils: factory and warehouse fire, monsoon flooding, cyclone exposure for coastal operations. Indian commercial fire claims volumes have remained elevated through 2024 to 2026.
  4. Business interruption: extended downtime from material damage, contingent BI from supplier or utility disruption, cascading BI from interconnected operations.
  5. Regulatory and compliance: DPDP Act implementation, GST and direct tax disputes, sector-specific regulatory changes, labour law compliance.
  6. Product liability and recall: product safety claims, recall costs, regulatory product action. Material for automotive, pharma, FMCG, and consumer electronics mid-market companies.
  7. Professional liability: indemnity exposure for advisory, consulting, technology services. Material for IT services, professional services, and design-engineering mid-market.
  8. Foreign exchange and commodity price: INR volatility, USD-denominated debt exposure, raw material price spikes (steel, copper, aluminium, polymers).
  9. Credit and counterparty: customer payment defaults, supplier prepayment exposure, dealer and distributor default.
  10. Working capital and liquidity: receivables management, inventory carrying cost, working capital cycle disruption.
  11. Key person and human capital: dependency on senior executives, attrition in critical functions, succession planning gaps.
  12. Reputation and brand: social media exposure, customer experience failures, ESG and sustainability scrutiny.
  13. Climate physical and transition: extreme weather affecting operations, water stress, regulatory climate transition cost (carbon pricing, mandatory ESG reporting).
  14. Litigation and legal: contract disputes with customers and suppliers, employment law claims, intellectual property disputes.
  15. Strategic and competitive: market share erosion, technological disruption, M&A and integration risk.

Sector-specific overlays

The top 15 list applies across sectors but specific sectors carry additional concentrated risks.

  1. Manufacturing: machinery breakdown, hazardous chemicals exposure, environmental compliance.
  2. Pharmaceuticals: clinical trial liability, batch recall, regulatory inspection findings.
  3. IT services: client contract liability, offshore delivery risk, cyber incident at client environments.
  4. Financial services: credit portfolio risk, market risk, operational risk, regulatory capital risk.
  5. Healthcare: clinical malpractice, patient data protection, medical equipment failure.
  6. Logistics and warehousing: cargo loss, fleet accident, fire and theft at warehouse facilities.
  7. Real estate and construction: project completion risk, contractor performance, regulatory approval risk.

Insurance treatment in the register

Each risk in the register should carry an insurance treatment field documenting how the risk is handled in the insurance programme. The treatment options are: transferred (insurance responds), partially transferred (insurance responds subject to limit, deductible, or exclusion), retained (no insurance), or shared (insurance with retention or co-insurance). The insurance treatment field allows the CFO and the broker to align the insurance programme with the risk register, with insurance limits and structures designed to match the register's residual risk exposure.

Board Reporting Cadence: Companies Act Section 134(3)(n) and SEBI LODR

The Companies Act 2013 and the SEBI LODR Regulations 2015 establish the formal board reporting framework for Indian listed and large unlisted companies. Mid-market companies operating ERM in 2026 must satisfy both the statutory and the audit-driven expectations.

Companies Act Section 134(3)(n)

Section 134(3)(n) of the Companies Act 2013 requires the Board's report to include a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.

The Section 134(3)(n) statement is the public-facing disclosure of the company's risk management framework. The 2026 NFRA scrutiny of these disclosures has produced multiple cases where the statement was found to be inadequate, leading to auditor qualifications and management accountability questions. The 2026 standard for the Section 134(3)(n) statement requires specific, substantive disclosure rather than generic risk management language.

SEBI LODR Regulation 21

SEBI LODR Regulation 21 requires top 1,000 listed companies (by market capitalisation as on 31 March) to constitute a Risk Management Committee with at least three members of whom one shall be an independent director. The committee meets at least twice a year with quorum requirements. The committee responsibilities include formulating and reviewing the risk management policy, monitoring and reviewing risk management plans, and reporting to the board.

For mid-market listed companies within the top 1,000, the Regulation 21 mandate drives the formal committee structure. For mid-market listed companies outside the top 1,000, the formal committee is not statutorily required but the broader Section 134(3)(n) and audit committee responsibilities still apply.

Mid-market reporting cadence

A workable 2026 reporting cadence for Indian mid-market companies includes the following.

  1. Quarterly CRO report to the audit committee or risk management committee covering material changes in the risk register, action progress on the priority risks, and material incidents during the quarter.
  2. Bi-annual deep dive at the risk management committee or audit committee covering one or two specific risk areas in depth (typically cyber, supply chain, regulatory, or specific operational risk).
  3. Annual risk review at the full board reviewing the complete risk register, the risk appetite statements, the insurance programme, and the year-ahead risk priorities.
  4. Annual report disclosure in the Board's report under Section 134(3)(n) reflecting the substantive risk management framework and the existential risks identified.
  5. Incident reporting on material incidents during the year, with the timing and detail of reporting calibrated to the incident severity.

Audit committee role

The audit committee under Section 177(4)(vii) has specific responsibility for evaluating internal financial controls and risk management systems. The audit committee in mid-market companies typically receives the CRO report at each quarterly meeting and provides oversight of the risk management framework. The audit committee chairman is typically the senior governance contact for risk discussions in the absence of a separately-constituted risk management committee.

CFO and finance team integration

The CFO role in mid-market ERM is critical because the financial impact assessment, the insurance programme, and the disclosure language all flow through the finance function. The CFO should be co-accountable with the CRO for the register, the insurance treatment, and the board reporting. Mid-market companies that separate CRO and CFO accountabilities without coordination produce risk registers that do not align with the financial planning and the insurance programme.

From Register to Operating Discipline: Insurance Alignment and Continuous Improvement

The risk register is the operational artefact, but it is only useful when it drives decisions about insurance, risk controls, and resource allocation. Mid-market ERM programmes that produce a register without integrating it into decision-making produce compliance documents rather than operating improvements.

Insurance programme alignment

The insurance programme should be designed against the risk register's residual risk profile, not against generic industry benchmarks. The alignment runs through three steps.

  1. Map each register risk to the insurance programme. For each material risk in the register, identify the policy line that responds (or the gap if no policy responds). The mapping reveals where the insurance programme over-covers (multiple policies responding to the same risk at unnecessary cost) and where it under-covers (material risks without insurance response).
  2. Size insurance limits against register impact assessment. The impact assessment in the register provides the basis for sizing insurance limits. A risk with INR 200 crore residual impact should have insurance limit response in the INR 200 crore range, not at generic industry levels that may be materially higher or lower.
  3. Review insurance deductibles against the company's risk appetite. The risk appetite statements in the register establish the level of retained risk that the company can absorb. Insurance deductibles should align with this appetite: deductibles materially below the company's tolerable absorption are unnecessarily costly, and deductibles materially above produce balance sheet exposure beyond the appetite.

Broker engagement on register-driven placement

Brokers placing insurance programmes for Indian mid-market companies in 2026 should engage with the company's risk register as a primary placement input. The placement conversation that starts from 'what does your risk register show?' is materially more effective than the placement conversation that starts from 'what is your current insurance programme?'. The register-driven placement allows the broker to identify cover gaps, optimisation opportunities, and structural improvements that a renewal-driven placement cannot surface.

Continuous improvement and maturity progression

ERM is a multi-year journey. The mid-market companies that adopt ERM in 2026 are at varying maturity levels: some are at initial framework adoption, some at register design, some at scoring operationalisation, some at full integration with strategy and insurance. The progression should be planned with realistic milestones and resource allocation.

A practical maturity progression for Indian mid-market ERM looks like the following.

  1. Year 1: framework selection, risk register design, taxonomy and scoring methodology, initial risk identification, basic board reporting.
  2. Year 2: scoring discipline, register refresh cadence, insurance programme mapping, audit committee integration, first detailed Section 134(3)(n) disclosure.
  3. Year 3: full integration with strategy, risk appetite quantification, scenario analysis, second-line and third-line assurance structure.
  4. Year 4 and beyond: continuous improvement, peer benchmarking, integration with ESG reporting and climate disclosure.

The progression should be appropriate to the company's scale and resource availability. Mid-market companies that attempt to leap to advanced maturity without the foundations produce sophisticated-looking artefacts that fail at the operational substance test.

The value of structured ERM for mid-market

The value of structured ERM for Indian mid-market corporates is real and not theoretical. The 2025 to 2026 cases of mid-market companies experiencing material losses (cyber incidents, supply chain disruption, regulatory action, climate events) have shown that companies with structured ERM identify and respond to the risks more effectively than companies operating ad-hoc risk management. The insurance recovery on losses is also better for companies with documented ERM, with insurers responding more favourably when the insured can demonstrate that the loss event was identified in the risk register and that the response was consistent with the documented framework.

For mid-market Indian corporates in 2026, the practical recommendation is to invest in structured ERM proportionate to the company's scale, to integrate the framework with insurance programme design, and to treat the Section 134(3)(n) disclosure as a substantive board-level document rather than as compliance boilerplate. The investment is modest relative to the cost of operating without ERM, and the benefits accrue across regulatory compliance, audit relationships, insurance economics, and resilience to actual loss events.

Frequently Asked Questions

Why is ERM no longer optional for Indian mid-market corporates with INR 500 to 5,000 crore turnover in 2026?
The combined regulatory and audit framework places mid-market companies under documentation pressure that ad-hoc risk management cannot satisfy. Companies Act 2013 Section 134(3)(n) requires the Board's report to include a statement on the risk management policy and existential risks. Section 177(4)(vii) requires the audit committee to evaluate internal financial controls and risk management systems. SEBI LODR Regulation 21 requires top 1,000 listed companies to constitute a Risk Management Committee with defined responsibilities. NFRA scrutiny of risk management disclosure through 2023 to 2025 produced enforcement orders against auditors for inadequate audit work, with the scrutiny flowing through to mid-market companies via auditor demand for documented frameworks. The 2020 to 2026 risk environment including COVID disruption, commodity volatility, cyber incidents, DPDP Act 2023 compliance, and climate adaptation pressure has added operational reasons for structured ERM. The practical choice in 2026 is between operating structured ERM that meets regulatory and audit expectations or incurring the compliance and disclosure costs of operating without one.

How should an Indian mid-market company select between COSO ERM, ISO 31000, and hybrid frameworks?
The selection should match the company's risk profile and capacity rather than copy peer practice. Listed companies above INR 1,000 crore turnover typically use COSO ERM 2017 with ISO 31000 operational risk supplementation, with the COSO emphasis on strategy and risk appetite matching SEBI LODR Regulation 21 requirements. Unlisted companies with audit committee maturity typically use COSO ERM 2017 with simpler operational risk treatment. Industrial and manufacturing companies typically operate hybrid with ISO 31000 at operational level. Service and technology companies typically use COSO ERM 2017 with cyber and information security risk treatment integrated. The framework is the structure not the substance: programmes that work focus on identifying real risks, assessing them honestly, and operating credible response controls, while programmes that follow the template without engaging with the underlying risk reality fail the audit and regulatory substance test.

What is the appropriate likelihood and impact scoring methodology for an Indian mid-market risk register?
The dominant approach is a 5x5 matrix with five likelihood levels (rare under 5 percent, unlikely 5 to 25 percent, possible 25 to 50 percent, likely 50 to 75 percent, almost certain above 75 percent for a one-year horizon) and five impact levels calibrated to the company's specific financial position. For a company with INR 1,500 crore turnover the impact thresholds might run insignificant under INR 1 crore, minor INR 1 to 10 crore, moderate INR 10 to 50 crore, major INR 50 to 200 crore, catastrophic above INR 200 crore, with proportional adjustment for other company sizes. The matrix produces 25 cells with associated low, moderate, high, and very high ratings. Each risk should be scored twice: inherent before considering controls (relevant for stress scenarios and insurance limit sizing) and residual after considering controls. The gap between inherent and residual reveals control dependence. Scoring should use observable language for risk owner conversations while mapping to defined probability ranges for consistency.

What does the Section 134(3)(n) disclosure require in the Board's report, and how has NFRA scrutiny changed practice?
Section 134(3)(n) of the Companies Act 2013 requires the Board's report to include a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company. The 2024 to 2025 NFRA scrutiny of these disclosures produced multiple cases where the statement was found inadequate, with enforcement orders against auditors for inadequate audit work on risk management systems. The 2026 standard for Section 134(3)(n) requires specific substantive disclosure rather than generic risk management language. The board reporting cadence supporting the disclosure includes quarterly CRO reports to the audit committee or risk management committee, bi-annual deep dives on specific risk areas, and annual full-board risk review reflecting the complete register, risk appetite statements, and existential risks. The disclosure should be treated as a substantive board-level document with named risks rather than as compliance boilerplate.
