Risk Appetite Frameworks for Indian Mid-Market Companies: From Board Policy to Insurance Decisions

Indian mid-market companies, those with annual revenue between INR 100 crore and INR 500 crore, occupy a peculiar gap in risk management maturity. They are large enough that a single uninsured or underinsured loss can threaten solvency, yet small enough that they rarely have a dedicated risk management function. Their insurance programmes are typically assembled reactively, driven by lender covenants, customer requirements, or the last claim experience, rather than by a deliberate assessment of what risks the company can absorb and what risks it must transfer.

The absence of a defined risk appetite means that insurance decisions are made ad hoc. The CFO approves a deductible increase because the broker says it will save INR 8 lakh in premium, without evaluating whether the company's balance sheet can comfortably absorb a INR 25 lakh retention on a machinery breakdown claim. The promoter declines to purchase business interruption cover because the premium seems high, without quantifying that a three-month shutdown of the primary manufacturing line would burn through INR 4 crore in fixed costs alone. Each of these decisions reflects an implicit risk appetite, but because that appetite has never been articulated, the decisions are inconsistent and often contradictory.

The consequences become visible only when losses occur. A textile manufacturer in Surat with INR 200 crore revenue discovered during a fire loss in 2024 that its total self-retention across property, stock, and BI exceeded INR 6 crore, more than its entire annual net profit. The retention level had grown incrementally over several renewals, with each increase approved in isolation, and nobody had aggregated the total downside exposure. A formal risk appetite statement would have flagged this accumulation long before the loss.

IRDAI's corporate governance guidelines for insurers require defined risk appetite frameworks, but no equivalent mandate exists for the insured. This leaves Indian mid-market corporates to self-govern. The companies that do it well, typically those with institutional investors or PE backing that demands governance rigour, gain a measurable advantage: lower total cost of risk, faster claims recovery, and more informed board-level decision-making about growth, capex, and geographic expansion.

Risk appetite is the amount and type of risk that an organisation is willing to accept in pursuit of its strategic objectives. For an Indian mid-market company, translating this abstract concept into actionable statements requires specificity. A risk appetite statement that says 'the company has a moderate appetite for operational risk' is functionally useless. A statement that says 'the company will retain property and machinery losses up to INR 15 lakh per occurrence and will not accept aggregate retained losses exceeding 3% of EBITDA in any financial year' provides clear decision criteria for the insurance programme.

The board of directors is the appropriate body to approve the risk appetite framework. This does not mean the board needs to debate every deductible level. Rather, the board sets the boundaries: the maximum acceptable loss from a single event, the maximum aggregate retained losses in a year, and the categories of risk where zero tolerance applies (such as regulatory penalties or environmental liabilities). The CFO or risk manager then translates these boundaries into specific insurance programme parameters.

For Indian mid-market companies, the risk appetite framework should address four dimensions. First, maximum tolerable loss (MTL) from a single event, expressed in absolute INR terms. For a company with INR 300 crore revenue and INR 30 crore EBITDA, an MTL of INR 50 lakh to INR 1 crore per event is typical, representing 1.5% to 3.3% of annual profit. Second, aggregate annual retention, the total amount the company is willing to absorb across all risk categories in a single financial year. This is commonly set at 5-10% of EBITDA. Third, catastrophe tolerance, the maximum loss the company could survive from a single extreme event (earthquake, flood, fire destroying the primary facility). This is distinct from the MTL and relates to solvency rather than profitability. Fourth, risk categories where no retention is acceptable, typically third-party liability, directors and officers liability, and regulatory compliance risks.

The language matters because the risk appetite statement will be referenced by people who are not risk professionals: the procurement team evaluating supplier contracts, the operations head approving a new warehouse location, the business development team pricing a large contract. The statement must be written in plain business language, with INR thresholds that can be directly applied to operational decisions.

Once the board has approved the risk appetite boundaries, the next step is mapping those boundaries to the insurance programme. This mapping is where most Indian mid-market companies struggle, because the connection between risk appetite statements and specific insurance terms (deductibles, sub-limits, policy exclusions, and self-insured retentions) is not intuitive to non-insurance professionals.

The deductible on each policy is the most direct expression of risk retention. If the board has set a maximum tolerable loss of INR 10 lakh per event, then no individual policy deductible should exceed INR 10 lakh, and the aggregate of deductibles across all policies that could be triggered by a single event must stay within this limit. For example, a fire at a factory could trigger claims under the property policy, the stock policy, the machinery breakdown policy, and the business interruption policy simultaneously. If each carries a INR 5 lakh deductible, the total retention from a single fire event is INR 20 lakh, which breaches the INR 10 lakh MTL even though each individual deductible appears reasonable.

Sub-limits within policies represent another form of retention. If the property policy has a sum insured of INR 50 crore but carries a sub-limit of INR 5 crore for flood damage, and the company's flood exposure at its primary facility exceeds INR 5 crore, the difference is effectively a self-retained risk. Many mid-market companies are unaware of the sub-limits embedded in their policies and therefore cannot assess whether their actual retention matches their stated appetite.

Policy exclusions create uninsured retentions that are often invisible. The standard fire policy excludes terrorism damage unless the terrorism pool cover is purchased separately. If the company's facility is in an area with elevated terrorism risk, and the board's risk appetite says 'zero tolerance for catastrophic property loss,' then the terrorism exclusion directly contradicts the risk appetite unless separately addressed.

A practical approach for mid-market companies is to create a risk retention matrix: a simple spreadsheet listing every insured risk category, the policy deductible, applicable sub-limits, known exclusions, and the resulting maximum retention per event and per year. This matrix, reviewed quarterly, makes the gap between stated risk appetite and actual insurance programme immediately visible.

The financial metrics used to calibrate risk appetite must resonate with the CFO's existing framework. Indian mid-market CFOs think in terms of EBITDA, working capital, debt service coverage, and cash reserves. The risk appetite framework should use the same vocabulary.

EBITDA-based retention. The simplest and most widely used metric. A company with INR 40 crore EBITDA that sets aggregate annual retention at 5% of EBITDA is willing to absorb INR 2 crore in total retained losses per year. This metric is intuitive because it directly relates to the company's earning capacity. However, it must be stress-tested: if EBITDA drops by 30% in a bad year (common in cyclical industries like steel, textiles, or construction), the 5% threshold drops to INR 1.4 crore, but the underlying risks have not decreased. The risk appetite framework should specify whether the EBITDA benchmark uses a trailing average (more stable) or current year projections (more responsive).

Cash reserve adequacy. Retained losses must be funded from available cash. A company may have INR 40 crore EBITDA but only INR 3 crore in free cash (after meeting working capital and debt service requirements). Setting aggregate retention at INR 2 crore when free cash is INR 3 crore means a bad year of losses could consume two-thirds of the liquidity buffer. The risk appetite should incorporate a cash adequacy test: retained losses should not exceed a specified percentage of free cash, typically 30-50%.

Debt covenant sensitivity. Many mid-market companies have loan covenants that require minimum debt service coverage ratios (DSCR), current ratios, or net worth thresholds. A major uninsured loss that impairs net worth or reduces DSCR below covenant levels can trigger loan acceleration, converting a manageable operational loss into a solvency crisis. The risk appetite framework must identify covenant-sensitive thresholds and ensure that the maximum possible retained loss (single event plus aggregate) cannot breach them.

Working capital impact. For manufacturing and trading companies, a large retained loss often hits working capital directly, through damaged stock, uncollectable receivables from disrupted customers, or emergency procurement at inflated prices. The risk appetite should assess whether the company can absorb a retained loss without requiring emergency borrowing or supplier payment delays that damage trade relationships.

A useful calibration exercise: model three loss scenarios (minor, moderate, catastrophic) against the company's current financial position and projected financials. For each scenario, assess the impact on EBITDA, cash, covenants, and working capital. The point at which the impact transitions from 'manageable within normal operations' to 'requires emergency measures' defines the upper boundary of risk appetite.

In a large Indian conglomerate, risk appetite governance sits with a dedicated Chief Risk Officer reporting to the board's Risk Committee. In a mid-market company with INR 100-500 crore revenue, this structure is rarely practical. The company may have 500 to 5,000 employees, a lean leadership team, and no dedicated risk function. Yet governance is not optional; without clear ownership, the risk appetite framework becomes a document that is approved once and forgotten.

The most effective governance model for Indian mid-market companies assigns three distinct roles. First, the board (or a board-designated committee, often the Audit Committee) approves the risk appetite statement annually and reviews it whenever the company's strategic direction changes materially, such as entering a new geography, making an acquisition, or launching a capital-intensive project. The board does not manage day-to-day risk; it sets the boundaries and holds management accountable for operating within them.

Second, the CFO owns the implementation. In most mid-market companies, the CFO already manages the insurance relationship (directly or through the company secretary). Formalising this role means the CFO is responsible for translating the board-approved risk appetite into insurance programme specifications, monitoring retained losses against the annual aggregate threshold, and reporting to the board when actual losses approach the defined limits. The CFO should present a risk retention report to the board quarterly, showing actual retained losses against the appetite, major claims activity, and any insurance programme changes.

Third, the insurance broker serves as the technical advisor. Indian mid-market companies rarely have the in-house expertise to evaluate policy wordings, benchmark deductible structures, or assess whether a specific sub-limit aligns with the risk appetite. The broker's mandate should be expanded beyond placement to include annual gap analysis against the risk appetite framework, scenario modelling for proposed deductible changes, and market intelligence on emerging risks that may require appetite revision.

A common governance failure in Indian mid-market companies is treating insurance renewal as an annual administrative task rather than a strategic decision. The renewal is the single most important moment for aligning the insurance programme with risk appetite: it is when deductibles are set, sub-limits are negotiated, and coverage gaps are either closed or accepted. Elevating the renewal to a board-agenda item, with a pre-renewal risk appetite review and post-renewal confirmation of alignment, transforms insurance from a cost centre into a governance function.

Indian mid-market companies do not need a multi-year transformation programme to implement a risk appetite framework. A pragmatic 90-day roadmap can move the company from no formal risk appetite to a board-approved framework that directly shapes the next insurance renewal.

Weeks 1-3: Risk inventory and financial benchmarking. The CFO and broker jointly catalogue the company's insured and uninsured risk exposures. This includes reviewing all existing insurance policies (property, stock, machinery, BI, liability, marine, motor fleet), identifying the deductible, sub-limits, and exclusions in each, and mapping uninsured exposures (such as cyber risk, supply chain disruption, or key person dependency). Simultaneously, the CFO prepares a financial profile: trailing three-year EBITDA, current cash reserves, debt covenant thresholds, and working capital headroom. The output is a risk-financial baseline document.

Weeks 4-6: Scenario modelling and appetite calibration. Using the risk inventory, the broker models three to five loss scenarios ranging from a minor machinery breakdown (INR 10-20 lakh) to a catastrophic fire destroying the primary facility (INR 30-50 crore depending on facility value). For each scenario, the model shows the financial impact under the current insurance programme (retained portion after deductibles, sub-limits, and exclusions) and the impact on EBITDA, cash, and covenants. The CFO and promoter review these scenarios and define preliminary appetite thresholds: maximum single-event retention, maximum aggregate annual retention, and zero-tolerance categories.

Weeks 7-9: Board approval and documentation. The CFO presents the risk appetite framework to the board, including the financial rationale, scenario analysis, and proposed thresholds. The board reviews, adjusts if necessary, and approves the framework. The approved statement is documented as a board resolution and incorporated into the company's governance manual.

Weeks 10-12: Insurance programme alignment. The broker receives the approved risk appetite framework and conducts a gap analysis against the current insurance programme. The analysis identifies where deductibles exceed the approved retention, where sub-limits create hidden exposures beyond the appetite, and where uninsured risks contradict zero-tolerance categories. The broker prepares recommendations for the next renewal, with premium estimates for closing each gap. The CFO prioritises the recommendations based on cost-benefit analysis within the board-approved boundaries.

This 90-day process costs nothing beyond the time of existing management and the broker's advisory engagement, which should be part of the broker's standard service for a mid-market client. The output, a board-approved risk appetite framework with direct linkage to insurance programme design, is the single most valuable risk governance tool available to a mid-market company.

Even companies that invest in building a risk appetite framework frequently encounter implementation failures that render the framework ineffective. Understanding these pitfalls helps avoid them.

Pitfall 1: Setting appetite based on premium budget rather than financial capacity. The most common error is defining risk retention not by what the company can absorb, but by what premium the company is willing to pay. A promoter who says 'we will not spend more than INR 25 lakh on insurance premium' is implicitly accepting whatever retention level that budget produces, without evaluating whether the resulting self-insured exposure is tolerable. The risk appetite must be set independently of premium considerations, and then the insurance programme is designed to deliver that appetite at the best available price.

Pitfall 2: Ignoring correlation between risks. Indian mid-market companies often set deductibles policy by policy, without considering that a single event can trigger multiple policies simultaneously. A fire at the factory triggers property damage, stock loss, machinery breakdown, and business interruption claims. If each policy carries a INR 5 lakh deductible, the aggregate retained amount from one fire is INR 20 lakh. The risk appetite framework must evaluate retention on an aggregated, per-event basis, not per policy.

Pitfall 3: Failing to update the framework after material changes. A company that acquires a new facility, enters a high-risk product line, or takes on significant debt has materially changed its risk profile. If the risk appetite framework is not revisited, the existing thresholds may be completely inappropriate. The governance process must include triggers for mandatory review: any acquisition exceeding INR 10 crore, any new facility, any change in debt structure exceeding 20% of existing debt, and any single loss exceeding 50% of the annual retention budget.

Pitfall 4: Treating risk appetite as a compliance exercise rather than a decision tool. If the framework is approved by the board but never referenced when actual insurance decisions are made, it serves no purpose. The test of a functional risk appetite framework is whether it is consulted when the broker proposes a deductible change, when the operations team wants to skip purchasing transit insurance for a new supply route, or when the business development team evaluates a contract that requires specific liability coverage. Embedding the framework into decision workflows, not just board minutes, is what separates effective governance from performative governance.

Pitfall 5: Not communicating the framework to operational managers. The plant head who approves a hot-work permit, the logistics manager who selects a transport route, and the procurement manager who evaluates a critical supplier are all making risk decisions daily. If they are unaware of the company's defined risk appetite, their decisions may inadvertently create exposures that the insurance programme does not cover.

A well-defined risk appetite framework is not a one-time exercise; it is the foundation of a multi-year insurance programme strategy. Indian mid-market companies that treat each renewal as an isolated transaction miss the opportunity to build a programme that improves in both coverage adequacy and cost efficiency over time.

The risk appetite framework enables three strategic capabilities. First, it provides the basis for a structured deductible optimisation programme. Instead of accepting whatever deductible the insurer offers, the company can systematically evaluate deductible options against the approved retention thresholds, selecting the level that optimises the trade-off between premium savings and retained risk. Over a three-year period, a disciplined approach to deductible selection, guided by a clear appetite, typically reduces total cost of risk by 10-15% compared to ad hoc decision-making.

Second, the framework supports informed discussions with insurers about risk quality. When the company can demonstrate to underwriters that it has a board-approved risk appetite, quantified retention thresholds, and a governance process for monitoring retained losses, it signals maturity. Indian insurers and reinsurers increasingly differentiate pricing based on the perceived quality of the insured's risk management. A company that can present its risk appetite framework alongside loss history and risk improvement investments is more likely to receive competitive terms than one that simply shops for the lowest premium.

Third, the framework enables strategic capacity planning. As the company grows, its risk profile changes, more facilities, more inventory, higher revenue, greater third-party exposures. The risk appetite framework allows the CFO to model how growth scenarios affect insurance needs and budget for programme expansion proactively rather than reactively. A company planning to double revenue over five years can project the insurance programme evolution, including anticipated premium increases, additional covers required, and the capital needed to fund increased retentions, and incorporate these projections into business planning.

The IRDAI's 2024 reforms encouraging risk-based pricing and insurer-led risk assessments further increase the value of a documented risk appetite framework. As the Indian insurance market moves toward more differentiated underwriting, companies that can articulate and demonstrate their risk governance will receive increasingly favourable treatment compared to those that present only a premium quotation request. For Indian mid-market companies competing for growth capital, institutional investment, and strategic partnerships, a board-approved risk appetite framework is becoming a prerequisite, not a differentiator.