Why the Risk Appetite Statement Has Become the Anchor Document for Indian Mid-Cap ERM
The risk appetite statement is the document that captures, in board-approved form, how much risk an enterprise is willing to accept in pursuit of its strategic objectives. The statement sets the boundaries within which operational, financial, and strategic decisions are taken. The 2024 to 2026 period has seen Indian mid-cap corporates with market capitalisation in the INR 5,000 to 50,000 crore range progressively adopt structured risk appetite statements as the anchor document for enterprise risk management (ERM).
The drivers of adoption are several. SEBI LODR Regulation 4(2)(f) establishes the principles of corporate governance applicable to listed companies, with the board's risk oversight role specifically articulated. SEBI LODR Regulation 21 requires the top 1,000 listed companies (by market capitalisation as on 31 March) to constitute a Risk Management Committee with a defined operating mandate. The Companies Act 2013, through Section 134(3)(n), requires the Board's report to include a statement on the risk management policy, including identification of elements of risk that may threaten the existence of the company. Section 177(4)(vii) requires the audit committee to evaluate internal financial controls and risk management systems. The combined framework places the board under direct accountability for risk management oversight, with the risk appetite statement as the natural anchor document.
The National Financial Reporting Authority (NFRA) scrutiny of risk management disclosures through 2023 to 2025 has produced enforcement orders against auditors for inadequate audit work on risk management systems. The scrutiny has flowed through to mid-cap companies via auditor demand for documented risk frameworks. Auditors at mid-cap clients now expect to see a board-approved risk appetite statement, a risk register aligned to the statement, and evidence of board-level risk discussions reflecting the appetite framework before signing off the audit.
For Indian mid-cap corporates in 2026, the practical position is that the risk appetite statement is not an optional governance artifact. It is the document that the board uses to set risk boundaries, that the CRO and CFO use to design the insurance programme and treasury policy, that the auditor uses to evaluate risk management, and that the regulator and the credit rating agency use to assess governance quality. The statement that works captures the enterprise's specific risk profile and decision frame. The statement that fails reads like generic risk language without operational substance.
This post lays out the 2026 framework for drafting a risk appetite statement for an Indian mid-cap corporate. It covers framework selection between ISO 31000 and COSO ERM, the qualitative and quantitative thresholds that translate appetite into operating limits, the retention versus transfer decisions that flow from the statement, the SEBI LODR and Companies Act compliance touchpoints, the board sign-off process, and the alignment with insurer underwriting submissions.
Framework Selection: ISO 31000:2018 and COSO ERM 2017
The risk appetite statement should be grounded in a recognised ERM framework. The two dominant references for Indian mid-cap corporates are ISO 31000:2018 and COSO ERM 2017. The choice between them, or the hybrid that uses both, depends on the enterprise's profile and the preference of the board and the audit committee.
ISO 31000:2018
The ISO 31000:2018 Risk Management Guidelines provide principles, framework, and process guidance applicable across organisations. The framework is compact, principle-led, and well-suited to industrial and engineering contexts. ISO 31000 articulates eight risk management principles including integration, structured and thorough approach, customisation, inclusion, dynamic adjustment, best available information, human and cultural factors, and continual improvement.
The ISO 31000 framework structures risk management through six phases: scope, context, and criteria; risk assessment (identification, analysis, evaluation); risk treatment; communication and consultation; recording and reporting; and monitoring and review. The framework supports a clear progression from establishing the risk context through to treatment decisions, with the appetite statement positioned as part of the scope and criteria definition.
COSO ERM 2017
The COSO Enterprise Risk Management 2017 Update positions risk management within strategy and performance. The framework articulates twenty principles across five components: governance and culture, strategy and objective-setting, performance, review and revision, and information, communication, and reporting.
The COSO framework is well-suited to enterprises with significant strategic and financial complexity, including listed mid-cap companies with multi-segment operations, financial services exposure, or international operations. The framework's emphasis on aligning risk management with strategy execution supports the board-level conversation about appetite as a strategic decision rather than a compliance artifact.
Hybrid framework
Most Indian mid-cap corporates in 2026 operate hybrid frameworks combining COSO ERM at the governance and strategy level with ISO 31000 at the operational risk level. The hybrid approach reflects practical reality: COSO supports board and audit committee discussions; ISO 31000 supports operational risk identification, assessment, and treatment at the business unit level. The hybrid framework is well-suited to mid-cap enterprises that have both strategic and operational risk concentration.
Practical framework selection guidance
- Listed mid-cap companies above INR 10,000 crore market cap: COSO ERM 2017 with ISO 31000 operational supplementation. The COSO emphasis on strategy and appetite matches SEBI LODR Regulation 21 risk management committee requirements.
- Industrial and manufacturing mid-cap: ISO 31000-led hybrid with COSO components for board reporting.
- Service and technology mid-cap: COSO ERM 2017 with integrated cyber and information security risk treatment.
- Family-owned and promoter-led mid-cap: simpler ISO 31000 framework with attention to governance and culture is often more workable than full COSO.
The framework selection should be documented in the risk management policy with the rationale captured for auditor and regulator review.
Avoiding framework dogmatism
An important practical point is that the framework is the structure, not the substance. The Indian mid-cap risk appetite statements that work focus on identifying real risk boundaries that the enterprise will operate within. The statements that fail follow the framework template without engaging with the underlying risk reality. Auditors and regulators look through framework compliance to substantive risk content; framework adoption without substance produces audit qualifications and regulatory disclosure issues.
Qualitative and Quantitative Thresholds: Translating Appetite into Operating Limits
The risk appetite statement should articulate appetite through both qualitative statements (describing the enterprise's strategic stance toward each major risk category) and quantitative thresholds (specifying operating limits in measurable terms). The combination is what gives the statement operational value.
Qualitative appetite statements
The qualitative statements should cover the major risk categories with clear language about the enterprise's posture. Examples for an Indian mid-cap manufacturer might include:
- Strategic risk: 'The enterprise has moderate appetite for strategic risk associated with capacity expansion, technology adoption, and adjacent product line entry. The enterprise will accept strategic risk where the expected economic value supports the risk and where the risk does not threaten enterprise existence.'
- Operational risk: 'The enterprise has low appetite for operational risk including production disruption, equipment failure, and supply chain failure. The enterprise will invest in operational risk controls including preventive maintenance, supplier diversification, and business continuity to maintain operational risk within tolerance.'
- Financial risk: 'The enterprise has low to moderate appetite for financial risk. The enterprise will maintain conservative gearing, prudent foreign exchange and commodity hedging, and adequate liquidity to absorb credit and counterparty losses within tolerance.'
- Compliance and legal risk: 'The enterprise has zero appetite for compliance failures. The enterprise will operate within all applicable laws and regulations and will invest in compliance infrastructure to maintain compliance risk at minimum.'
- Reputational and ESG risk: 'The enterprise has low appetite for reputational risk. The enterprise will operate to high ESG standards, will engage with stakeholders transparently, and will respond to reputational events with disciplined communication and corrective action.'
The qualitative statements should be specific to the enterprise. Generic language fails the substance test that auditors and regulators apply.
Quantitative thresholds
The quantitative thresholds translate qualitative appetite into measurable operating limits. The 2026 best practice for Indian mid-cap corporates includes thresholds across six categories.
- Single-loss tolerance: the maximum financial loss from a single event that the enterprise will absorb without strategic or financial impairment. For a mid-cap with INR 8,000 crore turnover and INR 4,000 crore total assets, single-loss tolerance might be set at INR 200 crore representing approximately 2.5 percent of turnover and 5 percent of total assets. Single losses above the tolerance must be transferred through insurance, hedging, or other mechanisms.
- Aggregate-loss tolerance: the maximum aggregate loss from all sources in a single financial year that the enterprise will absorb. Typically calibrated at 2x to 3x single-loss tolerance, recognising that multiple smaller events can aggregate to material impact. For the example mid-cap, aggregate-loss tolerance might be set at INR 500 crore.
- Liquidity tolerance: minimum liquidity position the enterprise will maintain through stress scenarios. Typically expressed as cash plus undrawn credit facilities relative to short-term obligations. A typical mid-cap tolerance might be 1.5x cover of 6-month operating costs under stress.
- Leverage tolerance: maximum net debt to EBITDA ratio the enterprise will operate at. Typical mid-cap tolerance ranges from 2.5x to 3.5x net debt to EBITDA depending on sector and stability.
- Customer concentration tolerance: maximum revenue concentration with any single customer. Typical mid-cap tolerance ranges from 15 to 25 percent revenue from a single customer.
- Supplier concentration tolerance: maximum input concentration from any single supplier. Typical mid-cap tolerance ranges from 20 to 35 percent input value from a single supplier.
Threshold calibration to balance sheet
The thresholds should be calibrated to the enterprise's specific balance sheet and risk capacity rather than to industry benchmarks. The calibration process runs through three steps. First, identify the enterprise's risk capacity: the maximum loss the enterprise can absorb without compromising operational continuity, strategic execution, or stakeholder commitments. Second, identify the enterprise's risk appetite as a fraction of risk capacity: typically risk appetite is set at 50 to 70 percent of risk capacity, leaving margin for execution variability and unidentified risks. Third, allocate the appetite across risk categories based on the enterprise's strategic priorities and the specific risk profile.
Stress scenario calibration
The thresholds should be tested against stress scenarios to validate that they would hold under adverse conditions. The 2026 best practice includes annual stress testing against scenarios such as a major cyber incident with extended business interruption, a fire or natural catastrophe at the largest site, a key customer default, a supplier failure, a regulatory action, and a leadership departure. The stress testing reveals where the thresholds are inadequate and where the appetite framework requires adjustment.
Retention Versus Transfer: Connecting Appetite to the Insurance Programme
The risk appetite statement directly drives the retention versus transfer decision that shapes the enterprise's insurance programme. The 2026 best practice for Indian mid-cap corporates uses the appetite thresholds as the explicit basis for deciding which risks to retain on balance sheet and which to transfer through insurance.
Retention decision framework
The retention decision runs through four questions for each material risk.
- Is the single-loss tolerance breached? If the inherent or residual loss potential from a single event exceeds the single-loss tolerance, transfer through insurance is required for the portion above tolerance. The portion below tolerance is a candidate for retention if the economics support it.
- Is the aggregate-loss tolerance breached when combined with other retained risks? Even where individual single losses are below tolerance, the aggregate of retained losses across all sources may exceed aggregate tolerance. The aggregate test constrains the total retention the enterprise can absorb.
- Is the retention economically efficient? The retention versus transfer decision is also an economic decision: at what premium does insurance transfer become cost-effective relative to retained risk? For high-frequency low-severity risks, retention through deductibles is typically more efficient than transfer of small losses. For low-frequency high-severity risks, transfer is typically more efficient than retention because the premium reflects the expected loss with a margin that is justified by the smoothing of large variances.
- Does retention require dedicated financing? Large retentions may require dedicated financing mechanisms including reserves, captive insurance, parametric covers, or contingent capital facilities. The appetite statement should connect the retention decision to the financing mechanism.
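As an added example (not a tool from the article), the following Python script works the quantitative thresholds from the section above and the four retention questions through for the INR 8,000 crore turnover, INR 4,000 crore total assets mid-cap used earlier. The risk names, single-loss figures, frequencies and premium quotes are constructed for the illustration; the retention-cost model (expected loss plus a 20 percent charge on loss volatility) and the rule that flags a need for dedicated financing are assumptions added here, not rules the article states.

```python
"""Appetite-driven retention-versus-transfer screen.

Added illustration, not a tool from the article. All figures are INR crore and
every risk below is constructed for the example; the capital-charge model in
retention_cost() and the financing-flag rule are assumptions.
"""
import math
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    single_loss: float        # plausible worst-case loss from one event, INR crore
    annual_frequency: float   # expected events per year
    layer_premium: float      # constructed quote to insure the retained layer, INR crore per year


@dataclass
class RetentionLine:
    name: str
    retained: float
    transferred: float
    notes: list = field(default_factory=list)


def single_loss_tolerance(turnover, total_assets, pct_turnover=0.025, pct_assets=0.05):
    """Lower of the two balance-sheet anchors the article uses: 2.5% of turnover, 5% of assets."""
    return min(pct_turnover * turnover, pct_assets * total_assets)


def aggregate_loss_tolerance(single_tol, multiple=2.5):
    """Aggregate tolerance as a multiple of single-loss tolerance (article range: 2x to 3x)."""
    return multiple * single_tol


def retention_cost(retained, frequency, capital_cost_rate=0.20):
    """Assumed annual cost of keeping a layer on balance sheet.

    Expected loss plus a charge on its volatility. With a fixed severity and
    Poisson event counts, the standard deviation of annual loss is
    severity * sqrt(frequency): a low-frequency, high-severity layer is
    expensive to carry, a high-frequency, low-severity layer is cheap to carry.
    """
    expected = frequency * retained
    volatility = retained * math.sqrt(frequency)
    return expected + capital_cost_rate * volatility


def retention_plan(risks, single_tol, aggregate_tol):
    """Run the article's four retention questions over a list of risks."""
    lines = []

    # Q1: single-loss test. Anything above single-loss tolerance must be transferred.
    for r in risks:
        retained = min(r.single_loss, single_tol)
        line = RetentionLine(r.name, retained, r.single_loss - retained)
        if line.transferred > 0:
            line.notes.append("single-loss tolerance breached: excess transferred")
        lines.append(line)

    # Q2: aggregate test. If retained single losses sum past aggregate tolerance,
    # push the excess to transfer, largest retention first.
    excess = sum(l.retained for l in lines) - aggregate_tol
    for line in sorted(lines, key=lambda l: l.retained, reverse=True):
        if excess <= 0:
            break
        cut = min(line.retained, excess)
        line.retained -= cut
        line.transferred += cut
        excess -= cut
        line.notes.append("aggregate tolerance breached: retention cut by %.0f" % cut)

    # Q3: economics. Transfer the retained layer when the quoted premium is no more
    # than the assumed cost of carrying it (expected loss plus capital charge).
    for r, line in zip(risks, lines):
        if line.retained > 0 and r.layer_premium <= retention_cost(line.retained, r.annual_frequency):
            line.transferred += line.retained
            line.retained = 0.0
            line.notes.append("transfer cheaper than retention: layer transferred")

    # Q4: financing flag. Assumed rule: retained aggregate above one single-loss
    # tolerance warrants a reserve, captive or contingent-facility discussion.
    total_retained = sum(l.retained for l in lines)
    return {
        "lines": lines,
        "total_retained": total_retained,
        "total_transferred": sum(l.transferred for l in lines),
        "needs_dedicated_financing": total_retained > single_tol,
    }


# Constructed example risks for the article's INR 8,000 crore turnover / INR 4,000 crore asset mid-cap.
EXAMPLE_RISKS = [
    Risk("Fire at largest plant", single_loss=600, annual_frequency=0.02, layer_premium=12),
    Risk("Cyber incident with interruption", single_loss=250, annual_frequency=0.10, layer_premium=25),
    Risk("Fleet and minor property", single_loss=2, annual_frequency=15, layer_premium=34),
    Risk("Key customer default", single_loss=180, annual_frequency=0.05, layer_premium=20),
]


def example_plan():
    single_tol = single_loss_tolerance(8000, 4000)        # 200 crore
    aggregate_tol = aggregate_loss_tolerance(single_tol)  # 500 crore
    return retention_plan(EXAMPLE_RISKS, single_tol, aggregate_tol)


if __name__ == "__main__":
    plan = example_plan()
    for line in plan["lines"]:
        print(f"{line.name:34} retain {line.retained:7.1f}  transfer {line.transferred:7.1f}  {'; '.join(line.notes)}")
    print("total retained", plan["total_retained"], "needs dedicated financing:", plan["needs_dedicated_financing"])
```

Running it shows the interaction the text describes: the fire and cyber risks breach single-loss tolerance and have their excess transferred, the aggregate test then cuts a further INR 82 crore from the fire retention because the retained single losses sum to INR 582 crore against a INR 500 crore aggregate tolerance, and the economics test transfers the low-frequency cyber layer while keeping the high-frequency fleet layer on balance sheet.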
Deductible structure design
The deductible structure on insurance covers translates the retention decision into operational form. For each major insurance line, the deductible should be calibrated to the enterprise's appetite for retained loss in that category.
- Property and fire: per-loss deductible typically INR 25 lakh to INR 5 crore for mid-cap depending on retention capacity, with a separate STFI (storm, tempest, flood and inundation) deductible reflecting cat exposure tolerance.
- Business interruption: time deductible typically 3 to 14 days for the indemnity period start, with monetary deductible reflecting the appetite for short-duration interruption absorption.
- Machinery breakdown: per-loss deductible typically INR 10 lakh to INR 1 crore depending on equipment value and operational continuity requirements.
- Cyber: per-incident deductible typically INR 25 lakh to INR 5 crore with sub-deductibles for ransomware, business interruption, and data restoration.
- D&O: per-claim deductible (retention) typically INR 1 crore to INR 25 crore for management-side retention with zero deductible for Side A defence cost cover.
- Liability: per-claim deductible typically INR 10 lakh to INR 2 crore for product liability and public liability covers.
Captive insurance and self-insurance
For mid-cap enterprises with significant retention capacity, captive insurance or self-insurance arrangements may be appropriate. The captive structure provides a formal vehicle for retained risks with associated benefits including tax efficiency, risk financing flexibility, and underwriting discipline. The GIFT City captive framework has provided Indian mid-cap enterprises with onshore captive capability since 2024, with growing uptake through 2025 and 2026.
The appetite statement should connect any captive or self-insurance arrangement to the broader retention framework with explicit limits on captive retention, reinsurance structure, and capital allocation.
Premium budget alignment
The insurance premium budget should be aligned with the appetite-driven retention versus transfer split. The 2026 best practice includes annual reconciliation showing total exposure, retained portion, transferred portion through insurance, total premium paid, and effective cost per unit of transferred risk. The reconciliation supports board-level discussion of insurance programme effectiveness and identifies opportunities for optimisation.
SEBI LODR Regulation 4(2)(f), Companies Act, and Compliance Touchpoints
The risk appetite statement for an Indian mid-cap listed corporate must satisfy specific regulatory compliance touchpoints. The 2026 framework covers SEBI LODR Regulation 4(2)(f), Regulation 21, the Companies Act 2013, and adjacent disclosures.
SEBI LODR Regulation 4(2)(f)
Regulation 4(2)(f) establishes the principles of corporate governance applicable to listed entities. The principles include responsibilities of the board with explicit articulation of risk oversight: the board should be responsible for overseeing the implementation of strategic objectives, the operational and risk policies, and the financial strategies. The risk appetite statement is the natural anchor for the risk policies that the board oversees under Regulation 4(2)(f).
The regulation is principle-based rather than prescriptive, providing flexibility for listed corporates to design appetite frameworks suited to their specific profile. The flexibility should not be misread as permission to operate without an appetite framework: SEBI inspection and audit observations through 2024 to 2026 have specifically noted inadequacy of risk policy documentation as a Regulation 4(2)(f) concern.
SEBI LODR Regulation 21 and the Risk Management Committee
Regulation 21 requires the top 1,000 listed entities by market capitalisation as on 31 March of every year to constitute a Risk Management Committee (RMC) with at least three members of whom one shall be an independent director. The RMC meets at least twice a year with quorum requirements. The committee's responsibilities include formulation of a detailed risk management policy and review and monitoring of risk management plans.
The risk appetite statement is the central artifact that the RMC owns. The committee should review the appetite statement annually, recommend changes to the board, and monitor compliance with the appetite framework through quarterly reporting from the CRO. The RMC should also engage with the appetite-driven insurance programme structure, with the CRO and CFO presenting the alignment between appetite and insurance design.
For mid-cap listed companies within the top 1,000, the RMC mandate is statutory. For mid-cap listed companies outside the top 1,000, a formal RMC is not statutorily required but the broader Regulation 4(2)(f) and audit committee responsibilities still apply. Many mid-cap companies outside the top 1,000 constitute voluntary RMCs to operate the appetite framework with appropriate governance.
Companies Act 2013
Section 134(3)(n) requires the Board's report to include a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk which in the opinion of the Board may threaten the existence of the company. The risk appetite statement is the natural source document for the Section 134(3)(n) disclosure.
The 2024 to 2025 NFRA scrutiny of Section 134(3)(n) disclosures has produced multiple cases where the disclosure was found inadequate. The 2026 standard requires specific substantive disclosure rather than generic risk management language. The Board's report should reference the appetite framework, identify the existential risks within the framework, and articulate the risk treatment approach including insurance programme structure.
Section 177(4)(vii) requires the audit committee to evaluate internal financial controls and risk management systems. The audit committee's evaluation should reference the appetite statement and assess whether the operational risk management aligns with the board-approved appetite.
Ind AS disclosure
The Indian Accounting Standards (Ind AS) framework requires disclosure of significant risks and risk management responses in the financial statements. Specific standards including Ind AS 107 (Financial Instruments: Disclosures) require detailed disclosure of financial risk management policies. The appetite statement is the foundation for these disclosures, with the financial statement disclosures cross-referenced to the appetite framework.
Adjacent regulatory frameworks
Depending on the enterprise's sector, additional regulatory frameworks may interact with the appetite statement. RBI regulation for financial services and NBFC operations requires specific risk management and capital adequacy frameworks. IRDAI regulation for insurance and insurance intermediary operations requires specific risk frameworks. SEBI regulation for capital market intermediaries requires specific frameworks. The appetite statement for entities under sector-specific regulation should be designed to satisfy both the cross-cutting governance requirements and the sectoral regulatory requirements.
Disclosure best practice
The 2026 disclosure best practice for Indian mid-cap listed companies includes explicit reference to the appetite framework in the annual report, in the Board's report under Section 134(3)(n), and in the Business Responsibility and Sustainability Report (BRSR). The disclosure should articulate the framework selection, the qualitative appetite for major risk categories, the existence and structure of the RMC where applicable, and the integration with the insurance programme. The disclosure should avoid generic risk language and should provide specific substantive content that the reader can engage with.
Board Sign-Off Process and the Board-Pack Template
The risk appetite statement requires board approval at sign-off and at material amendments. The 2026 best practice for Indian mid-cap corporates uses a structured sign-off process with a board-pack template that supports board engagement with the appetite content.
Sign-off cadence
The initial sign-off establishes the appetite framework. Subsequent reviews occur on an annual cadence with material amendments approved as they arise. The annual review is typically scheduled before the financial year-end to feed into the next year's budget, business plan, and insurance renewal cycle.
Pre-sign-off process
The pre-sign-off process runs through five steps.
- CRO drafting: the CRO prepares the draft appetite statement informed by the risk register, the previous year's risk experience, the strategic plan, and the financial plan. The CRO consults with business unit heads, the CFO, and the legal and compliance function to validate the draft.
- Risk Management Committee review (where constituted): the RMC reviews the draft, challenges the framework selection and threshold calibration, and recommends changes to the CRO. The RMC produces a recommendation to the board.
- Audit committee review: the audit committee reviews the draft from the financial controls and risk systems perspective, validating that the appetite framework aligns with the internal financial controls and the risk management systems.
- Executive committee review: the CEO, CFO, and other executive committee members review the draft from the operational and strategic execution perspective.
- Board approval: the full board reviews the appetite statement, discusses the substantive content, approves the framework, and authorises the operational implementation.
Board-pack content
The board-pack supporting sign-off should include the following components.
- Executive summary: one-page summary of the appetite framework with the headline thresholds and the key changes from the previous version.
- Framework description: documentation of the framework selection (COSO ERM 2017, ISO 31000:2018, or hybrid) with rationale.
- Qualitative appetite statements: appetite for each major risk category with specific language.
- Quantitative thresholds: single-loss tolerance, aggregate-loss tolerance, liquidity, gearing, customer concentration, supplier concentration, and any sector-specific thresholds.
- Calibration analysis: documentation of how the thresholds were calibrated to the balance sheet, the stress scenario testing results, and the comparison to peer benchmarks where available.
- Risk register summary: top 15 to 20 risks from the register with their alignment to the appetite framework.
- Insurance programme alignment: how the current insurance programme reflects the appetite framework, the retention versus transfer split by line, and any identified gaps.
- Compliance touchpoints: how the appetite statement supports Section 134(3)(n) disclosure, Regulation 4(2)(f) and Regulation 21 compliance, audit committee responsibilities, and sector-specific regulatory requirements.
- Implementation roadmap: actions planned to operationalise the appetite framework over the next 12 months including any required policy updates, system changes, or capability investments.
- Resolution language: draft board resolution approving the appetite statement and authorising the CRO and CFO to operate the framework.
Board engagement and challenge
The board sign-off should involve substantive engagement and challenge rather than perfunctory approval. The board should test the threshold calibration against the strategic plan, challenge the framework selection where alternative frameworks might better suit the enterprise, probe the alignment with the insurance programme, and evaluate the integration with the financial plan and the capital allocation framework. The 2026 best practice includes a board-level discussion of at least 60 to 90 minutes on the appetite statement at the annual review, with documented board-pack response capturing the board's challenge and the CRO's response.
Documentation
The sign-off should be documented through board minutes recording the discussion, the resolution approving the appetite statement, and any board-directed changes. The signed appetite statement should be retained in the board archive and made available to the auditor, the RMC, the audit committee, and the executive team. The documentation supports both the audit trail for compliance purposes and the operational reference for the CRO and CFO.
Insurer Underwriting Submission Alignment and Operational Integration
The risk appetite statement directly affects how the enterprise engages with insurance underwriters at renewal and at new placements. The 2026 best practice for Indian mid-cap corporates integrates the appetite framework into the underwriting submission, supporting better pricing, broader cover, and stronger insurer relationships.
Underwriting submission as risk story
The underwriting submission is the enterprise's story to the insurance market. Submissions that present the enterprise as a sophisticated buyer with documented risk frameworks, defined appetite, and disciplined risk management typically secure better terms than submissions that present the enterprise as a transactional buyer with generic risk content.
The risk appetite statement provides the natural narrative structure for the submission. The submission can articulate the enterprise's risk profile, the appetite framework that the board has approved, the specific retention versus transfer decisions that flow from the appetite, and the insurance programme structure that implements the appetite. The structure positions the buyer as a sophisticated counterparty that has thought carefully about the risk transfer decision.
Risk improvement narrative
The appetite statement also supports the risk improvement narrative in the underwriting submission. The statement establishes appetite for residual risk; the gap between current exposure and appetite drives risk improvement priorities. The submission can articulate the risk improvement programme including specific actions, timelines, and investment, demonstrating to underwriters that the enterprise is actively managing risk rather than relying solely on insurance transfer.
Limit and structure alignment
The submission should specifically reference the appetite-driven limit and structure design. For each major insurance line, the submission can articulate the single-loss exposure, the alignment with single-loss tolerance, the retention structure that reflects appetite, and the limit selection that ensures cover above the retention zone. The alignment narrative supports the credibility of the limit and structure ask, particularly for non-standard structures or large limits.
Insurer engagement cadence
The 2026 best practice for Indian mid-cap corporates includes deeper insurer engagement than transactional renewal interactions. The deeper engagement runs through three channels.
- Annual underwriter briefings: structured annual meetings with the primary insurer underwriters at the renewal cycle, presenting the appetite framework, the risk register, the risk improvement progress, and the placement structure ask. The briefings position the enterprise as a long-term partner rather than a transactional buyer.
- Mid-cycle updates: communication of material changes during the policy year including significant new exposures, completed risk improvement actions, or changes to the appetite framework. The updates maintain insurer awareness and support continuity of the underwriter relationship.
- Loss notification and management: disciplined loss notification with prepared documentation, clear engagement with surveyors and adjusters, and constructive resolution of disputes. The loss management approach influences insurer perception of the buyer and affects future placement terms.
Broker role
The broker's role in the appetite-driven placement is meaningful. The broker should engage with the appetite framework as a primary placement input, design the placement structure to reflect the appetite, and articulate the appetite alignment in the insurer submission. The broker should also be the structured channel between the insured and the insurance market for appetite-driven discussions including material changes, new placements, and structure optimisation.
Operational integration with treasury and finance
The risk appetite statement should integrate with the treasury and finance function beyond the insurance programme. The integration runs through several channels.
- Treasury policy alignment: foreign exchange hedging, commodity hedging, and interest rate hedging policies should reflect the financial risk appetite.
- Credit policy alignment: customer credit limits, counterparty exposure limits, and supplier prepayment limits should reflect the credit risk appetite.
- Liquidity management: cash management, committed facilities, and contingent capital arrangements should reflect the liquidity tolerance.
- Capital allocation: investment decisions, M&A appetite, and capital structure should reflect the strategic risk appetite.
The integration ensures that the appetite framework operates as the consistent reference for risk decisions across the enterprise rather than as a siloed insurance and ERM artifact.
Continuous improvement
The appetite framework should evolve with the enterprise. The annual review provides the formal update cadence, but the framework should also adjust to material changes in the enterprise profile including strategic pivots, M&A activity, sector evolution, and external risk environment changes. The 2026 best practice includes continuous improvement orientation with regular benchmarking against peer practice, engagement with framework guidance updates from ISO and COSO, and learning capture from loss events and near-misses.