Why Indian Conglomerates Need a Structured Risk Maturity Assessment in FY2026-27
Indian listed conglomerates entering FY2026-27 face a confluence of governance, disclosure and operational risk pressures that collectively demand a structured assessment of their risk management capability. The pressures originate from multiple directions: SEBI's Business Responsibility and Sustainability Reporting (BRSR) Core framework now operational for the top 1,000 listed companies with mandatory disclosure on risk-related ESG dimensions; the Companies Act 2013 risk governance expectations under section 134(3)(n), section 177 (audit committee responsibilities) and the related provisions on risk management policies; IRDAI broker remuneration disclosure rules creating transparency in insurance procurement that boards now want to understand; the Ind AS 117 transition for any insurance-licensed group entity adding complexity to insurance accounting; and the broader investor and rating agency scrutiny of enterprise risk management (ERM) maturity that increasingly affects capital cost.
The Indian conglomerate structure compounds these pressures. A typical large Indian conglomerate (Tata Group, Mahindra Group, Aditya Birla Group, Reliance Industries, Adani Group, Bharti Group, JSW Group, Larsen and Toubro, ITC, Vedanta, Godrej Group and others at comparable scale) operates 10 to 50 subsidiaries spanning multiple industries, with insurance procurement traditionally decentralised at the operating company level. The decentralisation produces inefficiencies including premium aggregation losses, coverage inconsistency across group entities, limited central visibility into accumulated risk exposure and fragmented broker relationships. Centralising the insurance and risk management function is widely accepted as desirable but operationally challenging given the diversity of operating businesses and the embedded relationships at operating company level.
The ERM dimension extends well beyond insurance procurement. ERM as practised in 2026 at sophisticated Indian conglomerates encompasses strategic risk (industry positioning, business model resilience), operational risk (process integrity, technology dependence, supplier dependency), financial risk (currency, interest rate, commodity, counterparty), compliance risk (regulatory framework changes across multiple sectors), reputational risk (brand, ESG, social licence) and emerging risk (climate transition, geopolitical, technology disruption). Insurance is one risk transfer mechanism within this broader ERM context, complementing risk avoidance, risk reduction, risk retention and other transfer mechanisms.
The board-level expectation has evolved substantially. Indian boards through 2024-25 have increased their direct engagement with risk management beyond compliance review to active risk strategy formulation. Independent directors with risk expertise are increasingly required on boards under SEBI listing regulations. Risk committees of boards (typically chaired by an independent director with relevant background) are receiving more granular reporting on risk register evolution, risk control effectiveness and risk transfer programme adequacy. The board's expectation is for structured assessment of the group's risk maturity that supports board-level oversight rather than ad hoc operational reporting.
The risk maturity assessment framework provides the structure for this work. The framework should: characterise the current state of risk management capability across the group; identify gaps relative to a defined target state; provide a roadmap for capability development with timelines and resource requirements; and produce reporting that supports board-level oversight and external disclosure. The framework should be tailored to the specific conglomerate's structure, industry mix and strategic objectives rather than applied as a generic template.
The assessment work is not academic. It directly affects insurance programme structure, broker selection, captive consideration, board reporting cadence and the strategic positioning of the risk management function. Conglomerates that have invested in structured risk maturity assessment through 2024-25 are typically further along in centralisation, captive development, broker rationalisation and ERM integration than peers without the structured assessment. The competitive advantage compounds over time as the operational benefits accumulate.
For brokers and insurance advisors, the risk maturity assessment work is the frontier of advisory value. Pure placement-stage broking competes on price, scale and relationship, with limited differentiation. Risk maturity advisory engages the board-level conversation on risk strategy and connects to the operational decisions that drive insurance procurement, captive development and ERM integration over multi-year horizons. Brokers with credible risk maturity advisory capability are differentiated for the conglomerate buyer segment; brokers without it are relegated to placement-stage commodity competition.
The Five-Level Risk Maturity Model: Characterising Current State
A practical risk maturity model for Indian conglomerates uses five levels of capability characterisation, drawing on international frameworks (COSO ERM, ISO 31000, ISO 31022) and adapting them to the Indian regulatory and operational context. The five levels span from ad hoc risk management at the lowest level to integrated strategic risk management at the highest level.
Level 1 (Ad Hoc) describes conglomerates where risk management is largely reactive, with insurance procurement handled at operating company level by finance functions without specialist risk management roles. The risk register, where it exists, is a compliance document rather than an operational tool. Insurance placements are renewed based on prior year structure with limited risk reassessment. Brokers are selected primarily on commercial relationship and pricing rather than on capability. The board receives compliance-level risk reporting without depth or analytical content. Captive structures are not used. ERM is largely a label rather than an operational discipline.
Level 2 (Defined) describes conglomerates with a documented risk management policy and a risk register maintained at central or operating company level. Insurance procurement uses a central broker (or a small number of brokers) with documented procurement processes. The risk register is updated periodically (typically annually) with limited integration into business strategy or operational decisions. Board reporting is more substantive but typically focused on insurance programme structure and major loss events rather than on systematic risk evolution. Captive structures may be considered but are typically not yet operational. ERM capability exists but is staffed at limited seniority.
Level 3 (Managed) describes conglomerates with operational ERM capability including a Chief Risk Officer or equivalent senior role, an integrated risk register with risk owners and risk control documentation, structured insurance procurement using broker selection processes that consider technical capability alongside commercial terms, captive insurance for specific risk transfer applications, and a board-level risk committee with substantive engagement. The risk register is integrated with business planning, with risks linked to strategic objectives and risk control effectiveness measured. Internal audit engages with ERM through risk-based audit planning. The risk management function has visibility into group-wide exposure aggregation.
Level 4 (Integrated) describes conglomerates with mature ERM capability extending across strategic, operational, financial, compliance, reputational and emerging risk categories. Insurance programme structure is sophisticated with layered placements, alternative risk transfer instruments, captive structures handling specific exposures and integrated coordination across operating companies. Risk transfer decisions are evaluated against retention alternatives on a structured economic basis. ERM analytics include quantitative modelling of major risk exposures, scenario analysis of multi-risk events, and integration of risk capital with broader capital allocation decisions. Board engagement is sophisticated with regular substantive review of risk register evolution, control effectiveness and emerging risk landscape. ESG and climate risk are integrated into ERM rather than handled separately.
Level 5 (Strategic) describes conglomerates where ERM is integrated with strategic decision-making at the highest level. Risk capacity, risk appetite and risk tolerance are board-level decisions that constrain strategic options. Major capital allocation decisions are evaluated through risk-adjusted return frameworks. Insurance and alternative risk transfer programmes are structured to optimise across the group's full risk portfolio rather than treated as separate operational matters. Captive structures may include multi-purpose captives serving as risk management vehicles across the group. ERM analytics include quantitative aggregation of risks across categories, integration with credit, market and operational risk capital frameworks, and dynamic adjustment to changing strategic context. Board engagement is at the level of strategic risk choices rather than operational risk monitoring.
Assessment methodology
The assessment of current maturity level uses structured evidence gathering across the dimensions of the model. The evidence sources include: documentation review (risk management policy, risk register, insurance programme documentation, broker engagement letters, captive documentation, board reporting); interviews with key risk and insurance professionals (Chief Risk Officer where the role exists, insurance manager, group treasurer, operating company finance and risk staff); review of board minutes for risk committee and audit committee proceedings; review of internal audit findings related to risk management; and benchmark comparison with peer conglomerates where data is available.
The assessment should be conducted by a combination of internal risk management staff and external advisors to ensure objectivity and to leverage external benchmarking expertise. Major insurance brokers (Marsh India, Aon India, WTW India, Howden India, JLT-Mercer, Anand Rathi, Prudent Insurance Brokers, K M Dastur), specialist risk advisory firms (Protiviti, KPMG, EY, Deloitte, PwC) and dedicated risk management consultancies are available for this work. The assessment typically takes 8 to 16 weeks depending on conglomerate scale and complexity.
Multi-entity calibration
For conglomerates with diverse operating businesses, the maturity assessment should be calibrated across operating entities rather than aggregated into a single group-level rating. An operating company in a highly regulated industry (banking, insurance) may operate at level 4 while an adjacent operating company in a less regulated industry operates at level 2. The maturity calibration enables targeted capability development at operating companies where the gap is largest, rather than uniform investment across the group.
The calibration also surfaces the central function's role. Where operating companies operate at varying maturity levels, the central group risk function should provide consistency and elevation, supporting lower-maturity operating companies while not constraining higher-maturity operating companies. The central function's own maturity is a separate assessment dimension that interacts with operating company maturity.
Insurance Procurement Maturity: From Operating Company Placement to Group Programme Architecture
Insurance procurement is one of the most visible dimensions of risk maturity and one where Indian conglomerates frequently have significant capability gaps. The procurement maturity progression moves through operating-company-level placement with multiple brokers and inconsistent terms, through centralised broker engagement with operating-company-level decisions, through group-level programme architecture with operating-company implementation, to integrated risk transfer programmes with captive structures and alternative instruments.
The operating-company-level placement model, which remains common at many Indian conglomerates, has structural disadvantages. Different operating companies may negotiate with different brokers, accept different policy wordings for the same risk type and pay materially different rates for comparable exposure. The aggregate group spend is fragmented across multiple insurers and reinsurers with no leverage from the total volume. Coverage gaps and overlaps exist between operating companies, with some risks double-insured and others uninsured. Loss experience is not aggregated for negotiating leverage, with each operating company presenting its own loss history rather than the consolidated group experience.
The centralised broker engagement model, increasingly common at major Indian conglomerates, addresses some of these disadvantages. A single broker (or a small panel of brokers selected for specific lines or geographies) is engaged at group level with consistent service standards across operating companies. The aggregate group spend is presented to the market through the central broker, enabling some leverage on terms. Policy wordings are standardised where possible across operating companies. Coverage gaps and overlaps are identified through the central review. Loss experience is aggregated for negotiating purposes.
The centralised broker model still has limitations. The actual placement decisions and policy structures often remain at operating company level, with the central function providing coordination rather than authority. The group view of risk exposure is incomplete because operating company-level decisions may not align with group-level priorities. The broker scope is typically limited to placement services rather than full risk advisory.
The group programme architecture model represents a substantial advancement. The central risk management function defines the group programme structure, including: master policy structures covering multiple operating companies under common wording; layered programme structures with captive participation at retention layers and the traditional market at higher layers; centralised broker management with technical and commercial roles separated; centralised claims management with consistency across operating companies; and integrated reporting that supports both operating company management and group-level oversight. Operating companies implement within the group framework rather than operating independently.
The integrated risk transfer programme model is the most advanced approach. The group captive (typically in GIFT City IFSC or in a traditional captive domicile) retains specific layer exposures with capacity scaled to the group's risk appetite. Alternative risk transfer instruments (parametric covers, insurance-linked securities, structured experience-rated arrangements) supplement the traditional market placement. The risk transfer architecture is optimised across the group's full risk portfolio with risk capital allocated efficiently. The board's risk appetite statement informs the architecture, with measurable thresholds for retention versus transfer.
Centralisation transition management
The transition from operating-company-level placement to group programme architecture is operationally complex. The transition typically takes 24 to 48 months to complete and requires careful change management. The key transition elements include: stakeholder management at operating company level (where the existing broker relationships and procurement processes have embedded value); broker rationalisation (selecting the broker or brokers to manage the centralised function); policy wording harmonisation (developing common wordings that work across diverse operating companies); claims management integration (establishing claims handling consistency); and reporting framework development (designing reporting that supports both operating and group level needs).
The transition should be sequenced to avoid disrupting active claims, ongoing programme renewals or critical operations. Typically the transition starts with a small number of policy lines or operating companies, expands to broader coverage over the transition period, and reaches full centralisation in years 3 to 4 of the programme. The broker engagement during the transition is critical; brokers with experience in similar conglomerate centralisation transitions are differentiated for this work.
Captive structure consideration
GIFT City IFSC captive structures have become increasingly attractive for Indian conglomerates through 2024-25 and into FY2026-27. The captive economic case depends on group premium volume (typically requiring INR 50 crore-plus annual premium spend for captive economics), loss experience profile, the operational cost of captive management and the regulatory and tax framework. The captive structuring decision should be addressed as part of the group programme architecture rather than as a standalone consideration.
The captive can serve multiple functions: retention of attritional and working-layer exposures with controlled risk financing economics; access to the reinsurance market on the captive's own paper rather than through fronting insurer arrangements; centralised risk financing decision-making with group-wide visibility; and an ESG and climate risk management vehicle for emerging risk categories where the traditional market is limited. The captive design should reflect the specific functions intended at the design stage.
Broker relationship management
The broker relationship in mature insurance procurement is structured as a strategic advisory partnership rather than a transactional placement service. The broker engagement letter should specify the scope of services beyond placement (risk advisory, claims management, captive management, reporting, training), the service level standards, the remuneration structure (with explicit treatment of insurer-paid commissions, fee-based components and any conflict provisions), and the performance measurement framework. The IRDAI broker remuneration disclosure framework, refined in 2024-25, has improved transparency in this area.
The broker selection at the strategic advisory level should evaluate technical capability, sector specialisation, client portfolio comparability, claims advocacy track record, technology platform capability and team continuity. The major Indian and international brokers offer comparable strategic advisory capability for the conglomerate segment with differentiation primarily in sector specialisation and specific team strength. The brokers without scale or specialty positioning are not appropriate for the conglomerate strategic advisory role regardless of competitive pricing on the placement side.
Board and Risk Committee Engagement: Structuring the Reporting and Decision Framework
Board and risk committee engagement on risk management has matured substantially at Indian conglomerates through 2024-25 in response to regulatory expectations (Companies Act, SEBI listing regulations, BRSR Core), investor expectations (rating agencies, institutional investors with ESG mandates) and operational complexity (group-wide risk visibility requirements). The engagement structure determines how effectively the risk management function supports the board's oversight role and how risk considerations inform strategic decisions.
The risk committee of the board, where established as a separate committee, typically meets quarterly with a substantive agenda covering risk register evolution, risk control effectiveness, insurance programme structure, claims experience and the emerging risk landscape. Where a separate risk committee is not established, the audit committee handles the risk oversight responsibilities, with potential capacity constraints given the audit committee's other duties. The Companies Act framework allows either structure; SEBI listing regulations require a risk management committee for certain listed entities.
The risk committee composition should include independent directors with relevant expertise (former CROs, insurance industry executives, retired regulators, risk management academics) alongside executive directors with operational responsibility. The chairperson is typically an independent director with risk expertise. The committee should receive substantive briefing materials before each meeting with adequate time for preparation; superficial briefing materials that arrive immediately before the meeting do not support effective oversight.
The regular risk committee agenda should cover: risk register updates with new risk identification, risk score changes and control effectiveness assessment; insurance programme structure summary with placement progress, claims experience and programme performance; captive structure performance where applicable; ESG and climate risk integration; emerging risk monitoring with scenario analysis for high-impact emerging risks; and a forward-looking review of the regulatory and operational risk landscape. The agenda should be tailored to the specific conglomerate's risk profile with annual themes addressing strategic risk topics in greater depth.
The board-level engagement (full board rather than risk committee) typically focuses on risk appetite, major risk decisions and strategic risk implications. The board should review the risk appetite statement at least annually with consideration of changes in the strategic environment. Major risk decisions (significant captive establishment, major new risk transfer programme, strategic risk acceptance for new business ventures) should come to the full board for approval rather than being handled at risk committee level. Strategic risk implications of major capital allocation decisions should be addressed at the board level as part of the strategic review.
Reporting framework design
The reporting framework supporting board and risk committee engagement should be designed to provide both operational detail for substantive review and strategic synthesis for decision support. The framework typically includes: a monthly or quarterly executive dashboard with key risk indicators and major movements; a quarterly risk committee package with detailed risk register, insurance programme, claims and captive reporting; an annual strategic risk report addressing the risk landscape, capability assessment, and forward-looking initiatives; and ad hoc reporting for material events or emerging risks requiring board attention.
The reporting should balance detail and synthesis. Excessive detail produces information overload and reduces strategic engagement; insufficient detail prevents substantive oversight. The framework should evolve based on board feedback, with regular review of reporting effectiveness and structured improvement.
ESG, climate and BRSR Core integration
The BRSR Core framework operational from FY2024-25 requires disclosure on specific ESG dimensions including risk-related metrics. The integration of BRSR Core requirements with the risk management framework supports both regulatory compliance and substantive risk management. The integrated approach treats ESG and climate risk as components of the broader risk register rather than separate workstreams, with cross-functional engagement between sustainability, risk management and finance functions.
The climate risk dimension is particularly important. The Indian regulatory expectation for climate risk disclosure has accelerated with BRSR Core now operational, the Reserve Bank of India's climate risk framework for banks and the broader investor expectation. The risk management function should integrate physical climate risk (operational impact from extreme weather, sea level rise, water stress) and transition climate risk (regulatory transition costs, technology obsolescence, market shifts) into the risk register with structured assessment of materiality, control effectiveness and risk transfer adequacy.
The scenario analysis approach to climate risk has matured through 2024-25 with several Indian conglomerates publishing detailed climate risk disclosures referencing TCFD frameworks (Task Force on Climate-related Financial Disclosures) and the BRSR Core requirements. The scenario analysis should be substantive rather than checkbox-compliant, with quantitative analysis where data is available and structured qualitative analysis where it is not. The output should inform both disclosure and operational decisions.
Internal audit and assurance integration
Internal audit engagement with the risk management framework provides important assurance and supports continuous improvement. The internal audit should: conduct risk-based audit planning that aligns audit activities with the risk register priorities; review the operational effectiveness of risk controls identified in the risk register; assess the design and operation of the insurance programme and claims management framework; review captive structure operations and reporting; and report findings to the audit committee with implications for risk management capability.
The relationship between internal audit and risk management should be coordinated but independent. The risk management function provides the framework and operational support; internal audit provides independent assurance on the framework's design and operation. The roles should not be conflated, and the reporting lines should support both functions' independence (typically risk management reporting to the CFO or directly to the CEO; internal audit reporting to the audit committee with administrative support from the CFO).
Industry Vertical Customisation: Adapting the Framework Across Diverse Operating Businesses
Indian conglomerate operating businesses span industries with materially different risk profiles, regulatory frameworks and insurance market structures. The risk maturity framework must be customised to the specific operating business while maintaining group-level consistency. The customisation typically operates at the level of the risk register categorisation, the insurance programme structure and the operational risk management practices, while group-level governance and reporting remain consistent.
For manufacturing operating businesses (steel, cement, chemicals, automotive, textiles, food processing, pharmaceuticals), the risk register typically emphasises operational risks including process safety, equipment integrity, supply chain dependency, product liability and environmental compliance. The insurance programme structure typically combines property and engineering (large primary programmes), liability (product liability, public liability, professional indemnity where applicable), marine cargo for inbound feedstock and outbound product, and specific covers (statutory boiler insurance, regulatory cover specific to the industry). The risk management practices emphasise process safety management, equipment maintenance discipline, supply chain risk management and environmental compliance.
For services operating businesses (IT services, financial services, retail, hospitality, healthcare), the risk register typically emphasises customer-facing risks (service delivery, data protection, brand and reputation), people risks (key person, employment-related liabilities) and technology risks (cyber, system availability, data integrity). The insurance programme structure typically combines professional indemnity (primary cover for service delivery risks), cyber (data and system protection), directors and officers (governance risk), and specific covers (medical malpractice for healthcare, fidelity for financial services). The risk management practices emphasise data protection, service level management, customer experience, employee engagement and technology resilience.
For infrastructure and energy operating businesses (power generation, transmission, ports, roads, telecom, renewable energy), the risk register typically emphasises project execution risks (during construction phase), operational availability risks (during operation), regulatory risks (in the sector-specific regulatory framework) and political and force majeure risks (for long-tenure infrastructure assets). The insurance programme structure typically combines CAR and EAR with DSU during construction, operational property and engineering during operation, and specific covers (terrorism insurance for critical infrastructure, parametric weather covers for renewable energy). The risk management practices emphasise project management discipline, operational reliability, regulatory engagement and asset integrity management.
For banking and financial services regulated entities (where the conglomerate includes a bank, NBFC, asset manager or insurance company), the regulatory framework dominates the risk management approach. The RBI risk framework for banks and NBFCs, the SEBI framework for asset managers and the IRDAI framework for insurance entities each impose specific risk management requirements that interact with but exceed the group ERM framework. The integration of regulated entity risk management with group ERM requires careful design to avoid duplication while ensuring consistency.
Cross-business risk aggregation
The diverse operating businesses produce risk exposures that aggregate at group level even where the specific risks are different. Geographic aggregation (multiple operating businesses in the same state or city facing common natural perils, political risk or regulatory exposure), supplier aggregation (multiple operating businesses dependent on common suppliers), customer aggregation (multiple operating businesses serving the same large customers), and brand aggregation (where issues at one operating business affect group reputation) all create cross-business risk dimensions.
The risk register should include cross-business risk categories alongside operating-business-specific categories. The cross-business risks are typically managed at central group level rather than at operating company level, with operating companies providing inputs but the aggregate position being held centrally. Insurance programme structure for cross-business risks may include group-level master programmes that allocate cover across operating companies based on exposure.
M&A and divestment integration
The risk maturity framework should integrate with M&A and divestment activity. New acquisitions bring their own risk profiles, insurance programmes and risk management capabilities that need to be assessed and integrated. Divestments remove specific risk exposures but may leave residual obligations (representation and warranty exposure, transition service agreements, ongoing indemnification). The risk management function should be engaged early in M&A and divestment processes with structured due diligence input and integration planning.
The integration of an acquired business should include: assessment of the acquired business's risk maturity against the group framework; identification of risk gaps requiring remediation; integration of the acquired business's insurance programme with the group programme (typically over a 12 to 24 month transition); integration of risk reporting with the group framework; and ongoing capability development to bring the acquired business to the group's target maturity level. The integration process is often where conglomerates' risk maturity is tested, with capability gaps revealed when M&A activity exceeds the integration capacity.
International operations consideration
Indian conglomerates with international operations face additional risk dimensions including currency risk, political risk, cross-border regulatory risk and varying local insurance market conditions. The international insurance programme structure typically uses master policies covering all jurisdictions with local-issued policies in jurisdictions requiring local paper, supplementary covers for specific jurisdiction risks and coordinated claims management across jurisdictions. The international captive considerations include domicile choice, tax efficiency, regulatory simplicity and operational practicality.
The major Indian conglomerates with significant international operations (Tata Group through Tata Steel, Tata Motors, Jaguar Land Rover and other entities; Mahindra Group through international automotive and farm equipment operations; Reliance through international refining and petrochemicals; Adani through international port and energy operations; JSW through international steel and energy; Larsen and Toubro through Middle East infrastructure) have built sophisticated international risk management structures that the broader conglomerate base can reference.
Roadmap to Target Maturity: Sequencing, Investment and Capability Building
The roadmap from current maturity level to target maturity level requires structured planning with sequencing of initiatives, investment commitment and capability building. The typical conglomerate at level 2 or level 3 targets level 4 over a 3 to 5 year horizon, with specific initiative sequencing depending on current capability gaps and strategic priorities. The roadmap should be approved at risk committee or board level with periodic progress review.
The initiative sequencing should typically follow a logical progression. Phase 1 (year 1) focuses on foundation building including: risk management policy refresh and approval; risk register restructuring with consistent methodology across operating companies; broker rationalisation with selection of central broker partner; insurance programme inventory and gap analysis; and risk committee or audit committee operating model refinement. Phase 1 produces visible improvement in governance and consistency without requiring major capability investment.
Phase 2 (years 1 to 2) addresses insurance programme architecture and the captive structure decision. The phase includes: insurance programme architecture design with master policy structures, layered placement and captive participation; captive feasibility assessment and (where positive) captive establishment in GIFT City IFSC or alternative domicile; broker relationship deepening with explicit advisory scope; claims management framework development; and reporting framework refinement. Phase 2 requires more investment in capability and infrastructure but produces material economic benefit through programme optimisation.
Phase 3 (years 2 to 3) addresses ERM analytical capability and broader integration. The phase includes: quantitative risk modelling capability for major exposure categories; scenario analysis framework for emerging risk including climate; integration with strategic planning and capital allocation processes; ESG and BRSR Core integration; and analytical talent recruitment to support the capability. Phase 3 requires substantial investment in talent and tools but transforms the risk management function from operational support to strategic enabler.
Phase 4 (years 3 to 5) addresses the integrated strategic risk management capability characteristic of level 5 maturity. The phase includes: risk capital allocation framework integration with broader capital allocation; alternative risk transfer instrument deployment for specific risk categories; multi-purpose captive structure development; board-level engagement on risk strategy in strategic decision context; and continuous capability evolution. Phase 4 represents the leading-edge capability that distinguishes the most sophisticated conglomerates.
Capability building dimensions
The capability building required across the roadmap spans multiple dimensions. The talent dimension requires recruiting and developing risk management professionals with relevant expertise. Senior roles include Chief Risk Officer (often with insurance, banking or consulting background), Group Insurance Manager (with broker or insurer background), captive manager (with captive insurance experience), risk analytics lead (with quantitative background) and operating company risk managers. The talent market for these roles in India is competitive, with a significant compensation premium for experienced professionals.
The technology dimension requires platforms supporting risk register management, insurance programme administration, claims management, captive operations and analytical capability. The platform options include enterprise risk management platforms (RSA Archer, MetricStream, LogicManager and others), insurance broker platforms with client-facing capability (used through the broker relationship), and bespoke development. The choice depends on the conglomerate's specific requirements, the broader IT environment and the cost-benefit assessment.
The process dimension requires structured operating procedures for risk register maintenance, insurance programme management, claims handling, captive operations and reporting. The procedures should be documented, supported by training and audited for compliance. Standardisation across operating companies is a continuous improvement effort that benefits from central function leadership.
The culture dimension is the most difficult and often the most important. Risk management capability requires a culture that values structured risk thinking, supports open communication of risk findings and integrates risk considerations into business decisions. The culture is built through leadership commitment, structured training, performance management integration and continuous reinforcement. Conglomerates with strong risk culture at the operating level typically have it because senior leadership has invested in it over years; conglomerates with weak risk culture cannot remediate it quickly even with policy and process changes.
Investment scale and return
The investment scale for the multi-year roadmap depends on conglomerate scale and starting capability. A typical INR 50,000 crore revenue conglomerate moving from level 2 to level 4 might invest INR 30 to 80 crore over the 3 to 5 year period in central function capability, technology platforms, broker partnership and captive operations, with operating company-level investment additional to this central investment. The return on the investment comes through insurance programme cost reduction (typically 8 to 15 percent of programme cost), loss avoidance and mitigation (variable but typically significant), captive economic benefit (where applicable), and strategic decision support (less directly measurable but important).
The payback period for the investment typically ranges from 18 to 36 months on the directly measurable economic benefits, with longer-term strategic benefits continuing to accumulate. Conglomerates that have made the investment through 2023-25 are typically realising the returns through 2026-27.
Platform support for the journey
Integrated insurance technology platforms supporting brokers and corporates in delivering the risk maturity roadmap are emerging in the Indian market. The platforms provide centralised data management for risk registers, insurance programmes, claims data, captive operations and analytical capability. They support the integrated workflow across the risk management function with appropriate access controls for operating company users, central function users, broker users and board users. Sarvada is one such platform supporting brokers in delivering integrated risk maturity advisory for Indian conglomerate buyers.