Why Most Indian Mid-Market Risk Registers Fail to Deliver Strategic Value
Indian mid-market companies, those with annual revenues between INR 100 crore and INR 2,000 crore, occupy a peculiar position in the risk management field. They face enterprise-scale risks spanning regulatory compliance, supply chain disruption, fire and natural catastrophe exposure, and growing cyber threats, yet they rarely have dedicated risk management teams or the institutional frameworks that larger conglomerates rely on. The result is that risk identification happens informally, in corridor conversations, in the CFO's mental model of what keeps them up at night, or reactively after an incident forces attention.
When mid-market companies do create risk registers, the exercise typically follows a pattern that undermines its own purpose. A consultant or auditor prompts the creation during an ISO certification, a statutory audit, or a board governance initiative. A workshop is convened. Risks are brainstormed, usually from a generic template that includes entries like 'fire at factory' and 'exchange rate fluctuation' without grounding them in the specific context of the business. Each risk is assigned a probability score and an impact score on a five-point scale. The resulting matrix is printed, filed, and forgotten until the next audit cycle.
This approach fails for three reasons specific to the Indian mid-market context. First, the risk register is disconnected from insurance programme design. The company purchases property, liability, and marine covers based on broker recommendations and renewal inertia, with no systematic mapping between identified risks and the insurance portfolio. Second, the register does not reflect the regulatory landscape unique to Indian operations, including compliance with the Factories Act, state-level pollution control board requirements, FSSAI regulations for food businesses, PESO licensing for companies handling petroleum or explosives, and sector-specific SEBI or RBI mandates. Third, the scoring methodology lacks calibration against actual financial exposure, so a risk rated '4 out of 5' on impact could represent anything from INR 50 lakh to INR 50 crore of potential loss, rendering the prioritisation meaningless for capital allocation decisions.
Defining the Scope and Risk Taxonomy for Indian Mid-Market Operations
A strategic risk register must begin with a clearly defined scope and a risk taxonomy tailored to the operating environment. For Indian mid-market companies, the taxonomy should reflect four tiers of risk that mirror how losses actually materialise in this segment.
The first tier covers operational risks: fire, machinery breakdown, supply chain interruption, warehouse damage, transit losses, and workplace safety incidents. These are the bread-and-butter risks that Indian commercial insurance programmes address, and they should be described in sufficient specificity to map directly to policy covers. Rather than a single entry for 'fire risk,' the register should distinguish between electrical fire at the main manufacturing unit, fire in raw material storage (especially where flammable goods are involved), fire in the finished goods warehouse, and fire at leased premises. Each entry carries different insurance implications: different sum insured calculations, different sub-limits, and different add-on covers required under the Standard Fire and Special Perils policy.
The second tier covers regulatory and compliance risks. Indian businesses operate under overlapping jurisdictions: central government regulations such as the Companies Act 2013 and GST framework, state-level factory inspectorate and pollution control requirements, and sector-specific regulators. Non-compliance penalties in India have increased substantially since the introduction of the Companies (Amendment) Act 2020, and directors face personal liability for certain environmental and safety violations. These risks rarely appear in standard risk registers but can produce financial exposure exceeding INR 5-10 crore in penalties, remediation costs, and operational shutdown orders.
The third tier covers strategic risks: market shifts, customer concentration, technology disruption, and competitive dynamics. While not directly insurable, these risks influence the design of business interruption covers, key person insurance, and trade credit programmes. The fourth tier addresses emerging risks: cyber attacks, climate-related perils, pandemic-driven supply chain disruption, and evolving IRDAI regulatory requirements that may alter available insurance products. Indian mid-market companies that explicitly track emerging risks gain an early advantage in securing coverage before the market hardens or exclusions tighten. The taxonomy should use plain language descriptions, not insurance jargon, to ensure that operational leaders across the business can engage meaningfully with the risk identification process.
Risk Assessment Methodology Calibrated to Indian Financial Exposure
The standard five-by-five probability-impact matrix used in most Indian risk registers produces a false sense of precision. When a plant manager rates a risk as 'probability 3, impact 4,' there is no shared understanding of what those numbers mean in rupee terms or in operational disruption days. A strategic risk register replaces subjective scales with calibrated financial thresholds anchored to the company's own financial profile.
For impact assessment, define five financial bands specific to the organisation. For an Indian mid-market manufacturer with revenues of INR 500 crore, these bands might be: Band 1 (Negligible) at losses below INR 25 lakh, Band 2 (Minor) at INR 25 lakh to INR 1 crore, Band 3 (Moderate) at INR 1 crore to INR 5 crore, Band 4 (Major) at INR 5 crore to INR 25 crore, and Band 5 (Severe) at losses exceeding INR 25 crore. These thresholds should be set relative to the company's annual profit, balance sheet strength, and cash flow resilience, not arbitrary round numbers. A company operating on 8 percent net margins views an INR 5 crore loss very differently from one operating at 18 percent margins.
For probability assessment, use frequency-based definitions rather than vague descriptors. 'Rare' means less than once in 25 years based on industry loss data for comparable Indian operations. 'Unlikely' means once in 10 to 25 years. 'Possible' means once in 3 to 10 years. 'Likely' means once in 1 to 3 years. 'Almost certain' means at least annually. Industry loss data from IRDAI annual reports, Tariff Advisory Committee historical records, and sector-specific loss databases maintained by bodies like the Indian Chemical Council or the Confederation of Indian Textile Industry provide grounding for these frequency estimates.
Velocity is an often-overlooked third dimension that matters greatly for Indian mid-market companies. A supply chain disruption may have moderate financial impact but arrive with almost no warning, leaving inadequate time to activate contingency plans. A regulatory change may have severe impact but develop over 12 to 18 months through draft notifications and public consultation periods. Include velocity (fast, moderate, slow) as a field in the risk register to inform both insurance programme design and business continuity planning. Fast-onset risks with severe impact demand immediate-response insurance covers and pre-approved claims protocols, while slow-onset risks allow for programme restructuring during the next renewal cycle.
Mapping the Risk Register to Insurance Programme Architecture
The highest-value application of a strategic risk register for an Indian mid-market company is the direct linkage between each identified risk and the insurance programme. This mapping exercise exposes three critical findings that most organisations discover for the first time: risks that are insured but overvalued, risks that are insured but carry inadequate limits, and risks that are not insured at all despite being financially material.
Start by creating a coverage map where each risk entry in the register is tagged with the relevant insurance policy, the specific section or endorsement that responds, the applicable sub-limit, and the deductible. For operational risks, this is relatively straightforward. A fire risk at the main factory maps to the SFSP policy with a defined sum insured, debris removal add-on, loss of profits cover with a specified indemnity period, and a deductible of, say, INR 10 lakh. But the exercise becomes revealing when applied to less obvious risks. A supply chain disruption caused by a key supplier's factory fire may be partially covered under a contingent business interruption extension, but many Indian mid-market policies either lack this cover or carry it with a sub-limit of INR 50 lakh to INR 1 crore against a potential exposure of INR 5 to 10 crore.
Regulatory risks present a particular mapping challenge. Directors' and officers' liability insurance covers defence costs and certain penalties arising from regulatory actions, but the scope of coverage varies widely among Indian D&O products. Environmental liability from pollution control board proceedings may require a separate environmental impairment liability policy, a product that remains relatively uncommon in Indian mid-market insurance programmes. Employment practices liability, relevant for companies facing disputes under the Industrial Disputes Act or the new labour codes, is another gap this mapping frequently uncovers.
The mapping should also identify where the company is over-insuring relative to its actual risk profile. Indian mid-market companies that have grown through acquisition sometimes carry duplicate transit policies, overlapping liability covers across group entities, or property policies with sum insured declarations that have not been updated despite asset disposals. The risk register mapping exercise routinely identifies INR 10 to 30 lakh in annual premium savings by eliminating these redundancies, partially funding the cost of filling genuine coverage gaps. Present the completed coverage map as a heat matrix where green indicates adequate cover, amber indicates partial cover with known gaps, and red indicates uninsured or significantly underinsured risks.
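The calibrated impact and frequency bands from the assessment methodology and the register-to-insurance coverage map described above, as an added Python example that is not part of the original article. The register entries are constructed; the recovery model (loss net of deductible, capped at the sub-limit), the boundary handling and the 50 percent threshold for a red rating are assumptions.

```python
from bisect import bisect_right
from dataclasses import dataclass
from typing import Optional

CRORE = 100  # all amounts are in INR lakh, so 1 crore = 100 lakh

# Lower bounds of impact bands 2-5 (article's INR 500 crore manufacturer).
# Assumption: a loss exactly on a boundary falls into the higher band.
IMPACT_FLOORS = [25, 1 * CRORE, 5 * CRORE, 25 * CRORE]
IMPACT_NAMES = ["Negligible", "Minor", "Moderate", "Major", "Severe"]
# Frequency definitions as (maximum return period in years, label).
FREQUENCY = [(1, "Almost certain"), (3, "Likely"), (10, "Possible"), (25, "Unlikely")]
RED_SHARE = 0.5  # assumption: retaining half or more of the loss counts as red

@dataclass
class RiskEntry:
    risk_id: str
    description: str
    exposure: float               # estimated loss, INR lakh
    return_period: float          # years between events
    velocity: str                 # fast / moderate / slow
    policy: Optional[str] = None  # responding policy or extension, if any
    sub_limit: float = 0.0
    deductible: float = 0.0

def impact_band(loss: float) -> int:
    return bisect_right(IMPACT_FLOORS, loss) + 1

def probability_label(return_period: float) -> str:
    for max_years, label in FREQUENCY:
        if return_period <= max_years:
            return label
    return "Rare"

def assess(e: RiskEntry) -> dict:
    # Assumed recovery model: loss net of deductible, capped at the sub-limit.
    recovery = min(max(e.exposure - e.deductible, 0), e.sub_limit) if e.policy else 0
    retained = e.exposure - recovery
    if e.policy is None or retained >= RED_SHARE * e.exposure:
        status = "red"      # uninsured or significantly underinsured
    elif retained > e.deductible:
        status = "amber"    # cover responds, but the limit leaves a known gap
    else:
        status = "green"    # only the deductible is retained
    band = impact_band(e.exposure)
    return {"id": e.risk_id, "impact": f"Band {band} ({IMPACT_NAMES[band - 1]})",
            "probability": probability_label(e.return_period),
            "velocity": e.velocity, "retained": retained, "status": status}

def renewal_priorities(register: list) -> list:
    """Non-green risks ordered by retained (uninsured) exposure, largest first."""
    gaps = [r for r in map(assess, register) if r["status"] != "green"]
    return sorted(gaps, key=lambda r: r["retained"], reverse=True)

# Constructed sample register (illustrative values, not real company data).
REGISTER = [
    RiskEntry("R1", "Electrical fire, main manufacturing unit", 2000, 30, "fast", "SFSP", 2500, 10),
    RiskEntry("R2", "Key supplier factory fire", 750, 8, "fast", "Contingent BI extension", 100, 10),
    RiskEntry("R3", "Pollution control board proceedings", 600, 12, "slow"),
    RiskEntry("R4", "Transit loss on finished goods", 80, 2, "moderate", "Marine transit", 60, 5),
]
```

Calling `renewal_priorities(REGISTER)` yields the red and amber entries ranked by retained exposure, which is the ordering by financial materiality that the renewal strategy needs.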
The Risk Owner Framework and Operational Integration
A risk register without clear ownership is an administrative artefact, not a management tool. Each risk entry must have a designated risk owner: a named individual with the authority and operational responsibility to influence the likelihood or impact of that risk. In Indian mid-market companies where formal risk management functions are rare, risk ownership must be distributed across the existing management structure.
The plant head or operations director typically owns manufacturing risks including fire, machinery breakdown, and workplace safety. The supply chain or procurement head owns vendor concentration risks, transit losses, and raw material price volatility. The CFO owns financial risks including currency exposure, credit risk, and insurance programme adequacy. The company secretary or legal head owns regulatory compliance risks. The IT head or CTO owns cyber and technology risks. The CEO or managing director retains ownership of strategic risks that span multiple functions.
Risk ownership in the Indian mid-market context carries a specific challenge: most of these individuals are already stretched across multiple responsibilities. Asking a plant head who manages 500 workers across two shifts to also maintain a risk register section is unrealistic without support structures. The practical solution is to assign each risk owner a risk coordinator, typically an existing direct report, who handles the data collection, incident logging, and register updates while the risk owner retains accountability for mitigation decisions and escalation.
Each risk owner should review their assigned risks quarterly and provide four inputs: whether the risk rating has changed and why, whether any new incidents or near-misses have occurred since the last review, the status of mitigation actions previously agreed, and whether insurance coverage for their risk area remains adequate based on operational changes. These quarterly inputs feed into a consolidated risk report presented to the board or management committee.
To prevent the register from becoming stale, establish trigger-based updates in addition to the quarterly cycle. Triggers include any loss event exceeding INR 10 lakh, any regulatory notice or inspection finding, any significant change in operations (new product line, new facility, major contract win or loss), changes to the insurance programme at renewal, and external events affecting comparable Indian businesses (a competitor's factory fire, a new IRDAI regulation, or a court ruling that shifts liability exposure). Embedding these triggers into existing management routines, such as monthly operations reviews and board meetings, ensures the risk register remains a living document rather than a compliance checkbox.
Regulatory Alignment: Companies Act 2013, SEBI, and IRDAI Considerations
Indian mid-market companies, particularly those that are listed or preparing for an IPO, face increasing regulatory expectations around formal risk management. The Companies Act 2013, Section 134(3)(n), requires the board's report to include a statement on the development and implementation of a risk management policy. For listed companies, SEBI's LODR Regulations mandate the constitution of a Risk Management Committee with defined terms of reference, and the committee must meet at least twice a year. While unlisted mid-market companies face less prescriptive requirements, the Companies Act mandate applies universally, and auditors increasingly examine whether risk management disclosures are substantive or merely boilerplate.
A well-structured risk register serves as the primary evidence that the company has a functioning risk management framework. When statutory auditors evaluate the risk management disclosures under Section 134, they look for documentation that demonstrates risks have been systematically identified, assessed, and assigned for management. The strategic risk register provides exactly this evidence, and its integration with the insurance programme demonstrates that the company has taken concrete steps to address identified risks through appropriate risk transfer mechanisms.
From an IRDAI perspective, the risk register strengthens the company's position in insurance procurement and claims. Insurers and reinsurers increasingly request risk management documentation during the underwriting process, particularly for large or complex accounts. An Indian mid-market company that presents a structured risk register during the insurance placement process signals underwriting maturity that can translate into more favourable terms, broader coverage, and access to capacity from insurers who might otherwise decline the risk based on limited information.
During claims, the risk register provides contemporaneous evidence of the company's risk awareness and mitigation efforts. IRDAI-appointed surveyors assessing a fire loss will view a company more favourably if it can demonstrate that fire risk was identified in its risk register, that specific mitigation measures were implemented, and that appropriate insurance covers were purchased. This documentation can influence surveyor recommendations on claim admissibility, particularly in borderline cases where the insurer might otherwise argue contributory negligence or inadequate risk management.
Companies in regulated sectors face additional requirements. FSSAI-registered food businesses must maintain hazard analysis documentation that overlaps significantly with the risk register. Companies holding PESO licences for petroleum or explosive handling must demonstrate risk assessment as part of their licence renewal. Integrating these sector-specific requirements into the central risk register eliminates duplication and ensures consistency across regulatory submissions.
Technology and Tools for Mid-Market Risk Register Management
Indian mid-market companies frequently over-invest in risk management software or under-invest by relying on paper records. The right technology choice depends on the organisation's scale, the number of risk entries, and the sophistication of the reporting requirements.
For companies with fewer than 100 identified risks and a single primary location, a well-structured spreadsheet remains the most practical tool. The spreadsheet should include columns for risk ID, risk category (from the taxonomy), risk description, risk owner, probability rating, impact rating (in INR), velocity, current controls, insurance coverage mapping (policy number, section, sub-limit, deductible), residual risk rating, mitigation actions with deadlines, and last review date. Indian companies can build this in Microsoft Excel or Google Sheets, with the latter offering advantages for multi-user access and version control. A conditional formatting layer that colour-codes cells based on risk rating creates an instant visual dashboard without additional software.
For companies with multiple locations, more than 150 risk entries, or regulatory reporting requirements that demand audit trails, dedicated risk management software becomes justified. Several platforms serve the Indian mid-market at monthly costs between INR 15,000 and INR 1 lakh: LogicManager, Resolver, and Riskonnect offer cloud-based solutions with India data residency options. Indian-developed platforms such as Corporater (with its GRC module) and niche solutions from Indian consultancies have the advantage of pre-built templates aligned to Indian regulatory frameworks including the Companies Act, SEBI LODR, and IRDAI requirements.
Regardless of the tool, three features are non-negotiable for Indian mid-market risk registers. First, the ability to generate board-ready reports in a format consistent with Companies Act disclosure requirements. Second, the ability to link risk entries to specific insurance policies and track coverage adequacy over time. Third, an audit trail that records who changed what and when, providing evidence for statutory auditors and regulatory inspections.
A common mistake is to launch the risk register on an expensive platform before the organisation has developed the discipline to maintain it. Start with a spreadsheet for the first two quarterly cycles. Once the review cadence is established and the management team has internalised the process, migrate to dedicated software if the scale and reporting needs justify it. The tool is irrelevant if the underlying process is not embedded in organisational routines.
From Register to Action: Annual Review Cycle and Continuous Improvement
The strategic risk register achieves its full value when it drives a structured annual cycle of risk review, insurance programme adjustment, and board reporting. For Indian mid-market companies, this cycle should be synchronised with the insurance renewal timeline and the annual board governance calendar.
The cycle begins 120 days before the primary insurance programme renewal. The risk manager or CFO initiates a full risk register refresh, requiring each risk owner to update their risk entries, reassess ratings based on the prior year's incident data, and flag any new risks arising from operational changes. This refresh should incorporate loss data from the expiring policy period, obtained from the broker's claims experience report, and map actual losses against the register's predicted profile. Significant divergences indicate that the register needs recalibration. If the register rated machinery breakdown as a 'moderate' risk but the company experienced three breakdown events totalling INR 2 crore in losses during the year, the rating and its corresponding insurance response require upward revision.
At 90 days before renewal, the updated risk register informs the renewal strategy document prepared by the broker. Coverage gaps identified through the register-to-insurance mapping are prioritised by financial materiality. New risks are presented to potential insurers as part of the submission, together with evidence of mitigation measures implemented during the year. This structured approach distinguishes mid-market accounts from the majority of Indian commercial placements that rely on a standard proposal form and last year's policy wording.
At 30 days after renewal, the register is updated to reflect the new insurance programme, with revised policy numbers, sub-limits, deductibles, and any coverage changes. This post-renewal update is the most commonly skipped step and the one that creates the greatest long-term value, because it ensures the register accurately reflects the current state of risk transfer at all times.
The annual board presentation should include three elements: the current risk heat map showing risk distribution across probability and impact bands, a year-on-year comparison showing how the risk profile has shifted, and a reconciliation of the register against the insurance programme identifying residual uninsured exposures with their estimated financial impact. Indian boards are increasingly receptive to this level of risk transparency, particularly where independent directors bring governance experience from larger organisations. Over a three to five year period, this discipline transforms the risk register from a compliance document into the central decision-making framework for risk financing and insurance programme design.

