Risk Advisory · Governance, Risk & Compliance (GRC)
Risk Assessment Framework Design
A risk register that sits in a shared drive and gets updated once a year before the board meeting is not a risk management framework — it is a compliance artefact.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
A risk register that sits in a shared drive and gets updated once a year before the board meeting is not a risk management framework — it is a compliance artefact. At PNPC Global, we design risk assessment frameworks that boards and audit committees actually use: a documented risk appetite, a working risk register tied to real business decisions, and a review rhythm that keeps pace with the business rather than a once-a-year ritual. Since 1986, we have sat on the advisory side of board rooms and audit committees across India and the UAE — we build frameworks that hold up under an auditor's, a regulator's, and an investor's scrutiny, not just a template that looks complete on paper.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
A Risk Assessment Framework is the structured methodology an organisation uses to identify, assess, prioritise, respond to, and monitor the risks that could prevent it from achieving its objectives. It is not a single document — it is a system comprising a risk appetite statement (how much risk the board is willing to accept in pursuit of its objectives), a risk register (the living inventory of identified risks, their likelihood, impact, ownership, and mitigation status), a risk assessment methodology (how risks are scored and prioritised — typically a likelihood-times-impact matrix, sometimes supplemented by velocity and detectability factors), and a governance structure that assigns clear ownership for risk identification, escalation, and response at management and board level. Internationally recognised frameworks — COSO's Enterprise Risk Management (ERM) Integrated Framework and ISO 31000:2018 — provide the structural backbone that most Indian and UAE risk frameworks are built on, adapted to the specific regulatory, sectoral, and organisational context of the entity.
When your organisation needs a formal risk framework
Board or Audit Committee has flagged the absence of a structured risk management process, or an internal or statutory auditor has raised it as an observation in the audit report or management letter
Company falls within SEBI's Listed Entities framework where a Risk Management Committee is mandated under Regulation 21 of the SEBI (LODR) Regulations, 2015 for the top 1,000 listed entities by market capitalisation
Board is required to confirm, under Section 134(5)(e) of the Companies Act 2013, that it has laid down internal financial controls and that such controls are adequate and operating effectively — a confirmation that is difficult to make credibly without an underlying risk assessment
Organisation is preparing for institutional fundraising, private equity due diligence, or a strategic partnership where investors expect to see a documented risk management approach as part of governance readiness
Business has grown past the stage where risk can be managed informally in the founder's or CEO's head — multiple business lines, geographies, or regulatory regimes now create risk interactions that need a structured view
Recent adverse event — a fraud incident, a cybersecurity breach, a regulatory penalty, a key-person departure, a significant vendor failure — has exposed the absence of a systematic way to anticipate and respond to comparable risks
Organisation operates in a regulated sector (financial services, healthcare, infrastructure, listed company, or a company receiving foreign investment) where a documented risk framework is either an explicit regulatory expectation or a practical necessity for regulator and lender confidence
When a lighter-touch approach may be more appropriate
Very early-stage startup with a handful of employees and no institutional board — a founder-level risk discussion documented in board minutes is proportionate; a full COSO-aligned framework is premature and will not be maintained
Organisation has no board, audit committee, or external stakeholder (lender, investor, regulator) that requires evidence of formal risk governance — the cost of building and maintaining a framework should be weighed against who will actually use it
The business already has an internal audit function or a management assurance process that substantively covers risk identification and monitoring — in that case, the requirement may be to formalise and document the existing process rather than build one from scratch
Organisation needs a one-time risk assessment for a specific transaction (an M&A deal, a new product launch, a single large contract) rather than an ongoing enterprise-wide framework — a focused risk assessment exercise is more appropriate than a full framework build
Resource and bandwidth constraints mean the framework, once built, will not be reviewed, updated, or used to inform actual decisions — a framework nobody maintains creates false comfort and is arguably worse than acknowledging risk is being managed informally
Common risk management framework approaches — choosing the right fit for your organisation's stage and regulatory context
| Feature | COSO ERM Framework | ISO 31000:2018 | SEBI LODR-driven RMC Framework | Informal / Ad-hoc Approach |
|---|---|---|---|---|
| Primary origin | US-developed, widely adopted globally and in India | International standard, principles-based, sector-agnostic | India-specific, driven by SEBI listing regulations for top listed entities | No external reference point |
| Best suited for | Organisations wanting a comprehensive, strategy-linked ERM structure | Organisations wanting a lean, principles-based, flexible structure | Listed companies within SEBI's mandated Risk Management Committee scope | Very early-stage or informally governed entities |
| Board / committee structure required | Recommended — typically Audit Committee or dedicated Risk Committee oversight | Recommended but flexible — governance structure adapted to entity | Mandatory Risk Management Committee under Regulation 21 for applicable listed entities | None |
| Risk appetite statement | Central, explicit component | Central, explicit component | Increasingly expected as part of RMC charter and disclosures | Rarely documented |
| Documentation rigour | High — objectives, components, principles all mapped | Moderate to high — principles and process documented, format flexible | Moderate — policy, charter, and register typically required for compliance | Minimal or none |
| Regulatory recognition in India | Widely referenced by auditors and audit committees as good practice | Referenced but no direct statutory mandate | Directly linked to SEBI (LODR) Regulations, 2015 compliance | No regulatory standing |
| Linkage to internal financial controls (IFC) | Strong — COSO Internal Control framework is the common IFC reference under Section 134(5)(e) | Indirect — ISO 31000 does not itself prescribe an IFC structure | Expected to interface with IFC documentation for listed entities | Typically absent, creating an IFC certification gap |
| Effort to implement | Higher — comprehensive but resource-intensive to build properly | Moderate — designed to be proportionate to organisation size | Moderate to high — policy, committee, charter, and reporting cycle required | Low — but produces limited defensibility |
| Ongoing maintenance need | Continuous — risk register review, KRI monitoring, board reporting | Continuous but scalable to organisation's risk maturity | Continuous — RMC must meet per LODR-prescribed frequency and report to board | Ad-hoc, typically deteriorates without ownership |
| PNPC's typical recommendation | For companies preparing for institutional investment, listing, or complex multi-entity risk exposure | For mid-sized private companies wanting rigour without over-engineering | Where mandated by SEBI LODR scope, or voluntarily adopted for listing readiness | Not recommended once the organisation has a board, lenders, or external investors |
This table gives directional guidance only. Most PNPC engagements are not a pure choice between frameworks — we typically build a COSO-aligned or ISO 31000-aligned structure, right-sized to the organisation, that also satisfies SEBI LODR Regulation 21 requirements where applicable. The right framework, its scope, and its rigour depend on your sector, regulatory obligations, ownership structure, and board expectations. A scoping conversation with a practising CA is the appropriate first step before any framework is drafted.
| # | Stage & What PNPC Does | CA Advice That Generic Consultants Miss | Timeline |
|---|---|---|---|
| 1 | Scoping & Governance Context Review — Understanding your actual risk exposure and regulatory obligations | We start by asking what a template provider never asks: Are you SEBI-listed and within Regulation 21's Risk Management Committee mandate? Do you have institutional investors expecting governance readiness? Is there a recent adverse event driving this engagement? What does your Section 134(5)(e) internal financial controls certification currently rest on? These answers determine the scope, rigour, and regulatory anchoring of the framework — a listed entity's RMC-compliant framework looks materially different from a pre-Series-A startup's board-level risk discussion. | Week 1 |
| 2 | Risk Universe & Business Context Mapping — Structured workshops across business functions | A risk framework built solely from management's self-reported risks misses the risks nobody wants to surface — related-party exposure, key-person dependency, control gaps flagged in prior audits but not remediated. We run structured interviews across finance, operations, compliance, HR, and IT, and cross-reference against prior statutory audit observations, internal audit findings, and any regulatory correspondence — before drafting a single risk statement. | Week 1–2 |
| 3 | Risk Appetite Statement Drafting — The board-level starting point most frameworks skip | Most off-the-shelf frameworks jump straight to a risk register without a risk appetite statement — the board's explicit articulation of how much risk it is willing to accept in pursuit of objectives, by risk category (financial, operational, compliance, reputational, strategic). Without this anchor, risk scoring becomes arbitrary and the register cannot be prioritised meaningfully. We draft the risk appetite statement for board discussion and approval before the register is built. | Week 2–3 |
| 4 | Risk Identification & Categorisation — Building the risk universe by category | Risks are categorised — typically strategic, operational, financial, compliance/regulatory, reputational, and technology/cyber — and identified at a granularity that is actionable, not so broad it is meaningless ('economic risk') nor so narrow it is unmanageable (hundreds of micro-risks). We calibrate this to your organisation's actual scale and complexity. | Week 3–4 |
| 5 | Likelihood-Impact Assessment & Scoring Methodology — Quantifying and prioritising the register | We design a scoring matrix appropriate to your organisation — typically a 5x5 likelihood-impact grid, sometimes supplemented by velocity (how fast the risk could materialise) and detectability. Scoring criteria are defined in concrete, organisation-specific terms — a 'high impact' financial risk is defined against your actual revenue and capital base, not a generic template threshold. | Week 4–5 |
| 6 | Mitigation & Control Mapping — Linking each risk to existing and required controls | For every risk scored as material, we map the existing control environment — what is already in place — and identify control gaps. This is where the framework interfaces directly with your internal financial controls documentation under Section 134(5)(e) and, if applicable, your internal audit scope. A risk framework that does not map to actual controls is descriptive, not operational. | Week 5–6 |
| 7 | Risk Ownership & RACI Assignment — Naming names, not departments | Every risk in the register is assigned a named owner accountable for monitoring and mitigation status — not a department. We have seen risk registers where 'Finance Team' is listed as owner for a dozen risks with no individual accountable; nothing gets actioned. PNPC assigns individual ownership with escalation paths to the Audit Committee or Risk Management Committee. | Week 6 |
| 8 | Governance Structure & Charter Design — Committee, reporting lines, and escalation protocol | For SEBI-listed entities within Regulation 21 scope, we draft the Risk Management Committee charter — composition, meeting frequency (the LODR framework specifies minimum RMC meeting cadence for applicable entities), reporting lines to the Board, and the specific disclosures the RMC must make. For non-listed entities, we design a proportionate governance structure — often Audit Committee oversight with management-level risk review. | Week 6–7 |
| 9 | Board & Audit Committee Presentation — Framework approval and buy-in | A framework designed in isolation from the board is a framework that gets shelved after one review cycle. We present the draft risk appetite statement, register, and governance structure to the Board or Audit Committee, incorporate their input, and secure formal approval — creating both ownership and the documented board minute that evidences board-level risk oversight. | Week 7–8 |
| 10 | Key Risk Indicator (KRI) Design — Early-warning metrics for material risks | For the highest-priority risks, we design Key Risk Indicators — quantifiable, trackable metrics that signal a risk is trending toward materialisation before it actually crystallises (e.g., customer concentration percentage, days sales outstanding trend, employee attrition in key roles, cybersecurity incident frequency). This converts the framework from a static document into an early-warning system. | Week 8 |
| 11 | Documentation & Policy Finalisation — The complete framework document set | We finalise the Risk Management Policy document, the risk appetite statement, the risk register (typically delivered in a working spreadsheet or dashboard format your team can actually maintain), the RMC/committee charter, and a one-page risk heat map for board-level reporting. Every document is drafted to be usable by your team going forward — not a one-time consultant deliverable that nobody can update. | Week 8–9 |
| 12 | Review Cadence & Handover Training — Making the framework self-sustaining | A framework is only as good as its review discipline. We establish the review cadence (typically quarterly risk register review at management level, and at minimum the LODR-prescribed frequency at RMC/Board level for listed entities), train the internal risk owner or CFO's team on how to update and re-score the register, and hand over a framework the organisation can run without needing PNPC to touch it every quarter — though we remain available for periodic health checks and material risk events. | Week 9–10 |
| 13 | Ongoing Advisory & Framework Refresh — CA guidance as risks evolve | Risk frameworks decay if untouched — new risks emerge (a new regulation, a new geography, a cybersecurity threat vector), and old risks that were mitigated should be retired rather than cluttering the register. PNPC offers periodic framework health-check engagements — typically annual or aligned to major business events (fundraising, new market entry, M&A) — to keep the framework current and credible. | Ongoing, as needed |
Realistic timeline for a full framework build, from scoping to board approval: 8–10 weeks for a mid-sized organisation; longer for complex multi-entity or multi-jurisdiction groups, shorter for a lighter-touch framework at an early growth-stage company. The framework itself has no 'completion' date — it is designed to be a living system with a defined review cadence from Day 1.
Latest Memorandum and Articles of Association — to understand the entity's objects, governance structure, and any existing board-level committee provisions
Board composition details and any existing Board or Audit Committee charters — to understand current governance maturity and where a Risk Management Committee would sit
Organisation chart across key functions — finance, operations, compliance, HR, IT/technology — to identify functional risk owners during the workshop phase
Details of listing status, if applicable — market capitalisation ranking and confirmation of SEBI (LODR) Regulation 21 applicability for Risk Management Committee requirements
Any existing risk policy, risk register, or informal risk notes — even outdated or incomplete documents help PNPC understand what has already been attempted and why it may not have been sustained
Latest audited financial statements (2–3 years if available) — to understand financial risk exposure, revenue concentration, and balance sheet structure
Latest statutory audit report and management letter — auditor observations frequently point directly at unaddressed risk and control gaps
Internal audit reports, if an internal audit function exists — a critical input for the risk universe and control-gap mapping
Details of major contracts, customer/vendor concentration, and any related-party transactions — key sources of operational and financial risk
Details of borrowings, guarantees, and any covenant obligations with lenders — a common but under-assessed risk category
Details of any regulatory notices, show-cause notices, penalties, or ongoing litigation in the last 3–5 years — across tax, corporate law, labour, environmental, or sector-specific regulators
List of all statutory registrations and licences held (GST, FEMA/RBI filings if applicable, sector-specific licences) and their current compliance status
Prior Section 134(5)(e) internal financial controls certification basis, if the company is required to make this confirmation and has done so previously
Any cybersecurity, data protection, or IT security policy currently in place, and details of any prior security incidents
Confirmation of market capitalisation ranking to establish Regulation 21 Risk Management Committee applicability
Existing Risk Management Committee composition and any prior RMC minutes, if a committee already exists in some form
Prior annual report risk disclosures and Business Responsibility and Sustainability Report (BRSR) risk-related content, if applicable
Details of the company's Related Party Transaction policy and Whistle Blower/Vigil Mechanism policy — both interface directly with the risk framework
Availability calendar for key management personnel across functions for risk identification workshops — typically 60–90 minutes per functional head
Board and Audit Committee meeting calendar — to schedule the framework presentation and approval session appropriately
Access to relevant management information system (MIS) reports or dashboards already used to track operational or financial performance — useful for KRI design
Name of the internal risk owner or coordinator (often the CFO, Company Secretary, or a designated risk officer) who will own the framework post-handover
Risk Management Policy document — the master policy governing the framework's scope, methodology, and governance
Risk Appetite Statement — drafted for Board approval, articulating acceptable risk thresholds by category
Risk Register — the working document listing identified risks, scoring, ownership, mitigation status, and review dates
Risk Management Committee Charter (where applicable) — composition, mandate, meeting frequency, and reporting lines
Key Risk Indicator (KRI) dashboard template — for ongoing monitoring of the highest-priority risks
Board/Audit Committee presentation deck summarising the framework, key risks, and recommended mitigation priorities
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Framework Design (Week 1–10) | Decision to formalise risk management | Scoping against actual regulatory obligations, risk appetite statement drafting, structured risk identification workshops, likelihood-impact scoring methodology, control mapping, and governance charter design — built for your organisation's actual scale, not a generic template. | A generic template framework that does not reflect the organisation's actual risk profile, gets shelved after one review, and provides no real defensibility if a regulator, auditor, or investor examines it. |
| Board Adoption | Framework presented for approval | Presentation to the Board or Audit Committee with the risk appetite statement, top-priority risks, and governance structure, securing a documented board resolution or minute approving the framework — the evidence that risk oversight is a board-level function, not a document nobody signed off on. | No documented board approval means the framework has no governance standing — undermining the Section 134(5)(e) internal financial controls confirmation and any claim of board-level risk oversight in due diligence or regulatory scrutiny. |
| Quarterly Review Cycle | Scheduled review cadence | Risk register re-scored quarterly at management level; KRIs monitored for early-warning signals; new risks added and mitigated risks retired; Risk Management Committee (or Audit Committee, where no separate RMC exists) briefed each cycle per the agreed cadence. | A stale risk register that has not been updated in over a year is functionally useless — and, for listed entities within LODR scope, a lapsed RMC reporting cadence is itself a governance and disclosure gap. |
| Annual Refresh | Financial year-end / AGM cycle | Full annual review of the risk appetite statement, risk universe (adding risks from new business lines, geographies, or regulatory changes), and the control environment — timed to align with the statutory audit cycle and annual report risk disclosures where applicable. | Risk disclosures in the annual report or board's responsibility statement that do not reflect the organisation's actual current risk profile — a credibility and, for listed entities, a disclosure-accuracy concern. |
| Material Risk Event | Fraud, cyber incident, regulatory action, key-person exit, major litigation | Immediate framework activation — the event is assessed against the existing risk register (was it identified? was the KRI signal missed? was the mitigation inadequate?), the register is updated, and root-cause learnings are fed back into the framework and control environment. | Treating a material risk event as a one-off crisis rather than feeding it back into the framework means the same category of risk recurs, and the organisation cannot demonstrate to auditors, regulators, or investors that it has learned from the event. |
| Fundraising / Investor Due Diligence | Term sheet or investor diligence request | Framework, risk register, and governance minutes packaged for investor review; gaps identified and remediated proactively before diligence begins rather than discovered mid-process; risk appetite statement and control mapping reviewed for consistency with representations made to investors. | Investors uncovering an undocumented or inconsistent risk management approach during diligence creates valuation pressure, additional warranty and indemnity asks, and can delay or derail a funding round. |
| Scaling / New Business Line or Geography | Business expansion decision | Risk universe extended to the new business line, geography, or regulatory regime (including, where relevant, UAE or other overseas risk categories PNPC's Dubai office can advise on directly) before the expansion is executed — not retrofitted afterward. | Expansion into a new geography or business line without an updated risk assessment routinely surfaces unanticipated regulatory, tax, or operational exposure that a pre-expansion risk review would have flagged. |
| Framework Maturity Review | 1–2 years post-implementation, or leadership change | Independent health-check of the framework's actual use — is the register being updated, are KRIs tracked, is the RMC/Audit Committee cadence being met — with recommendations to refresh, simplify, or deepen the framework as the organisation's risk maturity evolves. | A framework that was well-designed at inception but has drifted from actual practice provides false assurance to the board and external stakeholders that risk is being actively managed when it is not. |
What exactly is a Risk Assessment Framework, in plain terms?
It is the structured system your organisation uses to identify what could go wrong (risks), decide how much of that risk you are willing to accept (risk appetite), track and prioritise the risks that matter (a risk register), and assign clear ownership for managing them. It is not a one-time report — it is a recurring process with a governance structure (usually an Audit Committee or Risk Management Committee) that keeps it alive and relevant as the business changes.
Is a formal risk management framework legally mandatory for my company?
It depends on your entity type and regulatory status. There is no blanket statutory requirement for every private company to maintain a COSO- or ISO 31000-aligned framework. However, under Section 134(5)(e) of the Companies Act 2013, the Board's responsibility statement (for listed companies, and in practice a good governance expectation for larger private companies) must confirm that internal financial controls are adequate and operating effectively — a confirmation that is difficult to make credibly without an underlying risk assessment process. For SEBI-listed entities within the top 1,000 by market capitalisation, Regulation 21 of the SEBI (LODR) Regulations, 2015 mandates a Risk Management Committee with a defined charter and reporting cadence.
What is a risk appetite statement and why does PNPC insist on drafting it first?
A risk appetite statement is the Board's explicit articulation of how much risk the organisation is willing to accept, by category (financial, operational, compliance, reputational, strategic, technology), in pursuit of its objectives. Without it, risk scoring in the register becomes subjective and inconsistent — one manager's 'high risk' is another's 'medium.' The risk appetite statement gives the scoring methodology an anchor and gives the Board a documented, defensible basis for its risk tolerance decisions.
COSO ERM or ISO 31000 — which framework should we adopt?
Both are internationally recognised and neither is mandated by Indian law for most private companies. COSO's Enterprise Risk Management Integrated Framework is more comprehensive and strategy-linked — commonly chosen by organisations preparing for institutional investment, listing readiness, or complex multi-entity risk exposure, and it aligns naturally with the internal financial controls documentation many boards must already maintain. ISO 31000:2018 is a leaner, principles-based international standard, more proportionate for mid-sized private companies that want rigour without over-engineering. In practice, most PNPC engagements borrow structural elements from both, calibrated to the organisation's size and regulatory context, rather than adopting either framework in its complete textbook form.
What is a Risk Management Committee (RMC) and who needs one under SEBI rules?
Under Regulation 21 of the SEBI (LODR) Regulations, 2015, a Risk Management Committee is mandatory for the top 1,000 listed entities determined on the basis of market capitalisation, as well as certain other categories of listed entities specified by SEBI from time to time. The RMC must have a defined composition (a majority of members being Board directors, including at least one independent director for applicable categories), a documented charter, and must meet at a prescribed minimum frequency, reporting to the Board on the risk management framework's effectiveness. Companies outside this mandated scope are not statutorily required to constitute a separate RMC, though many voluntarily route risk oversight through the Audit Committee.
How does a risk framework relate to internal financial controls (IFC) under Section 134(5)(e)?
Internal financial controls are the specific policies and procedures that ensure the orderly and efficient conduct of business, accuracy and completeness of accounting records, and timely preparation of reliable financial information. A risk assessment framework is broader — it covers financial, operational, compliance, reputational, and strategic risk — but the two are deeply linked: you cannot credibly assess whether your internal financial controls are 'adequate and operating effectively' (the Board's Section 134(5)(e) confirmation) without first identifying the financial risks those controls are meant to address. PNPC designs the risk framework to explicitly interface with, and support, the IFC documentation and testing that underpins this Board confirmation.
We are a private, unlisted company with no immediate SEBI obligations. Do we still need this?
There is no statutory mandate specific to private unlisted companies to build a formal risk framework. Whether you need one is a business judgement, not a compliance requirement. Common triggers we see for unlisted private companies: preparing for institutional fundraising where investors expect governance readiness, a recent adverse event (fraud, major vendor failure, cybersecurity breach) that exposed the lack of a structured process, growth past the point where risk can be tracked informally by the founder or CEO, or a lender covenant or large enterprise customer contract that expects evidence of risk governance.
How long does it take to build a full risk assessment framework from scratch?
For a mid-sized organisation, a realistic timeline from initial scoping to Board approval is 8 to 10 weeks — covering scoping, risk identification workshops across functions, risk appetite statement drafting, scoring methodology design, control mapping, governance charter drafting, and Board presentation. Complex multi-entity or multi-jurisdiction groups (including India-UAE structures) typically take longer given the need to map risk across each entity and regulatory regime. A lighter-touch framework for an early growth-stage company can be built faster, in proportion to its complexity.
What does a risk register actually look like — is it just a spreadsheet?
At its core, yes — a risk register is typically a structured spreadsheet or dashboard listing each identified risk, its category, likelihood score, impact score, overall risk rating, existing controls, control gaps, the named risk owner, planned mitigation actions, target dates, and current status. What separates a working register from a shelf document is not the tool (spreadsheet versus dedicated GRC software) but the discipline of updating it on a defined cadence and using it to drive actual management decisions and board reporting.
How is likelihood and impact actually scored — is it subjective?
Scoring inevitably involves judgement, but a good framework reduces subjectivity by defining concrete, organisation-specific criteria for each score level before any risk is scored. For example, 'high impact' on a financial risk might be explicitly defined as 'potential loss exceeding X% of annual revenue or Y absolute rupee value' rather than left to individual interpretation. PNPC calibrates these thresholds to your organisation's actual financial scale during the framework design phase, and scoring is typically done collaboratively across function heads with a facilitator (PNPC, initially) to reduce inconsistency between departments.
What are Key Risk Indicators (KRIs) and how are they different from the risk register?
The risk register is a periodic (typically quarterly) point-in-time assessment. Key Risk Indicators are ongoing, trackable metrics designed to give an early warning that a specific high-priority risk is trending toward materialising, between formal review cycles. Examples include customer concentration percentage trending upward, days sales outstanding lengthening, employee attrition in key roles rising, or the frequency of near-miss cybersecurity incidents increasing. PNPC designs KRIs only for the highest-priority risks in the register — tracking too many KRIs dilutes attention and becomes unsustainable.
Who should own the risk register once PNPC hands it over?
There should be a single named internal coordinator — most commonly the CFO, Company Secretary, or a designated Chief Risk Officer / risk manager in larger organisations — responsible for maintaining the register, coordinating the periodic review cycle, and preparing the Board or Audit Committee/RMC reporting pack. Individual risks within the register are owned by the relevant function head, but the overall framework needs one accountable coordinator or it drifts.
How often should the risk register be reviewed and updated?
A common and reasonable cadence is quarterly review at the management level, with reporting to the Audit Committee or Risk Management Committee at a frequency consistent with your committee's meeting schedule — and for SEBI-listed entities within Regulation 21 scope, in line with the minimum frequency prescribed for RMC meetings. New risks (from a new business line, regulatory change, or major contract) should be added to the register as they emerge rather than waiting for the next scheduled quarterly cycle, and material risk events should trigger an immediate ad-hoc review.
We had a fraud incident. Would this framework have prevented it, and how do we prevent a recurrence?
A risk framework cannot guarantee prevention of every adverse event — its purpose is to systematically increase the likelihood that material risks are identified, monitored, and mitigated before they materialise, and to provide a structured process for learning from events that do occur. If a fraud incident has already happened, the immediate priority is root-cause analysis: was this risk category identified in any prior assessment? Was there a control gap that should have been flagged? PNPC treats a material risk event as a direct input into refreshing the framework and control environment — not a separate, one-off forensic exercise disconnected from ongoing risk management.
Does PNPC also help with forensic investigation if a risk materialises into an actual fraud or loss event?
PNPC's risk advisory practice focuses on framework design, risk assessment, internal controls advisory, and governance structuring. Where a material event requires forensic investigation, quantification of loss, or litigation support, we scope that as a related but distinct engagement — often working alongside the risk framework refresh so that findings from the investigation directly inform the updated risk register and control recommendations.
How does risk assessment interact with our statutory audit?
Your statutory auditor independently performs a risk-based audit under Standards on Auditing, which includes their own assessment of risks of material misstatement in the financial statements — this is a distinct, auditor-owned process governed by auditing standards, not something PNPC's risk advisory engagement replaces or performs on the auditor's behalf. However, a well-documented enterprise risk framework — particularly the sections addressing financial and compliance risk and the internal control environment — is a valuable input the auditor will typically review, and it supports the Board's own Section 134(5)(e) internal financial controls confirmation, which is separate from the auditor's own risk assessment.
What is the difference between risk management and internal audit?
Risk management (the framework PNPC builds) is a forward-looking, management- and Board-owned process for identifying and responding to risks before they materialise. Internal audit is typically an independent assurance function — either an in-house team or an outsourced provider — that periodically tests whether the controls management has put in place (including those addressing risks in the register) are actually operating as designed. The two are complementary: the risk register often forms the basis for the internal audit plan, prioritising audit focus on the highest-risk areas, while internal audit findings feed back into refreshing the risk register.
We are a group with an Indian company and a UAE entity. Does the risk framework cover both?
Yes — PNPC's risk advisory engagements for India-UAE groups build a consolidated framework that captures entity-specific and group-level risks, including cross-border risk categories: FEMA and RBI compliance risk on the India side, UAE Corporate Tax and regulatory compliance risk on the UAE side, transfer pricing exposure on intercompany transactions, and consolidated financial reporting risk where applicable. With operating offices in Chennai, Bangalore, Hyderabad, and Dubai, PNPC coordinates the framework build across both jurisdictions under a single engagement rather than requiring you to brief separate advisors in each country.
What does it cost to build a risk assessment framework with PNPC?
PNPC charges a fixed, agreed professional fee for a risk framework engagement, scoped after the initial conversation based on your organisation's size, number of business functions and entities involved, regulatory complexity (including any SEBI LODR RMC requirements), and whether workshops are needed across multiple locations or jurisdictions. The exact fee and scope are confirmed in writing before work begins — there is no standard 'off-the-shelf' price because the effort genuinely varies with organisational complexity.
Can a small consulting firm or freelance GRC consultant do this instead of a CA firm?
Many risk framework engagements are delivered competently by dedicated GRC (Governance, Risk, Compliance) consultants or boutique risk advisory firms, and there is no legal requirement that this work be performed by a Chartered Accountant. The advantage of engaging a practising CA firm like PNPC is the direct interface with statutory compliance obligations that a pure GRC consultant may not have day-to-day familiarity with — Section 134(5)(e) internal financial controls, the statutory audit process, tax and regulatory risk specifics, and (for our clients) an existing understanding of your financial statements, compliance history, and business from other engagements.
How does a risk framework help during private equity or venture capital due diligence?
Institutional investors' legal and financial due diligence processes routinely probe governance maturity — whether the Board has visibility into key risks, whether internal controls are documented and tested, and whether there is a structured process (rather than founder intuition alone) managing operational, financial, compliance, and reputational risk. A well-documented risk framework, with evidence of Board or Audit Committee engagement (minutes, review cycles), materially strengthens the governance narrative in diligence and can pre-empt additional warranty, indemnity, or valuation-discount asks that arise when investors perceive governance as immature.
Does the risk framework need to be disclosed publicly or filed with any regulator?
For most private, unlisted companies, there is no requirement to file the risk framework itself with any regulator — it is an internal governance document, though the Board's confirmation on internal financial controls under Section 134(5)(e) is disclosed in the Board's report attached to the annual financial statements. For SEBI-listed entities, certain risk-related disclosures are required in the annual report and, where applicable, the Business Responsibility and Sustainability Report (BRSR) — though the full risk register and appetite statement themselves remain internal documents; only summarised risk disclosures are made public.
What is the difference between inherent risk and residual risk in the register?
Inherent risk is the level of risk that exists before considering any mitigating controls — the raw exposure. Residual risk is the level of risk that remains after accounting for the controls and mitigation measures currently in place. A risk register that only scores inherent risk overstates the organisation's actual exposure and does not show where controls are working; a register that only scores residual risk can understate how serious a risk would be if a control failed. PNPC's framework scores both, so the Board can see the effectiveness of existing controls (the gap between inherent and residual) as well as the current actual exposure.
Our board meets only quarterly. How do we handle risks that emerge between meetings?
The governance structure PNPC designs typically includes a defined escalation protocol for risks that emerge or materially change between scheduled Board or Audit Committee meetings — usually a threshold-based trigger (a risk scored above a certain severity, or any risk event with actual or potential financial/reputational impact above an agreed threshold) that requires immediate escalation to the Committee Chair or Board Chair outside the regular cycle, rather than waiting for the next scheduled meeting.
Can this framework help with cybersecurity and data protection risk specifically?
Yes — cybersecurity and technology risk is typically one of the standard risk categories within the framework (alongside strategic, operational, financial, compliance, and reputational risk), and is increasingly one of the highest-scored categories across most organisations given the rising frequency of cyber incidents. PNPC's framework identifies and scores cybersecurity and data protection risks at an enterprise-governance level — data breach exposure, third-party/vendor access risk, business continuity risk from a system outage — but for deep technical cybersecurity control implementation (network security architecture, penetration testing, technical remediation), we recommend a specialist technical security partner working alongside the risk framework, with PNPC ensuring the governance and Board-reporting layer stays connected to their technical findings.
Is a Risk Management Committee the same as an Audit Committee?
No, though they are related and, in smaller organisations, functions sometimes overlap. The Audit Committee, mandated under Section 177 of the Companies Act 2013 for specified classes of companies, has a statutorily defined mandate centred on financial reporting oversight, auditor recommendation and oversight, and related-party transaction approval. A Risk Management Committee, where mandated under SEBI (LODR) Regulation 21 or voluntarily constituted, has a broader mandate specifically focused on enterprise risk oversight across all risk categories, not solely financial reporting risk. Where a company is not required to have (or chooses not to constitute) a separate RMC, risk oversight responsibility is commonly routed through the existing Audit Committee.
What happens if we build the framework but the Board never actually reviews the risk register?
This is the most common way risk frameworks fail — not at the design stage, but at the sustained-use stage. A framework that is built, presented once, and then never revisited provides false assurance: on paper, governance looks mature; in practice, the Board has no current visibility into the organisation's actual risk exposure. This creates real exposure if a material risk event occurs and any subsequent inquiry (by an auditor, regulator, or in litigation) reveals the framework was not being used as represented.
Does PNPC provide ongoing support after the framework is built, or is it a one-time engagement?
We offer both models depending on client need: a one-time framework build with handover and training for organisations that want to run the framework independently going forward, and an ongoing advisory retainer for organisations that want PNPC to facilitate the quarterly review cycles, refresh the register, and prepare Board/RMC reporting packs on a continuing basis. Many clients start with the former and move to the latter once they experience how much discipline the review cadence actually requires.
How does risk assessment framework design fit with PNPC's broader risk advisory and audit services?
Risk framework design sits within PNPC's Governance, Risk & Compliance (GRC) practice under our broader Risk Advisory pillar, which also covers internal audit, internal financial controls testing, fraud risk assessment, and regulatory compliance advisory. For clients where PNPC also serves as statutory auditor, tax advisor, or compliance retainer client, the risk framework engagement benefits from — but is delivered independently of, where auditor-independence rules require it — the institutional knowledge PNPC already holds about the business.
Why should we engage PNPC rather than a generic risk consulting firm or build the framework in-house?
A generic risk consulting firm can deliver a technically sound framework but typically lacks the day-to-day statutory compliance context — how the framework interfaces with Section 134(5)(e) internal financial controls certification, the statutory audit process, or India-UAE cross-border regulatory risk. Building in-house without external facilitation is possible but commonly stalls at the risk appetite statement stage (a genuinely difficult document to draft objectively from inside the organisation) and rarely sustains the review cadence without external accountability. PNPC combines CA-level regulatory and financial fluency with dedicated risk framework methodology, and — because we are a practising firm present since 1986 across India and the UAE — we remain available for the ongoing review cycles, not just the initial build.
| Feature | Generic Risk Template / Software | Boutique GRC Consultant | PNPC Global |
|---|---|---|---|
| Regulatory anchoring | Generic — not mapped to Companies Act or SEBI LODR specifics | Often strong on GRC methodology, may lack day-to-day statutory compliance depth | Framework explicitly mapped to Section 134(5)(e), Section 177, and SEBI LODR Regulation 21 where applicable |
| Risk appetite statement | Generic boilerplate wording — not calibrated to your revenue, capital base, or actual risk categories | Usually included, methodology varies | Facilitated Board-level drafting anchored to your actual financial scale and objectives |
| Understanding of your financials | None — generic inputs only | Limited unless separately engaged for financial diligence | Where PNPC serves as auditor/advisor, deep pre-existing financial and compliance context (with independence walls respected) |
| India-UAE cross-border risk | Not addressed | Rarely covered unless a specialist cross-border firm | Native coverage from Chennai/Bangalore/Hyderabad AND Dubai offices under one engagement |
| Sustained review cadence | No support after purchase | Varies — often ends after initial delivery | First review cycles built into scope; ongoing retainer option to keep cadence alive |
| Control mapping to IFC | Not connected | Sometimes connected, depends on consultant background | Directly interfaces with internal financial controls documentation supporting Section 134(5)(e) |
| Board presentation & buy-in | Self-service — client presents own template | Often included | PNPC presents directly to Board/Audit Committee, incorporates feedback, secures documented approval |
| Post-build accessibility | None | Depends on engagement terms | Direct access to your engagement CA by phone and WhatsApp — not a support ticket |
| Approach to sizing | One-size-fits-all template | Usually scoped appropriately | Explicitly right-sized — we tell clients when a full COSO build is overkill for their stage |
What the PNPC package includes
- 01
Scoping conversation to assess your actual regulatory obligations — SEBI LODR RMC applicability, Section 134(5)(e) IFC context, sector-specific requirements
- 02
Structured risk identification workshops across finance, operations, compliance, HR, and IT functions
- 03
Risk Appetite Statement drafted for Board discussion and approval
- 04
Risk register built and scored using a likelihood-impact methodology calibrated to your organisation's actual financial scale
- 05
Control mapping linking each material risk to existing and required mitigating controls
- 06
Named risk ownership and escalation protocol design — not department-level, individual-level accountability
- 07
Risk Management Committee or Audit Committee charter drafting, where applicable under SEBI LODR or as a governance best practice
- 08
Key Risk Indicator (KRI) design for your top-priority risks — an early-warning layer, not just a periodic snapshot
- 09
Board or Audit Committee presentation and facilitated approval session
- 10
Complete documentation set: Risk Management Policy, risk register, appetite statement, committee charter, and board reporting template
- 11
Review cadence design and internal risk-owner training so your team can run the framework independently
- 12
Optional ongoing advisory retainer to facilitate quarterly reviews and keep the framework current as the business evolves
Speak directly with a PNPC Chartered Accountant about your organisation's risk governance — not a generic GRC template salesperson. A practising CA who understands your financial statements, your compliance history, and — where relevant — your India-UAE structure, and who will still be advising you when the framework faces its first real test.