Companies Act 2013 - Risk Management Provisions
Mandatory risk management framework under Sections 134(3)(n) and 177(4) requiring top listed companies to establish board-level risk committees and disclose risk mitigation strategies in directors' reports.
The Companies Act 2013, administered by the Ministry of Corporate Affairs (MCA), introduced comprehensive risk management provisions primarily through Section 134(3)(n), which mandates risk disclosure, and Section 177, which establishes risk management committees. Rules amended in 2021 require the top 1000 listed companies by market capitalisation to constitute a Risk Management Committee with a majority of board members, complemented by Regulation 21 of SEBI LODR. The Act shifts risk management from voluntary best practice to statutory compliance, requiring systematic identification, assessment and mitigation of internal and external risks, including cyber security, environmental and ESG factors.
- Board-level accountability with mandatory Risk Management Committee ensures top management focus on strategic and operational risks rather than delegating solely to management
- Enhanced investor confidence through mandatory annual disclosure in Board's Report under Section 134(3)(n) covering risk elements, assessment procedures and mitigation plans
- Integration with related provisions like Section 143 (auditor reporting on adequacy of internal financial controls) creates comprehensive governance architecture
- Specific focus on top 1000 listed entities ensures material risks affecting systemically important companies receive appropriate board oversight and resource allocation
- Alignment with international frameworks like COSO ERM and ISO 31000 facilitates cross-border operations and foreign investment by demonstrating robust governance
- Lack of prescriptive standards on risk taxonomy, assessment methodologies or appetite frameworks leads to significant variation in quality and depth across companies
- Many companies treat risk management as a compliance checklist exercise with perfunctory disclosures rather than embedding a risk culture across organizational levels
- Insufficient expertise among board members on emerging risks like climate change, AI/technology disruption and cyber threats limits effectiveness of Risk Management Committees
- No mandatory requirement for a Chief Risk Officer position or dedicated risk management resources below the top 1000 companies, despite complex business environments
- Weak enforcement mechanism with MCA rarely penalizing inadequate risk disclosures unless coupled with actual fraud or financial irregularities
- The IL&FS crisis (2018) exposed inadequate board-level risk oversight despite the existence of a Risk Management Committee: concentrated infrastructure exposure, ALM mismatches and governance failures went unidentified until systemic default triggered a Rs 91,000 crore liability crisis.
- Yes Bank's Rs 50,000 crore exposure concentration to stressed corporates such as DHFL, the Anil Ambani group and Cox & Kings during 2015-19 demonstrated the failure of its risk management framework to enforce sectoral limits despite the existence of a board committee, leading to the RBI reconstruction scheme in March 2020.
- Vedanta Limited faced stakeholder backlash and the closure of its Sterlite Copper plant at Tuticorin in 2018, partly due to inadequate disclosure of environmental and social risk assessment in its annual reports, despite Section 134(3)(n) requiring identification of material risks, including regulatory and community risks.
- Adopt comprehensive Enterprise Risk Management frameworks with clearly articulated risk appetite statements approved by board and cascaded through business units with quantified tolerance limits
- Establish a dedicated Risk Management Function with a qualified Chief Risk Officer reporting independently to the Risk Committee, separate from internal audit, with adequate technology infrastructure for real-time monitoring
- Enhance board competency through targeted training on emerging risks including climate-related financial disclosures aligned with TCFD, cyber security frameworks and technology disruption scenarios
- Move beyond boilerplate disclosures to provide meaningful Section 134(3)(n) commentary on the top 10 risks, with likelihood-impact assessment, the specific mitigation actions taken and residual risk exposure, quantified where possible
Updated 6/4/2026 · refreshed weekly