The Risk Committee Imperative: Why More Indian Boards Are Creating Dedicated Risk Oversight Structures
The audit committee was never designed to carry the full weight of enterprise risk oversight. A growing number of sophisticated Indian boards are recognising this — and acting on it.
Admin CXO India
Audit committees in India are overloaded. The regulatory requirements have expanded substantially over the past five years — wider related-party transaction oversight, cybersecurity risk review, ESG disclosure assurance, and detailed internal audit oversight — without any corresponding reduction in the committee's traditional financial reporting and compliance mandate. The result, as CXO India's governance advisory team observes repeatedly, is an audit committee that is doing too many things too superficially.
The solution that is gaining traction among India's more governance-forward boards is the separation of risk oversight into a dedicated risk committee. This structure — long established in the financial services sector where RBI mandates it — is now being voluntarily adopted by non-financial listed companies that recognise the limitation of the current structure. CXO India's 2025 governance survey found that 23% of NSE 100 non-financial companies now operate a risk committee separate from the audit committee, up from 14% three years ago.
The risk committee model works best when it is designed deliberately rather than by default. The most common mistake is treating it as an administrative separation — moving items from one committee agenda to another — rather than a substantive redesign of how the board engages with enterprise risk. Effective risk committees develop a risk appetite framework in genuine dialogue with management, maintain a dynamic risk register that is honest about uncertainty, and have explicit protocols for escalating emerging risks to the full board before they reach crisis level. The directors who serve on these committees most effectively are those who bring operational experience in managing enterprise risk — not just financial risk, but operational, reputational, and strategic risk in its full complexity.