The First Counsel

Advisory

Corporate & Legal Advisory in Pakistan: The Complete Guide

What general counsel work actually is, the fractional-GC model, governance under the Companies Act 2017 and the SECP codes, risk and policy architecture, compliance calendars, investor readiness, the legal health check — and what happens when advisory becomes defense.

This guide states the position as of July 2026. It is general information, not legal advice. Regulatory requirements, thresholds, and filing periods change; items that change frequently are marked for verification.

Most Pakistani businesses buy legal services the way they buy fire extinguishers: after the smoke. A lawyer is engaged when the notice arrives, the deal is signed, or the dispute is filed — which means the lawyer inherits decisions instead of shaping them. Corporate and legal advisory is the opposite arrangement: continuous counsel that sits inside the company's decisions, so that the contract is negotiated before signature, the regulator is answered before the deadline, and the dispute is priced before it exists. Large companies institutionalise this as a general counsel's office. Everyone else has to build it deliberately — and in Pakistan's regulatory environment, where the SECP, FBR, State Bank, Competition Commission, provincial authorities, and the criminal enforcement agencies all touch an ordinary operating company, building it deliberately is worth more than most companies realise.

This is the pillar page for our advisory hub. The cluster articles beneath it go deep on individual topics; this page gives you the architecture.

What general counsel work actually is

Strip the title away and general counsel work is four functions.

First, decision support: reading the legal dimension of commercial choices before they are made — the contract's real risk allocation, the regulatory perimeter of a new product, the employment consequences of a restructuring — and stating it in terms a board can act on. The output is rarely a memorandum; it is a sentence in a meeting at the right time.

Second, document control: owning the company's contractual estate. What the company has signed, with whom, expiring when, renewing on what terms, with which obligations nobody is tracking. Most Pakistani companies cannot answer these questions, and the cost surfaces in renewals accepted by default, warranties given twice, and indemnities discovered during disputes.

Third, regulatory interface: knowing which regulators govern the company, what each expects, and answering them in the register they respect — complete, on time, and without volunteering the next inquiry. In Pakistan this is a genuinely plural task; a single operating company may answer to the SECP for corporate filings, the FBR and a provincial revenue authority for tax, EOBI and a provincial social security institution for payroll, the Competition Commission of Pakistan for conduct and mergers, and a sector regulator besides.

Fourth, dispute posture: deciding, before disputes arrive, which ones the company will fight, settle, or design out of its documents — and preserving the evidence and privilege that the chosen posture will need.

None of this requires a full-time hire. All of it requires continuity — a counsel who knows the company on Tuesday because they knew it on Monday.

The fractional general counsel model

Between the first serious contract and the day a full-time general counsel is affordable, most Pakistani companies run on ad hoc legal work: a lawyer for the lease, another for the dispute, a consultant for the filings. The fractional GC model replaces that scatter with one relationship: an external counsel engaged on a continuing basis — a defined monthly rhythm of availability, attendance, and review — who carries the company's context between matters.

What the engagement typically includes: a standing channel for day-to-day questions with agreed response times; review of contracts above an agreed threshold before signature; maintenance of the compliance calendar and supervision of the filings; quarterly review of the risk register with management; attendance at board meetings where wanted; and coordination of specialists — tax, employment, disputes, criminal — when a matter needs depth, so the company buys expertise through one accountable counsel rather than managing five firms itself.

What it deliberately excludes matters as much: the fractional model is not a discount on litigation or transactions, which are scoped and priced separately when they arise. Its economics work because prevention is cheaper than cure and because context, once built, makes every subsequent answer faster. Fee structure is set by engagement letter [FEE STRUCTURE — TO BE CONFIRMED BY THE FIRM].

The model fits three situations particularly well: funded startups between rounds, whose investors expect governance the founders have not yet built; established SMEs whose legal exposure has outgrown the owner's personal lawyer; and Pakistani subsidiaries of foreign groups, which need a local counsel who can translate between the group's compliance expectations and Pakistani practice.

Governance under the Companies Act, 2017 and the SECP codes

The Companies Act, 2017 is the constitution of every Pakistani company, and its governance provisions are not optional formality — they are the standard against which directors' conduct is later judged by the SECP, by courts, and by investigating agencies.

The load-bearing elements, in outline. Boards: a private company needs at least two directors (one for a single member company), a public company three, a listed company seven, elected for fixed terms with the Act's procedures for election and removal [CURRENT REQUIREMENTS — TO BE VERIFIED BY REVIEWING LAWYER]. Directors' duties: the Act codifies what the general law implied — directors act in good faith, in the company's interest, with due care and skill, and must not derive undue advantage; breach is actionable and, in the enforcement climate of the last decade, increasingly acted upon [SECTION REFERENCES — TO BE VERIFIED BY REVIEWING LAWYER]. Related party transactions: dealings with directors, their relatives, and associated companies require the prescribed board (and in defined cases shareholder) approvals, arm's-length justification, and record-keeping under the Act and the SECP's related regulations — this is among the most common findings in Pakistani governance reviews [APPLICABLE PROVISIONS AND REGULATIONS — TO BE VERIFIED BY REVIEWING LAWYER]. Officers: companies above prescribed thresholds must appoint a company secretary, and auditors are mandatory above modest thresholds; listed companies add a CFO, internal audit, and the committee structure. Records and filings: statutory registers, minutes actually kept, ultimate beneficial ownership information maintained and reported as required [CURRENT UBO REQUIREMENTS — TO BE VERIFIED BY REVIEWING LAWYER], and event-driven filings within their windows.

Above the Act sit the codes. The Listed Companies (Code of Corporate Governance) Regulations, 2019 govern listed companies through a mix of mandatory requirements and comply-or-explain provisions: independent directors, female representation on the board, audit and human resource committees, and disclosure duties [CURRENT REQUIREMENTS — TO BE VERIFIED BY REVIEWING LAWYER]. State-owned enterprises answer to the public sector governance framework [CURRENT INSTRUMENT — TO BE VERIFIED BY REVIEWING LAWYER]. Unlisted companies are not bound by the listed code, but investors, lenders, and acquirers increasingly measure them against it — which makes the code a useful voluntary benchmark long before listing is contemplated.

The practical counsel is simple: run the company as if the record will one day be read by someone hostile, because in any SECP inquiry, shareholder dispute, or investigation, it will be. Minutes that record actual deliberation, approvals obtained before the transaction rather than after, and filings that match reality are the whole game.

Risk architecture

Risk management in most companies is a spreadsheet nobody reads. A working risk architecture is smaller and harder: an honest register of the ten to twenty risks that could actually hurt the company, each with an owner, a current control, and a review date — maintained as a living document that the board sees quarterly.

For a Pakistani operating company the register usually spans five families. Regulatory: the perimeter of every regulator that touches the business, with the licences, filings, and inspection exposure under each — SECP, FBR and provincial revenue authorities, SBP where foreign exchange or finance is involved, CCP, labour and social security authorities, and the sector regulator if any. Contractual: concentration in key customers or suppliers, uncapped liabilities, expiring terms, and the obligations nobody is tracking. People: misclassification, key-person dependence, and the employment-law stack covered in our Employment & HR hub. Financial-crime exposure: the areas where an ordinary commercial problem can be recharacterised — related party dealings, government touchpoints, tax positions, and anything involving public money, where the National Accountability Ordinance, 1999 and the Anti-Money Laundering Act, 2010 sit in the background. Data and technology: system dependence and the obligations under the Prevention of Electronic Crimes Act, 2016, with a general data protection statute still pending as of mid-2026 [STATUS — TO BE VERIFIED BY REVIEWING LAWYER].

Two instruments make the architecture operational. A delegation of authority matrix — who may sign what, up to what value, with whose counter-approval — so that authority is designed rather than assumed. And an escalation protocol: the defined events (regulator contact, litigation threat, data incident, raid) that must reach counsel and management within hours, with the first steps scripted in advance. Companies do not rise to the occasion in a crisis; they fall to the level of their preparation.

The policies architecture

Policies fail in two opposite ways: the company that has none, and the company that has forty, downloaded, unread, and contradicted by daily practice. A policy the company does not follow is worse than no policy — it is documentary evidence that the company knew the standard and ignored it.

Build in three tiers. Tier one, constitutional: the memorandum and articles, the shareholders' agreement if any, and board terms of reference — the documents that allocate power. Tier two, board-approved policies, kept short and few: a code of conduct; the anti-harassment code the law requires (see the Employment & HR hub); a related party transactions policy that operationalises the Act's requirements; financial authority and procurement limits; a whistleblowing channel; anti-bribery and gifts rules, which matter acutely wherever the business touches government; and data and information security. Where the company is in a regulated sector, the AML/CFT framework its regulator prescribes joins this tier [APPLICABLE SECTORAL REQUIREMENTS — TO BE VERIFIED BY REVIEWING LAWYER]. Tier three, operating procedures owned by management — HR processes, finance SOPs, contract playbooks — which change without board ceremony.

Three disciplines keep the architecture honest. Every policy has an owner and a review date. Every policy is trained, briefly, to the people it governs, with attendance recorded. And the set is pruned annually: a policy no one can name the owner of is a liability, not an asset.

Compliance calendars

Most regulatory penalties in Pakistani companies are not defiance; they are the absence of a list. The compliance calendar is that list: every recurring obligation, its statutory deadline, its owner, and the evidence that it was done.

The recurring skeleton for an ordinary private company: SECP — the annual return and financial statements within their prescribed periods, the AGM where required, and event-driven filings (directors, registered office, allotments, transfers, charges) within their windows [CURRENT PERIODS — TO BE VERIFIED BY REVIEWING LAWYER]. FBR — monthly withholding statements, monthly sales tax returns where registered, the annual income tax return, and responses to notices within their own deadlines. Provincial — services sales tax returns to the PRA, SRB, or counterpart; professional tax; shops-and-establishments and labour registrations and renewals. Payroll — monthly EOBI and social security contributions. Sectoral — licence renewals, regulatory returns, and the CCP's requirements where merger clearances or exemptions carry conditions.

Three design rules. The calendar names people, not departments — an obligation owned by "Finance" is owned by no one. It records evidence — the filed acknowledgment, the payment receipt — because in an inspection the question is never whether you complied but whether you can show it. And it is reconciled quarterly against reality: new hires, new offices, new products, and new thresholds all add lines, and the calendar that is not maintained decays into false comfort within a year.

Working with regulators day to day

Between the calendar's routine filings and the investigations discussed below sits the ordinary correspondence of regulated life: information requests, inspection visits, show-cause notices, and audit selections. How a company answers these determines whether they stay ordinary.

Five disciplines apply to every regulator. Answer within the deadline, or seek the extension in writing before it expires — a late reply converts a query into a finding. Answer the question asked, completely and accurately, without volunteering the adjacent matter; completeness and volume are different things. Keep one channel: a single counsel or officer who signs every response, so the company never contradicts itself across letters. Preserve the file — every notice, every reply, every acknowledgment — because regulatory matters are decided on paper trails and the regulator keeps its copy. And treat a show-cause notice as the serious instrument it is: it is the regulator's case stated in advance, the reply is the company's evidence, and the quality of that reply usually decides whether the matter ends in a warning, a penalty, or an escalation. A show-cause answered casually by an accounts officer has foreclosed defenses that counsel could have preserved.

The same logic governs voluntary contact. Where the company discovers its own non-compliance — a missed filing, an unregistered charge, an unreported allotment — most regimes are measurably kinder to the company that approaches the regulator first, with the default cured and counsel's framing around it, than to the one discovered later. Whether and how to self-report is a judgment call that belongs with counsel, made matter by matter; but the option only exists for companies that find their own problems, which is what the health check below is for.

Investor and board readiness

Diligence is a test the company sits long before it knows the date. Investors, lenders, and acquirers all ask for the same corpus: the constitutional documents and every amendment; the statutory registers and filings, reconciled; the cap table with the authority behind every issue and transfer; board and shareholder minutes that actually record decisions; material contracts, signed and stamped; the IP assignments; the employment stack and payroll registrations; tax filings and open notices; licences; and litigation. A company that maintains this corpus continuously — a standing data room, updated as events occur — closes rounds and sales weeks faster and concedes fewer price adjustments than one that assembles it under deadline. Every gap discovered in diligence is negotiated against you; every gap fixed in advance is invisible.

Board readiness is the same discipline applied to governance. A board pack that arrives on time, states each decision sought, and records the outcome in minutes that match; resolutions passed before the transaction, not reconstructed after; conflicts declared and minuted. For companies with institutional investors, this is contractual — the shareholders' agreement will prescribe information rights and reserved matters — and the company that treats those clauses as living obligations, rather than closing-day boilerplate, keeps its investors as allies rather than auditors.

A legal health check is a structured, privileged review of the company's entire legal position, conducted the way opposing counsel or an acquirer would conduct it — except the findings go to you, in time to act. It is the single highest-return advisory product for a company that has grown faster than its paperwork.

The scope, typically: corporate records and filings against the SECP's register; the cap table against the authorities behind it; related party arrangements against the Act's requirements; the top twenty contracts for signature, stamping, term, liability, and termination exposure; the employment stack against the audit described in our Employment & HR hub; tax registrations, filings, and open positions; licences and regulatory correspondence; IP ownership and registrations; insurance against the actual risk register; and pending or threatened disputes with an honest reserve against each.

The output is a findings memorandum in three bands — items creating current legal exposure, items that will be diligence findings, and items of hygiene — each with an owner, a cost, and a date. Run the check before every fundraise or sale, after every acquisition, on a change of control or management, and otherwise every couple of years. Conduct it under legal privilege, through counsel, with the findings addressed rather than filed: a health check the company commissions and ignores has documented its own knowledge.

When advisory becomes defense

In Pakistan, the distance between a compliance question and a criminal inquiry is shorter than most boards assume. A tax audit can be recharacterised as concealment and prosecuted; an SECP inspection can become a show-cause and then a reference; a commercial dispute can arrive as an FIA complaint under the Prevention of Electronic Crimes Act, 2016 or a banking-offences file; and anything that touches public money or state-owned counterparties sits within reach of the National Accountability Ordinance, 1999. The Anti-Money Laundering Act, 2010 attaches predicate-offence consequences to matters that began as ordinary business. Advisory work done well anticipates this: it is the difference between a company that meets an investigation with a clean record, asserted privilege, and a scripted first response, and one that improvises.

Three preparations belong in the advisory layer before any trouble exists. A dawn-raid and first-response protocol: who calls counsel, who receives the officers, what is checked on the warrant or authority, how seizure is recorded, and the instruction that no statement is volunteered. A privilege discipline: communications between advocate and client are protected under the Qanun-e-Shahadat Order, 1984 [ARTICLES AND SCOPE, INCLUDING THE POSITION OF IN-HOUSE COUNSEL — TO BE VERIFIED BY REVIEWING LAWYER], and the protection is strongest where legal advice is sought through external counsel and marked and managed as such from the start. And a document-retention and litigation-hold practice, so that when an inquiry begins, preservation is a switch, not a scramble.

This is also where the shape of the adviser matters. The First Counsel pairs corporate advisory with one of Pakistan's deepest white-collar defense practices — NAB references, FIA matters, SECP and regulatory enforcement, asset freezing, and the accountability courts. The pairing is deliberate: the counsel who designed the compliance record is the counsel best placed to defend it, and the defense lawyer's knowledge of how investigations actually unfold is what makes the advisory layer realistic rather than theoretical. Our white-collar and investigations pages, and the White-Collar Handbook in our guides, cover the defensive side in the depth it deserves.

What this means for you

Advisory is architecture, not paperwork. Decide who your counsel is before you need one; put the governance record in order while it is cheap; write the risk register, the policy set, and the compliance calendar as short, owned, living documents; keep the standing data room that diligence will one day demand; run the health check before someone hostile runs it for you; and prepare the first hours of the investigation you hope never comes.

The cluster articles under this hub take each element to working depth — the fractional GC engagement, board and governance practice under the 2017 Act, compliance calendars as usable artifacts, the health check scope, and investigation readiness. The Startup hub covers formation and fundraising; the Employment & HR hub covers the people layer.

The First Counsel provides this work as a practice: continuing general counsel engagements, governance and SECP compliance, policy and risk architecture, transaction and investor readiness, legal health checks, and — when advisory becomes defense — the investigation and enforcement response itself. Fees are set by engagement letter. The useful moment to start is before the question becomes a matter.

The Guides

Every topic in this hub, in depth.

The pillar above gives you the map; each guide below goes deep on one decision, document, or filing.

  1. 01What a General Counsel DoesThe general counsel is the executive who owns a company's legal position — this is what the job actually consists of in Pakistan, and how to tell when your company needs one.
  2. 02The Fractional General Counsel ModelHow a senior lawyer can serve as your general counsel on a defined cadence — what the arrangement covers, how it is structured, and when it stops being enough.
  3. 03Board AdvisoryWhat counsel to a Pakistani board actually involves — composition under the Companies Act 2017, the duties directors personally carry, and the meeting-room disciplines that decide whether a board's decisions survive scrutiny.
  4. 04Legal Risk AdvisoryHow a Pakistani business identifies, ranks, and manages the legal risks it is actually carrying — and how to build the one-page answer a board is entitled to expect.
  5. 05Corporate Governance in PakistanA CEO's map of the governance rules that actually bind a Pakistani company — the Companies Act 2017, the SECP's codes, and the paper record that every investor, auditor and regulator will eventually read.
  6. 06Internal Policies ArchitectureWhich internal policies Pakistani law actually requires, which ones auditors and investors expect, and how to build a policy stack your people will follow rather than sign and forget.
  7. 07Business ExpansionThe legal work behind growing a Pakistani business — a second province, a new entity, a franchise network, an acquisition, or the first step abroad — and the registrations and approvals each route triggers.
  8. 08Investor ReadinessWhat an institutional or strategic investor's lawyers will test in an established Pakistani company — the corporate record and the group, the consent map, the related-party file, tax and disputes, and the shareholders themselves — and how a board runs the readiness programme before the process opens.
  9. 09The Legal Health CheckA privileged, counsel-led audit of your own company — what it covers module by module, how the review is run, what the findings memorandum looks like, and why it is cheapest before a fundraise, a sale, or a notice.
  10. 10Vendor RiskHow a Pakistani company controls the risk that arrives with its vendors — counterparty verification, contract remedies that survive sections 73 and 74 of the Contract Act, 1872, data and confidentiality exposure, AML and beneficial-ownership screening, and the concentration nobody mapped.
  11. 11The Corporate Compliance CalendarThe recurring obligations of an established Pakistani company as one interlocking timetable — the audit, AGM, accounts, and Form A chain under the Companies Act, 2017, the tax year under the Income Tax Ordinance, 2001, the sales tax cycle, and the employer funds — and how a board keeps the machine from drifting.
  12. 12Business StructuringWhen a Pakistani business should become a group — holding companies, subsidiaries versus divisions, family ownership, and the Companies Act and tax provisions that decide whether a reorganization is routine or ruinous.

Working Documents

Take the checklists with you.

Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified

This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.

Every matter begins with a first conversation.

Contact the Firm