The First Counsel

The Advisory Hub

Legal Risk Advisory

How a Pakistani business identifies, ranks, and manages the legal risks it is actually carrying — and how to build the one-page answer a board is entitled to expect.

Every board in Pakistan can get a cash position from its CFO and an audit opinion from its auditor. Very few can get a straight answer to a simpler question: what are the legal risks this company is carrying, ranked, on one page? Legal risk advisory is the discipline that produces that page — and, more importantly, the register behind it and the cycle that keeps it true. This page explains what the discipline involves for a Pakistani business, written for the CEO, CFO, or director who has to commission it, as of mid-2026.

The term is used loosely, so it is worth fixing. A legal risk is an exposure whose trigger is a legal mechanism: a contract that can be enforced against you, a statutory duty you are breaching, a licence condition you are outside, a limitation period running in your favour or against you. It differs from general business risk in one decisive respect — legal risks crystallise through process. A regulator issues a notice; a counterparty invokes a clause; a court applies a statute. Because the mechanism is knowable in advance, legal risk is unusually mappable: the statute says what the penalty is, the contract says what termination costs, the filing record says what is late. A legal risk review is not prophecy. It is reading documents the company already has against laws that already exist, and stating what they add up to.

The risk families, for a Pakistani business

The map differs by company, but for most Pakistani businesses the exposures cluster into six families, each anchored in identifiable instruments.

Corporate-record risk. Defaults under the Companies Act, 2017 — late or missing returns, unminuted decisions, defective appointments, unreported changes in shareholding or beneficial ownership. Individually small, these compound into penalties that can name officers personally and into a record that degrades every future transaction. This family is almost always where a first review finds its earliest findings, because the evidence is a filing history anyone can pull.

Contract risk. The obligations the company has actually signed, read against the Contract Act, 1872 and Pakistani enforcement reality. Foreign-template drafting is the recurring problem: penalty clauses and broad restraints that Pakistani courts treat differently from the jurisdictions the templates came from, indemnities wider than the insurance behind them, and arbitration clauses whose seat and rules nobody chose deliberately. The exposure is not that the contracts are bad; it is that management's mental model of them is wrong.

Regulatory and licensing risk. Operating outside, ahead of, or in the grey zone of a regime — the SECP's remit, State Bank territory under the Foreign Exchange Regulation Act, 1947 for anything touching cross-border payments, sector licensing, and competition exposure under the Competition Act, 2010, whose merger-clearance thresholds and marketing-conduct rules growing companies cross without noticing. The Competition Commission of Pakistan calculates penalties by reference to turnover, which is why this family ranks high on expected cost even at modest likelihood.

Financial-crime and counterparty risk. The Anti-Money Laundering Act, 2010 and its subordinate framework drive the beneficial-ownership and screening expectations that banks and regulated partners pass down the chain — so a business can carry AML-shaped risk commercially even where its own reporting-entity status is arguable [SCOPE — TO BE VERIFIED BY REVIEWING LAWYER]. The practical exposure is often a debanking letter, not a prosecution.

Data and technology risk. Exposure under the Prevention of Electronic Crimes Act, 2016, contractual data-protection commitments made to foreign customers that exceed anything Pakistani law yet requires, and the moving status of dedicated data-protection legislation, which should be verified as at the review date [LEGISLATIVE STATUS — TO BE VERIFIED BY REVIEWING LAWYER].

Tax and disputes. The positions being taken under the Income Tax Ordinance, 2001 and the Sales Tax Act, 1990 that an FBR audit would test, plus the live dispute portfolio — each matter stated with a realistic worst case rather than the optimistic number litigation counsel gives by default.

The register: one row per risk

The output that makes the exercise useful is a register in which every risk is one row with five entries: the risk in plain language; its legal source, named — the section, the regulation, the clause; the realistic worst case in rupees and consequence; the likelihood as honestly assessed; and the fix, with an owner and a date. The discipline of the five entries is the analysis. A risk that cannot be traced to a legal source is a worry, not a risk; a risk with no worst case attached cannot be ranked; a risk with no owner will be in next year's register unchanged.

Ranking is by expected cost — likelihood against consequence — not by statutory drama. An offence carrying imprisonment that no regulator has enforced in a decade may rank below a routine contract exposure that crystallises annually. Boards are poorly served by registers sorted by fear.

Every row then takes one of three treatments, and the third is the one companies avoid writing down. Treat: fix it — file, ratify, renegotiate, apply for the licence. Transfer: insure it or shift it contractually. Accept: decide, eyes open, to carry it — and minute that decision at board level, because an accepted risk with a minuted rationale is a business judgment, while the same risk undocumented looks, in hindsight, like negligence. Sections 204 and 205 of the Companies Act, 2017 make the difference between those two characterisations a matter of personal consequence for directors.

Running the cycle

A register is a photograph; the value is the film. The workable cycle is an annual full refresh, a quarterly review of the top ten at board level, and event-driven updates on defined triggers — a new product, province, investor, regulation, or dispute. Two disciplines keep the cycle honest. First, privilege: a candid register is a roadmap for an adversary, so it should be prepared through counsel, marked, and circulated narrowly, with the protection of Articles 9 and 12 of the Qanun-e-Shahadat Order, 1984 in mind from the first draft. Second, closure: each cycle should begin by scoring the last one — which fixes were actually done — because a register that carries the same red rows year after year is not a risk process but a confession, renewed annually. The companies that get value from this discipline are not the ones with the fewest risks. They are the ones whose boards could, on any given Tuesday, produce the page.

The Checklist

Legal risk register build checklist

The steps to build a legal risk register a board can actually use, in order.

  • Fix the perimeter first: which entities, business lines, and provinces the register covers.
  • Agree with the CFO what materiality means in rupees before scoring anything.
  • List every regulator with jurisdiction over the business, and the instrument that gives it.
  • Pull the SECP filing history for every entity and record each late or missing return as a finding.
  • Test the ten largest contracts by value for termination, indemnity, penalty, and governing-law exposure.
  • Schedule every licence and registration with its conditions, renewal date, and responsible owner.
  • List all live and threatened disputes with a realistic worst case and current status for each.
  • Map every related-party dealing and check it against the approvals section 208 requires.
  • Record the tax positions being taken that an FBR audit would test, with the sums at stake.
  • Identify data, AML, and sanctions exposure by tracing actual money and data flows, not policies.
  • State each risk with its legal source, worst case, likelihood, and the fix — one row each.
  • Rank rows by expected cost, not by how severe the statute sounds.
  • Assign every row an owner by name and a review date; unowned risks are unmanaged risks.
  • Mark each row treat, transfer, or accept — and get the accept decisions minuted by the board.
  • Check the register itself for privilege handling before it circulates beyond the board.
  • Set the refresh triggers: new product, new province, new investor, new regulation, new dispute.
  • Put the top ten on one page and table it at the next board meeting.

Questions, Answered

What clients ask most.

The statutory audit tests whether the financial statements fairly present the company's position; it examines legal matters mainly through disclosed litigation and contingencies. A legal risk review reads the underlying position — contracts, licences, filings, regulator exposure — and asks what could hurt the company, not how last year is reported. The two overlap at the provisions line and almost nowhere else.

One named person — the general counsel where one exists, otherwise the CFO with external counsel behind them — with the board receiving the top-ten page on a fixed cycle. Under sections 204 and 205 of the Companies Act 2017, directors' duties of care and diligence make oversight of material risk part of the board's own job, which is a polite way of saying the register protects the directors as much as the company.

A document that candidly lists your legal exposures is exactly what an opposing party or investigator would want, so handling matters. Communications with advocates attract protection under Articles 9 and 12 of the Qanun-e-Shahadat Order, 1984; the position of internally prepared material is less certain [POSITION — TO BE VERIFIED BY REVIEWING LAWYER]. The practical discipline is to prepare the register through counsel, mark it, and control circulation from the first draft.

On a fixed cycle — annually at minimum, and quarterly for the top ten — plus on trigger events: a new product or province, a new investor or lender, a new regulation touching the business, a significant dispute or incident. A register more than a year old describes a company that no longer exists; treating the refresh as a calendar item rather than a project is what keeps the cost proportionate.

That is the single best time. The buyer's or investor's diligence team will build this exact map of your business and price every finding against you or condition the deal on fixing it. Running the review first means the fixable items — filings, approvals, contract repairs — are fixed on your timetable, and the residual items are disclosed on your terms with an explanation attached rather than discovered with leverage attached.

The full FAQ Center

Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified

This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.

Every matter begins with a first conversation.

Contact the Firm