Practice Area
Risk Advisory
We map the legal and regulatory risks a business is actually carrying — contractual, corporate, compliance, and enforcement — and turn the map into a ranked, costed work plan. For boards, CFOs, and investors who want to know what can hurt them before it does.
Every business is carrying legal risk it has not priced. Some of it is visible — the dispute already in correspondence, the licence renewal already overdue. Most of it is not: the contract that reads well but will not be enforced as written, the regulatory perimeter that moved while the product scaled, the corporate record that no longer proves who owns what. Risk advisory is the discipline of finding that exposure deliberately, on the company's own timetable, instead of having it found by a regulator, a counterparty, or an investor's diligence team.
The method matters more than the label. We do not audit everything; we scope a perimeter with management, review the documents and the record inside it, and map the business against the regimes that actually govern it — the Companies Act, 2017 and its filing machinery, the Contract Act, 1872 as Pakistani courts actually apply it, the AML and beneficial-ownership expectations that flow down from the Anti-Money Laundering Act, 2010, competition exposure under the Competition Act, 2010, data and systems exposure under the Prevention of Electronic Crimes Act, 2016, and the sectoral frameworks specific to the client. Each finding is stated with its legal basis as of the review date, because risk advice without an as-of date is folklore.
The output is a ranked register, not a memo. Boards do not need forty pages; they need to know the five things most likely to cost real money, what each would cost, and what fixing it costs instead. We rank by expected loss and write for a non-lawyer reader. Behind the summary sits a working schedule detailed enough that our conclusions can be tested — by the board, by a successor advisor, or by a diligence team eighteen months later reading the same documents.
Then the work turns practical. A risk register that is filed and forgotten is worse than none, because it proves knowledge. Every review ends in a remediation plan — filings to make, contracts to renegotiate, licences to apply for, policies to implement rather than merely adopt, and risks that are rationally accepted or insured. We execute the legal items ourselves where instructed, and we refresh the register on a cycle so the answer the board holds stays true.
Two audiences use this practice most. Enterprises use it as governance: a standing, independent check that management's assurances about compliance would survive contact with a regulator. Fintechs and other regulated or nearly-regulated businesses use it as navigation: knowing precisely where the licensing perimeter sits before a product launch crosses it. In both cases the position stated is as of the engagement date, July 2026 for this page, and confirmed against current law each time — regulatory perimeters in Pakistan move, and the value of the map is that it is redrawn.
When Businesses Need This
The moments this practice exists for.
- 01You are about to raise capital or sell, and you want to find the problems before the other side's diligence team finds them.
- 02The board has asked management a simple question — what are our top legal risks — and nobody can answer it in one page.
- 03A regulator has written to a competitor, and you do not know whether the same letter is coming to you.
- 04You have grown fast: new products, new provinces, new hires — and the contracts, licences, and policies were written for the company you were three years ago.
- 05A bank or payment partner has asked for your AML, sanctions, or beneficial-ownership position and the honest answer is a shrug.
- 06You are entering a regulated adjacency — payments, lending, insurance distribution, data-heavy services — and need to know what licence line you are about to cross.
- 07An incident has happened — a data breach, a fraud, a serious contract default — and you want the exposure assessed under privilege before decisions are made.
How It Works
The process, stage by stage.
1
Scoping
A working session with management to fix the perimeter: which entities, which business lines, which geographies, and which risk families are in scope. We agree what "material" means for you in rupees and in consequence, so the review reports against your thresholds rather than generic ones.
2
Document and record review
We review the corporate record, key contracts, licences and registrations, financing and security documents, employment framework, and any live or threatened disputes and notices. Where the paper is thin, that absence is itself a finding.
3
Regulatory exposure mapping
We map the business against the regimes that actually apply to it — company law, tax touchpoints, sectoral licensing, competition, AML, data and electronic-crimes exposure — and identify where the business is operating outside, ahead of, or in the grey zone of a regime. Each exposure is stated with its legal basis as of the review date.
4
Risk register and ranking
Findings go into a single register: the risk, its legal source, the realistic worst case, the likelihood as we assess it, and the fix. We rank by expected cost, not by how alarming the statute sounds. The register is written so a board member can read it without a lawyer beside them.
5
Remediation plan
For the risks worth fixing, we produce a sequenced plan — what to paper, what to file, what to renegotiate, what to disclose, and what simply to insure or accept — with owners and timelines. We can execute the legal items ourselves or hand the plan to your team.
6
Periodic refresh
Risk maps age. On a retainer we refresh the register on an agreed cycle and on trigger events — new product, new investor, new regulation — so the board's one-page answer stays current.
The Legal Framework
The law this work runs on.
- Companies Act, 2017
- The baseline for corporate risk: directors' duties, related-party approvals, beneficial-ownership reporting, and the filing record that regulators and counterparties read first. As of July 2026 this is where most SME risk reviews find their first ten findings.
- Contract Act, 1872
- Governs the enforceability of the contracts the business depends on — including the treatment of penalties and liquidated damages, restraint-of-trade clauses, and indemnities. Much contractual "risk" is drafting that assumes foreign law positions Pakistani courts do not take.
- Anti-Money Laundering Act, 2010
- With its subordinate regulations, this drives the AML, CFT, and beneficial-ownership expectations that banks and regulated partners pass down to ordinary businesses. Reporting-entity status and specific obligations are confirmed per client [SCOPE — TO BE VERIFIED BY REVIEWING LAWYER].
- Competition Act, 2010
- Prohibits abuse of dominance, restrictive agreements, and deceptive marketing, and requires clearance of notifiable mergers. Growing businesses cross its thresholds without noticing; the Competition Commission of Pakistan enforces with penalties calculated on turnover.
- Prevention of Electronic Crimes Act, 2016
- The criminal overlay on data and systems: unauthorised access, data breaches, and online content exposure. Relevant to any business holding customer data at scale. As of July 2026 a dedicated general data-protection statute remains pending, so PECA and sectoral rules carry the weight [LEGISLATIVE STATUS — TO BE VERIFIED BY REVIEWING LAWYER].
- Foreign Exchange Regulation Act, 1947
- With the State Bank's Foreign Exchange Manual, this governs cross-border payments, foreign shareholding mechanics, and repatriation — a recurring risk area for companies with foreign investors or foreign-currency revenue.
- Listed Companies (Code of Corporate Governance) Regulations, 2019
- Directly binding on listed companies and a de facto benchmark for larger unlisted ones, particularly where institutional investors sit on the board. Cited here as the governance yardstick, applied as of July 2026 [CURRENT VERSION — TO BE VERIFIED BY REVIEWING LAWYER].
Statutory references are stated as of the page’s as-of date and flagged where verification is pending; the law moves, and the current position should be confirmed before relying on it.
Common Mistakes
The errors we see most — and their price.
- Confusing an audit with a legal risk review — the statutory audit tests the accounts, not the contracts, licences, or filing record.
- Ranking risks by how frightening the statute is rather than by expected cost, so effort goes to remote criminal exposure while a lopsided customer contract bleeds the business monthly.
- Assuming licences follow the business — a model that was unregulated at launch can become licensable as it scales or as the regulator's perimeter moves.
- Papering over findings instead of fixing them: a policy document without implementation is discoverable evidence that you knew.
- Running incident reviews over email with no privilege discipline, so the candid internal assessment becomes the other side's best exhibit.
- Treating group companies as one company — risk sits per entity, and a clean holding company does not launder a non-compliant subsidiary.
- Waiting for the transaction to order the review, when the discount an investor takes for a known-and-fixed issue is a fraction of what they take for a discovered one.
Representative Scenarios
The shape of the work.
Illustrative scenarios, not case reports — composites drawn to show how matters of this kind run.
- —A logistics company preparing for a private-equity minority raise commissioned a pre-diligence risk review; the top findings — uncompleted share transfers and an unlicensed ancillary activity — were fixed in eight weeks, before the investor's lawyers arrived.Illustrative
- —A fintech operating under a partner's licence mapped its own regulatory perimeter and learned which product changes would push it into direct licensing, with a timeline for applying before launch rather than after.Illustrative
- —A family-owned manufacturer's board received its first one-page legal risk register: two contract exposures, one tax withholding gap, and one environmental consent issue, ranked and costed — illustrative of the standing output on a retainer.Illustrative
- —After an internal fraud, a services firm ran the investigation under external-counsel privilege, quantified the exposure, and made the disclosure and recovery decisions on assessed rather than assumed facts.Illustrative
Questions, Answered
What clients ask about risk advisory.
Same toolkit, different client and moment. Due diligence is done on a target for a buyer or investor, once, at a transaction. Risk advisory is done for the business itself, on its own timetable, so problems are found and fixed while they are cheap. Many clients commission it precisely because a transaction is eighteen months away.
A risk register — typically one summary page for the board and a working schedule behind it. Each entry states the risk, its legal basis as of the review date, our assessment of likelihood and worst case, and the recommended fix with an owner. No hundred-page memo; the schedule exists so the one page is defensible.
As of July 2026, the recurring five: an SECP record that does not match reality; key contracts with unenforceable or one-sided terms; tax withholding and documentation gaps; missing or expired sectoral licences and consents; and employment paperwork that would not survive a dispute. None is exotic. All are cheaper to fix than to litigate.
This is a fair concern and we structure for it. The review is conducted under legal-professional privilege as engagement counsel, findings are communicated with privilege discipline, and remediation is framed prospectively. Privilege under Pakistani law has limits — particularly once documents circulate beyond the client — so we agree the handling protocol before the first document is requested.
We identify tax exposures at the level of legal structure and documentation — withholding obligations, contract characterisation, intercompany arrangements — and flag where specialist tax computation or representation is needed. Where the risk is a live FBR dispute, we work alongside your tax advisors rather than duplicating them.
No. Your compliance function runs the day-to-day obligations under your licence. Risk advisory sits above it: testing whether the perimeter assumptions still hold, whether new products cross a licensing line, and whether the group structure and contracts match what was represented to the regulator. It is the periodic outside check on the framework your team operates.
For a single operating company with reasonable records, typically four to eight weeks from document delivery to board presentation. Groups, regulated businesses, and companies with thin records take longer — usually because the document-gathering itself surfaces the first findings. The scoping stage produces a firm timeline before work begins.
Scoped reviews are quoted as a fixed or capped fee in the engagement letter; standing retainers are priced on entity count and refresh cycle [FEE STRUCTURE — TO BE CONFIRMED BY THE FIRM]. The scoping session is where the perimeter, and therefore the price, gets fixed — we do not open-endedly bill a review.
Who To Call
Related Insights
Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified
This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.
