The First Counsel

Practice Area

Risk Advisory

We map the legal and regulatory risks a business is actually carrying — contractual, corporate, compliance, and enforcement — and turn the map into a ranked, costed work plan. For boards, CFOs, and investors who want to know what can hurt them before it does.

Every business is carrying legal risk it has not priced. Some of it is visible — the dispute already in correspondence, the licence renewal already overdue. Most of it is not: the contract that reads well but will not be enforced as written, the regulatory perimeter that moved while the product scaled, the corporate record that no longer proves who owns what. Risk advisory is the discipline of finding that exposure deliberately, on the company's own timetable, instead of having it found by a regulator, a counterparty, or an investor's diligence team.

The method matters more than the label. We do not audit everything; we scope a perimeter with management, review the documents and the record inside it, and map the business against the regimes that actually govern it — the Companies Act, 2017 and its filing machinery, the Contract Act, 1872 as Pakistani courts actually apply it, the AML and beneficial-ownership expectations that flow down from the Anti-Money Laundering Act, 2010, competition exposure under the Competition Act, 2010, data and systems exposure under the Prevention of Electronic Crimes Act, 2016, and the sectoral frameworks specific to the client. Each finding is stated with its legal basis as of the review date, because risk advice without an as-of date is folklore.

The output is a ranked register, not a memo. Boards do not need forty pages; they need to know the five things most likely to cost real money, what each would cost, and what fixing it costs instead. We rank by expected loss and write for a non-lawyer reader. Behind the summary sits a working schedule detailed enough that our conclusions can be tested — by the board, by a successor advisor, or by a diligence team eighteen months later reading the same documents.

Then the work turns practical. A risk register that is filed and forgotten is worse than none, because it proves knowledge. Every review ends in a remediation plan — filings to make, contracts to renegotiate, licences to apply for, policies to implement rather than merely adopt, and risks that are rationally accepted or insured. We execute the legal items ourselves where instructed, and we refresh the register on a cycle so the answer the board holds stays true.

Two audiences use this practice most. Enterprises use it as governance: a standing, independent check that management's assurances about compliance would survive contact with a regulator. Fintechs and other regulated or nearly-regulated businesses use it as navigation: knowing precisely where the licensing perimeter sits before a product launch crosses it. In both cases the position stated is as of the engagement date, July 2026 for this page, and confirmed against current law each time — regulatory perimeters in Pakistan move, and the value of the map is that it is redrawn.

When Businesses Need This

The moments this practice exists for.

How It Works

The process, stage by stage.

  1. 1

    Scoping

    A working session with management to fix the perimeter: which entities, which business lines, which geographies, and which risk families are in scope. We agree what "material" means for you in rupees and in consequence, so the review reports against your thresholds rather than generic ones.

  2. 2

    Document and record review

    We review the corporate record, key contracts, licences and registrations, financing and security documents, employment framework, and any live or threatened disputes and notices. Where the paper is thin, that absence is itself a finding.

  3. 3

    Regulatory exposure mapping

    We map the business against the regimes that actually apply to it — company law, tax touchpoints, sectoral licensing, competition, AML, data and electronic-crimes exposure — and identify where the business is operating outside, ahead of, or in the grey zone of a regime. Each exposure is stated with its legal basis as of the review date.

  4. 4

    Risk register and ranking

    Findings go into a single register: the risk, its legal source, the realistic worst case, the likelihood as we assess it, and the fix. We rank by expected cost, not by how alarming the statute sounds. The register is written so a board member can read it without a lawyer beside them.

  5. 5

    Remediation plan

    For the risks worth fixing, we produce a sequenced plan — what to paper, what to file, what to renegotiate, what to disclose, and what simply to insure or accept — with owners and timelines. We can execute the legal items ourselves or hand the plan to your team.

  6. 6

    Periodic refresh

    Risk maps age. On a retainer we refresh the register on an agreed cycle and on trigger events — new product, new investor, new regulation — so the board's one-page answer stays current.

The Legal Framework

The law this work runs on.

Companies Act, 2017
The baseline for corporate risk: directors' duties, related-party approvals, beneficial-ownership reporting, and the filing record that regulators and counterparties read first. As of July 2026 this is where most SME risk reviews find their first ten findings.
Contract Act, 1872
Governs the enforceability of the contracts the business depends on — including the treatment of penalties and liquidated damages, restraint-of-trade clauses, and indemnities. Much contractual "risk" is drafting that assumes foreign law positions Pakistani courts do not take.
Anti-Money Laundering Act, 2010
With its subordinate regulations, this drives the AML, CFT, and beneficial-ownership expectations that banks and regulated partners pass down to ordinary businesses. Reporting-entity status and specific obligations are confirmed per client [SCOPE — TO BE VERIFIED BY REVIEWING LAWYER].
Competition Act, 2010
Prohibits abuse of dominance, restrictive agreements, and deceptive marketing, and requires clearance of notifiable mergers. Growing businesses cross its thresholds without noticing; the Competition Commission of Pakistan enforces with penalties calculated on turnover.
Prevention of Electronic Crimes Act, 2016
The criminal overlay on data and systems: unauthorised access, data breaches, and online content exposure. Relevant to any business holding customer data at scale. As of July 2026 a dedicated general data-protection statute remains pending, so PECA and sectoral rules carry the weight [LEGISLATIVE STATUS — TO BE VERIFIED BY REVIEWING LAWYER].
Foreign Exchange Regulation Act, 1947
With the State Bank's Foreign Exchange Manual, this governs cross-border payments, foreign shareholding mechanics, and repatriation — a recurring risk area for companies with foreign investors or foreign-currency revenue.
Listed Companies (Code of Corporate Governance) Regulations, 2019
Directly binding on listed companies and a de facto benchmark for larger unlisted ones, particularly where institutional investors sit on the board. Cited here as the governance yardstick, applied as of July 2026 [CURRENT VERSION — TO BE VERIFIED BY REVIEWING LAWYER].

Statutory references are stated as of the page’s as-of date and flagged where verification is pending; the law moves, and the current position should be confirmed before relying on it.

Common Mistakes

The errors we see most — and their price.

  • Confusing an audit with a legal risk review — the statutory audit tests the accounts, not the contracts, licences, or filing record.
  • Ranking risks by how frightening the statute is rather than by expected cost, so effort goes to remote criminal exposure while a lopsided customer contract bleeds the business monthly.
  • Assuming licences follow the business — a model that was unregulated at launch can become licensable as it scales or as the regulator's perimeter moves.
  • Papering over findings instead of fixing them: a policy document without implementation is discoverable evidence that you knew.
  • Running incident reviews over email with no privilege discipline, so the candid internal assessment becomes the other side's best exhibit.
  • Treating group companies as one company — risk sits per entity, and a clean holding company does not launder a non-compliant subsidiary.
  • Waiting for the transaction to order the review, when the discount an investor takes for a known-and-fixed issue is a fraction of what they take for a discovered one.

Representative Scenarios

The shape of the work.

Illustrative scenarios, not case reports — composites drawn to show how matters of this kind run.

Questions, Answered

What clients ask about risk advisory.

Same toolkit, different client and moment. Due diligence is done on a target for a buyer or investor, once, at a transaction. Risk advisory is done for the business itself, on its own timetable, so problems are found and fixed while they are cheap. Many clients commission it precisely because a transaction is eighteen months away.

A risk register — typically one summary page for the board and a working schedule behind it. Each entry states the risk, its legal basis as of the review date, our assessment of likelihood and worst case, and the recommended fix with an owner. No hundred-page memo; the schedule exists so the one page is defensible.

As of July 2026, the recurring five: an SECP record that does not match reality; key contracts with unenforceable or one-sided terms; tax withholding and documentation gaps; missing or expired sectoral licences and consents; and employment paperwork that would not survive a dispute. None is exotic. All are cheaper to fix than to litigate.

This is a fair concern and we structure for it. The review is conducted under legal-professional privilege as engagement counsel, findings are communicated with privilege discipline, and remediation is framed prospectively. Privilege under Pakistani law has limits — particularly once documents circulate beyond the client — so we agree the handling protocol before the first document is requested.

We identify tax exposures at the level of legal structure and documentation — withholding obligations, contract characterisation, intercompany arrangements — and flag where specialist tax computation or representation is needed. Where the risk is a live FBR dispute, we work alongside your tax advisors rather than duplicating them.

No. Your compliance function runs the day-to-day obligations under your licence. Risk advisory sits above it: testing whether the perimeter assumptions still hold, whether new products cross a licensing line, and whether the group structure and contracts match what was represented to the regulator. It is the periodic outside check on the framework your team operates.

For a single operating company with reasonable records, typically four to eight weeks from document delivery to board presentation. Groups, regulated businesses, and companies with thin records take longer — usually because the document-gathering itself surfaces the first findings. The scoping stage produces a firm timeline before work begins.

Scoped reviews are quoted as a fixed or capped fee in the engagement letter; standing retainers are priced on entity count and refresh cycle [FEE STRUCTURE — TO BE CONFIRMED BY THE FIRM]. The scoping session is where the perimeter, and therefore the price, gets fixed — we do not open-endedly bill a review.

The full FAQ Center

Who To Call

Related Insights

Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified

This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.

Every matter begins with a first conversation.

Contact the Firm