Service 07

Compliance & Risk Management.

Governance almost always lags growth. The setup that was clean at thirty people is quietly exposed at three hundred. Build a proportionate framework now, so the gaps aren’t surfaced for you by a regulator, a DPDP notice, a disgruntled former employee, or a diligence team halfway through a term sheet.

What we put in place

  • Risk register with owners, likelihood, and impact scoring
  • Regulatory mapping for your sector and geographies
  • Board-level governance calendar and reporting pack
  • Policy library (data, conduct, AML, whistleblowing)
  • Incident response and escalation playbooks
  • Training cadence your team will actually complete

What this is

Governance that fits the business.

Most Indian SMEs land in one of two camps. Either nothing is written down and leadership is quietly hoping, or there’s a binder of policies copied from a multinational template that nobody in the building has actually read. Both fail the first serious audit. Both fail the first time something goes wrong.

We build something proportionate. A real risk register drawn from interviews, not a template. Policies written in the language of your business so people can actually follow them. Clear ownership against each control. A review cadence that keeps the whole thing current. The aim isn’t to tick every possible box. It’s to be able to show, honestly, that you know your top risks and you’re managing them.

We aren’t lawyers and we don’t give legal advice. Where a legal opinion is needed, we’ll say so and bring in your counsel. Our job is to translate their requirements into something the operating business can actually sustain on its own.

What we solve

The problems we usually walk into.

Six patterns that show up across NBFCs, healthcare, edtech, and data-heavy SMEs. Two or three usually apply.

01 Growth outpacing governance

Policies designed for 30 people don’t hold at 300. Approvals happen over WhatsApp, accountability is fuzzy, audit trails are thin.

02 Regulatory exposure

New rules came in (GST, data protection, sector-specific) and nobody fully mapped what they mean for the business. There’s quiet exposure nobody has priced.

03 No real risk register

If asked to list the top ten risks to the business, three leaders would give three different lists. Risk isn’t being managed, it’s being hoped away.

04 Data & privacy gaps

Customer data is held in ad-hoc systems, access is broader than it should be, there’s no clear retention or breach response plan.

05 Contract sprawl

Customer and supplier contracts are inconsistent, signed out of view, held in someone’s email. Nobody can answer basic questions about obligations.

06 Audit readiness panic

An audit or diligence request triggers a two-week scramble. The information exists but it takes a team to pull it together each time.

Our approach

How we actually build it.

Typically sixteen to twenty-four weeks. Sector drives what gets scoped in (RBI, DPDP, FSSAI, SEBI); the shape of the engagement stays broadly the same.

Step 01 Risk & regulatory mapping

We map the regulatory obligations specific to your sector and geography, interview the team, and build the real risk register, not a template.

Step 02 Gap analysis & priorities

Against the map, where are you genuinely exposed? We rank gaps by probability and impact and agree the ones worth closing now.

Step 03 Build the framework

Policies written to be followed, controls designed to be operational, ownership assigned, training delivered. Practical over pretty.

Step 04 Governance cadence

Quarterly risk review, annual policy refresh, defined escalation, built into the existing management rhythm, not layered as a separate bureaucracy.

What you get

Concrete deliverables.

Governance artefacts your board, your auditor, and your CFO can all use. Proportionate, practical, and sized for the business you run today, not the one the template assumes.

Risk register

Top risks to the business with likelihood, impact, existing controls, and owner, built from interviews and evidence, not a generic template.

Regulatory obligations map

Specific rules that apply to your business today, what they require, who owns each, and the evidence you’d need to show compliance.

Gap analysis & remediation plan

An honest list of where you’re exposed, prioritised, with a remediation plan that has owners, deadlines, and realistic effort estimates.

Core policy set

The handful of policies that actually matter (data protection, AML where relevant, code of conduct, whistleblowing, contracts), written in language people can follow.

Control & approval framework

Who approves what, at what threshold, with what evidence, replacing informal approvals with a framework an auditor can follow.

Governance cadence & training

Quarterly risk review format, annual refresh process, and training sessions so the framework lives with the people who have to run it.

Client story

Neelam Agarwal, CFO, NBFC

“Our growth had outrun our policies by a long way. Apxe built a proportionate governance framework, not a bureaucratic one, and walked our board through it until it was genuinely their own.”

Result: Audit findings down from 14 to 2

Who this is for

Fit matters more than fees.

Governance theatre helps no one. If policies aren’t going to be enforced, don’t commission them. Read the lists honestly first.

This is right if you…

  • Operate in a regulated sector (financial services, healthcare, education, real estate, data-heavy businesses) and know you’ve outgrown your setup.
  • Are preparing for diligence by an investor, an acquirer, or a major customer that will audit you.
  • Want a practical framework that the team will actually use, not a binder for the shelf.
  • Have a founder or leadership team willing to sign off policies and enforce them afterward.

This is wrong if you…

  • Need legal advice on a specific matter or a regulatory licence application. For that, you want a law firm or specialist licensing consultant.
  • Are in the middle of an active investigation or enforcement action. That needs a specialist, urgently, not a framework engagement.
  • Want certification (ISO, SOC 2, etc.) as the primary output. We prepare you for it; the actual audit is done by an accredited body.
  • Want policies on paper only and don’t intend to change how decisions get approved. That’s the governance theatre we’re trying to avoid.

FAQ

Common questions.

Five questions CFOs, company secretaries, and general counsel raise on every first call. Short answers below.

Are you a law firm?

No. We don’t give legal advice and we don’t replace your lawyers. We work alongside them, translating legal requirements into the operational policies, controls, and processes the business runs on. Where we need a legal opinion, we get one.

Can you get us ISO or SOC 2 certified?

We can prepare you for it: run a gap assessment, build out the controls, get the evidence in order. The certification itself is issued by an accredited audit body, not us. We’ll tell you whether you’re ready before you commission the audit.

What about data protection / DPDP?

We scope your obligations, build the policy and process set (consent, retention, access, breach response), and help you implement. For highly technical items such as data mapping across systems, we may bring in or recommend a specialist.

How big does our team need to be?

Below twenty people the framework is usually too heavy. Above that, governance gaps start to matter. For regulated businesses, even small teams can need this; the regulator doesn’t care how many staff you have.

Do you handle ongoing compliance monitoring?

We build the framework and install the quarterly cadence. Ongoing day-to-day monitoring is owned in-house or by a retained compliance officer. For specific sectors that need a formal CCO function, we help you scope the role and hire.

Close the gaps.