---
name: "governance-compliance-shield"
description: "Corporate governance and regulatory compliance operating system covering board management, board meeting protocols, corporate governance best practices, audit readiness, SOC 2/ISO 27001/ISO 9001 certification, ESG framework, data governance, internal controls, risk management framework, whistleblower policy, anti-bribery/FCPA, related party transactions, and regulatory compliance by industry. Includes India governance stack covering Companies Act 2013 governance requirements, MCA/ROC compliance, Board composition rules, CSR obligations (Section 135), related party transactions (Section 188), annual compliance calendar, statutory audit requirements, secretarial audit, SEBI LODR for listed companies, and NCLT proceedings. Use when user mentions board, governance, compliance, audit, SOC 2, ISO, ESG, internal controls, risk management, whistleblower, anti-bribery, FCPA, board meeting, board minutes, independent director, audit committee, CSR, Companies Act, MCA, ROC, SEBI LODR, statutory audit, secretarial audit, corporate governance, or any governance/compliance need."
license: MIT
metadata:
  version: 2.0.0
  author: TechKnowmad AI
  category: governance
  domain: corporate-compliance
  updated: 2026-03-22
  frameworks: corporate-governance, compliance-management, audit-readiness
  data-sources: NACD, NYSE Governance Services, PwC, Deloitte, EY, KPMG, Companies Act 2013, SEBI, MCA, ICAI, ICSI, SOC 2 Trust Services Criteria, ISO 27001, COSO Framework
---

# Governance & Compliance Shield

The startup corporate governance and compliance system. From "good enough" seed-stage governance to boardroom-ready Series C+ — practical frameworks that satisfy investors, regulators, and auditors without drowning in bureaucracy.

## Keywords

board, board of directors, board meeting, board minutes, board resolution, governance, corporate governance, compliance, audit, auditor, statutory audit, internal audit, SOC 2, SOC2, ISO 27001, ISO 9001, ESG, CSR, internal controls, risk management, ERM, whistleblower, anti-bribery, FCPA, UK Bribery Act, related party transaction, RPT, independent director, audit committee, nomination committee, remuneration committee, shareholder meeting, AGM, EGM, proxy, voting, fiduciary duty, D&O, director liability, Companies Act, MCA, ROC, SEBI, LODR, secretarial audit, annual return, corporate social responsibility, Section 135, Section 188, NCLT, CLB, company secretary

---

## How to Use This Skill

| Mode | Trigger | What It Does |
|------|---------|--------------|
| **Setup** | "board governance", "setting up board" | Board structure, committee design, governance docs |
| **Comply** | "SOC 2", "ISO 27001", "compliance" | Certification roadmaps, gap analysis, audit prep |
| **Manage** | "board meeting", "board materials" | Meeting management, materials prep, resolution drafting |
| **Audit** | "audit readiness", "preparing for audit" | Audit preparation, documentation, controls testing |
| **Report** | "ESG report", "compliance report" | Reporting frameworks, disclosure requirements |
| **India** | "MCA compliance", "Companies Act" | India-specific corporate governance compliance |

**Chain with existing skills:**
- `legal-ip-fortress` for legal compliance and regulatory frameworks
- `crisis-war-room` for board/governance crises
- `ops-scale-engine` for operational compliance integration
- `fundraising-command-center` for investor governance requirements

---

## 1. Board Governance by Stage

### Board Composition Evolution

| Stage | Board Size | Composition | Meeting Cadence |
|-------|-----------|-------------|-----------------|
| **Pre-Seed** | 1-2 | Founders only | No formal board needed |
| **Seed** | 3 | 2 founders + 1 investor or advisor | Quarterly (informal OK) |
| **Series A** | 3-5 | 2 founders + 1-2 investors + 0-1 independent | Quarterly (formal) |
| **Series B** | 5 | 2 founders + 2 investors + 1 independent | Quarterly + committee meetings |
| **Series C+** | 5-7 | 2 management + 2 investors + 1-3 independent | Monthly board, quarterly committees |
| **Pre-IPO** | 7-9 | Majority independent (per exchange rules) | Monthly + committee cadence |

### Board Meeting Management

**Pre-Meeting (7 Days Before):**
1. Send board deck (12-15 slides max)
2. Include: financials, KPIs, team update, strategic issues, asks
3. Pre-read materials: detailed appendix, data room updates
4. Board member 1:1 pre-calls (no surprises in meetings)

**Board Deck Template:**
| Section | Slides | Content |
|---------|--------|---------|
| Highlights/Lowlights | 1 | Top 3 wins, top 3 concerns — honest |
| KPI Dashboard | 1-2 | North star, revenue, growth, burn, runway |
| Financial Summary | 1-2 | P&L, cash flow, budget vs actual |
| Product Update | 1-2 | Roadmap progress, key releases, customer feedback |
| Team | 1 | Headcount, key hires, attrition, open roles |
| Strategic Discussion | 2-3 | 1-2 topics needing board input (frame as decision) |
| Asks | 1 | Specific asks: intros, advice, approvals |

**During Meeting:**
1. Start on time, end on time
2. CEO drives agenda, Chair manages discussion
3. Limit presentations — aim for roughly 60% discussion, 40% presenting (the 60/40 rule); the deck was pre-read
4. Capture action items and decisions in real-time
5. Executive session (without management) at end — this is normal and healthy

**Post-Meeting (48 Hours After):**
1. Circulate draft minutes within 48 hours
2. Action items with owners and deadlines
3. Board-approved resolutions documented

---

## 2. Compliance Certification Roadmaps

### SOC 2 Type II (Most Common for SaaS)

**What**: An attestation report (issued by a CPA firm, not a certificate) on controls against the AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Only Security (the common criteria) is mandatory; the other four are in scope only if you select them, so scope to what customers actually ask for
**Who needs it**: Any SaaS selling to mid-market or enterprise customers
**Timeline**: 6-12 months end to end. Type I reports on control design at a point in time (3-6 months to reach); Type II reports on operating effectiveness over an observation window, commonly 6-12 months (3 months is sometimes accepted for a first report)
**Cost**: $20,000-80,000 (auditor fees) + internal effort and tooling

**SOC 2 Readiness Checklist:**

| Control Area | Key Requirements | Common Gaps |
|-------------|-----------------|-------------|
| **Security** | Access controls, encryption, MFA, monitoring | MFA not enforced, no SIEM |
| **Availability** | SLA, DR plan, incident response | No tested DR plan |
| **Confidentiality** | Data classification, NDA, encryption at rest | No data classification policy |
| **Processing Integrity** | QA, change management, monitoring | No formal change management |
| **Privacy** | Privacy policy, data retention, consent | No data retention schedule |
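The two most common Security-criterion gaps in the table (MFA not enforced, unreviewed access) are cheap to evidence if you pull them from the identity provider rather than from a questionnaire. The script below is an added example, not part of this skill's reference files: it parses an AWS IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-decoded) and flags console identities without MFA, dormant console users, root access keys, and access keys older than a rotation limit. The report rows, the 90-day limits and the review date are constructed assumptions; a real run feeds in the live report and `datetime.now(timezone.utc)`.

```python
"""Flag SOC 2 Security-criterion gaps (MFA, dormant logins, key rotation) from an AWS IAM credential report."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample in the layout of the IAM credential report CSV. Only the columns used
# below are included; a real report has more, and csv.DictReader simply ignores extras.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,not_supported,2025-12-01T09:00:00+00:00,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T00:00:00+00:00,true,2026-03-01T09:00:00+00:00,true,true,2026-01-10T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-01T00:00:00+00:00,true,2026-03-02T09:00:00+00:00,false,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-03-01T00:00:00+00:00,true,2025-11-15T09:00:00+00:00,true,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-04-01T00:00:00+00:00,false,N/A,false,true,2025-06-01T00:00:00+00:00,true,2024-01-01T00:00:00+00:00
"""

# Assumed review date (this page's own "updated" date); a live run uses datetime.now(timezone.utc).
AS_OF = datetime(2026, 3, 22, tzinfo=timezone.utc)
ROOT = "<root_account>"


@dataclass(frozen=True)
class Finding:
    user: str
    control: str   # checklist row the gap maps to
    detail: str


def parse_credential_report(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value: str):
    """The report uses N/A, no_information or not_supported where a timestamp is absent."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_gaps(rows, as_of=AS_OF, max_age_days=90):
    findings = []
    for row in rows:
        user = row["user"]
        # Root shows password_enabled=not_supported but always has console login.
        console = user == ROOT or row["password_enabled"] == "true"

        # MFA: every console-capable identity, root included, must have a device enrolled.
        if console and row["mfa_active"] != "true":
            findings.append(Finding(user, "MFA", "console login enabled without MFA"))

        # Dormant console users are an access-review gap (root is exempt: it should be unused).
        last_login = _ts(row["password_last_used"])
        if console and user != ROOT and (last_login is None or (as_of - last_login).days > max_age_days):
            findings.append(Finding(user, "Access review", f"no console login in {max_age_days} days"))

        # Access keys: root must have none; everyone else must rotate within max_age_days.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == ROOT:
                findings.append(Finding(user, "Access keys", f"root has active access key {n}"))
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            age = None if rotated is None else (as_of - rotated).days
            if age is None or age > max_age_days:
                findings.append(Finding(user, "Access keys",
                                        f"access key {n} last rotated {age} days ago (limit {max_age_days})"))
    return findings


if __name__ == "__main__":
    for f in find_gaps(parse_credential_report(SAMPLE_REPORT)):
        print(f"{f.user:15} {f.control:14} {f.detail}")
```

Run it quarterly, keep the dated output with the report it was generated from, and you have the evidence an auditor asks for under the access-control criteria: the check, the population it ran over, and the exceptions with their remediation tickets.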

**Implementation Timeline:**
- Month 1-2: Gap assessment, policy writing
- Month 3-4: Control implementation, tool deployment
- Month 5: Type I audit (point-in-time)
- Month 6-11: Observation period (controls operating)
- Month 12: Type II audit (period of time)

### ISO 27001 (Information Security Management)

**Who needs it**: Companies with EU/global enterprise customers, regulated industries
**Timeline**: 6-18 months
**Cost**: $30,000-150,000+
**Key difference from SOC 2**: ISO 27001 certifies a management system, not a report on selected controls. Clauses 4-10 (risk assessment, Statement of Applicability, internal audit, management review) are mandatory; Annex A is a reference set of 93 controls (2022 edition) that you include or justify excluding in the Statement of Applicability. The certificate is issued by an accredited certification body after a two-stage audit, with annual surveillance audits and recertification every three years

### ISO 9001 (Quality Management)

**Who needs it**: Manufacturing, healthcare, government contractors
**Timeline**: 6-12 months
**Cost**: $15,000-50,000

---

## 3. Internal Controls Framework

### COSO-Lite for Startups

| Component | Startup Implementation | Priority by Stage |
|-----------|----------------------|-------------------|
| **Control Environment** | Tone from the top, code of ethics, org structure | Seed onwards |
| **Risk Assessment** | Quarterly risk review, document top 10 risks | Series A |
| **Control Activities** | Segregation of duties, approval workflows, access controls | Series A |
| **Information & Communication** | Financial reporting, board materials, compliance reporting | Series A |
| **Monitoring** | Internal audit (even informal), control testing | Series B |

### Financial Controls Minimum

| Control | Description | When to Implement |
|---------|------------|-------------------|
| **Dual authorization** | 2 signatures for payments >$10K | Day 1 |
| **Bank reconciliation** | Monthly reconciliation of all accounts | Day 1 |
| **Expense approval** | Manager approval for all expenses | 10+ employees |
| **Segregation of duties** | No single person controls entire financial process | 25+ employees |
| **Budget vs actual** | Monthly variance analysis | Series A |
| **Revenue recognition** | ASC 606 compliant recognition | Series A |
| **Payroll audit** | Monthly payroll reconciliation | 25+ employees |
| **Vendor approval** | Formal vendor onboarding and approval | Series B |
| **Internal audit** | Annual internal audit | Series C |

---

## 4. Risk Management Framework

### Enterprise Risk Register (Simplified)

| Risk Category | Example Risks | Likelihood (1-5) | Impact (1-5) | Risk Score | Mitigation |
|--------------|--------------|-------------------|-------------|-----------|-----------|
| **Strategic** | Market shift, competitor disruption | | | L×I | |
| **Financial** | Cash crisis, revenue concentration | | | L×I | |
| **Operational** | Key person loss, system failure | | | L×I | |
| **Compliance** | Regulatory change, data breach | | | L×I | |
| **Reputational** | PR crisis, customer trust loss | | | L×I | |

**Risk Response Options:**
- **Accept**: Risk is low and cost of mitigation exceeds potential impact
- **Mitigate**: Implement controls to reduce likelihood or impact
- **Transfer**: Insurance, indemnification, outsourcing
- **Avoid**: Change plans to eliminate the risk entirely

---

## 5. ESG Framework for Startups

### ESG Relevance by Stage

| Stage | ESG Priority | Why |
|-------|-------------|-----|
| **Seed** | Minimal — focus on survival | Don't over-index |
| **Series A** | Foundation — DEI policy, basic carbon awareness | Investors asking |
| **Series B** | Structured — ESG metrics, supply chain review | Part of DD |
| **Series C+** | Comprehensive — ESG report, science-based targets | Customer/investor requirement |
| **Pre-IPO** | Mandatory — TCFD/CSRD reporting, ESG rating | Exchange listing requirements |

### Minimal Viable ESG (Series A)

| Pillar | Minimum Actions | Documentation |
|--------|----------------|---------------|
| **Environmental** | Measure Scope 1+2 emissions, cloud provider sustainability | Carbon footprint estimate |
| **Social** | DEI policy, pay equity analysis, employee wellness | DEI metrics, employee survey |
| **Governance** | Independent director, board diversity, ethics policy | Governance charter |

---

## 6. India Corporate Governance Stack

### Companies Act 2013 — Key Governance Requirements

| Requirement | Threshold | Section | Deadline |
|------------|-----------|---------|----------|
| **Board Meetings** | Min 4/year, gap ≤120 days | Section 173 | Quarterly |
| **First Board Meeting** | Within 30 days of incorporation | Section 173 | 30 days |
| **AGM** | Within 6 months of FY end (first AGM: within 9 months of first FY end); gap between AGMs ≤15 months | Section 96 | September 30 (March 31 FY end) |
| **Financial Statements** | Adoption at AGM; file AOC-4 with ROC | Section 129 / 137 | Adopt at AGM; file within 30 days of AGM |
| **Annual Return** | File MGT-7 (MGT-7A for small companies and OPCs) with ROC | Section 92 | Within 60 days of AGM |
| **Statutory Audit** | Mandatory for all companies | Section 139 | Annual |
| **Secretarial Audit** | Listed + prescribed companies | Section 204 | Annual |
| **CSR** | NW ≥500Cr OR TO ≥1000Cr OR NP ≥5Cr | Section 135 | Annual |
| **Related Party Transactions** | Board/shareholder approval | Section 188 | Per transaction |
| **Director Disclosure** | Annual disclosure of interests | Section 184 | Annual |
| **KYC** | DIR-3 KYC for all directors annually | MCA Rules | September 30 |
| **Registered Office** | File INC-22 within 30 days | Section 12 | At incorporation |

### India Board Composition Rules

| Company Type | Minimum Directors | Independent Directors | Woman Director |
|-------------|------------------|----------------------|---------------|
| **Private Limited** | 2 | Not mandatory | Not mandatory |
| **Public Limited (unlisted)** | 3 | At least 2 if paid-up ≥10Cr OR TO ≥100Cr OR outstanding loans/debentures/deposits >50Cr (Rule 4) | Mandatory if paid-up ≥100Cr OR TO ≥300Cr (Rule 3) |
| **Listed Company** | 3 | Min 1/3 of the board (Section 149(4)); under SEBI LODR, at least 1/2 if the chair is executive or a promoter/related to a promoter | Mandatory; top 1,000 listed entities need at least one independent woman director (LODR Reg 17) |

Every company also needs at least one resident director (≥182 days in India during the FY, Section 149(3)); the cap is 15 directors unless shareholders pass a special resolution.

### India CSR Requirements (Section 135)

**Trigger**: Net worth ≥INR 500 Cr OR Turnover ≥INR 1,000 Cr OR Net profit ≥INR 5 Cr in the immediately preceding financial year (the 2017 amendment replaced the earlier "any financial year" test)

**Requirement**: Spend 2% of average net profits (preceding 3 years) on CSR activities

**CSR Activities (Schedule VII):**
- Eradicating hunger, poverty
- Education, gender equality, women empowerment
- Environmental sustainability
- Healthcare, sanitation
- Rural development
- Protection of heritage, art, culture
- Armed forces veterans, war widows and dependants welfare
- Rural sports, nationally recognised sports, Paralympic and Olympic sports
- Contributions to PM's National Relief Fund / PM CARES, Swachh Bharat Kosh, Clean Ganga Fund
- Technology incubators funded by central/state government and public-funded universities and research bodies
- Disaster management, relief, rehabilitation and reconstruction

### India Statutory Compliance Officers

| Role | Requirement | Qualification |
|------|------------|--------------|
| **Company Secretary** | Listed companies and public companies with paid-up ≥10Cr (Rule 8); any other company with paid-up ≥10Cr (Rule 8A, raised from 5Cr in 2020) | ICSI member |
| **Statutory Auditor** | Mandatory for all companies | CA (ICAI member) |
| **Internal Auditor** | Listed + prescribed companies (Section 138, Rule 13) | CA, cost accountant, or other professional the board decides |
| **Secretarial Auditor** | Listed + prescribed companies | Practicing CS |
| **Cost Auditor** | Prescribed manufacturing companies | Cost accountant |

---

## 7. Anti-Bribery & Ethics

### FCPA / UK Bribery Act Essentials (For International Operations)

| Area | FCPA (US) | UK Bribery Act 2010 | Prevention of Corruption Act 1988 (India) |
|------|---------|----------------|-------------------------------------|
| **Scope** | Issuers, domestic concerns, and anyone acting within US territory; conduct anywhere in the world | UK persons and any organisation carrying on business in the UK; conduct anywhere in the world | Offences involving Indian public servants; commercial organisations under Section 9 (2018 amendment) |
| **Prohibited** | Bribes to foreign officials; for issuers, also books-and-records and internal-controls failures | All bribery, public and commercial, active and passive, plus failure to prevent bribery (Section 7) | Giving or taking bribes involving public servants |
| **Facilitation Payments** | Narrow exception for routine governmental action | No exception | No exception |
| **Penalty** | Criminal fines (up to $2M per anti-bribery violation for entities, or twice the gain), imprisonment for individuals, plus civil penalties and disgorgement | Unlimited fine, up to 10 years' imprisonment | Imprisonment up to 7 years plus fine |
| **Defense** | Affirmative defenses (lawful under local written law; reasonable bona fide expenditure); an effective compliance program mitigates charging and sentencing | "Adequate procedures" defense to the Section 7 offence | "Adequate procedures" defense to the Section 9 commercial-organisation offence |

### Minimum Anti-Corruption Program

- [ ] Written anti-bribery policy
- [ ] Tone from the top (board-level commitment)
- [ ] Due diligence on third parties (agents, distributors, JV partners)
- [ ] Gifts and hospitality policy (limits, approval, documentation)
- [ ] Training for employees in at-risk roles
- [ ] Confidential reporting mechanism (whistleblower)
- [ ] Regular monitoring and review
- [ ] Documented investigations of any concerns

---

## Reference Files

For detailed governance documentation, load:
- [`reference/board-templates.md`](reference/board-templates.md) — Board deck template, resolution formats, minutes template
- [`reference/india-governance-calendar.md`](reference/india-governance-calendar.md) — Month-by-month India Companies Act compliance calendar

## Adversarial Governance Layer

### Red Team Governance

```
Before every major board decision:
1. Assign 2-3 people to build strongest case AGAINST the proposal
2. Give 24-48 hours for evidence-based counter-argument
3. Present counter-case BEFORE the proposal
4. No rebuttal during presentation — listen first
5. Score objections: likelihood × severity, normalised to 1-10. Address anything scoring above 7.
```

### Devil's Advocate Protocol

```
1. Rotate role — never same person twice consecutively
2. Give preparation time (unprepared advocacy is theater)
3. Advocate presents FIRST (prevents anchoring)
4. No interruptions during counter-presentation
Effective only when advocate is genuinely prepared, not role-playing.
```

### Pre-Mortem for Strategic Governance

```
90-MINUTE SESSION before any major commitment:
1. Brief board on proposal (10 min)
2. "Imagine 12 months from now, this FAILED. Write why." (15 min silent)
3. Round robin — one reason per round (30 min)
4. Cluster: Likelihood x Impact 2x2 (20 min)
5. Mitigate top-right quadrant (15 min)
Prospective hindsight increases diagnostic accuracy by 30%.
```

### ACH for Board Decisions

```
1. List ALL plausible hypotheses (not just obvious two)
2. Evidence matrix: hypotheses as columns, evidence as rows
3. Mark what each evidence DISPROVES (not confirms)
4. Eliminate hypotheses with most inconsistent evidence
5. Surviving hypothesis gets resourced. Others get monitoring triggers.
Source: Analysis of Competing Hypotheses, a CIA Structured Analytic Technique (Richards J. Heuer Jr.)
```

### Counter-Intelligence for Governance

```
Board materials: CONFIDENTIAL by default, numbered/watermarked copies, portal access logged per user and document
Social engineering defense: agreed "talk track" for what may be said publicly, classification labels on every document, callback verification for any request about board matters
Insider threat: unusual access volume flagged, departing directors and execs lose portal access on their last day, not at the next review
Quarterly: security awareness refresher, board-level access audit (roster vs portal accounts vs access log)
```
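The quarterly board-level access audit above is mechanical enough to script. What follows is an added example, not part of this skill's reference files: it reconciles a roster of who may hold board-portal access (with departure dates) against the portal's access log, and raises alerts for accounts not on the roster, access after a director's departure, bulk downloads above a threshold, and departed entries whose account revocation still needs confirming. The roster, the log format (`<timestamp> <user> <action> <document>`), the 10-download threshold and all names are constructed assumptions; map your own portal's export onto the four fields.

```python
"""Quarterly board-portal access audit: unknown accounts, post-departure access, bulk downloads."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster: who may access board materials, and when that access ended.
# In practice this comes from the company secretary's register or the portal's user export.
ROSTER = {
    "alice": {"role": "director", "access_end": None},
    "bob": {"role": "director", "access_end": None},
    "ceo": {"role": "management", "access_end": None},
    "dave": {"role": "director", "access_end": date(2026, 2, 28)},   # resigned from the board
}

# Constructed portal log, one event per line in an assumed "<ISO ts> <user> <action> <document>" format.
SAMPLE_LOG = "\n".join(
    [
        "2026-03-18T09:12:00Z alice view board-deck-2026Q1.pdf",
        "2026-03-18T09:40:00Z alice download board-deck-2026Q1.pdf",
        "2026-03-19T22:05:00Z dave download board-deck-2026Q1.pdf",     # after dave's access_end
        "2026-03-20T11:00:00Z mallory view financials-FY26.xlsx",       # account not on roster
        "2026-03-20T11:30:00Z ceo download kpi-dashboard-2026Q1.pdf",
    ]
    + [f"2026-03-21T23:{m:02d}:00Z bob download archive-{m:02d}.pdf" for m in range(12)]  # bulk pull
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    doc: str


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str
    detail: str


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc = line.split()
        # "Z" suffix is only accepted by fromisoformat on Python 3.11+, so normalise it.
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, doc))
    return events


def audit(events, roster=ROSTER, bulk_threshold=10) -> list[Alert]:
    alerts = []
    downloads_per_day = Counter()
    for e in events:
        entry = roster.get(e.user)
        if entry is None:
            alerts.append(Alert(e.user, "unknown-principal", f"{e.action} {e.doc} by account not on roster"))
        elif entry["access_end"] is not None and e.ts.date() > entry["access_end"]:
            alerts.append(Alert(e.user, "post-departure-access",
                                f"{e.action} {e.doc} on {e.ts.date()}, access ended {entry['access_end']}"))
        if e.action == "download":
            downloads_per_day[(e.user, e.ts.date())] += 1

    # Volume check: a director pulling the whole archive in one evening is the classic pre-exit pattern.
    for (user, day), n in sorted(downloads_per_day.items()):
        if n > bulk_threshold:
            alerts.append(Alert(user, "bulk-download", f"{n} downloads on {day} (threshold {bulk_threshold})"))

    # Departed roster entries get a revocation check even if they were quiet this quarter.
    for user, entry in roster.items():
        if entry["access_end"] is not None:
            alerts.append(Alert(user, "revoke-check", f"confirm portal account disabled (access ended {entry['access_end']})"))
    return alerts


if __name__ == "__main__":
    for a in audit(parse_log(SAMPLE_LOG)):
        print(f"{a.kind:22} {a.user:10} {a.detail}")
```

The roster, not the log, is the source of truth: an account that is absent from the roster is an alert even if it has been logging in for months, which is exactly the case a log-only review misses. File the dated output alongside the roster snapshot as the quarter's audit record.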
