RC-14 Risk & Compliance 20% of OML score

Are compliance or regulatory changes monitored at a basic level?

Do you have a system to watch for new laws, rules, and regulations that affect your business, and do you act on them when they arrive? This means knowing when the government or industry bodies issue new requirements that you must follow, and then actually implementing them before deadlines.

Why This Matters to Your Business

If you miss a regulatory change, you can break the law without knowing it and face fines, lose customer contracts, or damage your reputation. For example, if your company processes customer data and you miss an update to the DPDP Act 2023 rules, the Act's Schedule allows penalties of up to ₹250 crore per instance (the highest band applies to failing to take reasonable security safeguards), and customers might stop doing business with you. Banks and large clients now ask for proof of compliance during audits; if you can't show you're tracking regulatory changes, they may terminate contracts or refuse to work with you. Without this basic monitoring, you're operating blind to the legal requirements changing around you.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You don't have any process to track new regulations. Your team finds out about compliance changes by accident—maybe a customer mentions it or an auditor flags it during a review.

Level 1
Initial

One person (usually the owner or IT lead) informally watches for changes by checking email newsletters or government websites occasionally. There's no formal schedule or list of what rules apply to your business.

Level 2
Developing

You've identified which laws apply to your business (DPDP, CERT-In, sector-specific rules) and someone checks for updates monthly or quarterly. You have a simple list of regulatory sources and a basic process to share changes with relevant teams.

Level 3
Defined

You have a documented process where assigned person(s) monitor regulatory bodies weekly or monthly. You track changes in a spreadsheet or simple document, assess impact, and communicate deadlines to relevant staff. You have evidence of at least one change acted upon in the last 12 months.

Level 4
Managed

You use a formal tracking system (spreadsheet or software) to log all regulatory changes by deadline date, business impact, and responsible person. Regular reviews happen monthly, and stakeholders are notified. You have documented evidence of multiple compliance actions completed on time.

Level 5
Optimised

You use automated alerts from regulatory sources or subscription services. Changes are logged in a system accessible to all relevant teams. Monthly governance reviews assess impact and assign owners. You have quarterly compliance metrics showing regulatory obligations met and documented risk assessments for each new requirement.

How to Move Up — Practical Steps

Step 0 → 1
  What to do: List all laws and regulations that apply to your business (e.g., DPDP Act, CERT-In directions, Shops and Establishments Act, GST rules, industry-specific rules if you're in fintech, healthcare, e-commerce). Assign one person (owner or IT lead) to check government websites and industry newsletters monthly for updates.
  Who: Business owner
  Effort: 2-3 hours

Step 1 → 2
  What to do: Create a simple spreadsheet listing the 5-10 key regulations affecting your business, the source website, and the date you last checked. Set a calendar reminder to check these sources on the 1st of each month. Document what you found and share one-line summaries with relevant staff.
  Who: IT lead or compliance owner (designate one person)
  Effort: 1 week

Step 2 → 3
  What to do: Write a documented process (1-2 page document) defining: who monitors which regulations, how often, where findings are logged, who gets notified, and by when. Create a regulation register (spreadsheet) with columns: Regulation name, Deadline, Business impact (High/Medium/Low), Owner, Status (Not started/In progress/Completed). Review this monthly in a team meeting and document attendance.
  Who: Compliance owner with input from department heads
  Effort: 2-3 weeks

Step 3 → 4
  What to do: Move your regulation tracking to a formal system (Excel template with version control or a low-cost tool like Airtable). Add fields for: regulatory source, date issued, effective date, implementation owner, completion evidence, and quarterly risk rating. Hold monthly governance meetings with documented attendance and action items. Create a dashboard showing compliance status.
  Who: Compliance manager or designated IT person
  Effort: 4-6 weeks

Step 4 → 5
  What to do: Subscribe to automated regulatory alert services specific to your sector (e.g., government alerts, industry body notifications). Integrate alerts into your compliance system. Conduct quarterly compliance reviews with leadership, update risk assessments, and prepare compliance metrics for board-level review. Document all decisions and maintain an audit trail of actions taken.
  Who: Compliance manager with IT support
  Effort: Ongoing (10-15 hours/month)
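The register described in steps 2 → 3 and 3 → 4 is only useful if it can answer the two questions an auditor actually asks: which sources have not been checked in the last 90 days, and which open obligations fall due (or are already overdue) within the next 30 days. The script below is an added example, not part of the NIRMATA framework or this page's own material; it models the register's columns as a small Python data structure and runs those checks against a constructed sample register. The regulation names, owners, sources and every date in it are hypothetical.

```python
"""Regulation register with the checks a monthly governance review needs:
sources not checked in 90 days, obligations due within 30 days, and
obligations already overdue. Added example with constructed entries."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Obligation:
    regulation: str                   # e.g. "DPDP Act 2023"
    source: str                       # where updates for it are published
    owner: str                        # person accountable for this item
    impact: str                       # High / Medium / Low
    status: str                       # Not started / In progress / Completed
    last_checked: date                # last time the source was reviewed
    deadline: Optional[date] = None   # implementation deadline, if one is set


# Constructed sample register: owners, dates and the sector circular are hypothetical.
REGISTER = [
    Obligation("DPDP Act 2023", "meity.gov.in", "Priya", "High", "In progress",
               date(2025, 3, 3), date(2025, 4, 15)),
    Obligation("CERT-In Directions 2022", "cert-in.org.in", "Arjun", "High", "Completed",
               date(2025, 3, 3), date(2022, 6, 27)),
    Obligation("GST rules", "gst.gov.in", "Meena", "Medium", "Not started",
               date(2024, 11, 20), None),
    Obligation("Sector circular (hypothetical)", "regulator.example", "Arjun", "Low",
               "Not started", date(2025, 2, 1), date(2025, 3, 20)),
]

# Date of the governance review the report is run for (hypothetical).
REVIEW_DATE = date(2025, 3, 25)


def stale_sources(register, today, max_age_days=90):
    """Regulations whose source has not been checked within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(o.regulation for o in register if o.last_checked < cutoff)


def due_soon(register, today, window_days=30):
    """Open obligations whose deadline falls within the next window_days (inclusive)."""
    horizon = today + timedelta(days=window_days)
    return sorted(
        (o.deadline.isoformat(), o.regulation, o.owner)
        for o in register
        if o.deadline is not None and o.status != "Completed"
        and today <= o.deadline <= horizon
    )


def overdue(register, today):
    """Open obligations whose deadline has already passed."""
    return sorted(
        (o.deadline.isoformat(), o.regulation, o.owner)
        for o in register
        if o.deadline is not None and o.status != "Completed" and o.deadline < today
    )


def monthly_report(register, today):
    """The three checks bundled for the monthly review minutes."""
    return {
        "stale_sources": stale_sources(register, today),
        "due_soon": due_soon(register, today),
        "overdue": overdue(register, today),
    }


if __name__ == "__main__":
    for check, rows in monthly_report(REGISTER, REVIEW_DATE).items():
        print(check, rows or "none")
```

Completed items are excluded from the deadline checks on purpose: a passed deadline on a completed obligation is evidence of compliance, not a finding. Pasting the three lists into the monthly meeting minutes gives you exactly the 90-day and 30-day evidence the auditor questions below ask for.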
Evidence You Should Have

Documents and records that prove your maturity level.

  • Documented list of applicable regulations and compliance requirements specific to your business
  • Regulation monitoring register or spreadsheet with columns: regulation name, source, check frequency, last checked date, and findings
  • Calendar entries or meeting minutes showing monthly/quarterly compliance review meetings with attendees named
  • Document detailing the process: who monitors which regulations, frequency of checks, notification procedure, and approval workflow
  • Evidence of at least 2 regulatory changes detected and acted upon in the last 12 months (e.g., email notifying staff of change, updated policy document, completion checklist with dates)
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through your process for monitoring new compliance and regulatory requirements. Who is responsible and how often do they check?"
  • "Can you show me your list of regulations that apply to this business and evidence that you've checked for updates in the last 90 days?"
  • "Give me an example of a regulatory change you discovered in the past year and show me what action you took and when."
  • "How do you communicate new regulatory requirements to the relevant teams? Can you show me documented evidence of this communication?"
  • "What happens if a new regulation is issued with a 30-day implementation deadline? Walk me through how your process would handle that."
Tools That Work in India

Purpose: Monitor government websites and regulatory bodies for new rules and notifications
  Free option: Government of India portal (india.gov.in), MeitY website updates, CERT-In advisories (free email subscription), RBI circulars (rbi.org.in subscription), GST Council notifications
  Paid option: Thomson Reuters Practical Law (₹2,00,000+/year), LexisNexis India (₹1,50,000+/year)

Purpose: Track and manage compliance obligations, deadlines, and actions in one place
  Free option: Microsoft Excel or Google Sheets with version control, Airtable free tier (500-record limit)
  Paid option: Airtable Pro (₹600/user/month), ComplianceQuest (₹5,00,000+/year), OneTrust (₹10,00,000+/year)

Purpose: Get automated alerts when regulatory changes occur in your sector
  Free option: Google Alerts for regulatory keywords, industry body email newsletters (Chamber of Commerce, sector associations)
  Paid option: Evisort (contract and regulation analysis, ₹8,00,000+/year), compliance-automation platforms such as Drata (₹3,00,000+/year)

Prices are indicative and change; confirm current pricing with the vendor.
How This Makes You More Resilient
When you actively monitor compliance changes, you catch new requirements early—before a customer audit or regulator inspection finds you out of compliance. This prevents surprise fines, contract terminations, and the costly scramble to retrofit your systems. You'll also avoid the reputational damage that comes from being labeled non-compliant, which matters hugely when customers and partners research your trustworthiness.
Common Pitfalls in India
  • Waiting for customers or auditors to tell you about new rules instead of proactively watching regulatory sources yourself—by then you're already non-compliant and scrambling
  • Assuming one IT person will 'just remember' to check for updates without a documented process—person goes on leave, gets busy, or leaves the company and no one picks up the task
  • Only tracking regulations that directly affect your main business operations (e.g., GST for a retailer) and missing cross-cutting rules like DPDP Act or CERT-In directions that apply to all businesses handling data
  • Checking for changes once a year or ad hoc instead of on a regular schedule. Regulators issue circulars and notifications throughout the year, often with implementation windows of only a few weeks (the CERT-In 2022 directions gave 60 days), so an annual check will miss deadlines entirely
  • Not documenting what you found or the actions you took, so during an audit you can't prove you were monitoring or that you acted on known regulatory changes
Compliance References

DPDP Act 2023: Section 8 (general obligations of a Data Fiduciary, including reasonable security safeguards under Section 8(5)); Section 33 and the Schedule (penalties, up to ₹250 crore per instance); rules notified under the Act set the implementation timelines you must track
CERT-In Directions 2022: Directions dated 28 April 2022 under Section 70B(6) of the IT Act 2000 (incident reporting to CERT-In within 6 hours, retention of ICT system logs for 180 days within India, designated point of contact); in force from 27 June 2022, i.e. a 60-day implementation window
ISO 27001:2022: Clause 4.2 (needs and expectations of interested parties, which include legal and regulatory requirements); Clause 5.2 (Policy); Clause 6.2 (Information security objectives and planning to achieve them); Annex A.5.1 (Policies for information security); Annex A.5.31 (Legal, statutory, regulatory and contractual requirements)
NIST CSF 2.0: Govern (GV) function, specifically GV.OC-03 (legal, regulatory and contractual requirements regarding cybersecurity, including privacy obligations, are understood and managed) and GV.RO (Roles, Responsibilities and Authorities) for assigning the monitoring owner


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
