Compliance Check and Legal Risk Assessment
Noor Technologies has built its Cloud ERP platform for Pakistani textile manufacturers. Now Ayesha Malik wants to launch a new feature: AI-powered document processing that reads Urdu-language invoices, bills of lading, and export documentation. The feature will extract business names, addresses, shipment data, and financial figures automatically. Target market: Pakistan domestic customers with UAE and UK export partners.
Before Ayesha writes a single line of marketing copy, she needs to know what regulations apply. Not after launch. Not when a regulator sends a letter. Before the product reaches a single customer.
In Lesson 3, you reviewed an existing CloudStack contract. That was reactive -- the contract already existed and needed assessment. In Lesson 5, you triaged an incoming NDA. That was also reactive -- the NDA arrived and needed routing. This lesson is different. You will assess a planned business action before it creates legal exposure.
Three Compliance Modes
The Legal Plugin provides three distinct tools for compliance work. Each serves a different purpose:
| Tool | Mode | When to Use | Example |
|---|---|---|---|
| /review-contract | Reactive | An agreement exists and needs legal review | CloudStack SaaS MSA arrives for signature |
| /brief topic:regulatory | Monitoring | You need to track external regulatory changes | "What PDPA enforcement actions happened this month?" |
| /compliance-check | Proactive | You plan to do something and need to know what rules apply | Noor wants to launch AI document processing |
Reactive compliance responds to documents that land on your desk. Monitoring tracks changes in the regulatory environment. Proactive compliance assesses your own planned actions before they create exposure. Most legal teams spend 90% of their time on reactive work. The /compliance-check command shifts that balance.
Proactive compliance is the practice of assessing regulatory requirements before launching a product, entering a market, or changing a business process. For example, before Noor Technologies launches AI document processing for textile exporters, proactive compliance identifies that the Pakistan Personal Data Protection Act 2023 requires consent for processing personal data, that UAE PDPL applies to data from UAE export partners, and that UK GDPR applies to data from UK partners -- all before a single document is processed. Proactive compliance costs hours. Reactive enforcement costs millions. Why it matters: a PKR 25 million PDPA penalty or a UK GDPR fine of up to 4% of global turnover dwarfs the cost of a pre-launch assessment.
Prediction Moment
Before running /compliance-check, make your prediction. Noor's AI document processing feature will handle Urdu invoices containing business names, addresses, and shipment data for customers in Pakistan, UAE, and UK.
Write down your answers:
- Will the assessment say Proceed, Proceed with conditions, or Requires review?
- Which specific regulations will it flag?
- How many jurisdictions will the assessment cover?
Hold your predictions. You will compare them to the output in a moment.
Running /compliance-check
Bilal opens Cowork and runs the assessment:
/compliance-check
Planned action: Launch AI-powered document processing service for
Pakistani textile manufacturers. The service will process Urdu-language
invoices, bills of lading, and export documentation containing business
names, addresses, and shipment data. Target market: Pakistan domestic
with UAE and UK export customers.
Processing details:
- Input: scanned PDFs and digital documents in Urdu and English
- Data extracted: company names, addresses, phone numbers, shipment
values, customs reference numbers, bank details for payment
- Storage: cloud infrastructure in Pakistan
- Access: Noor Technologies employees + customer portal access
- Third parties: OCR processing via cloud API (US-based provider)
What to expect: The agent produces a compliance assessment. Your output will vary, but look for these sections:
| Section | Intent | What to Verify |
|---|---|---|
| Recommendation header | Overall assessment: Proceed / Proceed with conditions / Requires review | Compare against your prediction — most students predict "Proceed" but the assessment typically returns "Proceed with conditions" |
| Applicable regulations | Lists each regulation that applies, why it applies, and key requirements | Should identify data protection regimes for all three jurisdictions (Pakistan, UAE, UK) plus any electronic transactions legislation |
| Requirements checklist | Specific compliance actions needed before launch | Should include cross-border transfer mechanisms, impact assessments, and processor agreements |
| Risk analysis | HIGH/MEDIUM/LOW classification of compliance gaps | Look for cross-border data transfer as the highest-risk item |
| Priority actions | Ordered list of pre-launch steps | Should prioritise items that address multiple jurisdictions simultaneously |
| Attorney review footer | Governance boundary reminder | Confirm the footer is present |
The specific regulations identified, risk ratings, and priority ordering depend on the business action described and your playbook configuration. Focus on whether the assessment identifies the correct jurisdictions and surfaces regulations you did not anticipate. The teaching point is proactive compliance — identifying regulatory requirements before launch, not after.
Calibration
Compare your prediction to the output. Most students predict "Proceed" because the service processes business documents, not sensitive personal data. The assessment typically returns "Proceed with conditions" because business documents contain personal data -- names, addresses, phone numbers, bank details -- that trigger data protection requirements in three jurisdictions. If you missed any applicable regulation, that is exactly the value of proactive assessment -- it surfaces requirements you did not anticipate.
A compliance assessment is a structured starting point for attorney review, not a substitute for legal advice. The assessment identifies applicable regulations and flags requirements. Your attorney confirms the analysis, verifies the regulatory interpretation, and signs off on the compliance plan.
The Legal Risk Assessment Framework
The compliance assessment identifies what regulations apply. The legal risk assessment quantifies how much risk each compliance gap creates. The Legal Plugin includes a legal-risk-assessment skill that uses a 5x5 severity-by-likelihood matrix -- the same framework used by enterprise risk management teams worldwide.
A 5x5 risk matrix plots the severity of a risk (how bad it would be) against its likelihood (how probable it is). Each axis runs from 1 to 5. The risk score is Severity multiplied by Likelihood, producing a number from 1 to 25. This score determines the risk classification: GREEN (1-4, acceptable), YELLOW (5-9, monitor), ORANGE (10-15, mitigate), RED (16-25, escalate immediately). For example, a risk with Severity 4 (Major -- 10-25% of relevant value) and Likelihood 3 (Possible) scores 12, classified as ORANGE -- requiring active mitigation before proceeding. Why it matters: the matrix transforms subjective legal judgment ("this feels risky") into quantified assessment ("this is a 12/25 ORANGE risk requiring mitigation before launch").
The Severity Scale
| Score | Level | Financial Impact | Description |
|---|---|---|---|
| 1 | Negligible | <1% of relevant value | Minor administrative issue, no regulatory consequence |
| 2 | Minor | 1-5% of relevant value | Procedural gap, correctable without external impact |
| 3 | Moderate | 5-10% of relevant value | Regulatory notice likely, remediation required |
| 4 | Major | 10-25% of relevant value | Enforcement action probable, material financial impact |
| 5 | Critical | >25% of relevant value | Criminal liability, licence revocation, existential threat |
The Likelihood Scale
| Score | Level | Probability | Description |
|---|---|---|---|
| 1 | Remote | <5% | Requires exceptional circumstances |
| 2 | Unlikely | 5-20% | Possible but not expected |
| 3 | Possible | 20-50% | Could occur under normal conditions |
| 4 | Likely | 50-80% | Expected to occur without intervention |
| 5 | Almost Certain | >80% | Will occur unless actively prevented |
Risk Score Classification
| Score Range | Band | Action Required |
|---|---|---|
| 1-4 | GREEN | Accept -- monitor during normal operations |
| 5-9 | YELLOW | Monitor -- include in quarterly risk review |
| 10-15 | ORANGE | Mitigate -- active risk reduction required before proceeding |
| 16-25 | RED | Escalate -- stop and address immediately, senior counsel required |
Applying the Matrix to Noor's AI Product Launch
Take the four risks from the compliance assessment and score them:
Assess the legal risks of launching AI document processing for
Pakistani textile manufacturers. Use the compliance assessment
above and score each risk using the 5x5 severity-by-likelihood
matrix.
What to expect: The agent produces a risk matrix scoring each compliance gap. Your output will vary, but look for these sections:
| Section | Intent | What to Verify |
|---|---|---|
| Per-risk severity and likelihood scores | Quantifies each compliance gap on the 5x5 scale | Check that the severity rationale references the correct regulatory penalty range |
| Risk score calculation | Severity x Likelihood = score, mapped to GREEN/YELLOW/ORANGE/RED band | Verify the arithmetic is correct and the band assignment matches the score range table above |
| Action recommendation per risk | Specific mitigation step for each risk | Should distinguish between items that block launch (RED) and items that need monitoring (YELLOW) |
| Summary with overall recommendation | Aggregated risk profile | Should reflect the highest-severity item as the gating factor |
The specific risk scores depend on how the agent assesses severity and likelihood for your scenario. Focus on whether the scoring rationale is defensible and whether the action recommendations are proportionate to the risk level. The teaching point is the 5x5 framework itself — transforming subjective risk judgment into quantified, prioritised action.
The risk matrix transforms the compliance assessment from a checklist into a prioritised action plan. RED items must be resolved before launch. YELLOW items need attention but do not block a phased rollout. GREEN items can be handled in the normal course of business.
Worked Example: PayGulf Compliance Assessment
Fatima Al-Rashidi at PayGulf Technologies faces a different compliance question. PayGulf wants to launch a cross-border payment feature allowing Saudi merchants to accept payments from UAE customers through the PayGulf platform.
/compliance-check
Planned action: Launch cross-border payment feature for Saudi
merchants. Saudi-based merchants will accept payments from UAE
customers through the PayGulf platform (DIFC-regulated). Payment
processing involves: customer payment data (card details, bank
accounts) flowing from UAE to DIFC infrastructure, transaction
records stored in DIFC, settlement to Saudi merchant bank accounts.
Regulatory context: PayGulf is DFSA-regulated (DIFC).
Expanding service to Saudi Arabia for the first time.
What to expect: The agent produces a compliance assessment for PayGulf's regulated scenario. Your output will vary, but look for these sections:
| Section | Intent | What to Verify |
|---|---|---|
| Recommendation header | Overall assessment — likely "Requires review" given regulated entity status | Check whether the agent escalates beyond "Proceed with conditions" given DFSA-regulated context |
| SAMA outsourcing rules | Saudi regulatory requirements for outsourcing payment processing | Should identify SAMA approval requirements and data localisation obligations |
| Saudi PDPL requirements | Data protection for Saudi residents | Should flag data localisation and cross-border transfer requirements |
| DFSA regulatory requirements | Home regulator obligations for material business changes | Should identify notification requirements and systems/controls obligations |
| Industry-specific standards | Payment card data security requirements | Should reference PCI DSS given payment data processing |
PayGulf's regulated status means the compliance assessment should be materially more severe than Noor's. A regulated entity faces both commercial law requirements and sector-specific regulatory obligations. Focus on whether the agent identifies the layered regulatory complexity — not just data protection, but financial services regulation and payment industry standards.
Fatima applies the risk matrix to PayGulf's four identified risks:
| Risk | Severity | Likelihood | Score | Band | Action |
|---|---|---|---|---|---|
| SAMA outsourcing approval not obtained | 5 (Critical -- licence risk) | 4 (Likely -- SAMA enforces actively) | 20 | RED | Stop. Engage SAMA regulatory counsel before any Saudi operations |
| Saudi data localisation gap | 4 (Major -- enforcement + data seizure) | 4 (Likely -- PDPL enforcement increasing) | 16 | RED | Stop. Architect Saudi data mirror before processing any Saudi data |
| DFSA notification of material change | 3 (Moderate -- regulatory action) | 3 (Possible -- depends on DFSA assessment) | 9 | YELLOW | Monitor. File notification before launch. DFSA response time: 4-6 weeks |
| PCI DSS compliance for new corridor | 3 (Moderate -- payment processing risk) | 2 (Unlikely -- existing PCI programme covers most) | 6 | YELLOW | Monitor. Extend current PCI scope to cover Saudi corridor |
PayGulf's assessment is more severe than Noor's. Two RED risks -- both requiring resolution before any Saudi operations begin. This is the output you want to see before launch, not after SAMA sends an enforcement notice.
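The 5x5 matrix described in the framework section and applied to PayGulf's four risks above is simple enough to encode, and encoding it removes the arithmetic and band-assignment mistakes the "What to Verify" column asks you to check for. The following is an added example, not part of the lesson or the Legal Plugin's own skill code. It takes the severity and likelihood scales and the band boundaries exactly as the lesson's tables give them, rejects scores off the 1-5 scale, orders a risk register by score to produce the priority list, and separates out the RED items that block launch. The `Risk` class, function names and the `PAYGULF_RISKS` register are the example's own constructions; the four PayGulf entries use the severity and likelihood values from the table above.

```python
from dataclasses import dataclass

# Scale labels from the lesson's severity and likelihood tables.
SEVERITY_LEVELS = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
LIKELIHOOD_LEVELS = {1: "Remote", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}

# Band boundaries (inclusive upper score) and the required action, taken from
# the Risk Score Classification table.
BANDS = [
    (4, "GREEN", "Accept"),
    (9, "YELLOW", "Monitor"),
    (15, "ORANGE", "Mitigate"),
    (25, "RED", "Escalate"),
]


def risk_score(severity: int, likelihood: int) -> int:
    """Severity x Likelihood on the 5x5 matrix; rejects values off the scale."""
    if severity not in SEVERITY_LEVELS:
        raise ValueError(f"severity must be 1-5, got {severity}")
    if likelihood not in LIKELIHOOD_LEVELS:
        raise ValueError(f"likelihood must be 1-5, got {likelihood}")
    return severity * likelihood


def risk_band(score: int) -> str:
    """Map a 1-25 score to GREEN / YELLOW / ORANGE / RED."""
    for upper, band, _ in BANDS:
        if score <= upper:
            return band
    raise ValueError(f"score out of range: {score}")


def band_action(band: str) -> str:
    """Action word for a band, from the classification table."""
    return next(action for _, b, action in BANDS if b == band)


@dataclass(frozen=True)
class Risk:
    # Hypothetical register entry: one compliance gap with its two ratings.
    name: str
    severity: int
    likelihood: int

    @property
    def score(self) -> int:
        return risk_score(self.severity, self.likelihood)

    @property
    def band(self) -> str:
        return risk_band(self.score)


def score_register(risks):
    """Return the register as rows ordered highest score first (the priority list)."""
    rows = [
        {"risk": r.name, "severity": r.severity, "likelihood": r.likelihood,
         "score": r.score, "band": r.band, "action": band_action(r.band)}
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def launch_blockers(risks):
    """RED items must be resolved before launch; everything else can be phased."""
    return [r.name for r in risks if r.band == "RED"]


def render_matrix() -> str:
    """Text grid of the whole 5x5 matrix: severity down the side, likelihood across."""
    lines = ["Sev\\Lik " + " ".join(f"{lik:>6}" for lik in range(1, 6))]
    for sev in range(5, 0, -1):
        cells = []
        for lik in range(1, 6):
            score = risk_score(sev, lik)
            cells.append(f"{score:>2}/{risk_band(score)[0]}")  # e.g. "12/O"
        lines.append(f"{sev:<8}" + " ".join(f"{c:>6}" for c in cells))
    return "\n".join(lines)


# PayGulf's four risks, with the severity and likelihood values from the table.
PAYGULF_RISKS = [
    Risk("SAMA outsourcing approval not obtained", 5, 4),
    Risk("Saudi data localisation gap", 4, 4),
    Risk("DFSA notification of material change", 3, 3),
    Risk("PCI DSS compliance for new corridor", 3, 2),
]

if __name__ == "__main__":
    print(render_matrix())
    for row in score_register(PAYGULF_RISKS):
        print(f"{row['score']:>2} {row['band']:<6} {row['action']:<9} {row['risk']}")
    print("Launch blockers:", launch_blockers(PAYGULF_RISKS))
```

Running the block reproduces the PayGulf table (20 RED, 16 RED, 9 YELLOW, 6 YELLOW) and lists the two RED items as launch blockers. The same register structure works for Noor's four risks: swap in the agent's severity and likelihood ratings and the band assignments and priority ordering follow mechanically, which leaves the rationale behind each rating as the only thing the attorney needs to argue about.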
What You Built
- Compliance assessment for Noor Technologies' AI document processing launch, identifying four applicable regulations across three jurisdictions
- Risk matrix with four risks scored using the 5x5 severity-by-likelihood framework -- 1 RED, 2 YELLOW, 1 GREEN
- Priority actions list for pre-launch compliance, ordered by risk score
- PayGulf comparison assessment demonstrating how regulated entities face higher compliance thresholds (2 RED risks vs. Noor's 1 RED)
Try With AI
Setup: Use these prompts in Cowork or your preferred AI assistant.
Prompt 1: Reproduce
/compliance-check
Planned action: Launch AI-powered document processing service for
Pakistani textile manufacturers. Will process Urdu-language invoices,
bills of lading, and export documentation containing business names,
addresses, and shipment data. Target market: Pakistan domestic with
UAE/UK export customers. OCR processing via US-based cloud API.
What you are learning: How /compliance-check structures a regulatory assessment into applicable regulations, a requirements checklist, risk analysis, and priority actions. Compare your output to the reference in this lesson. The regulation list should be consistent across runs. The priority ordering may vary -- that variation shows you where professional judgment shapes compliance planning.
Prompt 2: Adapt
/compliance-check
Planned action: A DIFC-based fintech company plans to offer
automated invoice factoring to SMEs in Saudi Arabia. The service
will process invoice data (company names, amounts, payment terms,
bank details) from Saudi merchants, store data in DIFC cloud
infrastructure, and make factoring decisions using an AI credit
scoring model.
Score the top 4 risks using the 5x5 severity-by-likelihood matrix.
Classify each as GREEN (1-4), YELLOW (5-9), ORANGE (10-15), or
RED (16-25).
What you are learning: Changing the jurisdiction pair (DIFC to Saudi Arabia) and the business action (invoice factoring with AI credit scoring) tests whether you can apply the same compliance framework to a different scenario. SAMA's outsourcing rules and Saudi PDPL data localisation should appear again -- but the AI credit scoring model introduces new regulatory considerations (algorithmic fairness, explainability requirements) that the document processing scenario did not trigger.
Prompt 3: Apply
Think of a product launch, market expansion, or business process
change that your organisation is planning or has recently completed.
Run /compliance-check with a detailed description of the planned
action, including:
- What data will be processed
- Which jurisdictions are involved
- What third parties are involved
- What technology is being used
Then score the top 4 risks using the 5x5 matrix. For each risk,
write one sentence explaining your severity rating and one sentence
explaining your likelihood rating.
Compare your risk scores to the agent's risk analysis. Where you
disagree with the agent's assessment, explain why your organisation's
specific context changes the risk level.
What you are learning: Applying compliance assessment to your own organisation forces you to evaluate the agent's output against your institutional knowledge. The agent identifies regulations based on jurisdiction and data type. You calibrate severity and likelihood based on your organisation's specific circumstances -- its regulatory history, its existing compliance infrastructure, and its risk appetite. The gap between the agent's generic assessment and your calibrated one is where professional judgment lives.