Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library GRI GRI 2 GRI 2-27
GRI 2: General Disclosures
Disclosure GRI 2-27

Compliance with laws and regulations

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.

Dr Ross Kurinko, GRI Certified Trainer
Reviewed by Dr Ross Kurinko · GRI Certified Trainer LRA educational guidance · Not issued or endorsed by GRI
To prepare this disclosure
Disclosure focus

This disclosure asks an organisation to explain how it deals with compliance across its activities, rather than just saying it has policies in place. In practice, it is about whether the organisation has systems to identify, monitor and respond to legal and regulatory requirements, and whether it can show where any non-compliance has occurred and how it was handled.

The practical focus is on coverage and consistency across the organisation’s operations, not only at flagship sites or headquarters. A useful response should make clear the scope of the reporting boundary, the main areas of law and regulation that matter to the business, and any significant issues, patterns or follow-up actions that show how compliance is managed in reality.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
Total serious breaches Count every serious breach of law or regulation identified in the reporting period, using the organisation’s own threshold for what counts as serious. Compliance incident log; legal case tracker; regulatory correspondence; period-end summary from legal/compliance. Legal and Compliance
Breaches with fines From the serious-breach count, identify how many cases led to a financial penalty being imposed in the reporting period. Penalty notices; finance/legal case files; compliance register with sanction outcome; period-end reconciliation. Legal and Compliance
Total serious breaches Count every serious breach of law or regulation identified in the reporting period, using the organisation’s own threshold for what counts as serious. Compliance incident log; legal case tracker; regulatory correspondence; period-end summary from legal/compliance. Legal and Compliance
Breaches with other sanctions From the serious-breach count, identify how many cases led to a non-financial sanction in the reporting period. Regulator letters; enforcement notices; compliance case files; legal review of sanction type. Legal and Compliance
Paid fines count Count the number of fines actually paid during the reporting period, regardless of when the underlying breach happened. Accounts payable records; bank payment evidence; legal settlement schedule; fine payment register. Finance
Paid fines value Capture the total money paid for fines during the reporting period, based on actual payments made in that period. General ledger; bank statements; accounts payable run; payment confirmations linked to each fine. Finance
Current-year fine split Split the fines paid in the reporting period into those tied to breaches that happened in the current reporting period, and capture both the count and the money paid for that subset. Case chronology in legal register; fine payment schedule; mapping of payment to breach date; finance reconciliation. Legal and Compliance
Current-year paid fines count Count only the fines paid in the reporting period that relate to breaches occurring in the current reporting period. Legal case register with breach date; payment evidence; current-period subset report. Legal and Compliance
Current-year paid fines value Capture the money paid in the reporting period for fines linked to breaches that happened in the current reporting period. Finance ledger; bank proof of payment; legal register showing breach period and payment amount. Finance
Prior-year fine split Split the fines paid in the reporting period into those tied to breaches that happened in earlier reporting periods, and capture both the count and the money paid for that subset. Historical case register; payment evidence; ageing schedule of fines by breach period; finance/legal reconciliation. Legal and Compliance
Breach descriptions Provide a plain-language description of each serious breach, covering what happened, where relevant the law or rule involved, and the outcome or sanction. Legal case file; regulator notice; internal investigation summary; incident narrative approved by compliance. Legal and Compliance
Seriousness method Explain the internal method used to decide which breaches are treated as serious, including the criteria, review process and who applies it. Compliance policy; escalation matrix; decision memo; governance approval of the seriousness threshold. Legal and Compliance
+ Show GRI 2-27 sub-elements (LRA working checklist)

How to prepare it

1Set the reporting boundary first: confirm which entities, sites, and activities are in scope for the period, so you only capture breaches linked to that defined perimeter.
2Agree the counting rules before you start compiling data: decide what your team will treat as a material breach, and keep that test consistent across all sources and locations.
3Pull together the underlying records: gather case logs, legal notices, penalty letters, sanction records, and payment evidence so you can identify each relevant breach and whether it led to a financial penalty or another sanction.
4Build the disclosure outputs from those records: prepare the overall count, the split between cases with fines and cases with other sanctions, and the fine totals and amounts paid, including the split between amounts tied to the current period and those linked to earlier periods.
5Write a short explanation of the cases themselves and your method: summarise the significant breaches, and explain the basis you used to judge which cases were treated as significant.
6Check the final draft against the source records and the official guidance: make sure exclusions, reclassifications, and period-to-period changes are explained, and that the figures and narrative match the evidence trail.
Request the data

Request the compliance incidents and penalties log

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

What significant legal or regulatory breaches were identified in the period, what penalties were paid, and how were those cases classified?

Use your organisation’s own incident, breach, case, penalty and sanction terms first, then map them to the reporting categories before sending anything back. Keep the request in the language your legal, compliance or company secretariat team already uses, and check the source records before sign-off.

Weak request

Please provide the GRI 2-27 compliance with laws and regulations data, including the number of significant instances, fines, non-monetary sanctions, and how significance was determined.

Why it fails: This uses framework language rather than the team’s own records and labels, so the owner has to translate the ask before they can answer it. It also does not clearly separate the case log, the payment record, and the explanation of significance, which makes the return harder to verify.

Better request

Please send the legal/compliance case log for [period] for [scope], showing each significant breach or enforcement case, any cash penalty paid during the period, any non-cash sanction, the amount paid, whether the case started this year or earlier, and a short note on why it was treated as significant. Use your own internal labels and add a mapping note if needed. Please check the source records before sign-off.

Formal email template
Subject: Request for compliance incident and penalty data for [reporting period]

Dear [name/team],

Please could you share the compliance incident and penalty information for [reporting period] for the [group / entity / site] scope.

For each significant case in scope, please provide:
- the case reference and short description
- the internal category you used
- whether any cash penalty was paid during the period
- whether any non-cash sanction was applied
- the amount paid, if any
- whether the case first arose in the current period or an earlier period
- a short note explaining why the case was treated as significant
- the source record or document supporting the entry

Please also confirm the total count of significant cases in scope and the split between cases with cash penalties and cases with non-cash sanctions.

If you use different internal terms, please keep those terms in your response and add a short mapping note so we can translate them for reporting. Please check the source records before sign-off.

Many thanks,
[preparer name]
Short Teams / Slack version
Hi [name/team] — could you send the compliance incident / penalty log for [period] for [scope]?

Please include the case list, any cash penalties paid, any non-cash sanctions, the amount paid, and a short note on why each case was treated as significant. If you use different internal labels, keep them and add a quick mapping note. Please check the source records before sign-off. Thanks.
Industry examples
Manufacturing

Context. A plant compliance team tracks environmental permit breaches, safety notices, and regulator penalties in a local register.

Adapted request. Please share the plant compliance register for [period] covering [site(s)], including each significant breach or enforcement case, any penalty paid during the period, any non-cash sanction, the amount paid, whether the case began this year or earlier, and the reason it was treated as significant. Keep your site team’s own labels and add a short mapping note.

Example response. The team returns a table with 4 significant cases: 2 with cash penalties paid during the period and 1 non-cash sanction; one case had both a penalty and a sanction. They include case IDs, dates, amounts, currency, and a short significance note for each case.

Financial services

Context. A compliance function maintains a regulatory matters log covering conduct, reporting, and licence-related issues across entities.

Adapted request. Please provide the regulatory matters log for [period] for [entity scope], showing each significant matter, any fine paid during the period, any non-cash sanction, the amount paid, whether the matter arose in the current period or a prior one, and the internal reason it was treated as significant. Use your normal matter categories and add a mapping note.

Example response. The team returns 3 significant matters: 1 current-period matter with a fine paid, 1 prior-period matter with a fine paid, and 1 matter with a non-cash sanction only. They attach the regulator correspondence and a short classification note for each entry.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Explain how the organisation decides which breaches are material enough to include, and state the basis used to count cases, fines and amounts paid.

Context note

Clarify what the figures represent in practice: the scale of notable legal or regulatory breaches, how many led to penalties, and how much was paid in fines during the period.

Fluctuation statement

If the numbers moved materially, note whether this was driven by new issues arising in the year, settlements of older cases, changes in how cases were classified, or a different mix of penalties.

Content index entry
GRI 2-27 Compliance with laws and regulations — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for GRI 2-27 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
The information reported for this disclosure reconciles to the underlying source records.What is reported cannot be traced back to the systems or documents it was drawn from, or does not tie out to them.calculation_workbook reconciling the reported value to source_system_export
The information reported for this disclosure is current as at the reporting date.The disclosure reflects a different period, a cut-off before the reporting date, or stale data carried over from a prior period.approval_record showing the data cut-off date and the period covered
The scope behind the information reported for this disclosure is applied consistently.Parts of the organisation are silently in or out of scope, or the scope differs from the prior period without that change being explained.methodology defining the scope and a site_register of what it covers
Everything in scope is included in the information reported for this disclosure — nothing material is left out.Parts of the population that should be reported are omitted, understating or overstating the disclosure.site_register of the full population vs the calculation_workbook of what was actually included

Evidence pack to prepare

Common reporting gaps

The information is presented without a date or as-at point.The scope or boundary of the statement is left undefined.Key terms are used inconsistently across the report.Material changes since the previous period are not disclosed.Assertions are made without supporting detail or a source record.Boilerplate is used that does not actually answer what is asked.
Common gaps

Mistakes to avoid when collecting the data

Wrong owner for the case list
The data request goes to Legal or Compliance in framework language, but the real source sits with the teams that log breaches, penalties, and case outcomes in their own systems.
Scope is left vague
The collector does not pin down which entities, sites, or activities are in scope, so different teams send different populations that cannot be reconciled.
Period basis is mixed up
The team blends cases that happened in the year with fines that were paid in the year, which makes the counts and values impossible to separate cleanly.
Current and prior cases are merged
Payments linked to this year’s cases are not kept apart from payments linked to older cases, so the breakdown by when the breach occurred is lost.
Count basis changes mid-stream
Some teams count incidents, others count fines, and others count payment lines, so the same event can be captured more than once or not at all.
Source labels are stripped out
Original case IDs, regulator references, and internal file names are removed during collection, leaving no way to trace each figure back to the underlying record.
Different populations are combined
Monetary penalties and non-cash sanctions are rolled into one spreadsheet without separate fields, so the required split between them disappears.
No evidence trail is kept
The collector saves only the final numbers and drops the supporting extracts, dates, and approver names, so the sign-off path cannot be checked later.

Where judgement is often needed

Setting the group boundary after a deal closes
Decide whether to include a business only from the date control starts or stops, and explain the cut-off used so the count of significant breaches and any related fines matches the reporting boundary.
Handling local rulebooks that do not line up
Where the same conduct is treated differently across countries, use a consistent internal basis for deciding what counts as a significant breach and say which local rules were applied in each case.
Borderline cases near the reporting perimeter
For joint ventures, agents, contractors or other close-to-scope arrangements, set out the rule used to include or exclude an incident and describe any material cases that sit near the edge.
Choosing the date for a fine or sanction
State whether you use the payment date, the decision date or another internal cut-off for the year’s totals, and keep the same basis for both the number and the value reported.
Separating current-year and earlier-year penalties
If a payment in the year relates to an older breach, show it in the prior-period split and explain how you traced the case back to the year in which the breach happened.
Using estimates where the case is still open
If the final amount or sanction is not yet settled, explain whether you have used a measured amount, a best estimate or excluded the case for now, and disclose the method used to update it later.
Rounding and currency conversion choices
Set out the rounding rule and exchange-rate basis used for monetary values so readers can reconcile the totals, especially where small differences could change the reported amount.
Protecting privacy in the case description
When naming the incident would expose personal or sensitive details, give a high-level description that still explains the nature of the breach and the sanction without identifying individuals.
Deciding what makes a breach significant
Explain the internal threshold used to judge significance, such as size, repeat pattern, legal exposure or operational impact, and show that the same test was applied across the period.
Reconciling duplicate records across systems
If the same case appears in legal, finance and compliance logs, use one source of truth for the final count and value, and note how duplicates were removed before reporting.
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — Manufacturing

Synthetic example only: during the year, we recorded 5 material breaches of law or regulation, of which 3 led to fines and 2 to non-cash penalties. We paid 7 fines in total, worth £420,000; 4 of those fines related to matters arising this year (£260,000) and 3 related to earlier years (£160,000).

We treat an issue as material when it is significant in scale, seriousness, or likely impact, using our internal review of legal notices, regulator correspondence, and management escalation. The summary below separates the cases by outcome and shows which paid fines came from the current year versus earlier periods.

Synthetic breakdown of significant non-compliance and paid fines (cases / fines)
Significant instances3200
Paid fines0043
Illustrative (synthetic) example — Transport

Synthetic example only: we identified 4 material breaches in the period, with 1 resulting in a fine and 3 in non-cash sanctions. We settled 2 fines during the year, totalling £95,000; both were linked to issues that arose in previous years, and none related to the current year.

Our judgement of materiality is based on whether the matter was formally escalated, involved a regulator or court, and could reasonably affect our licence, operations, or reputation. The figures below split the breaches by outcome and show the fines paid by when the underlying issue first occurred.

Synthetic breakdown of significant non-compliance and paid fines (cases / fines)
Significant instances1300
Paid fines0002
Company reports

How companies report GRI 2-27

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

Interconexión Eléctrica S.A. E.S.P.
Electric Utilities / IPP / Energy Traders · Colombia · 2024
Open report →
Interconexión Eléctrica S.A. E.S.P.'s 2024 Integrated Management Report provides specific data on fines and penalties, noting monetary penalties exceeding USD 10,000 amounting to 2,887 (p.14) and mentions significant fines for non-compliance with service regulations (p.146). The report also details the breakdown and movements of the company’s debt by currency, source, and rates (p.124), and states there were no significant changes in relevant areas (p.131). However, no clear information was found regarding other narrative items related to the disclosure, indicating gaps in coverage for some expected details.
Advantech Co., Ltd.
Technology Hardware and Equipment · Taiwan · 2024
Open report →
Advantech Co., Ltd.'s 2024 ESG Report includes coverage of compliance with laws and regulations, noting incidents related to corruption and bribery on page 37 and referencing environmental law violations and fines on page 128. The report also mentions governance aspects tied to legal compliance on page 231. However, there is no clear evidence of reported fines for environmental violations in 2024, as page 260 states no fines were imposed, indicating some inconsistency or lack of clarity in the reporting of such incidents.
Sands China Ltd.
Hotels, Restaurants, Leisure, Tourism Services · Macao · 2025
Open report →
Sands China Ltd.’s 2025 ESG Report provides specific data on significant instances of noncompliance with laws and regulations, reporting two such instances on page 47, with no fines paid (p.47). The report also details greenhouse gas emissions by category, including purchased goods and services and capital goods, with figures provided on page 31 (p.31). However, there is no clear information on monetary losses related to fines and settlements beyond money laundering, which is reported as zero on page 54, and several other expected narrative items are not found or unclear in the report.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
TryHow do I prepare GRI 2-27?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
1 free answer
Check your understanding

Scenarios to work through

During year-end close, a preparer finds two serious breaches that were settled in the period: one led to a cash penalty and the other to a non-cash enforcement action. The legal team also notes a third minor breach that was not treated as significant.

QWhich items should be counted and split out in the disclosure, and which should be left out?
Reveal model answer →

A fine of 120,000 was paid during the reporting period for a permit breach that happened this year. Another payment of 80,000 was made in the same period for a case that arose last year and was only settled now.

QHow should the paid fines be grouped for reporting?
Reveal model answer →

The compliance team has a register showing three significant cases: one ended with a cash penalty, one with a licence restriction, and one is still open but already considered significant. The draft report currently lists only the two closed cases.

QShould the open case be described as well, and what level of detail is needed?
Reveal model answer →

A group prepares its report using a central compliance dashboard, but each business unit applies different thresholds for what counts as significant. The group wants to state only that it uses a “materiality review” without explaining the process.

QWhat should the preparer do about the method used to decide significance?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

GRI
GRI 2-27
within GRI 2: General Disclosures
Open official source →
Primary
Related & explore
FAQ

Questions this page answers

For GRI 2-27, what data points do I need to gather before I start drafting the disclosure?+
How do I use the step-by-step 'how to prepare' section for GRI 2-27 in practice?+
What should I include in the scope and methodology for GRI 2-27 serious breaches and fines?+
Who should own the GRI 2-27 data collection if the information sits across HR, legal, finance and compliance?+
How do I build an evidence pack for GRI 2-27 that is ready for assurance?+
What are the four assurance claims on the GRI 2-27 page and how do I use them?+
What common mistakes does the GRI 2-27 page warn about when reporting serious breaches and fines?+
How do I turn the GRI 2-27 data into a draft disclosure and narrative?+
Can I use the synthetic example disclosure on the GRI 2-27 page as a template for my own numbers?+
Where can I download the GRI 2-27 workbook and printable card, and what are they for?+
More questions this page can help with
GRI 2-27 serious breaches and fines: what datapoints should be in my source file?How do I split current-year and prior-year fines for GRI 2-27?What evidence should I keep for GRI 2-27 breach descriptions and fine values?How do I write a first draft for GRI 2-27 using the workbook?What are the most common GRI 2-27 reporting gaps to check before submission?How should I document the seriousness method for GRI 2-27?What does the GRI 2-27 example disclosure show about formatting the data table?How do I assign ownership across teams for GRI 2-27 reporting?What should an assurance reviewer look for in a GRI 2-27 evidence pack?Where can I find real company reports that disclose GRI 2-27 topics?How do I use the GRI 2-27 content-index line in a report draft?What is the best way to check that my GRI 2-27 counts and values are internally consistent?