Compliance with laws and regulations
Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.
↗ Share
This disclosure asks an organisation to explain how it deals with compliance across its activities, rather than just saying it has policies in place. In practice, it is about whether the organisation has systems to identify, monitor and respond to legal and regulatory requirements, and whether it can show where any non-compliance has occurred and how it was handled.
The practical focus is on coverage and consistency across the organisation’s operations, not only at flagship sites or headquarters. A useful response should make clear the scope of the reporting boundary, the main areas of law and regulation that matter to the business, and any significant issues, patterns or follow-up actions that show how compliance is managed in reality.
* This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.
A quick mental checklist before you prepare this disclosure — tick each as you settle it.
| Datapoint | What to capture | Evidence hint | Owner |
|---|---|---|---|
| Total serious breaches | Count every serious breach of law or regulation identified in the reporting period, using the organisation’s own threshold for what counts as serious. | Compliance incident log; legal case tracker; regulatory correspondence; period-end summary from legal/compliance. | Legal and Compliance |
| Breaches with fines | From the serious-breach count, identify how many cases led to a financial penalty being imposed in the reporting period. | Penalty notices; finance/legal case files; compliance register with sanction outcome; period-end reconciliation. | Legal and Compliance |
| Total serious breaches | Count every serious breach of law or regulation identified in the reporting period, using the organisation’s own threshold for what counts as serious. | Compliance incident log; legal case tracker; regulatory correspondence; period-end summary from legal/compliance. | Legal and Compliance |
| Breaches with other sanctions | From the serious-breach count, identify how many cases led to a non-financial sanction in the reporting period. | Regulator letters; enforcement notices; compliance case files; legal review of sanction type. | Legal and Compliance |
| Paid fines count | Count the number of fines actually paid during the reporting period, regardless of when the underlying breach happened. | Accounts payable records; bank payment evidence; legal settlement schedule; fine payment register. | Finance |
| Paid fines value | Capture the total money paid for fines during the reporting period, based on actual payments made in that period. | General ledger; bank statements; accounts payable run; payment confirmations linked to each fine. | Finance |
| Current-year fine split | Split the fines paid in the reporting period into those tied to breaches that happened in the current reporting period, and capture both the count and the money paid for that subset. | Case chronology in legal register; fine payment schedule; mapping of payment to breach date; finance reconciliation. | Legal and Compliance |
| Current-year paid fines count | Count only the fines paid in the reporting period that relate to breaches occurring in the current reporting period. | Legal case register with breach date; payment evidence; current-period subset report. | Legal and Compliance |
| Current-year paid fines value | Capture the money paid in the reporting period for fines linked to breaches that happened in the current reporting period. | Finance ledger; bank proof of payment; legal register showing breach period and payment amount. | Finance |
| Prior-year fine split | Split the fines paid in the reporting period into those tied to breaches that happened in earlier reporting periods, and capture both the count and the money paid for that subset. | Historical case register; payment evidence; ageing schedule of fines by breach period; finance/legal reconciliation. | Legal and Compliance |
| Breach descriptions | Provide a plain-language description of each serious breach, covering what happened, where relevant the law or rule involved, and the outcome or sanction. | Legal case file; regulator notice; internal investigation summary; incident narrative approved by compliance. | Legal and Compliance |
| Seriousness method | Explain the internal method used to decide which breaches are treated as serious, including the criteria, review process and who applies it. | Compliance policy; escalation matrix; decision memo; governance approval of the seriousness threshold. | Legal and Compliance |
Show GRI 2-27 sub-elements (LRA working checklist)
- Set out the method used to decide which breaches count as significant.
- Set out the significant breaches themselves.
- Split the significant legal and regulatory breaches in the period by those that led to fines.
- Split the significant legal and regulatory breaches in the period by those that led to non-cash penalties.
- For fines paid in the period, separate those linked to earlier-period breaches and give both the count and the amount.
- For fines paid in the period, separate those linked to breaches arising in the current period and give both the count and the amount.
- State the amount of fines paid during the period.
- State the number of fines paid during the period.
- State the total number of significant legal and regulatory breaches in the period.
LRA working checklist - paraphrased; see official source
- Set the reporting boundary first: confirm which entities, sites, and activities are in scope for the period, so you only capture breaches linked to that defined perimeter.
- Agree the counting rules before you start compiling data: decide what your team will treat as a material breach, and keep that test consistent across all sources and locations.
- Pull together the underlying records: gather case logs, legal notices, penalty letters, sanction records, and payment evidence so you can identify each relevant breach and whether it led to a financial penalty or another sanction.
- Build the disclosure outputs from those records: prepare the overall count, the split between cases with fines and cases with other sanctions, and the fine totals and amounts paid, including the split between amounts tied to the current period and those linked to earlier periods.
- Write a short explanation of the cases themselves and your method: summarise the significant breaches, and explain the basis you used to judge which cases were treated as significant.
- Check the final draft against the source records and the official guidance: make sure exclusions, reclassifications, and period-to-period changes are explained, and that the figures and narrative match the evidence trail.
Translate the disclosure into an internal business question — then adapt it to your organisation's own language.
Use your organisation’s own incident, breach, case, penalty and sanction terms first, then map them to the reporting categories before sending anything back. Keep the request in the language your legal, compliance or company secretariat team already uses, and check the source records before sign-off.
Please provide the GRI 2-27 compliance with laws and regulations data, including the number of significant instances, fines, non-monetary sanctions, and how significance was determined.
Please send the legal/compliance case log for [period] for [scope], showing each significant breach or enforcement case, any cash penalty paid during the period, any non-cash sanction, the amount paid, whether the case started this year or earlier, and a short note on why it was treated as significant. Use your own internal labels and add a mapping note if needed. Please check the source records before sign-off.
Formal email template
Subject: Request for compliance incident and penalty data for [reporting period] Dear [name/team], Please could you share the compliance incident and penalty information for [reporting period] for the [group / entity / site] scope. For each significant case in scope, please provide: - the case reference and short description - the internal category you used - whether any cash penalty was paid during the period - whether any non-cash sanction was applied - the amount paid, if any - whether the case first arose in the current period or an earlier period - a short note explaining why the case was treated as significant - the source record or document supporting the entry Please also confirm the total count of significant cases in scope and the split between cases with cash penalties and cases with non-cash sanctions. If you use different internal terms, please keep those terms in your response and add a short mapping note so we can translate them for reporting. Please check the source records before sign-off. Many thanks, [preparer name]
Short Teams / Slack version
Hi [name/team] — could you send the compliance incident / penalty log for [period] for [scope]? Please include the case list, any cash penalties paid, any non-cash sanctions, the amount paid, and a short note on why each case was treated as significant. If you use different internal labels, keep them and add a quick mapping note. Please check the source records before sign-off. Thanks.
Manufacturing
Context. A plant compliance team tracks environmental permit breaches, safety notices, and regulator penalties in a local register.
Adapted request. Please share the plant compliance register for [period] covering [site(s)], including each significant breach or enforcement case, any penalty paid during the period, any non-cash sanction, the amount paid, whether the case began this year or earlier, and the reason it was treated as significant. Keep your site team’s own labels and add a short mapping note.
Example response. The team returns a table with 4 significant cases: 2 with cash penalties paid during the period and 1 non-cash sanction; one case had both a penalty and a sanction. They include case IDs, dates, amounts, currency, and a short significance note for each case.
Financial services
Context. A compliance function maintains a regulatory matters log covering conduct, reporting, and licence-related issues across entities.
Adapted request. Please provide the regulatory matters log for [period] for [entity scope], showing each significant matter, any fine paid during the period, any non-cash sanction, the amount paid, whether the matter arose in the current period or a prior one, and the internal reason it was treated as significant. Use your normal matter categories and add a mapping note.
Example response. The team returns 3 significant matters: 1 current-period matter with a fine paid, 1 prior-period matter with a fine paid, and 1 matter with a non-cash sanction only. They attach the regulator correspondence and a short classification note for each entry.
The full request pack — response form, data table, evidence metadata and sign-off — is in the Download Centre.
LRA training templates — adapt them to your organisation, and check the official source before sign-off.
Explain how the organisation decides which breaches are material enough to include, and state the basis used to count cases, fines and amounts paid.
Clarify what the figures represent in practice: the scale of notable legal or regulatory breaches, how many led to penalties, and how much was paid in fines during the period.
If the numbers moved materially, note whether this was driven by new issues arising in the year, settlements of older cases, changes in how cases were classified, or a different mix of penalties.
GRI 2-27 Compliance with laws and regulations — [location / page] / [notes]
Professional preparation tools and forms for GRI 2-27. Each download includes a concise “How to use” guide.
| Claim | Risk | Evidence to check |
|---|---|---|
| The information reported for this disclosure reconciles to the underlying source records. | What is reported cannot be traced back to the systems or documents it was drawn from, or does not tie out to them. | calculation_workbook reconciling the reported value to source_system_export |
| The information reported for this disclosure is current as at the reporting date. | The disclosure reflects a different period, a cut-off before the reporting date, or stale data carried over from a prior period. | approval_record showing the data cut-off date and the period covered |
| The scope behind the information reported for this disclosure is applied consistently. | Parts of the organisation are silently in or out of scope, or the scope differs from the prior period without that change being explained. | methodology defining the scope and a site_register of what it covers |
| Everything in scope is included in the information reported for this disclosure — nothing material is left out. | Parts of the population that should be reported are omitted, understating or overstating the disclosure. | site_register of the full population vs the calculation_workbook of what was actually included |
- The governing policy or written commitment behind this disclosure
- A methodology / definition note setting out how the disclosure was scoped and prepared
- Source-system exports the figures or facts were drawn from
- The internal approval / sign-off record for the disclosure before publication
- Minutes or records evidencing the relevant engagement or consultation
- The information is presented without a date or as-at point.
- The scope or boundary of the statement is left undefined.
- Key terms are used inconsistently across the report.
- Material changes since the previous period are not disclosed.
- Assertions are made without supporting detail or a source record.
- Boilerplate is used that does not actually answer what is asked.
- Wrong owner for the case list
The data request goes to Legal or Compliance in framework language, but the real source sits with the teams that log breaches, penalties, and case outcomes in their own systems.
- Scope is left vague
The collector does not pin down which entities, sites, or activities are in scope, so different teams send different populations that cannot be reconciled.
- Period basis is mixed up
The team blends cases that happened in the year with fines that were paid in the year, which makes the counts and values impossible to separate cleanly.
- Current and prior cases are merged
Payments linked to this year’s cases are not kept apart from payments linked to older cases, so the breakdown by when the breach occurred is lost.
- Count basis changes mid-stream
Some teams count incidents, others count fines, and others count payment lines, so the same event can be captured more than once or not at all.
- Source labels are stripped out
Original case IDs, regulator references, and internal file names are removed during collection, leaving no way to trace each figure back to the underlying record.
- Different populations are combined
Monetary penalties and non-cash sanctions are rolled into one spreadsheet without separate fields, so the required split between them disappears.
- No evidence trail is kept
The collector saves only the final numbers and drops the supporting extracts, dates, and approver names, so the sign-off path cannot be checked later.
- Setting the group boundary after a deal closes
Decide whether to include a business only from the date control starts or stops, and explain the cut-off used so the count of significant breaches and any related fines matches the reporting boundary.
- Handling local rulebooks that do not line up
Where the same conduct is treated differently across countries, use a consistent internal basis for deciding what counts as a significant breach and say which local rules were applied in each case.
- Borderline cases near the reporting perimeter
For joint ventures, agents, contractors or other close-to-scope arrangements, set out the rule used to include or exclude an incident and describe any material cases that sit near the edge.
- Choosing the date for a fine or sanction
State whether you use the payment date, the decision date or another internal cut-off for the year’s totals, and keep the same basis for both the number and the value reported.
- Separating current-year and earlier-year penalties
If a payment in the year relates to an older breach, show it in the prior-period split and explain how you traced the case back to the year in which the breach happened.
- Using estimates where the case is still open
If the final amount or sanction is not yet settled, explain whether you have used a measured amount, a best estimate or excluded the case for now, and disclose the method used to update it later.
- Rounding and currency conversion choices
Set out the rounding rule and exchange-rate basis used for monetary values so readers can reconcile the totals, especially where small differences could change the reported amount.
- Protecting privacy in the case description
When naming the incident would expose personal or sensitive details, give a high-level description that still explains the nature of the breach and the sanction without identifying individuals.
- Deciding what makes a breach significant
Explain the internal threshold used to judge significance, such as size, repeat pattern, legal exposure or operational impact, and show that the same test was applied across the period.
- Reconciling duplicate records across systems
If the same case appears in legal, finance and compliance logs, use one source of truth for the final count and value, and note how duplicates were removed before reporting.
Synthetic, written by LRA — not from a company report, not text from any standard.
| Category | Fines incurred | Non-monetary sanctions | Paid fines from current period | Paid fines from prior periods | Total |
|---|---|---|---|---|---|
| Significant instances | 3 | 2 | 0 | 0 | 5 |
| Paid fines | 0 | 0 | 4 | 3 | 7 |
Synthetic example only: during the year, we recorded 5 material breaches of law or regulation, of which 3 led to fines and 2 to non-cash penalties. We paid 7 fines in total, worth £420,000; 4 of those fines related to matters arising this year (£260,000) and 3 related to earlier years (£160,000).
| Category | Fines incurred | Non-monetary sanctions | Paid fines from current period | Paid fines from prior periods | Total |
|---|---|---|---|---|---|
| Significant instances | 1 | 3 | 0 | 0 | 4 |
| Paid fines | 0 | 0 | 0 | 2 | 2 |
Synthetic example only: we identified 4 material breaches in the period, with 1 resulting in a fine and 3 in non-cash sanctions. We settled 2 fines during the year, totalling £95,000; both were linked to issues that arose in previous years, and none related to the current year.
How to turn the collected data into a draft disclosure. The charts below are drawn from the illustrative figures above — swap in your own data.
Other views you could build
- Overall non-compliance cases — table: A simple count of all notable breaches identified in the period, with a separate column for those that led to financial penalties and those that led to other sanctions.
- Penalty type split — stacked bar: How the total set of notable breaches divides between cases that resulted in fines and cases that resulted in non-cash sanctions.
- Paid fines by timing of the breach — stacked bar: The number of fines settled during the period and their value, split between breaches that happened this period and those carried over from earlier periods.
- Value of fines settled — bar: The monetary amount of fines paid in the period, with separate bars for current-period breaches and earlier-period breaches.
- Case profile of significant breaches — table: Short descriptions of each notable breach, including the nature of the issue and the outcome where a penalty or sanction was applied.
What separates a figure from a disclosure.
We recorded 3 significant breaches of law in the year.
We recorded 3 significant breaches of law in the year, including 2 cases that led to fines and 1 case that led to a non-cash sanction.
We recorded 3 significant breaches of law in the year across our operations, with 2 cases leading to fines and 1 to a non-cash sanction; of the 2 fines paid, 1 related to this year and 1 to an earlier year, and the later-year increase was mainly due to a one-off licensing issue.
Real reports where this topic is disclosed. The confidence label shows how closely each match maps to GRI 2-27 — these are report practice, not exact disclosure examples.
| Company | Sector · Country | Year | Match | Page | Report | Assurance | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Interconexión Eléctrica S.A. E.S.P. | Electric Utilities / IPP / Energy Traders · Colombia | 2024 | Partial | p. 142 →p. 146 →p. 97 → | ISA Integrated Management Report 2024 → | ey | ||||||||||||||||||||||||||||||||||||||||
Evidence in Interconexión Eléctrica S.A. E.S.P.’s reportWhat the report shows Interconexión Eléctrica S.A. E.S.P.'s 2024 Integrated Management Report provides specific data on fines and penalties, noting monetary penalties exceeding USD 10,000 amounting to 2,887 (p.14) and mentions significant fines for non-compliance with service regulations (p.146). The report also details the breakdown and movements of the company’s debt by currency, source, and rates (p.124), and states there were no significant changes in relevant areas (p.131). However, no clear information was found regarding other narrative items related to the disclosure, indicating gaps in coverage for some expected details.
Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict. Datapoint coverage
Source trail
|
||||||||||||||||||||||||||||||||||||||||||||||
| Advantech Co., Ltd. | Technology Hardware and Equipment · Taiwan | 2024 | Partial | p. 38 →p. 97 →p. 114 → | 2024 ESG Report → | PwC | ||||||||||||||||||||||||||||||||||||||||
Evidence in Advantech Co., Ltd.’s reportWhat the report shows Advantech Co., Ltd.'s 2024 ESG Report includes coverage of compliance with laws and regulations, noting incidents related to corruption and bribery on page 37 and referencing environmental law violations and fines on page 128. The report also mentions governance aspects tied to legal compliance on page 231. However, there is no clear evidence of reported fines for environmental violations in 2024, as page 260 states no fines were imposed, indicating some inconsistency or lack of clarity in the reporting of such incidents.
Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict. Datapoint coverage
Source trail
|
||||||||||||||||||||||||||||||||||||||||||||||
| Sands China Ltd. | Hotels, Restaurants, Leisure, Tourism Services · Macao | 2025 | Partial | p. 46 →p. 47 →p. 45 → | 2025 ESG Report → | EY | ||||||||||||||||||||||||||||||||||||||||
Evidence in Sands China Ltd.’s reportWhat the report shows Sands China Ltd.’s 2025 ESG Report provides specific data on significant instances of noncompliance with laws and regulations, reporting two such instances on page 47, with no fines paid (p.47). The report also details greenhouse gas emissions by category, including purchased goods and services and capital goods, with figures provided on page 31 (p.31). However, there is no clear information on monetary losses related to fines and settlements beyond money laundering, which is reported as zero on page 54, and several other expected narrative items are not found or unclear in the report.
Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict. Datapoint coverage
Source trail
|
||||||||||||||||||||||||||||||||||||||||||||||
During year-end close, a preparer finds two serious breaches that were settled in the period: one led to a cash penalty and the other to a non-cash enforcement action. The legal team also notes a third minor breach that was not treated as significant.Which items should be counted and split out in the disclosure, and which should be left out?
A fine of 120,000 was paid during the reporting period for a permit breach that happened this year. Another payment of 80,000 was made in the same period for a case that arose last year and was only settled now.How should the paid fines be grouped for reporting?
The compliance team has a register showing three significant cases: one ended with a cash penalty, one with a licence restriction, and one is still open but already considered significant. The draft report currently lists only the two closed cases.Should the open case be described as well, and what level of detail is needed?
A group prepares its report using a central compliance dashboard, but each business unit applies different thresholds for what counts as significant. The group wants to state only that it uses a “materiality review” without explaining the process.What should the preparer do about the method used to decide significance?
See how companies actually report GRI 2-27 — drawn from their own published reports, with the exact pages, and an LRA AI-assistant that works through it with you. Available to LRA Community members and to students throughout their platform access.
How this disclosure maps across the major reporting frameworks.
For GRI 2-27, what data points do I need to gather before I start drafting the disclosure?
The page says to prepare the serious-breach and fine datapoints, including counts, values, split by current and prior year, plus breach descriptions and the seriousness method. It is set up as a practical checklist, so you can use it to confirm the dataset is complete before drafting. ↑ section
How do I use the step-by-step 'how to prepare' section for GRI 2-27 in practice?
Use it as a working sequence for collecting the data, checking the scope, and turning the inputs into a draft. The page is designed to help you move from raw records to a disclosure-ready summary rather than just read the topic in theory. ↑ section
What should I include in the scope and methodology for GRI 2-27 serious breaches and fines?
The page points you to a seriousness method and to the current-year and prior-year split, so the scope and method need to explain how breaches were classified and how the periods were separated. Keep the explanation tied to the datapoints on the page and the evidence you can show. ↑ section
Who should own the GRI 2-27 data collection if the information sits across HR, legal, finance and compliance?
The page is aimed at sustainability/ESG managers, HR or data owners, and assurance reviewers, so ownership should sit with whoever can evidence the breach and fine records and coordinate the inputs. In practice, assign clear owners for the breach log, fine values, and the seriousness assessment so the pack is complete. ↑ section
How do I build an evidence pack for GRI 2-27 that is ready for assurance?
The page includes an evidence pack with five items and four assurance claims to verify, so the aim is to keep the source records, calculations and supporting explanations together. Use the pack to show how the counts and values were derived and how the seriousness method was applied. ↑ section
What are the four assurance claims on the GRI 2-27 page and how do I use them?
The page says there are four claims to verify, each with a claim, risk and evidence prompt. Use them as an assurance checklist to test whether the disclosure is complete, consistent and backed by documents before it goes into the report. ↑ section
What common mistakes does the GRI 2-27 page warn about when reporting serious breaches and fines?
The page lists common reporting gaps and mistakes, so it is useful for a final quality check before sign-off. Use it to catch missing datapoints, inconsistent splits, weak descriptions or unsupported calculations. ↑ section
How do I turn the GRI 2-27 data into a draft disclosure and narrative?
The page includes draft-output guidance with visualisation ideas, narrative starters and a content-index line. That means you can use the prepared numbers and breach descriptions to produce a first draft, then refine the wording for clarity and consistency. ↑ section
Can I use the synthetic example disclosure on the GRI 2-27 page as a template for my own numbers?
Yes, as an illustration only. The page says the example is synthetic and includes a quantitative table, so it can help you see how the disclosure may look, but you still need to replace it with your own internally consistent data. ↑ section
Where can I download the GRI 2-27 workbook and printable card, and what are they for?
The Download Centre includes a Prep & Assurance workbook in .xlsx format and a printable Library Card in .pdf format. Use the workbook to organise the data and evidence, and the card as a quick reference while preparing the disclosure. ↑ section
- GRI 2-27 serious breaches and fines: what datapoints should be in my source file?
- How do I split current-year and prior-year fines for GRI 2-27?
- What evidence should I keep for GRI 2-27 breach descriptions and fine values?
- How do I write a first draft for GRI 2-27 using the workbook?
- What are the most common GRI 2-27 reporting gaps to check before submission?
- How should I document the seriousness method for GRI 2-27?
- What does the GRI 2-27 example disclosure show about formatting the data table?
- How do I assign ownership across teams for GRI 2-27 reporting?
- What should an assurance reviewer look for in a GRI 2-27 evidence pack?
- Where can I find real company reports that disclose GRI 2-27 topics?
- How do I use the GRI 2-27 content-index line in a report draft?
- What is the best way to check that my GRI 2-27 counts and values are internally consistent?
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
Sources, status and disclaimer
This LRA assistance tool is designed for educational and internal data-collection purposes. It is not an official interpretation of the GRI Standards, IFRS Sustainability Disclosure Standards or EU CSRD/ESRS requirements. When applying these frameworks in professional practice, users should consult and double-check the official standards, guidance and applicable regulatory sources.