There exists a document in the Indian capital markets that precedes every bell rung on Dalal Street, every ticker update, every front-page financial headline: the Draft Red Herring Prospectus (“DRHP”). A DRHP is the first thing you hand the Regulator, i.e. the Securities and Exchange Board of India (“SEBI”), or an Exchange, and it tends to be a voluminous, information-laden, and data-filled document. It is not a mere disclosure document; it is the crucible where vision is tested against regulation, ambition is weighed against risk, and storytelling is married to statutory rigours.
The DRHP blends law, finance, strategy, and reputation, with the Risk Factors chapter being the most demanding test: it is where a company stands under the spotlight before the public, confessing its vulnerabilities while asserting its readiness. This is not a box-ticking exercise but rather an excavation, driven by the conviction that the DRHP is more than a regulatory formality; it is a living instrument whose architecture, nuance, and implications must be understood in totality. That understanding is pursued through a 'series' of practice notes curated into four installments, of which the present note is the first.
Each Practice Note in this series focuses not merely on explaining chapters of the DRHP but on dissecting them with clarity, drawing from a corpus of SEBI observations, market precedents, judicial pronouncements, and most crucially, mistakes that never made it past the regulator's pen. The spirit of this exercise is not to prescribe a one-size-fits-all formula, but to offer a practitioner's compass: a body of work that respects the fluidity of markets, the granularity of compliance, and the moral responsibility of full and fair disclosure.
In 2024, the volume of equity deals in India, including Initial Public Offerings (“IPOs”), reached a record $70 billion, which is second only to the United States. IPOs made up around $19 billion of this volume, with an average deal size of $275 million. As many as 11 IPOs were priced at above $500 million. In this regard, when Ms. Madhabi Puri Buch (the then Chairperson of SEBI) took the podium at FICCI's 21st Annual Capital Markets Conference (2024), her words were not just an address but a rallying cry for reform in India's IPO ecosystem. She debunked several myths surrounding the IPO application process (and rejections) and painted a picture of India's spurt of growth as a global IPO powerhouse. Pertinently, her keynote was not merely a report on numbers but rather a clarion call to all stakeholders navigating the corridors of Indian capital markets.
Ms. Buch continued to underscore the issues that plague IPO filings in the form of glaring discrepancies within filed DRHPs. This compels a question: What are issuer companies consistently getting wrong in Risk Factor drafting? To distil actionable guidance from regulatory expectations, this Practice Note draws from a review of over 50 DRHPs and 30 SEBI Observation Letters issued between 2023 and 2024, spanning a wide range of industries and sectors. This exercise culminated in the identification and analysis of more than 250 distinct observations, each examined for patterns, omissions, and drafting lapses. Focused specifically on the Risk Factors chapter, the insights presented here reflect not abstract theory, but recurring regulatory concerns that have shaped real-world IPO outcomes.
The present Practice Note focuses on the Risk Factors chapter, within the scope of the Observation Letters examined, and on the issues that directly impact regulatory scrutiny and investor perception.
RISK FACTORS
The Risk Factors section of a DRHP is the point of entry for potential investors to become aware of existing as well as future problems, vulnerabilities, and functional complexities being faced by the issuing company. Schedule VI, Part A, Point 5(G) of the Securities and Exchange Board of India (Issue of Capital and Disclosure Requirements) Regulations, 2018 (“ICDR Regulations”) offers useful guidelines to issuer companies regarding disclosure of risk factors in a DRHP. These offer minimum requirements and uniformity in disclosures in all DRHPs. Significantly, issuers are to prioritise and identify the most material risk factors in the top 10 of the Risk Factor chapter.
A full-scope risk factor assessment must include elementary tools, specifically the SWOT (Strengths, Weaknesses, Opportunities, and Threats) and PESTEL (Political, Economic, Social, Technological, Environmental, and Legal) models to obtain an overall assessment of likely vulnerabilities of the issuing company. Both tools enable the issuing company to methodically examine internal and external elements of risk, thereby facilitating the disclosures to be balanced, material, and investor relevant.
To even more precisely define the notion of risk factors disclosure, a holistic analysis of various industries such as manufacturing, renewable energy, logistics, finance, engineering, and construction was deemed vital. This inclusion provided an understanding of how issuer companies in various sectors make disclosures about the risks of their business operations and the prevailing industry conditions. This research revealed certain patterns of risk disclosures and led to the grouping of risks into three broad classes, conveniently addressed hereinafter as:
- Universally Relevant Risks, cutting across industries (e.g., governance, regulatory compliance, and financial instability);
- Situational Risks, specific to a particular issuer's business model, operating dynamics, or record (e.g., dependence on a single supplier, geographic concentration, or litigation history);
- Sector-Specific Risks, which are specific to particular industries (e.g., renewable energy price volatility, supply chain disruption in logistics, or demand cycle variability in manufacturing).
Building on the general framework of risk factors, SEBI's observations reveal several recurring patterns of common issues which are explored in the sections that follow:
General Considerations for Drafting Risk Factors
- Materiality
A risk is pertinent for inclusion in the DRHP not because of its likelihood or apparent nature but because of the 'Materiality' of its effect (even if hypothetical!). The test of Materiality with regard to a public issue is a litmus test. Each issuer company has to define a materiality policy, taking into account a varied assortment of both quantitative and qualitative considerations and the realities of its situation. This policy also has to be harmonized with regulatory benchmarks (for example, for the definition of group companies, the ICDR Regulations, AS-18 and AS-24 should be referred to) and has to be applied uniformly when testing materiality, so that risks are effectively identified and reported to investors, who can then make well-informed investment decisions according to their risk appetite.
Crucially, this issuer-level materiality policy does not operate in isolation: it gains impetus and flows from Regulation 30 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“LODR Regulations”), under which listed entities are obligated to disclose any material event or information that can influence the performance or financial position of the company, as it is considered important to give investors complete information on possible risks. The LODR Regulations thus seek to promote transparency on any risks that can materially change the direction of the company. Hence, the determination of material risks has to travel beyond a simple statutory checklist, taking cognizance of each risk's individual and overall collective impact on the issuer's business and financial well-being as a whole.
The Regulator, in the Observation Letter, frequently requests the issuer company to reframe risks or split them into several points for clarity. During drafting, the most material risk needs to be numbered as the first risk, following a materiality-based numbering scheme. Furthermore, risks that individually might not be material but are material when taken together should also be disclosed. For example, Corporate Strategic Allianz Ltd. v. SEBI[1] upheld that non-disclosure of material financial obligations (such as bridge loans) is a serious default, even though it may be considered "technical." It is critical that due diligence is done to ensure all material disclosures are made.
- Language and Precision
The Risk Factors chapter should be a definite and trustworthy guide for investors to the unknowns of an issuer company. The language should be easy, simple, and consistent, without promotional lingo or unsubstantiated assertions. The use of qualitative statements and adjectives, particularly those that imply a value judgement, such as but not limited to "leading," "strong," "prominent," "well established," or "robust," is strictly discouraged throughout the DRHP. Such terms should only be used if supported by independently verifiable information.
In addition, the issuer company ought not to employ inclusive and non-descriptive phrases like "certain risks" or "material adverse effects." The SAT's ruling in P.G. Electroplast Ltd. v. SEBI, 2019 SCC OnLine SAT 148[2] again emphasizes the utmost significance of precision and clarity in risk disclosures and states that imprecise or ill-placed risk disclosures tend to trigger regulatory concerns and IPO approval delays.
To demonstrate the significance of being clear and specific in risk disclosures, imagine a situation where the business of a company is heavily exposed to exchange rate fluctuations. A company with a high amount of international revenue (e.g., from operations in Europe) is exposed to the Euro/US Dollar exchange rate. Fluctuations in the exchange rate can have a direct impact on the financial performance of the company, such as revenue generation and profit margins. If the risk is defined in obscure or general terms, the disclosure can fail to describe the real nature and extent of the underlying risk. By way of illustration, consider:
Avoid: "The company may be impacted by currency exchange fluctuations."
Prefer: "With considerable revenue from Europe, we are subject to volatility in the exchange rate between the Euro and US Dollar. In Q1 2024, the Euro lost 5% value, causing a 5% drop in revenue from our European operations. This currency risk exposure may continue to impact profitability if the exchange rate becomes more volatile."
- Data-Backed Disclosures and Visual Clarity
Clear risk disclosures should, wherever possible, be supplemented by verifiable quantitative data, past trends, financial ratios, or other factual bases. By expressing risks in concrete numbers, the issuer company is in a position to communicate to investors more clearly a sense of material risks and their probable effect. Visual representations like graphs, charts, and tables may go a long way in making the disclosures more accessible to, and better understood by, investors.
However, data-driven disclosures on their own are not enough unless they are coupled with due diligence and verification procedures. Regulatory enforcement actions in this regard indicate a red flag. In PNB Investment Services Ltd. (2014 SCC OnLine SEBI 178), SEBI observed due diligence failures in the IPO process itself, such as lapses in verifying material facts like cancellation of allotment of land, incorrect disclosure of the presence of employees, and non-disclosures of related party dealings. These failures resulted in regulatory action in the form of the suspension of registration of the said intermediary. Though this was a case of merchant bankers, the broader lesson holds true for all the concerned stakeholders dealing with IPO disclosures.
- Consistency Across the DRHP
The Risk Factors chapter should not be read as an isolated story; it must be logically linked and harmonised with the rest of the DRHP. SEBI, in its observation letters and scrutiny process, has time and again stressed the importance of internal consistency and correct cross-referencing between the Risk Factors chapter and the other major chapters of the DRHP, including but not limited to Objects of the Issue, Our Business, Financial Information, Outstanding Litigations and Material Contracts.
The SAT's orders in both Corporate Strategic Allianz Ltd. and P.G. Electroplast Ltd. emphasize the role of correct internal cross-referencing in the DRHP. The Tribunal observed that risk factors must explicitly direct investors to elaborate descriptions elsewhere in the document, including financial disclosures and litigation summaries, with specific page numbers.
Thus, in order to enhance clarity and usability, all material risk factors need to include accurate cross-references to the relevant sections (and exact page numbers) where supporting information is held. This cross-referencing ensures that investors can trace risk disclosures back to the relevant chapters for further clarity and detailed explanations. For example:
Avoid: "This risk could adversely impact our financial performance and business operations."
Prefer: "Disputes that might occur from our joint venture transactions or other strategic partnerships might lead to suspension, delay, or cancellation of projects, which might negatively affect our business operations, financial performance, market reputation, operational efficiency, and viability in the long run. For more details regarding such joint venture transactions and alliances, please refer to the section headed 'Our Business' on page [●] of this Draft Red Herring Prospectus."
Having addressed the general guidelines regarding the sequencing of the risk factors, it becomes pertinent to outline some of the specific risks that are compulsory for all issuer companies to make known in their DRHP. The list is not exhaustive, but the following group highlights the disclosure points identified by SEBI and found to be material risks across industries.
Business and External Risk Disclosures: A Structured Approach
- Business Related Risk
Business-related risks have direct implications on an issuer company's revenue, cost bases, and market positioning. These risks span a wide range including but not limited to:
- Core Business Operations: Any risk of production, logistics, inventory, and distribution model inefficiencies that affect output quality, cost structures, or the customer experience.
- Availability and Capacity Risks: Disclose risks to human or capital resources that can prevent the company from reaching production targets, impacting profitability or market share.
- Outsourcing Risks: Indicate whether the company has outsourced core activities.
- Over-reliance on Suppliers and Vendors: Dependence on particular suppliers of major raw materials or services is a key component in the company's operations. Disclosure should reflect the concentration of such partners, sourcing practices, and supply stability measures.
- Customer Concentration: Over-reliance on a limited number of customers who account for a high proportion of revenues, and the loss of, or decline in business from, such customers.
- Technological and Infrastructure Risks: Disclose any risks relating to manufacturing, production, operation or process methodology, workspace, or IT systems that would affect business operations.
- Workforce and Labour Risks: Include risks related to labour shortages, staff turnover, and union conflicts.
- Market Volatility and Demand Fluctuations: Describe risks of economic recession, market volatility, or consumer demand fluctuations that may affect operational profitability and efficiency.
- Business Continuity and Disaster Recovery: Address the likelihood of business disruption due to natural disasters, pandemics, or other unforeseen circumstances. Offer details on the company's disaster recovery and backup plans and how it will carry on business in such an event.
In the estimation of such risks, the issuer company must account for financial and operational consequences, with disclosures being representative of real-world contingencies. For example, where 60% of revenue comes from five customers, there is higher risk; losing one of them can cause volatility, as in FY23, when the loss of a large client resulted in revenue declining by 15%.
Peer comparison is another critical business risk disclosure by means of which the relative competitive standing of an issuer can be determined by investors. Industry benchmarks, market share data, and differentiators should be disclosed by the companies.
The pitfalls to avoid and the preferred position to take are presented as:
Avoid: “We face intense competition that may impact our market position.”
Prefer: “Our company faces competition from three major industry players who collectively control over 60% of the market share. In FY2023, aggressive price reductions by these competitors led to a 12% decrease in our average selling price, reducing our gross margins by approximately 4 percentage points. Continued pricing pressure may constrain our revenue growth and profitability.”
Avoid: “Our company may face operational risks due to reliance on third-party suppliers and key customers.”
Prefer: “Our company relies on three major suppliers for 50% of our raw material needs. Any disruption in their supply chain, as seen in Q1 2023 when one supplier faced a delay, resulted in a 10% decrease in production, directly impacting revenue.”
- Governance Related Risk
In managing governance-related risks, board composition must be properly balanced, with adequate numbers of independent and executive directors to prevent concentration of powers. Companies should also extend their compliance with corporate governance norms as per the regulations and be open and transparent.
Leadership is not ceremonial; on the contrary, it is the backbone of governance. Any cracks in stability or succession planning raise red flags. When boards lean too heavily on founder-family members or lack domain expertise among independent directors, strategic judgment and oversight suffer. Governance weakens, risks multiply. Frequent churn at the managerial level breaks continuity and blurs long-term vision. That is why issuer companies must lay bare promoter guarantees, director and Key Managerial Personnel (“KMP”) pay structures, and any gaps in secretarial filings; each is a signal to regulators of how seriously governance is taken. Pertinently, the Regulator peers closely: recent KMP exits or new hires, their credentials and tenure, must be disclosed because consistency at the top speaks volumes about what's ahead. Consider:
Avoid: “The company may face governance-related risks due to a lack of leadership stability.”
Prefer: “The company's board is currently composed of 30% family members, with no independent director having more than 5 years of experience in the industry. The lack of industry-specific expertise on the board may impair strategic oversight and hinder effective decision-making.”
Governance risks are therefore not theoretical but have tangible impacts on risk management, strategic cohesiveness, and public markets readiness. Issuers should thus be proactive in highlighting and disclosing such risks, thereby enhancing market confidence in the firm's leadership and corporate culture.
- Regulatory Compliance Risk
Regulatory compliance reflects the firm's compliance history with levels required by statutes and governance standards, and thus open disclosure is imperative by law. The issuer must make known all regulatory audits, results, sanctions, and any differences in a transparent, tabular form wherever required. In the event of missing documents or outstanding issues, this must be disclosed with adequate explanations, for failure to do so can trigger questions on compliance integrity.
For instance, in cases of compounding applications or application for settlement, the issuer needs to disclose the date of application, the concerned authority, the reason for non-compliance, supporting documents, and the status of the application. This allows investors to evaluate the gravity of the issue and the status of its settlement.
Also, the issuer is required to make disclosure of litigation risks in terms of regulatory defaults or show-cause notices by the authorities such as but not limited to MCA, ITAT or RBI. All regulatory default penalties or orders (e.g., delay in financial filings, non-governance in disclosures) should be clearly stated along with the corrective action taken to avoid recurrence. As in:
Avoid: “The company faces risk from non-compliance with Companies Act, 2013.”
Prefer: “In FY 2023, the company identified certain related party transactions that were entered into without obtaining the requisite prior approval from the Audit Committee and shareholders as mandated under Section 188 of the Companies Act, 2013. This oversight was due to gaps in the internal compliance monitoring system. Upon discovery, the company immediately took corrective measures by convening the Audit Committee and shareholders' meetings to ratify the transactions, and filed necessary disclosures with the Registrar of Companies. The company has since strengthened its internal controls and compliance framework by implementing enhanced monitoring and review procedures to ensure all future related party transactions receive timely approvals in accordance with statutory requirements.”
- Financial Risk
Financial risks adversely affect the financial integrity, transparency, or regulatory compliance of the issuer. Strict compliance with accounting guidelines, disclosure requirements, and SEBI regulations for the purpose of avoiding regulatory overreach is necessary. These include, but are not limited to:
- Related-Party Transactions (RPTs) Risks
RPTs that are not at arm's length may imply governance problems or financial dependencies that are suboptimal for the issuer. Inadequate disclosure of the nature, terms, and quantity of such RPTs can hide possible conflicts of interest and misrepresent the issuer's financial independence.
- Disclosure of Indebtedness and Debt Aging
The issuer must also provide comprehensive details regarding the ageing of outstanding borrowings and the terms and nature (secured/unsecured) of borrowings. A lack of transparency in this regard can mask the true leverage position and alarm investors and the regulator alike.
- Financial Risks Involving Insurance Coverage
Insurance is a useful risk management instrument, but issuer companies do not usually report the amount of cover and past claims experience. Where a firm does not have cyber, business disruption, operational breakdown, or third-party liability insurance, it should clearly report these limitations. Inadequate cover can leave the firm exposed to material financial exposures on the occurrence of an unanticipated event, reducing its business resilience and investor confidence.
- Miscellaneous Risk
Miscellaneous risks encompass a diverse range of issues that, while not neatly classified under a single operational or regulatory category, have material implications for an issuer company's financial health, governance structure, and regulatory standing. These risks must be identified and disclosed with the same level of diligence and clarity as primary risk categories, ensuring that no aspect of material concern is omitted or under-represented. Some examples are listed below:
- Contractual Risks and Adverse Covenants in Contracts
The majority of issuer firms operate under agreements that require third-party sanctions or contain binding restrictive clauses that significantly impact business continuity. For example, a loan agreement could include a No Objection Certificate (NOC) from a key vendor as the condition precedent to the release of project funds. Failure to obtain such sanctions could put implementation on hold, attracting monetary penalties and extended project durations.
By way of example, the following may be considered:
"We have a financing arrangement that requires the procurement of a No Objection Certificate (NOC) from a key supplier before funding a new project. Project delays due to slow procurement of this NOC will incur penalties and loss of revenue. Delays in such approvals in the past collectively added six months to project timelines."
- Cybersecurity Threats and Digitalization
In the era of digitalization, issuer companies increasingly depend on technology, AI, and digital platforms to function. But this shift also brings new dangers: cybersecurity vulnerabilities, data privacy concerns, and failures of IT infrastructure. Malware, ransomware, and adherence to data protection laws are now topmost issues for issuers within the digitally driven ecosystem. Companies that use AI-based procedures are also required to disclose the risk of algorithm breakdown, reliance on third-party services, and possible data leaks.
By way of suggestion, such a risk may be articulated as:
“We have increasingly automated our operations for greater efficiency. This puts us at risk of data breach, malware attack, and privacy invasion, though. Malware attacks grew 22% globally in the last year, and though we've had no such attack, we cannot eliminate chances for such an attack. We've invested in strong firewalls, frequent vulnerability scanning, and cybersecurity insurance protection to protect ourselves from these risks.”
- External Risks
Many internal risks outlined earlier, be it customer concentration, overdependence on key suppliers, or exposure to related-party transactions, do not arise in a vacuum. They are often set in motion by external developments such as macroeconomic shifts, trade restrictions, or geopolitical tensions. When the external landscape shifts, the internal structure absorbs the shock. It is this interplay that makes external risks not just relevant, but central to business continuity and disclosure integrity. Revealing external risks is necessary to build a complete picture of the environment in which the company is working. External risks are caused by events in the wider economic, regulatory, and industry context that are likely to have a material impact on the business outcomes of the issuer. They include macroeconomic drivers like inflation, interest rates, currency changes, and changes in GDP growth, all of which are capable of influencing input costs, consumer demand, or pricing power. Policy and regulatory changes, whether in taxation, sector-specific legislation, or government programs, could change compliance expenses or business models. Industry trends, such as technological disruptors, changing business models, or increased competition, could exert pressure on the positioning of the company.
Additionally, geopolitical happenings and global trade trends could influence sourcing, exports, or the availability of capital. In contrast to internal threats, they cannot be avoided or controlled by the company, but their influence can be expected, limited, and made known openly. By laying out how such occurrences have affected the company historically, and what was or would be undertaken in the future, the issuer is presenting investors with an honest reflection of the company's vulnerability and readiness for risk within an uncertain outside world.
Practitioners' Takeaways
After wrapping up the comprehensive excavation of the Risk Factors chapter in the DRHP, it becomes evident that the chapter is more than merely a statutory requirement. In essence, the chapter represents a crucial opportunity for an issuer company to transparently lay out and communicate potential challenges and contingencies, fostering a relationship of trust and openness with prospective investors. As gatekeepers of disclosure, an issuer company ought to ensure that Risk Factors are not only aligned with regulatory requirements but also resonate with investor expectations and withstand the scrutiny of the regulator's pen. Lastly, the present Practice Note distills a few takeaways:
- Materiality is the cornerstone: Disclosures must be guided by a clearly defined, SEBI-aligned materiality policy rooted in Regulation 30 of the LODR Regulations. Assess risks not by their likelihood alone but by their potential impact (even hypothetically).
- Structure with clarity: Adopt analytical models like SWOT and PESTEL to identify and classify risks across internal, external, situational, and sectoral dimensions. The top 10 risks are not standardized, and they ought to capture and showcase what is most material to the issuer company's unique business and context.
- Precision is power: Vague terms and generic phrasing dilute disclosure quality. Use data-backed, context-rich language supported by examples and illustrations. Avoid promotional language unless it is independently verifiable.
- Let data speak: Support risk narratives with quantitative evidence: financial trends, historical impact, ratios, and forecasts. Enhance accessibility through visual tools like charts and tables, while maintaining rigorous due diligence.
- Ensure consistency throughout the DRHP: Cross-reference risk factors with related disclosures in “Our Business,” “Objects of the Issue,” “Litigations,” and “Financials.” Disjointed narratives erode credibility and invite delays.
- Know your risk categories: Address Business Risks (operational inefficiencies, capacity constraints), Governance Risks (board composition, KMP attrition), Regulatory Risks (audit findings, compliance gaps), Financial Risks (RPTs, debt levels), Miscellaneous Risks (contractual restrictions, cybersecurity threats), and External Risks (macroeconomic volatility, geopolitical influences) with tailored specificity.
- Avoid boilerplate, prefer candour: Replace generic disclosures with real-world metrics and grounded risk events. Whether it is customer concentration, leadership instability, or exposure to FX volatility, “show not just tell investors” what the risk actually means.
As the series unfolds further, the intellectual excavation continues into the heart of the DRHP with an in-depth examination of critical chapters, including but not limited to Capital Structure, Financial Information, Industry Overview, Our Business, Our Management, and Outstanding Litigation. The aforementioned chapters collectively shape the story of the issuer company's strength, strategy, and governance, providing the next layer of insight that every issuer and legal team must master. Last but not least, the analysis is limited to the specific Observation Letters of SEBI and judgments examined, which rules out a trail of guidance, and the above-referred Series and the analysis therein are by no means exhaustive or one-size-fits-all in respect of making a DRHP, as there is no 'Perfect DRHP'.
Authors: Adv. Ravi Prakash (Associate Partner), Adv. Menali Jain (Associate), Adv. Mahek Gupta (Associate), Adv. Mohit Sirohi (Associate), Adv. Vaibhav Malhotra (Associate) at Corporate Professionals Advisers & Advocates. Views are personal.
[1] Corporate Strategic Allianz Ltd. v. SEBI, 2019 SCC OnLine SAT 40, Appeal No. 224 of 2017, Decided on March 29, 2019.
[2] P.G. Electroplast Ltd. And Others v. SEBI, 2019 SCC OnLine SAT 148, Appeal No. 281 of 2017, Decided on August 2, 2019.