Module 05 · Governance

Governance

Governance covers the regulatory control layer — DPDP compliance tracking, maker-checker workflows, penalty and risk registers, regulator communications, and inspection management. These modules ensure nothing falls through the compliance net.

Sub-modules: DPDP · Maker-Checker · Penalty & Risk · Reg. Comms · Inspections
Who uses this: Compliance managers, senior consultants, admin

DPDP Compliance

India's Digital Personal Data Protection Act 2023 applies to all regulated entities handling personal data. ZippCRM tracks each client's DPDP compliance status across four domains.

| Domain | What's tracked | Minimum requirement |
| --- | --- | --- |
| Data Inventory | Personal data categories, processing purposes, retention periods | Inventory complete + approved |
| Consent Management | Consent records, withdrawal requests, consent dashboard | All processing has a legal basis |
| Security Controls | Encryption, access logs, breach detection | ISO 27001 or equivalent evidence |
| Data Fiduciary Register | DPB registration status, appointed DPO | Registered with DPB if significant fiduciary |

1. Open Governance → DPDP → Select client
   Loads the DPDP assessment scorecard for that client.

2. Click 'Start Gap Assessment' if not done
   Opens the assessment wizard — 48 questions across the four domains. Answers auto-calculate the compliance score.

3. Review gap items
   Items marked Red (non-compliant) or Amber (partial) need action plans. Assign tasks directly from the gap item.

4. Mark each item resolved when evidence is uploaded
   Evidence is stored in the DPDP vault — separate from the project document vault.

5. Generate DPDP Report
   Click 'Export Report' to produce a formatted PDF compliance report for client delivery.

Maker-Checker

Maker-Checker enforces a two-person rule on critical regulatory submissions — one person prepares (maker), another reviews and approves (checker). Required by RBI for many filings.

Maker creates/prepares → Submitted for review → Checker approves → Filed / Published

If the checker rejects, the item returns to the maker with comments. The full audit trail — who made what change, when, and what the checker's decision was — is permanent and cannot be edited.

Critical rule: The maker and checker cannot be the same person. ZippCRM enforces this at the system level. If you are the maker of a document, the Approve button will be disabled for you.
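The two-person rule and the non-editable audit trail described above, sketched as an added example; this is not ZippCRM's code. The class and function names are hypothetical, and hash-chaining the entries is an assumed way to make edits detectable, since the page only states that the trail cannot be edited.

```python
import hashlib, json
from datetime import datetime, timezone

def _digest(entry):
    # Hash every field except the hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Submission:
    """Constructed model of one filing moving through maker-checker."""
    def __init__(self, doc_id, maker):
        self.doc_id, self.maker, self.state = doc_id, maker, "SUBMITTED"
        self.audit = []  # append-only; each entry commits to the previous one
        self._log(maker, "submitted", "")

    def _log(self, actor, action, comment):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"doc": self.doc_id, "actor": actor, "action": action,
                 "comment": comment, "seq": len(self.audit), "prev": prev,
                 "ts": datetime.now(timezone.utc).isoformat()}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def decide(self, checker, approve, comment=""):
        # Checked on the server, whatever the UI shows or hides.
        if checker == self.maker:
            self._log(checker, "self-approval-denied", comment)
            raise PermissionError("maker and checker must be different people")
        if self.state != "SUBMITTED":
            raise ValueError(f"no decision possible in state {self.state}")
        self.state = "APPROVED" if approve else "RETURNED"
        self._log(checker, "approved" if approve else "rejected", comment)

    def resubmit(self, actor):
        # A rejected item goes back to its maker, who sends it for review again.
        if actor != self.maker or self.state != "RETURNED":
            raise PermissionError("only the maker can resubmit a returned item")
        self.state = "SUBMITTED"
        self._log(actor, "resubmitted", "")

def verify_trail(audit):
    """Return True only if no entry was edited, removed or reordered."""
    prev = "0" * 64
    for seq, e in enumerate(audit):
        if e["seq"] != seq or e["prev"] != prev or e["hash"] != _digest(e):
            return False
        prev = e["hash"]
    return True
```

The denied self-approval attempt is itself written to the trail, so a reviewer can see who tried it and when.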

Penalty & Risk Register

Tracks penalties received from regulators, risk events, and show-cause notices across all clients. Every entry requires classification, root cause, and remediation plan.

| Field | Required | Notes |
| --- | --- | --- |
| Penalty Type | Yes | SCN / Penalty Order / Warning Letter / Compounding |
| Regulator | Yes | RBI / SEBI / IRDAI / MCA etc. |
| Penalty Amount | If applicable | In INR. Zero for warnings. |
| Root Cause | Yes | Classification: Process gap / Control failure / Human error / System error |
| Remediation Plan | Yes | Linked tasks must be created |
| Status | Yes | Open / In Remediation / Closed / Appealed |

Regulatory Communications

Logs all official communications with regulators — letters sent, acknowledgements received, replies, and inspection notices. Creates a permanent, searchable dossier for each client-regulator relationship.

1. Go to Governance → Reg. Comms → + New Communication
   Select client, regulator, communication type (Letter Sent / Letter Received / Notice / Acknowledgement).

2. Upload the document
   Attach the actual letter or notice PDF. This becomes the official record.

3. Set response due date if required
   If the regulator requires a response within N days, set the due date. A task is auto-created for the account manager.

4. Track status
   Status moves: Received → Acknowledged → Response Prepared → Response Sent → Closed.

Audit trail: All regulatory communications are immutable once saved. You can add follow-up entries but cannot edit the original record. This protects you in case of regulatory scrutiny.

Inspections

Manages regulator-initiated inspections (RBI IS, SEBI inspections, IRDAI on-site). Each inspection has its own checklist, document request list, and response tracking.

1. + New Inspection — enter details
   Inspection authority, scheduled date, scope, lead inspector contact if known.

2. Load inspection checklist template
   Pre-built templates for RBI Information Systems inspection, SEBI broker inspection, IRDAI AMC inspection. Customise as needed.

3. Assign document collection tasks
   Each checklist item requiring a document generates a Doc Request automatically. Your team is notified.

4. Track observation responses
   After inspection, regulators issue observations. Log each observation, assign a response owner, and track status until all observations are closed.

5. Close the inspection
   Inspection is closed when all observations are resolved or formally replied to. Generates a closure summary report.