NGRBC Principle 9 — Customer Value
BRSR Principle 9 reference: customer-facing disclosures, cyber-security and data privacy, advertising integrity, complaints — no BRSR Core KPI under P9.
What Principle 9 covers
The National Guidelines on Responsible Business Conduct (NGRBC) were issued by the Ministry of Corporate Affairs in 2018 and form the backbone of SEBI’s Business Responsibility and Sustainability Report (BRSR) format. Of the nine NGRBC Principles, Principle 9 covers customer value — the entity’s responsibility to its customers across product / service quality, transparency, fair advertising, complaint redressal, and the increasingly central area of customer-data protection.
In BRSR-format terms, Principle 9 covers customer value through:
- Essential disclosures on mechanisms to receive and address customer complaints, product recall events during the reporting year, customer satisfaction posture, compliance with advertising-related regulations, and the entity’s cyber-security and data-privacy framework (including any data-breach incidents)
- Leadership disclosures (for the Top 1,000 listed entities) on product / service information transparency on labels, customer feedback channels, and additional cyber-security and customer-data governance items — with applicability judgement on scope where the indicator depends on entity-specific facts
The contextual legal background includes the Consumer Protection Act, 2019, sector-specific consumer-grievance regimes (RBI Banking Ombudsman, IRDAI grievance redressal, etc.), the Digital Personal Data Protection Act, 2023 (for personal-data handling), the Drugs and Cosmetics Act and FSSAI Act (for product safety in pharma and food), and the Cable TV / Press Council / advertising self-regulation frameworks (for advertising compliance). These statutes underlie specific P9 disclosures but are separate regimes from the BRSR itself — the BRSR disclosures are sustainability-reporting constructs that sit on top of, not re-disclosures of, the statutory compliance framework.
This page is the reference hub for Batchwise’s coverage of P9.
The Essential indicators (mandatory for every BRSR filer)
The BRSR format Section C, Principle 9 Essential indicators cover the items below — illustrative paraphrases; the SEBI BRSR format itself is the authoritative source for the exact wording and reporting structure of each indicator:
- Customer complaints — mechanism and disposition — the entity’s complaint-receipt and redressal mechanism, and the count of complaints received / addressed / pending during the reporting year, broken down by complaint category (data privacy, advertising, cyber-security, delivery / quality, other)
- Product recall events — voluntary recalls, regulator-mandated recalls, and reason / resolution status for the reporting year
- Customer satisfaction posture — typically a qualitative disclosure plus, where the entity tracks it, a customer satisfaction score (NPS or equivalent)
- Advertising compliance — proceedings or notices related to advertising standards during the year, with action taken
- Cyber-security and data-privacy framework — the entity’s documented framework for data-fiduciary obligations under the DPDP Act and broader cyber-security posture, plus disclosure of any data-breach incidents during the year
- Disclosure on display of product / service information — how the entity makes information about its products and services available to consumers (labels, packaging, online disclosures, point-of-sale information)
Several of these indicators feed the Annual Report’s broader customer-protection narrative and reconcile to sector-specific regulator filings (RBI Banking Ombudsman complaints register for banks, IRDAI complaint statistics for insurance, FSSAI product-recall logs for FMCG, etc.).
The Leadership indicators (Top 1,000 listed entities)
The Leadership indicators below are part of the BRSR format for the Top 1,000 listed entities, and voluntary for entities outside the Top 1,000.
The Leadership indicators are outside the BRSR Core KPI assurance set — Principle 9 has no Core KPI mapped to it, so neither Essential nor Leadership disclosures under P9 are part of the BRSR Core reasonable-assurance mandate. Entities can request limited-assurance procedures over selected P9 disclosures as an extended-scope engagement (a separate matter from the Core mandate); customer-data-breach disclosure and customer-complaint statistics are common candidates where lender ESG covenants or Western enterprise customers reference them.
For several Leadership items, the entity must make an applicability judgement on scope before responding — the cyber-security training disclosure depends on which employee cohorts are in scope; the customer-feedback-channels disclosure depends on the entity’s documented channel taxonomy. Where applicability or scope judgement is involved, the disclosure includes both the response and the documented basis for the applicability call.
Leadership indicators (illustrative practical paraphrases — refer to the SEBI BRSR Format for exact wording):
- Channels for receiving customer feedback — coverage and effectiveness of the entity’s customer-feedback channels beyond the basic complaint mechanism
- Steps taken to inform customers about product use and risks — beyond the Essential disclosure on display of product information
- Cyber-security training and awareness for employees — coverage and content of cyber-security training extended to the workforce
- Surveys / studies on customer satisfaction — methodology, scope, and outcomes of any customer-satisfaction studies conducted during the year
- Data privacy and personal-data protection beyond statutory minima — additional governance, audit, or third-party assessment of the entity’s data-protection posture
A “not applicable” against a Leadership indicator that involves applicability judgement should be substantiated in the entity’s documentation.
How Principle 9 sits in the BRSR Core landscape
None of the nine BRSR Core KPIs sits under Principle 9. That is a feature of the Core subset’s scope (concentrated in environmental, employee, inclusive-growth, and ethics-transparency KPIs) — not a statement about Principle 9’s importance. For sectors where customer-data handling is central to the business model (IT services, banking, financial services, healthcare technology), Principle 9’s native disclosures on cyber-security and data privacy are typically the most-watched BRSR section by international ESG-rating agencies and Western enterprise customers — even though those disclosures are not in the BRSR Core reasonable-assurance scope.
The nine Core KPIs are clustered under:
| Principle | Core KPIs |
|---|---|
| P6 — Environment | GHG intensity, water intensity, energy intensity, waste recycled (4 KPIs — see P6 pillar) |
| P3 — Employee Wellbeing | Wellbeing spend, Female Wages, POSH Complaints (3 KPIs — see P3 pillar) |
| P8 — Inclusive Growth | Job Creation in Smaller Towns (1 KPI) |
| P1 — Ethics, Transparency, Accountability | Openness of Business (1 KPI) |
P9 has no native Core KPI but its complaints register typically reconciles in part with the P5 (Human Rights) complaints disclosure — customer complaints involving discrimination or human-rights matters can surface in both pillars and need consistent classification.
Source-document evidence
The full evidence-document inventory is on the Document Evidence Requirements page. For Principle 9 specifically:
Customer complaints
- Customer complaint register for the reporting year, broken down by category (data privacy, advertising, cyber-security, quality, other)
- Sector-specific regulator filings where applicable — RBI Banking Ombudsman complaint statistics, IRDAI complaint reports, sectoral consumer-forum filings
- Resolution audit-trail — disposition records for each complaint, with cross-reference to the entity’s grievance-mechanism policy
Product recalls
- Recall register for the reporting year — voluntary and regulator-mandated, with reason and resolution status
- Statutory recall filings where applicable — Drugs and Cosmetics Act (CDSCO) filings for pharma, FSSAI filings for food, BIS filings for consumer products under standards
- Customer communication records for recalls — public notice, customer-direct outreach evidence
Cyber-security and data privacy
- Documented cyber-security and data-privacy framework — typically a board-approved policy with periodic refresh
- Data-breach register for the reporting year — incidents identified, scope, response, notifications made under DPDP Act and any sector-specific breach-notification regimes
- Periodic cyber-security audit reports — internal or third-party assessments
- DPDP compliance documentation — data-fiduciary obligations evidence (consent management, data-principal rights process, breach-notification framework)
Advertising compliance
- Advertising approvals register — for sectors with statutory advertising controls (pharma, financial services), the regulator-approved versions of advertising material
- Advertising-standards proceedings register — any notices or proceedings under the Advertising Standards Council of India (ASCI), Cable Television Network Rules, sectoral advertising regulations, or Consumer Protection Act 2019 misleading-advertisement provisions
Customer satisfaction
- Customer satisfaction survey reports for the reporting period (where the entity conducts them)
- Net Promoter Score / equivalent metric working — methodology and underlying data
Sector context
| Sector | P9 emphasis |
|---|---|
| Banking, NBFCs, financial services | RBI Banking Ombudsman complaint statistics and resolution metrics; data-privacy under DPDP Act + RBI cyber-security framework; customer-data handling is central to business model — P9 disclosures here are heavily scrutinised by ESG-rating agencies |
| IT services, BPO, KPO | Cyber-security and data privacy are the headline P9 disclosures; client-data-breach incidents (where they materialise) are highly material; advertising is light. Western enterprise customers explicitly reference P9 disclosures in vendor-due-diligence questionnaires |
| Pharma, healthcare | Product recalls under the Drugs and Cosmetics Act; advertising under DCGI / Drugs and Magic Remedies (Objectionable Advertisements) Act; patient-data privacy under DPDP Act + sectoral health-data regulations |
| FMCG, food, retail | Product recalls under FSSAI; advertising compliance; customer-complaint volumes can be high; data-privacy growing in importance with direct-to-consumer brands |
| Public infrastructure, utilities | Customer service quality metrics, complaint redressal, billing-related disputes; data privacy increasingly material as utilities digitise consumer interfaces |
| Manufacturing, cement, steel | Customer base typically B2B — fewer end-consumer complaints; product safety where applicable; data privacy is light unless the entity has B2C product lines |
The sector-specific industry guides (in /industries/) cover the operational nuances per sector — those publish over Phase C Weeks 7-8.
Common practice patterns
Common practice patterns observed in BRSR engagements — not SEBI-recognised categories of finding:
- Customer-complaint scope inconsistency with sector-specific regulator filings. Banks typically have RBI Banking Ombudsman complaint statistics; insurers have IRDAI complaints. The BRSR P9 disclosure should reconcile to those statutory filings — material differences (different period basis, different category groupings) need to be explainable.
- Product-recall scope misclassification. Voluntary recalls and regulator-mandated recalls are sometimes aggregated; the disclosure typically asks for both with the underlying reason. Treating a market-driven product withdrawal (commercial reasons, not safety) as a “recall” inflates the count and is not the BRSR intent.
- Cyber-security framework disclosure vague. The Essential indicator on cyber-security framework is sometimes met with a one-line “we have a policy” disclosure. A credible disclosure references the specific framework adopted (ISO 27001, NIST, DPDP Act compliance posture, sector-specific cyber-security framework) and any periodic audit / certification.
- Data-breach disclosure narrow vs broad. The BRSR disclosure on data breaches asks for incidents during the year. The classification of what counts as a “breach” varies, so entities should disclose the threshold applied (e.g., breaches that required DPDP Act notification vs all incidents) alongside the figure.
- Customer satisfaction methodology undisclosed. Where the entity reports a customer satisfaction score (NPS or equivalent), the methodology — survey scope, response rate, calculation basis — should be disclosed. A bare number without methodology is less interpretable.
- Advertising compliance — proceedings vs notices. Same distinction as fines vs notices in P1 (Ethics) — the disclosure should distinguish concluded proceedings from open notices, and material pending matters should be described separately in the narrative.
How P9 sits relative to the BRSR Core engagement
P9 has no BRSR Core KPI of its own — the signed BRSR Core assurance opinion does not directly attest P9 disclosures. However, several P9 disclosures are commonly engaged for limited-assurance scope as an extended-scope engagement alongside the Core mandate, particularly:
- Customer-data-breach incidents — investor / lender / Western enterprise customer scrutiny
- Customer-complaint statistics — particularly for banks, NBFCs, and insurers where the BRSR figure should reconcile to RBI / IRDAI filings
- Product-recall disclosure — particularly for pharma, food, and consumer-products entities where statutory recall obligations exist
For SME suppliers being asked by their Top-1,000 listed customer to provide assured cyber-security or data-privacy posture data as part of the customer’s value-chain disclosure, see BRSR Value Chain Verification — increasingly common as Western enterprise customers extend their data-protection obligations down the value chain.
Related reading
- NGRBC Principle 1 — Ethics, Transparency, Accountability — sibling pillar (advertising and data-handling integrity overlap)
- NGRBC Principle 5 — Human Rights — sibling pillar (customer complaints involving human-rights matters can overlap)
- NGRBC Principle 3 — Wellbeing of Employees — sibling pillar (cyber-security training overlap)
- NGRBC Principle 6 — Environment — sibling pillar
- NGRBC Principle 8 — Inclusive Growth — sibling pillar
- Openness of Business — BRSR Core KPI — under P1, but customer-related party transactions data overlaps with P9 customer-relationship governance
- Document Evidence Requirements — full per-attribute evidence checklist
- NGRBC to BRSR Metric Mapping — full P1–P9 to BRSR-format metric crosswalk
- BRSR Core Assurance — service
- BRSR Value Chain Verification — service
Frequently asked questions
What does NGRBC Principle 9 actually require disclosure on?
Principle 9 of the BRSR format covers customer value through disclosures on the entity's mechanisms for receiving and addressing customer complaints, product recall events during the reporting year, customer satisfaction posture, compliance with advertising-related regulations, and the entity's cyber-security and data-privacy framework (including any data-breach incidents). Leadership disclosures (for the Top 1,000 listed entities) extend coverage to product / service information transparency on labels, customer feedback channels, and additional cyber-security and customer-data governance items. The NGRBC framing is principle-based — the disclosures sit on top of underlying customer-protection, advertising, and data-protection regimes that govern the same activities.
Which BRSR Core KPI sits under Principle 9?
None. Principle 9 has no BRSR Core KPI mapped to it. The nine BRSR Core KPIs are concentrated in P6 (4 KPIs: GHG, water, energy, waste), P3 (3 KPIs: wellbeing spend, female wages, POSH complaints), P8 (Job Creation in Smaller Towns), and P1 (Openness of Business). That is a feature of the Core subset's scope — it focuses on environmental, employee, inclusive-growth, and ethics-transparency KPIs — not a statement that Principle 9 is less important. Principle 9 carries substantial native disclosures of its own, particularly cyber-security and data-privacy in sectors where customer-data handling is central to the business model.
How do P9 cyber-security and data-privacy disclosures relate to the DPDP Act?
The Digital Personal Data Protection Act, 2023 is the underlying statutory regime for personal-data protection in India — it governs the entity's obligations as a data fiduciary, the consent framework for personal-data processing, breach notification, and the rights of data principals. The BRSR Principle 9 disclosures on cyber-security and data privacy are a separate disclosure built on top of the DPDP regime — the entity's data-breach disclosures in the BRSR should reconcile to its statutory breach notifications, but the BRSR disclosure framing is a sustainability-reporting construct, not a re-disclosure of DPDP compliance.
What counts as a 'product recall' for the P9 disclosure?
Practical interpretation: any event during the reporting year where the entity withdrew a product (or batch) from the market for safety, quality, regulatory, or consumer-protection reasons. The BRSR disclosure typically asks for the count of recalls, the underlying reason (voluntary safety, regulatory mandate, quality defect), and the resolution status. Recalls under specific statutory regimes (drugs under the Drugs and Cosmetics Act for pharma, food under the FSSAI Act for FMCG) carry their own statutory reporting obligations — those filings are separate from the BRSR but the underlying recall events should reconcile across both disclosures.
How does P9 customer-complaint disclosure relate to sector-specific complaint regimes (RBI Banking Ombudsman, etc.)?
Sector-specific customer-complaint regimes (RBI Banking Ombudsman Scheme for banks, IRDAI grievance redressal for insurance, sectoral consumer fora) impose their own statutory disclosure obligations on regulated entities. The BRSR Principle 9 customer-complaints disclosure is a separate sustainability-reporting construct that sits on top of these — it captures the entity's complaint-handling posture for BRSR purposes (number received, addressed, pending), but the entity's statutory filings under the sector-specific regimes are the primary compliance disclosure. The two should reconcile, with any difference in classification or period basis disclosed.