Skip to content

Key components of a compliance framework: the Obligations Register.

What is the definition of compliance?

Compliance is an outcome of conforming to a rule. That rule may arise from an external source such as a law or regulation, or an internal source such as a policy, code or control. Compliance with these two main sources gives rise to external and internal compliance.

The issue for an organisation is how to conform to these rules? This is the key objective of a compliance function. This blog provides an overview of one of the components of compliance that need to be considered when building an optimal compliance function.

Subscribe to our Knowledge Hub to make sure you catch our regular blog updates:

Subscribe now

Understanding the relevant rules: plain English Obligations Registers

Before we can consider conforming to a rule, we need to comprehend what the rules are and what they mean. For external compliance, this necessitates having an understanding of relevant laws and regulations and how they apply to our organisation. This is typically achieved through an Obligations Register that contains information such as:

  • Act or regulation
  • Sections of relevant legislation
  • Penalties for non-compliance
  • Frequency that obligation occurs
  • Obligation owners and interested parties
  • Risk rating
  • Compliance status

However, these Obligations Registers are often driven from the legislation and regulations with limited linkage to internal policies and procedures or day to day activities. Damage is done to the compliance team by them, asking a raft of ‘compliance attestation’ questions to the business that merely ask “Are you compliant with this legislation”, with no value-add as to what it means to the organisation in practice.

An alternative approach

Rather than starting with the legislation, an alternative approach is to start with What are the key obligations the organisation faces? and then link that to both legislation and internal policy & procedures. For example, if protection of customer data is the obligation, what does this practically mean for our staff in terms of their day to day activities?

We then link this interpretation to the various sources of our rules – privacy legislation, PCI DSS, ISO 27000, Internal Policies and Procedures and so on. If we are unable to link all key components of the legislation to our plain English interpretations, then we have missed an obligation.

Any update to linked legislation, or policy and procedures can then trigger a review of the plain English obligation. Our approach to the Obligations Register, therefore, is to add two new fields to the above list: Obligation Title and Our Interpretation. The other fields are modified to store multiple acts and sections along with an additional field to link to relevant policies and procedures. 

Updates to the Obligations Register may be maintained internally, which will require dedicated compliance or legal staff to remain aware of all relevant obligations and process them into the obligations content.

Alternatively, obligation updates may be automatically processed through a subscription service with a content provider. Protecht is currently working with LexisNexis to deliver industry specific content in Protecht ERM.

A business intelligence engine can then be used to aggregate and visually display obligations by rating, outstanding reviews etc:

Compliance Regulatory Obligations

Conclusions and next steps for your organisation

We live in a world of rules. Compliance with those rules is critical, not only to protect your organisation from regulatory actions, fines and reputation damage but also because it’s the right thing to do to protect our stakeholders from risk we bring to them.

However, managing compliance is a formidable task for most organisations due to the sheer quantity of compliance requirements.

Download Protecht's Compliance and Compliance Management eBook to gain a practical overview of this process and assist you in better managing your compliance obligations across your business:

Find out more


Originally published July 2016, updated September 2023.

About the author

David Bergmark is the Chief Executive Officer and co-founder of the Protecht Group. David’s vision and passion is to use technology to drive best practice risk management and embed risk management within each one of Protecht’s clients. He is the driving force behind the Protecht.ERM system and the integration of Protecht’s Software, Advisory, Training and Consulting capabilities to provide a consistent and seamless risk management experience for clients.