Compliance Management

Compliance Register

A centralised document listing all regulatory obligations that apply to a business, the current status of each, and the responsible person - used as the backbone of a compliance management system.

For business owners, operations managers & HR teams

Important: This page is for informational purposes only. It does not constitute legal or regulatory advice. UK regulation changes frequently. Always consult a qualified solicitor or the relevant regulatory authority before relying on this information for compliance decisions.

What is a Compliance Register?

A compliance register is a structured record of every regulatory, legal, and contractual obligation that applies to your business. For each obligation it records: what the requirement is, which law or regulation it comes from, how your business currently meets it, when the next deadline falls, and who is responsible.

Unlike a simple list of licences or certificates, a compliance register is a living document that connects each obligation to a status, an owner, and an action. It is the cornerstone of any serious compliance management system and the first document an auditor or regulator asks for.

Under ISO 9001 (quality management), ISO 14001 (environmental), and ISO 45001 (health and safety), maintaining a compliance register is a documented requirement. Even businesses not seeking ISO certification benefit from the discipline it imposes: you cannot manage what you have not identified.

Key Elements
Obligation Identification
The name of the regulatory requirement and its source - the specific legislation, regulation, licence condition, or contractual obligation. For example: "Employer Liability Insurance - [applicable local legislation]" or "Food Safety Certificate - [applicable local health authority requirement]".
Applicability
Confirms the obligation applies to your business - by sector, size, activity, or location. Not every regulation applies to every business; recording applicability decisions prevents both gaps and unnecessary burden.
How You Comply
A brief description of what your business does to meet the obligation. For insurance, this might be "Annual renewal with [broker], certificate stored in compliance system". For safety inspections, "Annual inspection by qualified engineer, certificate uploaded to ExpiryEdge".
Evidence Location
Where the proof of compliance is stored. A compliance register without linked evidence is just a list of intentions. The evidence (certificate, policy, record) must be locatable and retrievable.
Next Review / Renewal Date
The date when the obligation must next be fulfilled or reviewed. This feeds directly into your compliance calendar.
Owner
A named individual responsible for maintaining compliance with this obligation. Without named ownership, obligations fall through the cracks.
Real-World Example
Scenario

An ISO 14001 auditor visits a manufacturing company for their annual surveillance audit. The first question: "Can you show me your compliance register?" The operations manager opens a spreadsheet that was last updated 14 months ago.

Three obligations on the register have lapsed without being updated: a waste carrier licence that expired six months ago (making all waste disposal in that period technically unlicensed), an annual environmental permit review that was not recorded, and a training certification for two staff members that lapsed three months ago. The audit results in a Major Non-Conformance. The company must re-audit within 90 days at significant cost. A live, automated compliance register - updated every time a document is renewed - would have flagged all three months earlier.

Watch Out For
Treating it as a one-time exercise
A compliance register created for an ISO audit and then forgotten is a liability. Regulators and auditors check the date of last review. A stale register raises more questions than no register at all.
Missing implied obligations
Some compliance obligations do not come from primary legislation - they are embedded in insurance policy conditions, planning permissions, or supplier contracts. These are easy to miss in an initial register build but carry real consequences.
No link between the register and the calendar
A compliance register listing an obligation means nothing if there is no connected alert when the obligation approaches expiry. The register and the compliance calendar must be integrated.
How to Use This in Your Favour
Use it to get ahead of regulatory change
A well-maintained compliance register includes a column for upcoming regulatory changes - new legislation or amendments that will require action. Businesses that track this proactively avoid the scramble when a new regulation comes into force.
Share an excerpt as a marketing asset
For businesses that sell to the public sector or large enterprises, sharing a sanitised version of your compliance register summary - showing the breadth of your compliance programme - can accelerate procurement approval.
Build it once, maintain it automatically
The initial build of a compliance register requires human expertise. But maintenance - updating statuses, recording renewals, tracking new obligations - can be almost entirely automated with the right software. This turns a burdensome document into a live operational tool.
Frequently Asked Questions

There is no single global law that universally requires a compliance register by name. However, many regulatory frameworks require the substance of one: ISO 9001 and ISO 45001 certification requires it explicitly. Safety regulators expect businesses to be able to demonstrate awareness of and compliance with their health and safety obligations. Tax authorities expect businesses to know and meet their obligations. In practice, any business that cannot produce a compliance register is at a significant disadvantage in an audit, inspection, or legal dispute.

A compliance register focuses on regulatory obligations - what laws and requirements apply to your business and whether you are meeting them. A risk register focuses on potential future events that could harm the business - financial, operational, reputational, or strategic risks. The two overlap when a compliance failure is also a risk: the risk register might record "lapsed employer liability insurance" as a risk, while the compliance register tracks whether the insurance is actually current.

The register should be updated whenever an obligation changes status (renewed, lapsed, or modified). A formal review of the whole register - checking for new obligations, removed obligations, and changed regulatory requirements - should happen at least annually. Businesses in heavily regulated industries (healthcare, financial services, construction) should review quarterly.

ExpiryEdge functions as the operational layer of a compliance register: it stores your obligations, tracks their expiry dates, assigns owners, sends reminders, and records when each obligation was fulfilled. For ISO audits or formal regulatory inspections, you can export a complete obligations report showing current status, renewal history, and the responsible person for each item - giving auditors exactly what they ask for.

At minimum: all legally required insurance policies; applicable health and safety obligations; relevant environmental permits; data protection obligations; employment law requirements; sector-specific licences and registrations; contractor document requirements; and any contractual compliance commitments. The full list should be tailored to your industry, size, and the jurisdictions in which you operate. Consulting a local legal or compliance advisor when building your initial register is strongly recommended.

Quick Facts
Also Known As: Regulatory register, obligations register, compliance log

Required By: ISO 9001, ISO 14001, ISO 45001, many sector regulations

Primary Users: Compliance officers, operations managers, HR, legal

Update Frequency: When obligations change, and on each renewal

Key Standard: ISO 19600 - Compliance Management Systems

Auditor Use: First document requested in most regulatory audits