
How to Build a Compliance Register from Scratch

UK Business Guide  ·  7 min read  ·  6 steps

Important: This guide is for informational purposes only and does not constitute legal advice. UK regulation changes frequently. Always verify current requirements with the relevant regulatory authority or a qualified solicitor.

A compliance register is the backbone of any organised compliance programme. It answers the fundamental question every auditor asks: "What regulations apply to you and how do you demonstrate you meet them?"

Most businesses do not have one - not because they are non-compliant, but because nobody has ever systematically documented their obligations. This guide shows you how to build one.

Step-by-Step Guide

Step 1: Start with the core obligations that apply to all businesses in your jurisdiction

Every business, regardless of sector, is subject to a foundational set of regulatory obligations. Start your register by identifying these for your jurisdiction. Common universal categories include:

- Employment law: employment contracts, minimum wage, anti-discrimination, working time or hours limits.
- Health and safety: the employer's duty to provide a safe workplace, risk assessments, accident and incident reporting.
- Tax and financial reporting: income or corporation tax, payroll tax, VAT or sales tax, annual financial statements.
- Data protection: the collection, storage and processing of personal data, including security of processing and breach notification (in the UK, a reportable personal data breach must be notified to the ICO within 72 hours of the organisation becoming aware of it).
- Company law: annual returns (in the UK, the confirmation statement), director duties, registered office requirements.
- Any licence required simply to trade: general business licence, trading permit.

For each, record the legal basis, how your business currently meets it, and what evidence of compliance you hold.

💡 Tip: Use your national or regional business authority website as a starting reference for core obligations. Most government business portals include a checklist of statutory requirements for businesses operating in that jurisdiction.

Step 2: Add sector-specific, activity-specific, and location-specific obligations

Beyond universal obligations, your register must include everything specific to your industry, the activities you carry out, and where you operate. Sector-specific examples:

- Construction: occupational safety regulations, contractor management requirements, site safety plans.
- Healthcare: provider registration or licensing, patient record management, specific clinical standards.
- Food service: food safety management systems, hygiene certifications, routine inspection compliance.
- Financial services: financial services authorisation, anti-money laundering compliance, client money rules.
- Transport: operator licences, driver qualifications, vehicle inspection and roadworthiness certification.

Also consider activity-specific obligations (using hazardous substances, operating lifting equipment, running electrical installations, processing payments) and location-specific obligations (some jurisdictions require additional local licences or permits beyond national requirements).

💡 Tip: Check with your industry trade association or professional body for sector-specific compliance guidance. Trade bodies typically publish compliance checklists that are more specific and current than general government guidance.

Step 3: Structure each entry with five standard fields

For every obligation in your register, record five pieces of information:

(1) Obligation name and source: state the obligation clearly and cite its source (the specific legislation, regulation, licence condition, or contractual requirement).
(2) How you comply: a brief, specific description of what your business does to meet this obligation. This must describe your actual practice, not an aspiration.
(3) Current evidence: a reference or link to the document, record, or output that proves current compliance.
(4) Next renewal or review date: when the obligation must next be fulfilled, reviewed, or re-evidenced.
(5) Owner: the named individual responsible for maintaining compliance with this obligation.

These five fields turn the register from a passive reference document into an operational management tool.

💡 Tip: Keep the "how you comply" description short and specific. "We have a policy" is insufficient - a better entry is "Annual inspection carried out by a certified engineer; current certificate stored in ExpiryEdge under [reference]".

Step 4: Distinguish between what you must do and what could go wrong if you do not

Your compliance register records obligations - what you must do. A risk register records consequences - what could go wrong if you fail. These are different documents serving different purposes: the obligation is fixed and comes from external law or contract; the risk is an internal assessment of probability and impact. Keep them separate but cross-referenced, so that each obligation in the compliance register links to the corresponding risk in the risk register. For example, the obligation "hold current employers' liability insurance" in the compliance register links to the risk "operating the business without mandatory insurance" in the risk register.

💡 Tip: If you do not yet have a risk register, build a basic one alongside the compliance register. Together they form the foundation of a governance framework that satisfies most audit and due diligence requirements.

Step 5: Connect the register to your compliance calendar

The compliance register identifies what must be done. The compliance calendar tracks when it must be done. Every obligation in your register that has a renewal date, inspection frequency, or review cycle should appear in your compliance calendar as a tracked item with a named owner and a reminder schedule. When a calendar item is acted on and the renewal completed, the register must be updated to reflect the new evidence and the new renewal date. The register and the calendar should always be in sync - an obligation showing as "compliant" in the register but with an approaching or lapsed deadline in the calendar is a sign of a system that is not being maintained.

💡 Tip: A compliance management platform integrates the register and calendar into a single system - when a document is renewed and uploaded, both the evidence record and the expiry date update automatically.
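The following Python script is an added example, not part of the original guide and not the code of any compliance platform. It checks a register built with the five fields from Step 3 against its compliance calendar and reports exactly the failure mode described in Step 5: an obligation that looks fine in the register but has a lapsed, imminent, missing or mismatched calendar entry. The obligation IDs, names, dates and evidence references are constructed sample data.

```python
"""Sanity-check a compliance register against its compliance calendar.

Added example for this guide; all rows below are constructed sample data.
"""
from datetime import date, timedelta

# Step 3's five fields (obligation + source, how we comply, evidence,
# next review date, owner) plus an id used to join register to calendar.
REQUIRED_FIELDS = ("id", "obligation", "source", "how_we_comply",
                   "evidence", "next_review", "owner")

# Phrases that signal an aspiration rather than a described practice.
VAGUE_PHRASES = ("we have a policy", "we comply", "in place")

# Constructed sample register (three obligations).
REGISTER = [
    {"id": "HS-01", "obligation": "Thorough examination of lifting equipment",
     "source": "LOLER 1998, reg. 9",
     "how_we_comply": "Annual inspection by a certified engineer; "
                      "current certificate stored under EVD-0042",
     "evidence": "EVD-0042", "next_review": "2025-09-30", "owner": "J. Patel"},
    {"id": "DP-01", "obligation": "Personal data breach notification procedure",
     "source": "UK GDPR Art. 33",
     "how_we_comply": "We have a policy",          # placeholder, not a practice
     "evidence": "",                               # no evidence reference
     "next_review": "2025-02-01", "owner": "A. Khan"},
    {"id": "INS-01", "obligation": "Employers' liability insurance",
     "source": "Employers' Liability (Compulsory Insurance) Act 1969",
     "how_we_comply": "Annual policy renewal via broker; certificate EVD-0107",
     "evidence": "EVD-0107", "next_review": "2025-05-15", "owner": "R. Lee"},
]

# Constructed sample calendar: DP-01 is absent, INS-01 has a different date.
CALENDAR = [
    {"id": "HS-01", "due": "2025-09-30", "owner": "J. Patel"},
    {"id": "INS-01", "due": "2025-04-15", "owner": "R. Lee"},
]

TODAY = date(2025, 4, 1)  # fixed "today" so the example is reproducible


def parse_date(value):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(value) if value else None


def check_register(register, calendar, today, warn_days=30):
    """Return a list of (obligation id, finding) tuples.

    Checks: all required fields populated; "how we comply" is not a
    placeholder; review date not lapsed or due within warn_days; every
    dated obligation has a calendar entry with the same date and owner.
    """
    findings = []
    cal_by_id = {row["id"]: row for row in calendar}
    for row in register:
        oid = row.get("id", "<no id>")
        missing = [f for f in REQUIRED_FIELDS if not row.get(f)]
        if missing:
            findings.append((oid, "missing fields: " + ", ".join(missing)))
        how = row.get("how_we_comply", "").lower()
        if any(p in how for p in VAGUE_PHRASES) and len(how) < 60:
            findings.append((oid, "'how we comply' is a placeholder, not a practice"))
        due = parse_date(row.get("next_review"))
        if due is None:
            continue
        if due < today:
            findings.append((oid, f"review date {due} has lapsed"))
        elif due <= today + timedelta(days=warn_days):
            findings.append((oid, f"review due within {warn_days} days ({due})"))
        cal = cal_by_id.get(oid)
        if cal is None:
            findings.append((oid, "dated obligation has no calendar entry"))
            continue
        if parse_date(cal.get("due")) != due:
            findings.append((oid, f"register date {due} != calendar date {cal.get('due')}"))
        if cal.get("owner") != row.get("owner"):
            findings.append((oid, "register owner != calendar owner"))
    return findings


if __name__ == "__main__":
    for oid, msg in check_register(REGISTER, CALENDAR, TODAY):
        print(f"{oid}: {msg}")
```

Run as-is, the script reports nothing for HS-01, four findings for DP-01 (missing evidence, placeholder description, lapsed review, no calendar entry) and one for INS-01 (register and calendar dates disagree). Swap the constructed rows for a CSV export of your own register and calendar and the same checks apply; the point is that register-to-calendar drift is mechanical to detect and should be checked on every review, not only at audit time.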

Step 6: Review and update the register at defined intervals

Regulatory environments change. Business activities expand. Staff change roles. A compliance register that has not been reviewed since it was built will have growing gaps within months. Build in a formal review cycle: quarterly for heavily regulated industries; annually as a minimum for most businesses. At each review, check for: new regulations that have come into force since the last review; changes to your business activities that trigger new obligations; obligations that no longer apply; and entries whose owner has changed or whose evidence needs updating. Record the date of each review and any changes made - this review history is itself evidence of an active compliance programme.

💡 Tip: Subscribe to regulatory update services from relevant authorities in your industry to be notified of changes before they take effect. Adapting proactively - updating the register before a regulation comes into force - is always better than scrambling after.

Frequently Asked Questions

Is a compliance register a legal requirement?

No single law universally requires a "compliance register" by that name. However, ISO 14001 and ISO 45001 certification both require you to determine your compliance obligations (legal and other requirements) and to maintain documented information about them, and ISO 9001 requires you to determine the statutory and regulatory requirements that apply to your products and services; in practice a register is how most certified organisations meet these clauses. More broadly, the underlying obligation - to know your regulatory requirements and actively manage them - is embedded in health and safety law, data protection law, and most sector-specific regulations across many jurisdictions. In any regulatory investigation, prosecution, or civil dispute, the ability to produce a compliance register demonstrating proactive management can be a significant mitigating factor.

What format should a compliance register take?

The format matters less than the content and how actively it is maintained. A structured spreadsheet works for a small business with 20–30 obligations. A dedicated compliance management platform is better for businesses with obligations across multiple sites or teams, because it integrates reminder, audit trail, and document storage functions that make the register operationally useful day-to-day - not just at audit time.

How long does it take to build a compliance register?

For a typical SME, the initial build takes 2–4 hours: 30–60 minutes to list all applicable obligations, 30–60 minutes to confirm current compliance status and evidence for each, and 60–90 minutes to structure each entry with owner, evidence reference, and renewal date. Ongoing maintenance - updating on renewals and quarterly reviews - is significantly less time-intensive and can be largely automated with a compliance management platform.