How to structure a compliance program

Over the past few years we’ve worked with over 100 companies, helping them to design, implement and execute regulatory compliance programs. By distilling our experience down into as simple a form as possible, we’ve identified that a working compliance program has three layers:

  1. Regulation inventory
  2. Relationship map
  3. Obligation register

The first is a current inventory of the regulations that apply to your business, scored for impact and urgency. The second is a structure that groups those regulations into work programs someone can own. The third is a live register of the obligations each regulation produces, with names and dates against them and the current state of compliance.

Most companies we work with have the first layer in some form. The second and third layers are where structured programs deliver consistent results, and where unstructured ones tend to drift and expose operational risk. In this article, we walk through how each layer works and how the three connect into a program that delivers operational compliance.

Layer one: the regulation inventory

The first layer answers two deceptively simple questions: which regulations apply to us, and how much does each one matter? Most companies have a partial answer. They know about a few prominent regulations because they are significant in their industry and someone has been tracking them. The gap is rarely awareness of headline regulations. It is in coverage, in scoring, and in the discipline of treating the inventory as something that has to be maintained rather than built once.

A complete inventory covers more than the regulations already in force. It includes proposals making their way through legislative processes, transpositions of directives into national law, and guidance notes that change how existing rules are interpreted in practice. It covers every jurisdiction the business operates in or sells into.

Not every regulation sits at the same level of importance. We score each one across a consistent set of dimensions:

  • Scope
  • Deadline proximity
  • Penalty exposure
  • Gap to required state
  • Cross-functional reach

Each dimension is scored on a consistent scale and combined using weights we calibrate to the client’s risk profile, producing a single number that can be compared across the inventory.

We then set a threshold by working backwards from capacity: the amount of work the team can actually absorb in the current period decides where the line falls, and we typically review the threshold monthly as that capacity changes. Everything above the threshold enters active management. Everything below it remains scored and tracked, ready to move up when its score changes. This avoids two common failure modes: trying to actively manage everything and managing none of it well, or actively managing only the regulations someone has heard of while others quietly accumulate higher scores.
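The scoring and capacity-driven threshold described above, as an added worked example that is not code or data from the original article or its authors. The five dimensions come from the text; the 1 to 5 scale, the weights, the per-regulation effort figures, the sample regulations and their scores are all constructed for the example. It goes one step beyond the text by showing a regulation in monitoring moving into active management after a re-score.

```python
"""Score a regulation inventory and split it into active management and monitoring.

Illustrative code written for this article, not a tool from the authors.
Dimension names are from the article; the 1-5 scale, the weights, the effort
figures and the sample regulations are assumptions constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# The five scoring dimensions named in the article.
DIMENSIONS = (
    "scope",
    "deadline_proximity",
    "penalty_exposure",
    "gap_to_required_state",
    "cross_functional_reach",
)

# Assumed weights (the article calibrates these per client). They sum to 1.0.
DEFAULT_WEIGHTS = {
    "scope": 0.20,
    "deadline_proximity": 0.25,
    "penalty_exposure": 0.20,
    "gap_to_required_state": 0.20,
    "cross_functional_reach": 0.15,
}

SCALE_MIN, SCALE_MAX = 1, 5  # assumed: each dimension is scored 1 (low) to 5 (high)


@dataclass(frozen=True)
class Regulation:
    name: str
    effort_days: float          # assumed: effort to actively manage it this period
    scores: dict[str, int]      # one entry per dimension, each SCALE_MIN..SCALE_MAX


def weighted_score(reg: Regulation, weights: dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Combine the dimension scores into one comparable number (rounded to 2 dp)."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    for dim in DIMENSIONS:
        if dim not in reg.scores:
            raise ValueError(f"{reg.name}: missing dimension {dim!r}")
        if not SCALE_MIN <= reg.scores[dim] <= SCALE_MAX:
            raise ValueError(f"{reg.name}: {dim} must be {SCALE_MIN}..{SCALE_MAX}")
    return round(sum(weights[d] * reg.scores[d] for d in DIMENSIONS), 2)


def prioritise(regs: list[Regulation], capacity_days: float,
               weights: dict[str, float] = DEFAULT_WEIGHTS):
    """Return (active, monitored, threshold), working backwards from capacity.

    Regulations are ranked by score; the highest-scored are admitted to active
    management until the next one would exceed capacity. From that point every
    remaining regulation goes to monitoring, even if a cheaper, lower-scored one
    would still fit: the threshold is a clean score cut, not a knapsack, so a
    low-score item cannot jump the queue just because it is small. Monitored
    regulations keep their score and move up when a re-score lifts them.
    """
    ranked = sorted(regs, key=lambda r: (-weighted_score(r, weights), r.name))
    active: list[Regulation] = []
    monitored: list[Regulation] = []
    used = 0.0
    for reg in ranked:
        if not monitored and used + reg.effort_days <= capacity_days:
            active.append(reg)
            used += reg.effort_days
        else:
            monitored.append(reg)
    threshold = weighted_score(active[-1], weights) if active else None
    return active, monitored, threshold


def update_score(reg: Regulation, dimension: str, value: int) -> Regulation:
    """Re-score one dimension (e.g. a deadline drawing closer) without mutating the original."""
    return replace(reg, scores={**reg.scores, dimension: value})


def sample_inventory() -> list[Regulation]:
    """Constructed sample inventory; the scores and effort figures are illustrative only."""
    mk = lambda name, effort, *s: Regulation(name, effort, dict(zip(DIMENSIONS, s)))
    return [
        mk("PPWR", 40, 5, 4, 4, 4, 5),
        mk("EU CLP", 15, 4, 3, 3, 2, 3),
        mk("REACH PFAS restriction", 25, 4, 2, 4, 4, 3),
        mk("Maryland PFAS", 8, 2, 3, 2, 3, 2),
        mk("New York PFAS", 5, 2, 2, 2, 3, 2),
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    active, monitored, threshold = prioritise(inventory, capacity_days=85)
    print("threshold", threshold, "active", [r.name for r in active])
    # The New York deadline moves closer: re-score and re-run the cut.
    rescored = [update_score(r, "deadline_proximity", 5) if r.name == "New York PFAS" else r
                for r in inventory]
    active, monitored, threshold = prioritise(rescored, capacity_days=85)
    print("threshold", threshold, "active", [r.name for r in active])
```

With the constructed figures and 85 days of capacity, PPWR, the REACH PFAS restriction and EU CLP are active and the threshold sits at EU CLP's score; the two state PFAS rules stay in monitoring. Raising New York's deadline proximity lifts it above Maryland and into active management, and the threshold moves down with it, which is the behaviour the text describes for a monthly re-score.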

The regulation inventory: compliance dashboard showing a scored regulation inventory across jurisdictions and legislation types, with a threshold separating active management from monitoring.

Layer two: the relationship map

Once the inventory is in place, the next question is how to organise the work. The instinct most teams have is to organise by regulation: one workstream per regulation, one owner per regulation. It looks tidy on paper, and in our experience it is the wrong shape.

Regulations overlap. They overlap in the data they require, in the parts of the business they touch, and in the people who have the expertise to address them. Organising by regulation forces the same people to do similar work in parallel streams and obscures the fact that several regulations are often addressing the same underlying issue.

We organise by what the regulations require, which helps us aggregate related activity. The primary unit is the Working Group, defined by the category of obligation a regulation creates rather than by the regulation itself. We typically work with five across most client programs: Product Sustainability, Due Diligence, Disclosure & Reporting, Product Compliance, and Packaging & Labelling. These are typical for most large enterprises, but we work with clients to determine the right categorisation for them in every program. Each has an owner, a remit, and a set of regulations assigned to it.

Within each Working Group, the work breaks down further into Sub-Working Groups. Chemical Compliance is a good illustration. It pulls together the EU CLP regulation, REACH, the REACH PFAS restriction, and a set of US state-level PFAS regulations from Maryland, New York, and elsewhere. These are different laws on paper. In practice they require the same work, which generally comes down to a current substance inventory, a clear position on restricted substances, and supplier engagement to confirm composition. Running them as a single workstream is faster and produces more consistent answers than running each as a separate project.

Compliance relationship map

Layer three: the obligation register

A regulation is not a single thing to comply with. It is a collection of discrete obligations, each with its own deadline, its own evidence requirement, and its own owner. The third layer is where the broad set of obligations is converted into actions.

Each regulation in active management goes through an impact assessment that produces a list of obligations. PPWR, for example, produces obligations across packaging design, recyclability assessment, recycled content thresholds, labelling, and declarations of conformity. Packaging design sits with product management; declarations are typically a compliance team activity; and supplier management teams capture composition data from suppliers. Each is its own piece of work, owned by a different function. The decomposition matters because “comply with PPWR” cannot be allocated to a person and tracked. “Produce a recyclability assessment for packaging type X by Q2” can. The relationship map is what makes this kind of aggregation visible, which in turn enables better resource allocation.

Every obligation in the register carries the same fields: priority, gap rating, compliance status, evidence reference, due date, and owner. The first two tell you what to focus on, the third tells you where you are, the fourth tells you what proves it, the fifth tells you how much time is left, and the sixth tells you who to talk to.

The register has to be live. Regulations evolve, the business changes, and the gap between current and required state shifts continuously. A register that is accurate in January and stale by April is no better than not having one.

The obligation register

How the three layers work together

The three layers should be considered interwoven elements, not a linear execution model. Each layer plays a vital role and supports the others. The inventory feeds into the map, so a regulation that crosses the threshold has to land in a Working Group. The map feeds the register, so the decomposition of each regulation into obligations happens inside the Sub-Working Group that owns it. Changes propagate in both directions, and we use a dashboard to ensure all of this is visible at once.

A working compliance program is the sum of these three layers, kept current, with the right people accountable at each level. The dashboard we use is a useful tool for running the program, not a substitute for doing the work. What it does is make the work visible, which is critically important for both operational planning and governance needs.

Where to start

Start by listing the regulations you already track, scoring them on the five dimensions, and setting a threshold based on the capacity you can realistically commit. Building a compliance management program is a lot of work, but the benefits are significant. With a single regulatory compliance register, your organisation has clarity on its obligations, can identify gaps and prioritise resources accordingly, and when auditors or regulators perform an inspection, you have a clear system of record to show them.

Companies we’ve helped build compliance management programs have reduced the effort required to meet their obligations by up to 30%. That’s a significant impact as they adapt to the increasing number of regulations affecting their business.

If you need support to advance your regulatory compliance program, we offer a free assessment to help you identify gaps and areas of improvement. Get in touch at hello@jordisk.com to arrange your free assessment.

Photo by Sindre Fs