
Compliance Obligations Register: Turn the Rules into Owned, Evidenced Obligations

Break the laws, regulations, and standards that apply to you into atomic, plain-language obligations — each with an owner, evidence, and a compliant/partial/gap status — so 'are we compliant?' finally has a documented answer your compliance officer approves before it's published.

Level: Intermediate · Time: A weekend · Builds on: Next.js, Supabase, Resend
What you'll build

A web tool where you capture the regulations and standards that apply to you, AI breaks each one into atomic, plain-language obligations, you assign an owner and evidence reference to each, the owner sets a compliant/partial/gap status, your compliance officer reviews and approves before anything is published to the official register, owners get emailed their obligations, and you export a clean obligations register CSV.


Before you start

  • A Supabase account (free)
  • A Vercel account (free)
  • A Resend account (free)
  • A list of the regulations/standards that apply to you and their requirements (CSV/Sheet or pasted)
  • Your obligation owners and current evidence references
  • Claude Code or any AI coding agent

The problem this kills

An auditor asks one deceptively simple question: "Show me which rules apply to you and how you meet each one." And the room goes quiet. The regulations live in PDFs nobody has opened since onboarding. The "evidence" is scattered across SharePoint folders, email threads, and someone's memory. There's a spreadsheet somewhere, but it lists the laws by name — not the actual obligations inside them — and half the owners have left the company.

The real problem is that a regulation isn't one thing you're either compliant with or not. It's dozens of distinct obligations, each of which somebody has to own, do, and be able to prove. Until you break the rules down to that atomic level — one plain-language requirement, one owner, one piece of evidence, one status — "are we compliant?" can only ever be answered with a shrug. You don't need a six-figure GRC platform to fix this, and you don't need to be a developer.

What you'll build

A simple internal web tool. You capture the regulations and standards that apply to you (paste them or import a CSV/Sheet). The tool helps break each one into atomic obligations — short, plain-language statements of a single thing you must do — and you assign each one a responsible owner, an evidence reference (the document, record, or system that proves it), and link it to a control if you track those. The owner sets a status: compliant, partial, or gap. Then your compliance officer reviews and approves each obligation's owner, status, and evidence before it goes into the official register — and any later status change is reviewed too. Owners get emailed the obligations they own via Resend, and you can export the whole obligations register as a clean CSV with status and owners, ready for the audit binder.

What's inside the Implementation Plan

The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — which regulations and standards actually apply to you, how your requirements are worded and numbered, who your owners are, what counts as evidence in your shop, whether you already track controls, your typical and peak obligation volumes, your review cadence, and your messy edge cases — and then it tailors the data model, the status rules, and every later step to your answers. This is not a generic template; the agent reflects a short spec back to you and waits for your thumbs-up before it builds anything. From there it walks the agent through capturing regulations, breaking them into atomic obligations, assigning owners and evidence, the owner status workflow, the compliance-officer review-and-approve gate, the owner notification emails, and the register export — each step with a ready-to-copy prompt. There's also a fallback so you can build and run the whole thing today on CSV in and CSV out, with no integration to any existing GRC system.

The governance it includes (this is the point)

This is the register an auditor will read, so it ships with the controls a compliance function needs: login so only your team can use it, row-level security so you only ever see your own organization's obligations, a complete audit trail of who created, edited, set a status, reviewed, and approved each obligation and when, a hard human-approval gate so no obligation (and no status change) is published to the official register until the compliance officer signs off, and duplicate guards keyed on regulation + obligation-id so the same requirement can't be entered twice. Gaps and partials are surfaced, not buried, so you always know what's outstanding.
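As an added example (not code from the runbookify plan or its generated app), here is how three of the controls listed above can be enforced in the Supabase Postgres database itself rather than only in the web layer: an organisation-scoped row-level-security policy, a unique key as the duplicate guard, and a trigger that acts as the compliance-officer approval gate and clears approval on any status change. It assumes Supabase's `auth.uid()` and `auth.users`; the table and column names are assumptions.

```sql
create table org_members (                        -- assumed table: who belongs to which organisation
  org_id  uuid not null,
  user_id uuid not null references auth.users(id),
  role    text not null check (role in ('member', 'compliance_officer')),
  primary key (org_id, user_id)
);

create table obligations (                        -- assumed table: one atomic obligation per row
  id            bigint generated always as identity primary key,
  org_id        uuid not null,
  regulation    text not null,                    -- the regulation or standard it comes from
  obligation_id text not null,                    -- the clause / requirement number
  requirement   text not null,                    -- one plain-language obligation
  owner_id      uuid references auth.users(id),
  evidence_ref  text,
  status        text not null default 'gap' check (status in ('compliant', 'partial', 'gap')),
  approved_by   uuid,
  approved_at   timestamptz,
  published     boolean not null default false,
  unique (org_id, regulation, obligation_id)      -- duplicate guard: same requirement entered once
);

-- Row-level security: a user only ever reads or writes their own organisation's obligations.
alter table obligations enable row level security;
create policy obligations_org_isolation on obligations for all
  using (org_id in (select org_id from org_members where user_id = auth.uid()))
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));

-- Approval gate: any status change wipes the approval and unpublishes the row, and only a
-- compliance officer of that organisation can set published = true (the sign-off itself).
create or replace function enforce_approval_gate() returns trigger language plpgsql as $$
begin
  if new.status is distinct from old.status then          -- also true on insert (old is null)
    new.approved_by := null; new.approved_at := null; new.published := false;
  end if;
  if new.published and not coalesce(old.published, false) then
    if not exists (select 1 from org_members
                   where org_id = new.org_id and user_id = auth.uid()
                     and role = 'compliance_officer') then
      raise exception 'only a compliance officer can publish to the register';
    end if;
    new.approved_by := auth.uid(); new.approved_at := now();   -- record who signed off, and when
  end if;
  return new;
end $$;
create trigger obligations_approval_gate
  before insert or update on obligations for each row execute function enforce_approval_gate();
```

A status change and a publish in the same update statement cannot bypass the gate: the first branch clears `published` before the second branch is evaluated, so the row must be re-reviewed in a separate step.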

Who it's for

Compliance officers, quality managers, and legal-ops who must demonstrate which rules apply and how they're met. If you can describe how your organization decides what it's obligated to do — and who's on the hook for each piece — you can build this.

You've got this — start with the plan, paste the first prompt, answer the interview, and you'll watch your first regulation break apart into owned, evidenced obligations the same afternoon.
