PMP Classifying Compliance Obligations So the Team Can Route Them Correctly

Study PMP Classifying Compliance Obligations So the Team Can Route Them Correctly: key concepts, common traps, and exam decision cues.

Compliance categories matter because not every obligation should be managed in the same way. PMP questions here usually test whether the project manager can classify compliance needs clearly enough that the right owners, controls, and evidence paths are chosen.

Categorization Makes Compliance Usable

If the project treats every compliance item as one undifferentiated list, important distinctions disappear. A stronger approach groups obligations into categories such as:

  • regulatory
  • contractual
  • safety
  • security
  • privacy
  • financial or reporting
  • organizational policy

Each category may demand different review cycles, experts, evidence types, and escalation paths.

    flowchart TD
        A["Compliance obligation identified"] --> B["Classify category"]
        B --> C["Determine affected work, artifact, or process"]
        C --> D["Assign control type, owner, and evidence"]
        D --> E["Track through review, approval, and audit readiness"]

Classification is not just labeling. It determines what happens next.

Categories Help Avoid Control Gaps

For example, a contractual obligation may require supplier oversight and acceptance records, while a privacy obligation may require access restrictions, consent handling, and retention controls. If those are grouped vaguely under one heading like “project compliance,” the response can become generic and weak.

The exam often rewards the answer that organizes the problem into workable categories instead of treating compliance as a vague concern.

Use Categories to Route People and Decisions

Once categorized, the project manager can ask better questions:

  • Which expert or function needs to review this?
  • What evidence would prove compliance later?
  • Is this a design control, process control, approval, or monitoring requirement?
  • Does this belong in procurement, quality, risk, or operational planning?

This routing logic is what makes categorization valuable.

Example

A project must comply with a new client contract, updated internal security policy, and workplace safety standards for site installation. The stronger response is to separate those into contractual, security, and safety categories so each obligation gets the right owner, control, and review path.

Common Pitfalls

  • Using categories so broad that they do not influence action.
  • Treating every compliance item as a legal question.
  • Failing to connect category to evidence and ownership.
  • Letting one category hide another, such as folding privacy into general security without checking specific retention rules.

Check Your Understanding

### Why is classifying compliance obligations useful?

- [ ] It removes the need for project controls
- [ ] It guarantees that audits will not happen
- [ ] It makes every compliance item equally urgent
- [x] It helps route each obligation to the right owners, controls, and evidence path

> **Explanation:** Categorization supports better control design and ownership.

### Which response is strongest when a project has safety, privacy, and contract obligations?

- [x] Separate them into workable categories so each gets the right control and review path
- [ ] Combine them into one generic compliance item
- [ ] Ignore the differences until audit time
- [ ] Treat them all as procurement issues

> **Explanation:** Different categories often require different handling.

### What is the weakest use of compliance categories?

- [ ] Using them to assign subject matter experts
- [x] Using them only as labels without changing ownership or action
- [ ] Using them to define evidence needs
- [ ] Using them to route items into the right plans and controls

> **Explanation:** Categories are valuable only if they influence decisions.

### Which item is most likely to belong in a different category from safety and privacy?

- [ ] Access-control rule
- [ ] Incident logging rule
- [x] Supplier acceptance clause in a customer contract
- [ ] Data retention restriction

> **Explanation:** A supplier acceptance clause is usually contractual rather than safety or privacy focused.

Sample Exam Question

Scenario: A project includes customer data handling, installation work at a physical site, and third-party supplier deliverables. During planning, the team places all obligations under one item called “compliance” and assigns a single owner. A review later shows the team still has no clear inspection path for site safety, no retention design for data, and no contract acceptance checklist.

Question: What should the project manager have done first?

  • A. Assign all compliance work to legal and wait for their consolidated response
  • B. Leave the list unchanged because one owner simplifies accountability
  • C. Delay categorization until the first audit request arrives
  • D. Classify the obligations into workable categories and map each category to owners, controls, and evidence needs

Best answer: D

Explanation: The strongest answer is D because categorization makes compliance manageable. Safety, privacy, and contractual obligations often need different owners, controls, and proof. Without that classification, the project can easily miss important control paths.

Why the other options are weaker:

  • A: Legal may help, but not every compliance item should be managed only through legal review.
  • B: Single-owner simplicity can hide real control needs.
  • C: Waiting until audit time is reactive and risky.

Key Terms

  • Compliance category: A grouping that helps route an obligation to the right control and review path.
  • Routing: Directing a requirement to the correct owner, process, or control mechanism.
  • Control path: The sequence of checks, approvals, and evidence that supports compliance.

Revised on Monday, April 27, 2026