The Business of GRC for MSPs: Revenue, Margins, and the Math Nobody Shows You

Not every MSP should.

That's the first thing the GRC software vendors won't tell you. They need you to buy their platform, so every pitch assumes you're offering compliance services. The question of whether you should offer them doesn't come up.

Here's the reality: compliance services require different expertise, different operational models, and different risk tolerance than managed IT. You can't just add “compliance” to your service menu and expect it to work.

Three types of MSPs exist when it comes to GRC:

MSPs who should stay away: You're running a lean operation with commodity clients. Nobody on your team has compliance expertise, and you don't have the capital to invest in training and tooling. Your clients aren't in regulated industries, or if they are, they're not willing to pay for compliance support. Forcing GRC services here will create liability without revenue.

MSPs who should start small: You have some clients in regulated industries. Healthcare, finance, manufacturing with government contracts. They're asking questions about HIPAA, SOC 2, or CMMC. You have someone on the team with compliance interest (or you're willing to hire). You can invest 6-12 months before seeing meaningful returns.

MSPs who should go all-in: Your client base is predominantly regulated. Healthcare providers, defense contractors, financial services. You already have compliance expertise in-house. You're willing to take on advisory-level liability for advisory-level margins.

What percentage of your clients are in regulated industries? If it's under 30%, compliance services will be a distraction. If it's over 50%, you're leaving money on the table by not offering them.

Do you have actual compliance expertise? Not “we've helped clients with audits before.” Do you have someone who understands NIST control families, can interpret a SOC 2 Type II report, or knows the difference between CMMC Level 1 and Level 2 assessment requirements? If not, can you hire or develop that expertise?

Are you willing to accept the liability? When you touch compliance, you create liability exposure. Your MSA can limit it, but it can't eliminate it. If a client fails an audit or gets breached, you will be in the conversation. Are you prepared for that?

Can you invest before you earn? Compliance services don't generate revenue on day one. You need tooling, training, certifications, and pilot engagements before you have a scalable offering. Can you fund 6-12 months of investment before meaningful revenue shows up?

Brian Blakley, now Chief Risk Officer at Compliance Scorecard, has been vocal about this: “Most MSPs aren't equipped or positioned to offer effective vCISO services.” The expertise gap, resource intensity, and liability exposure are fundamentally different from managed IT.

That doesn't mean you can't get there. It means you need to be honest about where you're starting.

The revenue numbers look great in vendor pitch decks. Add compliance services, increase ARPU by $50-150/user, watch the recurring revenue grow.

The margin is where most MSPs get destroyed.

Let's do the actual math.

Scenario: You have 20 clients averaging 50 users each. That's 1,000 users under management. You decide to offer Model 2 compliance services (managed compliance) at $75/user/month.

Gross revenue: $75,000/month. Looks fantastic.

Now subtract the real costs:

• GRC tooling: $500-1,500/month depending on your stack. Let's say $1,000/month.
• Dedicated staff: Half-time minimum at $60,000-80,000/year loaded. Half-time: $2,500-3,300/month. Let's say $3,000/month.
• Training and certification: $10,000/year, or $833/month.
• Your time: 15-20 hours at $200/hour. That's $3,000-4,000/month.
• Framework updates: 10 hours/month at $75/hour: $750/month.

Total costs: $9,083/month

Net margin: $65,917/month, or 88% margin. That looks great. But we're not done.

The hidden costs nobody budgets for:

• Scope creep: Budget 10-15% of gross. That's $7,500-11,250/month.
• Audit panic: Your 20-hour monthly estimate becomes 60 hours in audit prep month.
• Client education: Significant time explaining why they need to do things.

Realistic margin after hidden costs: 30-40% on well-run programs. 10-15% on poorly scoped ones. Some individual clients will be negative.

The MSPs who maintain healthy compliance margins: scope ruthlessly and hold the line on scope creep, price audit preparation separately, and fire clients who won't do their part.

The cardinal sin of compliance pricing: treating it like IT support. For a deep dive on how to price compliance services, see our complete guide.

IT support is operational. You fix things. You maintain things. You respond to tickets. The value is in keeping things running.

Compliance services are advisory. You assess risk. You make recommendations. You interpret frameworks. The value is in your expertise and judgment.

Price accordingly.

Principle 1: Price the risk, not the work

When you provide compliance services, you're taking on liability. If your recommendations are wrong, or if you miss something, you're exposed. Your pricing needs to account for that risk.

Principle 2: Scope ruthlessly

“Compliance support” is not a scope. Which frameworks? Which controls? What's included in “support”?

Every compliance engagement needs a written scope that answers: Which compliance framework(s) are covered? What specific services are included? What is explicitly excluded? What are the client's responsibilities? What triggers out-of-scope billing?

Principle 3: Separate assessment from remediation

Discovery is one engagement. Fixing what you find is another.

• Assessment pricing: Fixed fee based on complexity. $5,000-25,000.
• Remediation pricing: Time and materials, or fixed fee per gap category.
• Ongoing compliance management: Monthly recurring after remediation is complete.

Framework-specific pricing guidance:

• HIPAA compliance support: Assessment $5,000-15,000. Ongoing $50-100/user/month.
• SOC 2 readiness: Gap assessment $10,000-25,000. Ongoing $75-150/user/month or $5,000-15,000/month flat.
• CMMC preparation: Scoping $15,000-50,000. Remediation (Level 2) $50,000-200,000+. Ongoing $5,000-15,000/month.

Here's the conversation nobody wants to have: when you touch compliance, you create liability. For a complete breakdown on protecting your business from compliance liability, see our guide.

Not potential liability. Actual liability that exists the moment you start providing compliance services.

If a client gets breached, you'll be in the conversation. If they fail an audit, you'll be in the conversation. If they get sued by their customers for a data incident, you'll be in the conversation.

Categories of liability exposure:

• Contractual liability: What did your MSA actually promise?
• Professional liability (E&O): Did you provide advice that was wrong?
• Regulatory liability: Under HIPAA and GDPR, service providers have direct obligations.
• Reputational liability: A client publicly blaming you damages your business.

Protection mechanisms:

• Clear scope in every engagement
• Refusal waivers: When clients reject recommendations, document it in writing.
• E&O insurance with cyber coverage
• Client cyber insurance requirements
• Limitation of liability clauses
• Shared responsibility matrix: Every compliance engagement needs one. For CMMC, it's literally required.

Not all compliance clients are good clients. For a complete guide on when to walk away from compliance engagements, see our analysis.

Red flag 1: Client wants certification but won't invest in controls

They need SOC 2 to close a deal. They need CMMC to keep a contract. But they don't want to actually implement the controls required. Walk away.

Red flag 2: Client thinks compliance is your job, not theirs

Compliance requires client participation. Policy enforcement. Employee training. Management decisions about risk acceptance. Walk away.

Red flag 3: Client refuses to sign off on recommendations

If they won't approve or formally reject recommendations, walk away.

Red flag 4: Client wants the cheapest path to “passing”

If their goal is “just pass the audit,” walk away.

Red flag 5: Client's business requires compliance but can't fund it

Help them understand the real costs. If they can't fund it, walk away.

Phase 1: Foundation (Months 1-3)

• Pick one framework: HIPAA for healthcare, CMMC for defense, SOC 2 for tech.
• Invest in training: Budget $5,000-10,000 for initial certification.
• Select minimal tooling: One GRC platform, $300-500/month.
• Build your first engagement scope template
• Price high: Your first engagements are learning experiences.

Phase 2: Pilot (Months 4-6)

• Limit to 3-5 clients
• Over-communicate: weekly status updates
• Over-document: every recommendation in writing
• Track actual hours vs. estimated
• Refine pricing based on reality

Phase 3: Scale (Months 7-12)

• Add frameworks based on client demand
• Hire or train additional staff
• Systematize delivery with templates and checklists
• Shift to recurring revenue

GRC services can add meaningful revenue and margin to an MSP business. They can also create liability exposure and margin destruction if done wrong.

The MSPs who win at compliance:

• Understand it's a business model shift, not a service add-on
• Price for the risk and expertise, not just the hours
• Scope ruthlessly and document relentlessly
• Know when to walk away from bad clients
• Build systematically instead of opportunistically

The MSPs who lose at compliance:

• Treat it as a checkbox service
• Underprice to win deals
• Take on clients who won't do their part
• Ignore the liability they're creating
• Scale before they've figured out delivery

The 75% of MSPs who see compliance as “high growth” aren't wrong about the opportunity. But the 50% still tracking compliance in spreadsheets tells you the execution gap is massive.

Close that gap and you have a real business. Ignore it and compliance services will cost you more than they earn.