Relying on external consultants for compliance becomes unsustainable because it creates a structural dependency that organisations were never designed to maintain long-term. Consultants deliver value in bursts — during audits, implementations, or incident response — but continuous governance requires permanent, embedded capability that a rotating cast of external advisors simply cannot provide. If you are wondering whether your current approach is heading toward this problem, feel free to reach out, and we are happy to think along with you. The sections below unpack the most common questions organisations ask when they start to feel the cracks.
What happens to compliance when a consultant leaves?
When a consultant leaves, compliance does not disappear overnight — but the institutional knowledge that kept it functional walks out the door with them. Policies exist on paper, but the reasoning behind decisions, the informal escalation paths, and the awareness of what was deliberately left out of scope are all stored in one person’s head. Within weeks or months, the organisation is flying blind on its own governance.
This is one of the most underestimated risks in compliance management. Because the documentation looks complete, leadership often assumes continuity is intact. In practice, the next audit cycle, the next regulatory update, or the next security incident reveals that nobody internally understands why certain controls were designed the way they were — or what needs to change.
The result is a scramble: either the same consultant is rehired at a premium, a new one is brought in to reverse-engineer the previous work, or internal staff attempt to fill the gap without adequate preparation. All three outcomes are expensive, disruptive, and avoidable. Sustainable compliance requires that governance knowledge lives inside the organisation, not inside an individual contractor.
Why is project-based compliance a structural mismatch for ongoing regulations?
Project-based compliance is a structural mismatch for ongoing regulations because regulations like NIS2, GDPR, ISO 27001, and the EU AI Act are not one-time requirements — they are continuous obligations that evolve alongside your organisation and the regulatory landscape. A project has a start date, an end date, and a deliverable. Governance has none of those things.
When compliance is treated as a project, the organisation optimises for a single milestone: passing an audit, achieving certification, or satisfying a regulatory deadline. Once that milestone is reached, attention shifts elsewhere. But the regulation does not pause. Threats evolve, business processes change, new suppliers are onboarded, and the technical environment shifts — all of which create new compliance obligations that a completed project cannot address.
This mismatch becomes especially visible during certification renewals. Organisations that treated ISO 27001 or DORA alignment as a project often discover during their second or third cycle that they need to rebuild from scratch, because nothing was maintained in the intervening period. The cost of that rebuild consistently exceeds what continuous maintenance would have required. Regulations are designed for organisations that govern continuously. Project-based compliance is a point-in-time response to a continuous requirement, and the gap between the two compounds over time.
What are the hidden costs of recurring compliance consultancy?
The hidden costs of recurring compliance consultancy go well beyond the invoice. The visible cost is the day rate or project fee. The invisible costs include onboarding time for every engagement, context loss between cycles, internal coordination overhead, and the strategic drift that occurs when no single party owns the governance outcome over time.
Consider what happens each time a new consultant engagement begins. Someone inside the organisation must brief the consultant, provide access to documentation, explain what changed since the last engagement, and review deliverables before they can be used. This coordination cost is rarely budgeted and rarely tracked — but it accumulates significantly across a multi-year relationship with rotating external advisors.
There is also a softer but equally real cost: the absence of accountability continuity. A consultant who completes a project and moves on has no stake in whether the controls they designed are still functioning six months later. If something breaks, the organisation absorbs the consequence. This asymmetry means that recurring consultancy often produces technically sound deliverables that gradually become operationally irrelevant, because nobody is responsible for keeping them alive.
Finally, there is the cost of missed improvement. A consultant engaged for a defined scope will deliver within that scope. They are not incentivised to flag emerging risks, recommend process improvements outside the brief, or proactively align governance with new regulatory developments. That proactive function requires a different model entirely.
How does consultant dependency create governance drift over time?
Consultant dependency creates governance drift by removing the internal ownership that keeps compliance controls calibrated to reality. Governance drift is the gradual divergence between documented controls and actual organisational practice — and it accelerates whenever governance responsibility sits outside the organisation rather than within it.
The mechanism is straightforward. When an external consultant owns the governance process, internal staff learn to defer to that expertise rather than developing their own. Policies get updated when the consultant is engaged, not when the organisation changes. Risk assessments reflect the state of the business at the time of the last engagement, not today. Over a 36-month certification cycle, the gap between the governance framework and operational reality can become substantial.
Drift is particularly dangerous because it is invisible until it matters. An organisation can appear fully compliant on paper while operating in a way that bears little resemblance to its documented controls. When an incident occurs, a regulator investigates, or a certification body conducts a surveillance audit, the gap is exposed — often at the worst possible moment.
Preventing governance drift requires continuous attention, not periodic intervention. It requires people inside the organisation who understand the governance framework deeply enough to notice when something has changed and to update the system accordingly. Consultant dependency structurally prevents this from developing, because the knowledge and the accountability remain external.
What’s the difference between consultancy and governance-as-a-service?
The core difference between consultancy and governance-as-a-service is continuity and ownership. Consultancy delivers expertise on demand for a defined scope and duration. Governance-as-a-service provides an ongoing, embedded governance capability that operates as a permanent part of the organisation — combining expert knowledge with tooling, role-based accountability, and proactive maintenance across the full certification lifecycle.
What consultancy delivers
Traditional consultancy is well suited to discrete, time-bounded challenges: designing an initial framework, preparing for a specific audit, or responding to a regulatory change. The consultant brings expertise, produces deliverables, and exits. The organisation is responsible for what happens next. This model works when the need is genuinely episodic — but most regulated organisations face governance requirements that are anything but episodic.
What governance-as-a-service delivers
Governance-as-a-service replaces the project model with a subscription-based, always-active capability. Rather than engaging experts when something breaks or an audit approaches, the organisation has continuous access to governance expertise that is aligned to its specific regulatory obligations — whether that is NIS2, ISO 27001, ISO 42001, GDPR, DORA, or the EU AI Act. Controls are monitored, updated, and tested on an ongoing basis. Risk assessments reflect current reality. And when the certification cycle renews, the organisation is ready — not because it rushed to prepare, but because it never stopped governing.
We built our governance services specifically around this distinction, integrating security, privacy, quality, and AI governance into one unified system rather than treating each domain as a separate engagement. The result is governance that is structurally embedded rather than periodically imported.
When should an organisation stop relying on external compliance consultants?
An organisation should reconsider its reliance on external compliance consultants when governance has become a recurring operational need rather than a one-time project requirement. The clearest signal is when the same consultant is rehired cycle after cycle to maintain work that should have been internalised the first time. At that point, the organisation is paying project rates for what is effectively an ongoing service.
Other signals worth paying attention to include:
- Compliance knowledge is concentrated in one or two external individuals rather than distributed across internal roles
- Governance documentation is updated only when a consultant is engaged, not when the organisation changes
- Internal staff cannot explain the rationale behind key controls or policies
- Audit preparation requires a significant mobilisation effort rather than a routine review
- Regulatory developments are noticed reactively, after they have already created gaps
For scale-ups and mid-market organisations operating under multiple regulatory frameworks simultaneously, the calculus shifts further. Managing NIS2, GDPR, and ISO 27001 obligations in parallel through rotating consultants is not just expensive — it is structurally fragile. The integration between frameworks, the cross-domain dependencies, and the ongoing calibration required across a 36-month cycle demand a model built for continuity, not for projects.
The right moment to make the shift is before the next audit cycle begins — not after a gap has been exposed. If your organisation is approaching a certification renewal, a regulatory deadline, or a period of significant operational change, that is the ideal window to move from episodic consultancy to continuous governance. Get in touch with us to explore what that transition looks like for your organisation.
Frequently Asked Questions
How long does it typically take to transition from consultant-led compliance to an embedded governance model?
The transition timeline depends on your current maturity level, the number of regulatory frameworks in scope, and how much institutional knowledge needs to be rebuilt internally. For most mid-market organisations, a structured transition takes between three and six months — covering knowledge transfer, tooling setup, role assignment, and a first governance cycle under the new model. Starting the transition well before an audit or certification renewal is critical, as it gives the embedded model time to stabilise before it is tested.
Can we run a governance-as-a-service model alongside an existing internal compliance team?
Yes — and in many cases, this is the most effective setup. Governance-as-a-service is not designed to replace internal staff but to provide the continuous expert layer, tooling, and cross-framework integration that most internal teams lack the bandwidth or specialisation to maintain alone. Internal teams handle operational context and day-to-day execution; the governance service provides the regulatory expertise, framework maintenance, and proactive monitoring that keep the whole system calibrated. The two functions reinforce rather than duplicate each other.
What if we only operate under one regulatory framework — is continuous governance still necessary?
Even under a single framework like ISO 27001 or GDPR, continuous governance adds measurable value over the project-based alternative. Regulations evolve, your organisation changes, and the gap between documented controls and operational reality grows whenever governance attention lapses. The cost of rebuilding for each certification cycle consistently exceeds the cost of maintaining continuously — and the risk exposure during the gaps is real, regardless of how many frameworks are in scope. Single-framework organisations are not immune to governance drift; they are simply less likely to notice it until an audit or incident makes it visible.
How do we avoid the same dependency problem with a governance-as-a-service provider that we had with consultants?
The key difference lies in how knowledge is structured and where it lives. A well-designed governance-as-a-service model embeds knowledge into your organisation through documented processes, role-based accountability, and tooling that your team actively uses — rather than concentrating it in an individual who can walk away. When evaluating providers, look for explicit knowledge transfer mechanisms, internal capability building as part of the service design, and governance tooling that your team owns and operates. The goal is for the provider to make your organisation more capable over time, not more dependent.
What should we do right now if we suspect we already have significant governance drift?
Start with an honest internal assessment: ask your team to explain the rationale behind your five most critical controls, check when your risk register was last updated relative to your last significant operational change, and identify who inside the organisation would notice if a key control stopped functioning. These three checks will quickly surface whether drift is present and how significant it is. From there, the priority is not to rebuild everything at once but to identify the highest-risk gaps — particularly those that would be exposed in an audit or incident — and address those first while putting a continuous maintenance model in place.
How do we make the business case internally for moving away from consultant-led compliance?
The most effective business case combines the visible and hidden costs of the current model. Start by calculating what your organisation has spent on compliance consultancy over the past 36 months — including not just fees, but internal coordination time, onboarding overhead, and any remediation costs following audits where gaps were found. Then model the cost of a continuous governance model over the same period, factoring in reduced audit preparation effort, fewer remediation cycles, and the strategic value of always-ready compliance. For organisations under multiple regulatory frameworks, the integration efficiency of a unified governance model typically strengthens the case further.
Which regulatory frameworks are most poorly served by the project-based consultancy model?
Frameworks with continuous monitoring requirements, surveillance audit cycles, or obligations that evolve with operational changes are the worst fit for project-based compliance. ISO 27001 and ISO 42001 both require ongoing evidence of control operation across a three-year certification cycle — not just a point-in-time snapshot. GDPR imposes continuous accountability obligations that do not reset after an audit. NIS2 and DORA require organisations to demonstrate operational resilience on an ongoing basis, not just at certification. The EU AI Act adds another layer of continuous conformity obligations for high-risk AI systems. Any organisation operating under more than one of these frameworks simultaneously is carrying significant structural risk if governance is managed through episodic consultancy.