Every compliance consulting practice hits the same wall. Revenue is capped by the number of senior consultants you can hire, retain, and keep billable. You can't scale the business without scaling the team — and scaling the team is expensive, slow, and risky.
Where the Time Actually Goes
A single ISO 27001 audit preparation requires reviewing 500-700 files across 1-2 months. Your most experienced (and most expensive) consultants spend the majority of their time on tasks that require thoroughness, not expertise:
- Document ingestion and review (reading every policy, procedure, and evidence file)
- Control mapping (matching evidence to framework requirements manually)
- Gap identification (comparing current state to target state across hundreds of controls)
- Cross-framework reconciliation (ISO 27001, SOC 2, NIST, CPS 234 — overlapping but different)
- Evidence collection (chasing up missing documentation)
This is work that demands accuracy and completeness. It doesn't demand 20 years of experience. But because the tools don't exist to do it faster, your seniors do it anyway.
The Economics
| Metric | Typical Practice |
|---|---|
| Average engagement value | $30K – $80K per client |
| Average engagement duration | 4 – 8 weeks |
| Senior consultant utilisation | 70 – 80% (ceiling) |
| Time on document review | 60 – 70% of total |
| Concurrent engagements per senior | 2 – 3 (maximum) |
| Graduate ramp to independent work | 12 – 18 months |
The Hiring Trap
The obvious answer is "hire more seniors." But senior GRC consultants take 6-12 months to recruit, command premium salaries, and have no shortage of options. Even when you hire successfully, each new senior adds revenue capacity linearly — you don't get leverage, you get more of the same constraint.
The question isn't how to hire faster. It's how to change the ratio of consultants to engagements.