MSP Poll Reveals Top GRC Fears: Why Compliance Should Not Be Scary

For many MSPs, governance, risk and compliance (GRC) is the monster under the bed — hiding in a dark lair of complexity and high costs, it’s something to fear and keep far from your service stack.

That fear is understandable, but unfounded. We're here to shine some light on the darkness.

In this article, we examine the top GRC concerns among MSPs, as revealed by our recent poll. Come along as we debunk the myths and explore practical strategies to turn GRC from a nightmare into a strategic advantage.

MSP Compliance Survey Results 2024

The great Albert Einstein taught us that to solve a problem, we must first understand it. With a better understanding of what motivates MSP fears around GRC, we can provide practical steps to address them.

That was the motivation behind our recent MSP poll. We asked: “What’s your biggest fear around Governance, Risk and Compliance?” These are the results we got:

  • 25% fear implementing GRC incorrectly
  • 38% worry clients won't pay for this service
  • 31% aren't afraid of GRC but don't see it as solely their responsibility
  • 6% lack GRC knowledge and expertise

Since GRC affects your MSP’s resources, time, and costs, these concerns are more than fair. Let's take a closer look at each fear, its origins, and potential solutions.

Fear #1: MSP Legal Risks in GRC Implementation

About one-quarter of polled MSPs worried about lawsuits and potential litigation should something go wrong with their GRC program.

At the heart of it

Master service agreements (MSAs) are valuable, but they don’t eliminate legal risks. Even a strong MSA only helps manage risk — and in the realm of GRC, risk is significant.

If GRC is mishandled, it can lead to severe consequences for businesses. Some of the most significant risks include regulatory penalties, data breaches, and productivity losses. MSPs fear that the costs of these scenarios fall on their shoulders if they’ve taken responsibility for client GRC programs.

Facing fear

MSPs need strong MSAs whether they offer GRC or not. An MSA sets client expectations by defining your services and obligations. Clear scope definition and liability limitations are especially important when handling data and security for regulated clients.

But a strong MSA that clarifies your role as a facilitator and advisor is only half the battle in shifting the culpability for risks. Guiding your clients toward making informed, risk-based decisions without taking on full responsibility is a fine art. Part of that involves documenting every part of the process.

Help clients understand that they own the policies and procedures you create. Work with them to understand the need for every policy and procedure you put in place, and regularly notify them of their risk. Obtain client signatures on every document and retain records of every version and authorization indefinitely. With these practices, MSPs avoid owning the risk if something goes wrong.

Fear #2: How to Sell MSP Compliance Services

Most clients ignore compliance until forced by a breach or regulatory requirement. That’s at least what 38% of our polled MSPs fear.

At the heart of it

GRC is a significant investment. There’s a financial investment in software, training, and collaborating with experts. There’s also a time-and-resource investment associated with offering something new. Operational disruption poses additional risks.

Many MSPs question these investments when half their clients ignore compliance until problems arise, while others rely on cyber insurance. With existing services profitable, the shift to GRC seems unnecessary.

Facing fear

When you know how to frame the conversation, selling GRC is easy. In conversations with clients, shift the narrative from compliance as a cost to an investment in security. 

Start here: the global average cost of a data breach in 2024 is $4.88 million. The cost alone is enough to bankrupt any small or medium-sized business. But even if a business could weather the regulatory fines, legal fees, and remediation efforts, the ensuing reputational damage and loss of investment can devastate even the largest corporations.

And that’s how you position GRC service as a value-add rather than an extra expense. The cost of investing in efforts to mitigate risk is far less than what it would cost to recover from a cyber attack or data breach — it’s just that simple.

Fear #3: Building MSP GRC Expertise

Thankfully, the percentage of MSPs in our poll who replied that they are uncertain about GRC is small, but we should still address their concern. Their lack of expertise in this field may make them hesitant to add GRC to their stack, preventing them from capitalizing on compliance as a service (CaaS).

At the heart of it

MSPs excel at IT infrastructure and end-user systems. They've mastered day-to-day management services and built their reputation on tech expertise, earning client trust through proven skills.

GRC is a whole new world for MSPs. Regulatory frameworks, policy writing, risk management methodologies, and compliance audits introduce complexity that could jeopardize client trust if handled incorrectly.

Facing fear

MSPs are naturally suited to lead GRC initiatives, since most of them are already doing the work.

Our educated guess is that you’re already familiar with most pieces of a GRC package, including backups, antivirus, access management, gap analysis, assessments, security awareness, and policies and procedures. You may only need to add a couple of services to meet those requirements.

What’s more, you don’t need to bear the burden alone. Leverage partnerships and collaborate with other experts along the way. For example, peer groups are a safe space for you to ask questions and attend expert-led training. Or, consider working with a virtual Chief Information Security Officer (vCISO) service provider that gives guidance and oversight while you learn the ropes.

Other Perspectives on GRC

Nearly one-third of our respondents didn’t see GRC as scary at all. Instead, they saw it as a shared responsibility with clients, wherein the MSP provides guidance.

And we completely agree!

MSPs are not the ultimate authority in client GRC programs — they can’t be. Their role is to facilitate and advise, identifying what’s being done, what needs to be done, and offering solutions to get there.

Your clients ultimately own the follow-through, supported by clear expectations and roles defined in contracts.

From Fear to Confidence in GRC

GRC is not going away. Indeed, it’s becoming increasingly crucial for businesses of all sizes. For MSPs, continuing to serve clients as trusted partners means facing their fears around GRC directly.

GRC is a shared responsibility, where you serve as the facilitator. Instead of shouldering the entire burden, let us help you on this journey. Book a live free demo to see how the Compliance Scorecard Compliance-as-a-Service platform works for you.
