For CISO · GRC Lead · CFO

Compliance Cost of Delay.

Seven inputs estimate the monthly carrying cost of waiting on a regulatory readiness project (SOC 2 · HIPAA · ISO 27001 · PCI · GDPR): pipeline drag from deals blocked on the missing attestation, plus expected-value penalty drag, plus ongoing remediation labor. A Conservative / Aggressive toggle scales the penalty likelihood.


Your inputs

Slide each one. Monthly cost + annualized projection update live.

Monthly carrying cost

Monthly cost composition

Where the carrying cost actually shows up.

12-month cumulative projection

What you pay if you defer the project for a year.

Sensitivity tornado

Each row shows how the result changes if you perturb that input. Bigger bar = more sensitive.

Legend: move increases monthly carrying cost / move decreases monthly carrying cost.

The math, openly

Pipeline drag (monthly) = (deals × ARR × slipProb) / salesWindowMonths

Expected penalty drag (monthly) = (penalty × enforcementProb × modeMult) / 12

Remediation labor (monthly) = labor (as-entered)

Monthly carrying cost = pipelineDrag + penaltyDrag + remediationLabor

Annualized = monthlyCost × 12

Conservative mode (default): penalty likelihood × 1.0. Use for board reporting.
Aggressive mode: penalty likelihood × 1.75. Use when industry enforcement is rising, the regulator has signaled focus on your sector, or you've had prior findings.
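The formulas above, as an added worked example in Python (this is not the calculator's own code). It applies the page's five equations and the two mode multipliers, builds the 12-month cumulative projection, and computes a sensitivity tornado by perturbing each of the seven inputs by ±20%. The sample inputs (four blocked deals at $100k ARR, 35% slip probability, 6-month window, $250k penalty at 10% enforcement likelihood, $15k/month remediation labor) are constructed for illustration; the ±20% perturbation size and the clamping of probabilities at 1.0 are assumptions, since the page does not state how its tornado perturbs inputs.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Mode multipliers as stated on the page: Conservative x1.0, Aggressive x1.75.
MODE_MULT = {"conservative": 1.0, "aggressive": 1.75}

# Inputs expressed as probabilities; perturbations are clamped so they stay <= 1.0 (assumption).
PROB_FIELDS = {"slip_prob", "enforcement_prob"}


@dataclass(frozen=True)
class Inputs:
    """The calculator's seven inputs. Money in dollars, probabilities in [0, 1]."""
    deals: float                 # deals currently blocked on the missing attestation
    arr: float                   # average ARR per blocked deal
    slip_prob: float             # probability a blocked deal slips or is lost
    sales_window_months: float   # months over which that pipeline would otherwise close
    penalty: float               # plausible regulatory penalty (annual, expected-value basis)
    enforcement_prob: float      # probability of an enforcement action within a year
    labor: float                 # ongoing remediation labor, entered as a monthly figure


def carrying_cost(inp: Inputs, mode: str = "conservative") -> Dict[str, float]:
    """Apply the page's formulas; return each line item plus monthly and annualized totals."""
    if mode not in MODE_MULT:
        raise ValueError(f"unknown mode {mode!r}")
    if inp.sales_window_months <= 0:
        raise ValueError("sales_window_months must be positive")
    pipeline = inp.deals * inp.arr * inp.slip_prob / inp.sales_window_months
    penalty = inp.penalty * inp.enforcement_prob * MODE_MULT[mode] / 12
    monthly = pipeline + penalty + inp.labor
    return {
        "pipeline_drag": pipeline,
        "penalty_drag": penalty,
        "remediation_labor": inp.labor,
        "monthly": monthly,
        "annualized": monthly * 12,
    }


def cumulative_projection(inp: Inputs, months: int = 12, mode: str = "conservative") -> List[float]:
    """Running total of carrying cost after each month of deferral (the 12-month chart)."""
    m = carrying_cost(inp, mode)["monthly"]
    return [m * k for k in range(1, months + 1)]


def tornado(inp: Inputs, pct: float = 0.20, mode: str = "conservative") -> List[Tuple[str, float, float]]:
    """Perturb each input by -pct and +pct; return (field, delta_at_minus, delta_at_plus)
    as changes in monthly cost, ordered most sensitive first."""
    base = carrying_cost(inp, mode)["monthly"]
    rows = []
    for field in Inputs.__dataclass_fields__:
        current = getattr(inp, field)
        lo_val, hi_val = current * (1 - pct), current * (1 + pct)
        if field in PROB_FIELDS:
            hi_val = min(1.0, hi_val)
        d_lo = carrying_cost(replace(inp, **{field: lo_val}), mode)["monthly"] - base
        d_hi = carrying_cost(replace(inp, **{field: hi_val}), mode)["monthly"] - base
        rows.append((field, d_lo, d_hi))
    rows.sort(key=lambda r: max(abs(r[1]), abs(r[2])), reverse=True)
    return rows


# Constructed sample inputs, not figures from the page.
EXAMPLE = Inputs(deals=4, arr=100_000, slip_prob=0.35, sales_window_months=6,
                 penalty=250_000, enforcement_prob=0.10, labor=15_000)

if __name__ == "__main__":
    for mode in MODE_MULT:
        r = carrying_cost(EXAMPLE, mode)
        print(f"{mode:>12}: monthly ${r['monthly']:,.0f}  annualized ${r['annualized']:,.0f}")
    print("month 12 cumulative:", f"${cumulative_projection(EXAMPLE)[-1]:,.0f}")
    for field, d_lo, d_hi in tornado(EXAMPLE):
        print(f"{field:>20}: -20% -> {d_lo:+,.0f}   +20% -> {d_hi:+,.0f}")
```

With these inputs the pipeline drag ($23,333/month) dwarfs the expected penalty drag ($2,083/month in Conservative mode), which matches the page's closing observation; the tornado ranks `sales_window_months` first because shortening the window scales pipeline drag nonlinearly (1/x), so the -20% move costs more than the +20% move saves.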

The pipeline-drag number is usually the biggest line item — sales teams under-report blocked-on-compliance opportunities until the deal is gone.