Compliance
Regulatory Compliance Consulting Is Built for Regulated Industries. Most Mid-Market Companies Aren't.
Traditional regulatory compliance consulting assumes a primary regulator, recurring exams, and a Chief Compliance Officer. Most mid-market companies have none of those, yet regulatory exposure keeps growing. Here is the model that actually fits.
By Eric Kennedy · Wed May 06 2026 · 5 min read
If your company is a $200M industrial distributor, a $300M software company, or a $150M manufacturer, you are probably not in a "regulated industry" the way a regulator would define one. You do not have a primary regulator. You do not file quarterly reports with the SEC, the OCC, the FDA, or HIPAA's Office for Civil Rights. You do not have a Chief Compliance Officer.
And yet, you are picking up regulatory exposure faster every year.
This is the gap most CFOs are running into right now. Traditional regulatory compliance consulting is built for industries with a primary regulator, a defined rulebook, and recurring audits. Most mid-market companies do not look like that. The compliance pressure is still showing up, just from different directions, and the consulting market has not caught up.
What regulatory compliance consulting was designed to do
The mature regulatory compliance consulting model was built around three assumptions: a defined regulatory regime, a defined examination cycle, and a defined function inside the company that owns it.
A regional bank has the FDIC, the OCC, and state banking regulators, plus a Chief Compliance Officer and a compliance team. A health system has HIPAA, CMS, state DOH, and a privacy officer. A pharma company has the FDA, EMA, and a regulatory affairs department.
Compliance consulting in those environments works well. The consultant maps regulatory requirements to controls, tests the controls, identifies gaps, and remediates. The internal compliance function owns the result. The regulator inspects on a known cadence. Engagements are scoped around specific regulations: SOX, HIPAA, AML/BSA, PCI, GDPR, FDA 21 CFR Part 11.
This model assumes you already know which regulations apply to you and you already have the function to absorb the work.
Most mid-market companies have neither.
Where the model breaks for non-regulated mid-market
A $250M company that sells to commercial customers in 30 states is not in a regulated industry. But over the last three years, that company has likely picked up exposure to:
State privacy laws. Twenty U.S. states will have comprehensive privacy laws covering roughly half the U.S. population by 2026. Each one has different thresholds, definitions, and consumer rights. Nine states amended their existing privacy laws in 2025, and Connecticut lowered its threshold from 100,000 consumers to 35,000, dramatically expanding which companies are in scope.
Customer contract pass-throughs. Enterprise customers are pushing SOC 2, ISO 27001, GDPR processor obligations, and AI use disclosures into their vendor contracts. Companies that have never been subject to a regulator are now subject to a regulator's requirements through a Fortune 500 customer's procurement team.
AI disclosure and use rules. Colorado, California, and several other states have AI-specific rules in or near effect, on top of FTC enforcement under unfair and deceptive practices authority.
State-level employment, sales tax, and consumer protection rules that vary across the geographies the company sells into.

Four directions regulatory exposure shows up for non-regulated mid-market companies.
None of this fits a "regulatory compliance consulting" engagement structured around a single regulatory regime. The exposure is fragmented, contract-driven, and constantly moving. There is no annual exam to prepare for, but the cumulative liability is real.
What this looks like inside the company
The CFO is usually the one who notices first. A customer contract review surfaces obligations the company is not equipped to meet. A privacy notice is out of date. A vendor questionnaire asks about controls the company has not designed. State sales tax economic nexus thresholds have been crossed without anyone noticing.
There is no compliance function. The work falls to whoever has the bandwidth, usually the controller, the general counsel, the head of IT, or the CFO directly. None of them have time to track 20 state privacy laws, three AI rules, and a rotating set of customer contract obligations.
This is not a compliance program. It is reactive triage.

Two different compliance realities. Most consulting is built for the left column.
The data backs up what mid-market CFOs already feel. According to the AICPA and NC State 2025 State of Risk Oversight Report, only 35% of senior finance leaders report having comprehensive ERM processes in place, and only 32% rate their organization's overall risk oversight as mature or robust. The same study found that only 27% of executives believe their ERM process would help identify and manage a significant risk event impacting reputation and brand. Regulatory exposure that surfaces in a customer contract review or a state AG inquiry is exactly that kind of event.

Source: AICPA and NC State University, 2025 State of Risk Oversight Report.
What mid-market companies actually need
The fix is not a compliance consulting engagement aimed at a specific regulation. It is an integrated risk view that catches regulatory exposure early, regardless of where it comes from.
Three properties matter.
A standing inventory of obligations. Not just regulations. Customer contract obligations, state-level rules, AI use disclosures, and vendor pass-throughs all belong on the same list. Updated quarterly. Owned by one person.
A small set of controls that cover most of it. Most mid-market regulatory exposure is satisfied by a foundational set of 50 to 80 controls covering data handling, access management, vendor diligence, contract review, and incident response. You do not need a regulated-industry control library of 5,000.
An escalation path. When a new regulation, contract clause, or customer ask surfaces, there is one place it goes and one person who decides whether it is in scope, out of scope, or needs review.

One owner, one operating rhythm, one escalation path.
This is risk management, not regulatory compliance. The terminology matters because it changes who runs the program (the CFO and a risk owner, not a Chief Compliance Officer) and how the engagement is structured (one integrated build, not three regulation-specific workstreams).
The buying lesson
If a firm is pitching you regulatory compliance consulting structured around a specific regulation, ask whether you actually have that regulator. If you do not, you are buying a tool for a problem you do not have, while the problem you do have keeps growing.
You do not need traditional regulatory compliance consulting. You need a risk program that catches regulatory exposure as part of how the business already runs.
Frequently Asked Questions
What is the difference between regulatory compliance consulting and risk management consulting?
Regulatory compliance consulting is structured around a specific regulator and rulebook (HIPAA, SOX, FDA, etc.) and assumes the company has an internal compliance function. Risk management consulting is broader and integrates compliance, operational, financial, and strategic risks into one program owned by the CFO or a designated risk leader. Mid-market companies usually need the latter.
Does my company need a Chief Compliance Officer?
Most mid-market companies (under $500M in revenue) do not. What they need is one designated person, often the CFO, controller, or general counsel, who owns the integrated risk and compliance picture and a quarterly operating rhythm to keep it current.
How do I know if my company has picked up regulatory exposure I am not tracking?
A diagnostic review against state privacy laws, customer contract obligations, AI use rules, and state-level operational rules will surface most of it. KRG's ERM Program Diagnostic is designed for exactly this purpose.
What does an integrated mid-market compliance program actually cost?
A focused build typically runs $52K to $70K over 8 to 12 weeks (KRG's ERM Foundation Build). A diagnostic to scope the work first runs $4,500 to $6,500 over 1 to 2 weeks, and the diagnostic cost is credited toward any future engagement.