“We need the proposal today. And the SAMA compliance questionnaire, completed. We submit tomorrow.”
The submission date was set months ago. It only reached you yesterday.
This is the rhythm of selling into regulated financial services here. The work behind it is real: under SAMA’s cyber security framework, a regulated buyer has to satisfy specific controls for its providers before it can sign, let alone go live. The questionnaire is not box-ticking. It is the buyer discharging an obligation it genuinely cannot avoid.
What gets compressed is the lead time, not the requirement. The regulatory clock has been running for a quarter. The supplier finds out when there are days left on it.
You can treat that as chaos and scramble every time it lands. Or you can read the market for what it is, and have the answer ready before the question arrives: controls documented, evidence current, the responses to a framework you already knew was coming sitting in a folder rather than a panic.
In regulated buying, the fast supplier rarely wins. The ready one does.