How do governance, risk, and compliance differ, and how do they relate?
Short answer
Governance is how leadership sets direction, defines accountability, and aligns security with business objectives — the policies, roles, and oversight that say what 'good' looks like. Risk management is the process of identifying, assessing, treating, and monitoring threats to those objectives. Compliance is demonstrating adherence to obligations — laws, regulations, contracts, and internal policy. Governance drives risk decisions; risk informs which controls you need; compliance evidences that those controls meet required standards. Compliance is an outcome of good GRC, not a substitute for security.
GRC is often treated as one blurry blob. Interviewers ask you to separate the three because people who can articulate the distinction tend to build programs that are actually defensible — instead of chasing audit checkboxes while real risk goes untreated.
Governance
Governance is the leadership layer. It answers who decides, against what objectives, and who is accountable. It produces strategy, policy, roles and responsibilities, risk appetite, and oversight (board and executive reporting). In NIST CSF 2.0 this is formalised as the Govern function. Governance sets the direction everything else follows.
Risk management
Risk management is the engine. It systematically identifies, assesses, treats, and monitors threats to the organisation's objectives. Treatment options are the classic four: mitigate, transfer, avoid, or accept. Risk decisions are made within the risk appetite that governance set, and they determine which controls are worth implementing.
Compliance
Compliance is the proof. It demonstrates adherence to external obligations (GDPR, PCI DSS, HIPAA, ISO 27001) and internal policy. It is evidence-driven: audits, attestations, and control testing.
How they fit together
Governance points the way; risk management decides what to do about threats; compliance evidences that what was done meets the bar. The classic failure mode is "compliant but not secure" — passing an audit while leaving genuine risk untreated, because the team optimised for checkboxes rather than outcomes.
Why this matters
The strongest candidates stress the flow (governance → risk → compliance) and warn against treating compliance as the goal. That distinction is what separates a mature security leader from a checklist-driven one.
Likely follow-ups
- Why is 'compliant but not secure' a real and common problem?
- How does risk appetite connect governance to day-to-day control decisions?
- Where does internal audit sit relative to governance, risk, and compliance?