Skip to content

How do governance, risk, and compliance differ, and how do they relate?

Short answer

Governance is how leadership sets direction, defines accountability, and aligns security with business objectives — the policies, roles, and oversight that say what 'good' looks like. Risk management is the process of identifying, assessing, treating, and monitoring threats to those objectives. Compliance is demonstrating adherence to obligations — laws, regulations, contracts, and internal policy. Governance drives risk decisions; risk informs which controls you need; compliance evidences that those controls meet required standards. Compliance is an outcome of good GRC, not a substitute for security.

GRC is often treated as one blurry blob. Interviewers ask you to separate the three because people who can articulate the distinction tend to build programs that are actually defensible — instead of chasing audit checkboxes while real risk goes untreated.

Governance

Governance is the leadership layer. It answers who decides, against what objectives, and who is accountable. It produces strategy, policy, roles and responsibilities, risk appetite, and oversight (board and executive reporting). In NIST CSF 2.0 this is formalised as the Govern function. Governance sets the direction everything else follows.

Risk management

Risk management is the engine. It systematically identifies, assesses, treats, and monitors threats to the organisation's objectives. Treatment options are the classic four: mitigate, transfer, avoid, or accept. Risk decisions are made within the risk appetite that governance set, and they determine which controls are worth implementing.

Compliance

Compliance is the proof. It demonstrates adherence to external obligations (GDPR, PCI DSS, HIPAA, ISO 27001) and internal policy. It is evidence-driven: audits, attestations, and control testing.

How they fit together

Governance points the way; risk management decides what to do about threats; compliance evidences that what was done meets the bar. The classic failure mode is "compliant but not secure" — passing an audit while leaving genuine risk untreated, because the team optimised for checkboxes rather than outcomes.

Why this matters

The strongest candidates stress the flow (governance → risk → compliance) and warn against treating compliance as the goal. That distinction is what separates a mature security leader from a checklist-driven one.

Likely follow-ups

  • Why is 'compliant but not secure' a real and common problem?
  • How does risk appetite connect governance to day-to-day control decisions?
  • Where does internal audit sit relative to governance, risk, and compliance?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.