Phase 1 · Governance, Risk, Compliance Explained · Lesson 2 of 3
How Governance, Risk, and Compliance Interact
Article
·
10 min
·
+10 pts
Governance, risk, and compliance are not three separate departments doing three separate jobs. They form a feedback loop: governance sets direction, risk assessment determines what to prioritize, and compliance proves that the prioritized work actually happened. When one breaks, the other two drift.
The GRC feedback loop
┌─────────────────────┐
│ GOVERNANCE │
│ │
│ Sets policies and │
│ makes decisions │
│ │
│ "All production │
│ data must be │
│ encrypted with │
│ customer-managed │
│ keys." │
└──────────┬──────────┘
│
Policies create
obligations
│
▼
┌─────────────────────┐ ┌─────────────────────┐
│ COMPLIANCE │ │ RISK │
│ │ │ │
│ Proves controls │ │ Identifies threats │
│ work with evidence │◄────────────│ and prioritizes │
│ │ Risk score │ what to address │
│ "Here is the IAM │ determines │ │
│ credential report,│ which │ "Unencrypted DB │
│ the Okta config, │ controls │ with PHI scores │
│ and the control │ to build │ 20. Missing │
│ narrative." │ first │ training scores │
│ │ │ 6. Encrypt first." │
└──────────┬──────────┘ └─────────────────────┘
│
Evidence feeds back
into governance
decisions
│
└──────────────────────────┐
│
▼
┌─────────────────────┐
│ FEEDBACK LOOP │
│ │
│ "3 of 12 access │
│ reviews were │
│ late. Should we │
│ change the │
│ cadence?" │
│ │
│ → Back to │
│ Governance │
└─────────────────────┘GRC is a continuous cycle, not three separate silos
The core idea
GRC is a feedback loop, not three separate silos. Governance decisions create compliance obligations. Risk scoring determines which obligations to address first. Compliance evidence feeds back into both risk assessments and governance decisions.
Step by step: how the cycle works
Step 1: Governance creates the obligation
The board decides: "All production databases must be encrypted with customer-managed keys." That decision becomes a written policy. The policy creates a compliance obligation: someone must now prove that this is happening.
┌──────────────────┬────────────────────────────────────────────────┐ │ Governance input │ Governance output │ ├──────────────────┼────────────────────────────────────────────────┤ │ Board discussion │ Encryption policy (approved, version- │ │ on data security │ controlled, with an effective date) │ ├──────────────────┼────────────────────────────────────────────────┤ │ Regulatory │ Data retention policy aligned with GDPR │ │ landscape review │ Article 5(1)(e) and CCPA right to delete │ ├──────────────────┼────────────────────────────────────────────────┤ │ Incident │ Updated incident response policy with │ │ post-mortem │ 4-hour SLA for severity-1 incidents │ └──────────────────┴────────────────────────────────────────────────┘
Governance artifacts: the decision trail
Step 2: Risk determines priority
You cannot implement every control at once. Risk assessment tells you which governance decisions to act on first.
┌──────────────────────────────────┬───────┬────────┬───────┬──────────┐ │ Risk │ L │ I │ Score │ Priority │ ├──────────────────────────────────┼───────┼────────┼───────┼──────────┤ │ Unencrypted PHI in production DB │ 4 │ 5 │ 20 │ Now │ │ No MFA on cloud console accounts │ 3 │ 4 │ 12 │ This Q │ │ Access reviews run manually │ 3 │ 3 │ 9 │ Next Q │ │ Missing security awareness train │ 3 │ 2 │ 6 │ Backlog │ └──────────────────────────────────┴───────┴────────┴───────┴──────────┘
Risk scoring drives the compliance roadmap
Step 3: Compliance proves it happened
For the highest-priority risk, the GRC Engineer builds the control and collects evidence. The encryption policy becomes a control narrative ("How we encrypt data at rest using AWS KMS with CMKs"), supported by evidence (KMS key configuration, RDS encryption status, CloudTrail logs showing key usage).
Step 4: Evidence feeds back
When the auditor's report shows that 3 of 12 access reviews were late, that evidence triggers a governance discussion: is the quarterly review cadence realistic, or does the policy need to change? When compliance data shows 100% MFA adoption, the risk register entry for credential theft gets re-scored downward. The loop continues.
What happens when the loop breaks
┌───────────────────────┬──────────────────────────────────────────────┐ │ Broken link │ What it looks like │ ├───────────────────────┼──────────────────────────────────────────────┤ │ Governance without │ The board writes policies disconnected from │ │ risk │ actual threats. You end up with a 40-page │ │ │ acceptable use policy but no encryption │ │ │ standard for the database storing PHI. │ ├───────────────────────┼──────────────────────────────────────────────┤ │ Risk without │ The security team identifies threats and │ │ compliance │ builds controls, but nobody can prove they │ │ │ work. The SOC 2 auditor asks for evidence │ │ │ and gets silence. │ ├───────────────────────┼──────────────────────────────────────────────┤ │ Compliance without │ The GRC team collects evidence for auditors, │ │ governance │ but nobody at leadership has decided what │ │ │ "good" looks like. You pass the audit but │ │ │ miss the risks that actually matter. │ └───────────────────────┴──────────────────────────────────────────────┘
Three ways the GRC loop fails
A real-world cycle in action
Here is the loop playing out over one quarter at a Series B SaaS company:
- Governance: The board approves an encryption-at-rest policy after a competitor suffers a breach.
- Risk: The GRC Engineer scores "unencrypted RDS instance with customer PII" at likelihood 4, impact 5 (score 20, critical). This moves to the top of the Q2 roadmap.
- Implementation: The platform team enables RDS encryption with a customer-managed KMS key and migrates existing data.
- Compliance: The GRC Engineer writes a control narrative, screenshots the RDS encryption configuration, and adds the KMS key policy to the evidence package.
- Feedback: The auditor reviews the evidence and flags that the KMS key rotation period is set to 365 days (should be 90 days). This feeds back to governance: the board updates the encryption policy to require 90-day key rotation.
- Risk re-assessment: With encryption in place, the risk score drops from 20 to 4 (likelihood 1, impact 4). The GRC Engineer moves to the next highest risk: missing MFA on cloud console accounts.
For the GRC Engineer
Your job sits at the center of this loop. You translate governance decisions into auditable controls, use risk data to prioritize which controls to build first, and feed compliance results back to leadership so they can make better decisions. That is the job.