
The 3 Pillars of GRC

Governance, Risk, and Compliance are the three foundational pillars that support an organization's ability to achieve objectives, manage uncertainty, and meet stakeholder expectations. Understanding how each pillar functions, and how they interconnect, is essential for building a robust GRC program.

Key Takeaways

Pillar | Core function | Key activities
Governance | Provides direction and oversight | Strategy setting, policy creation, accountability structures, performance monitoring
Risk Management | Identifies and addresses threats | Risk identification, assessment, treatment, monitoring
Compliance | Ensures adherence to requirements | Regulatory mapping, control implementation, evidence collection, audit management

Quick Answer: The three pillars of GRC are Governance (setting direction and ensuring accountability), Risk Management (identifying and addressing threats), and Compliance (meeting regulatory and contractual requirements). Together, they form an integrated framework for managing organizational challenges.

Pillar 1: Governance

Governance establishes the framework within which an organization operates. It defines who has authority, how decisions are made, and what standards must be followed.

What governance covers

Strategic direction. Governance ensures that security and compliance efforts align with business objectives. This means understanding what the business is trying to achieve and making sure GRC activities support those goals.

Organizational structure. Clear roles and responsibilities are essential. Governance defines who owns security decisions, who manages day-to-day operations, and who has oversight authority.

Policies and standards. Written policies translate organizational values and requirements into actionable rules. They cover everything from acceptable use of systems to incident response procedures.

Accountability mechanisms. Governance establishes how performance is measured, how deviations are addressed, and how improvements are implemented.

Governance in practice

For a startup pursuing SOC 2, governance might include:

  • A founder or CTO taking formal responsibility for security
  • Core policies covering access management, data handling, and incident response
  • Monthly leadership review of security metrics and compliance status
  • Clear escalation paths for security issues

For a company pursuing ISO 27001, governance requirements are more explicit:

  • Documented Information Security Management System (ISMS) scope and objectives
  • Management commitment demonstrated through resource allocation and regular review
  • Information security policy approved by leadership
  • Defined roles for ISMS operation and maintenance

Key governance documents

Document | Purpose | Update frequency
Information security policy | Sets overall security direction and principles | Annual
Acceptable use policy | Defines appropriate use of company resources | Annual
Data classification policy | Establishes data handling requirements | Annual
Risk management policy | Defines risk assessment and treatment approach | Annual
Incident response plan | Outlines procedures for security incidents | Annual or after incidents
Business continuity plan | Ensures operations continue during disruptions | Annual, with testing

Governance challenges

Lack of executive engagement. When leadership treats security as purely a technical concern, governance structures lack authority and resources.

Policy proliferation. Too many policies create confusion and reduce compliance. Focus on essential policies that are actually enforced.

Governance theater. Creating governance structures without real authority or accountability provides false assurance.

Pillar 2: Risk Management

Risk management is the systematic process of identifying, analyzing, and responding to risks that could affect the organization's objectives.

The risk management process

1. Risk identification

Identify potential threats and vulnerabilities across your environment:

  • External threats: cyber attacks, regulatory changes, market disruptions
  • Internal threats: employee errors, system failures, process breakdowns
  • Third-party risks: vendor failures, supply chain compromises
  • Emerging risks: new technologies, changing threat landscape

2. Risk assessment

Evaluate each risk based on likelihood and impact:

  • Likelihood. How probable is this risk materializing? Consider threat capabilities, vulnerability exposure, and existing controls.
  • Impact. What would be the consequence? Consider financial loss, reputational damage, regulatory penalties, and operational disruption.
  • Risk level. Combine likelihood and impact to determine overall risk level, typically using a matrix or scoring system.

Impact ↓ / Likelihood → | Low | Medium | High
High | Medium | High | Critical
Medium | Low | Medium | High
Low | Low | Low | Medium

3. Risk treatment

Decide how to handle each risk:

  • Mitigate. Implement controls to reduce likelihood or impact. Most common approach for manageable risks.
  • Transfer. Shift risk to another party through insurance or contracts. Useful for high-impact, low-likelihood risks.
  • Accept. Acknowledge the risk without action. Appropriate for low-level risks or those with prohibitive mitigation costs.
  • Avoid. Eliminate the risk by stopping the activity. Sometimes the right choice for risks that exceed risk appetite.

4. Risk monitoring

Continuously track risks and control effectiveness:

  • Regular risk register reviews (monthly or quarterly)
  • Control testing and validation
  • Metrics tracking (key risk indicators)
  • Emerging risk identification

Risk management for compliance frameworks

Different frameworks have specific risk management requirements:

Framework | Risk requirement | Documentation
SOC 2 | Risk assessment covering the Trust Services Criteria | Risk assessment documentation, risk register
ISO 27001 | Formal risk assessment methodology, risk treatment plan | Risk assessment report, Statement of Applicability
GDPR | Data Protection Impact Assessments for high-risk processing | DPIA documentation
DORA | ICT risk management framework | ICT risk management policy, risk assessments

Building a risk register

A risk register is the central document tracking identified risks:

Field | Description
Risk ID | Unique identifier
Risk description | Clear statement of the risk
Risk category | Classification (cyber, operational, compliance, etc.)
Likelihood | Probability rating
Impact | Consequence rating
Inherent risk | Risk level before controls
Controls | Mitigating measures in place
Residual risk | Risk level after controls
Risk owner | Person accountable for managing the risk
Treatment plan | Actions to further reduce risk
Review date | When to reassess
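The matrix from the risk assessment step and the register fields above can be combined into a small working register. The following is an added example, not the article's or Bastion's code: it encodes the article's 3x3 likelihood/impact matrix, derives inherent and residual risk for each entry, compares residual risk against a risk appetite, orders entries for treatment, and flags entries whose review date has passed. The sample risks, the owners and dates, and the assumption that each control lowers the likelihood or impact rating by a whole number of levels are constructed for illustration.

```python
"""Risk register scoring built on the 3x3 likelihood/impact matrix.
Added example, not the article's or Bastion's code. Field names mirror the
register fields listed in the article; the sample risks and the way each
control lowers a rating are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import date

# Ordered rating scale shared by likelihood and impact (Low < Medium < High).
LEVELS = ("Low", "Medium", "High")

# The article's matrix: RISK_MATRIX[impact][likelihood] -> overall risk level.
RISK_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}
# Numeric order so risk levels can be compared against a risk appetite.
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def rate(likelihood: str, impact: str) -> str:
    """Look up the overall risk level; rejects ratings outside the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}: {likelihood!r}, {impact!r}")
    return RISK_MATRIX[impact][likelihood]


@dataclass
class Control:
    """A mitigating measure. Assumption: each control lowers the likelihood
    and/or impact rating by a whole number of levels (0, 1 or 2)."""
    name: str
    lowers_likelihood: int = 0
    lowers_impact: int = 0


@dataclass
class Risk:
    """One register entry; fields follow the article's risk register table."""
    risk_id: str
    description: str
    category: str
    likelihood: str          # inherent likelihood rating
    impact: str              # inherent impact rating
    owner: str
    review_date: date
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> str:
        """Risk level before any controls are applied."""
        return rate(self.likelihood, self.impact)

    def residual_ratings(self) -> tuple:
        """Likelihood and impact after controls, never dropping below Low."""
        li = LEVELS.index(self.likelihood) - sum(c.lowers_likelihood for c in self.controls)
        ii = LEVELS.index(self.impact) - sum(c.lowers_impact for c in self.controls)
        return LEVELS[max(li, 0)], LEVELS[max(ii, 0)]

    def residual_risk(self) -> str:
        """Risk level after controls."""
        return rate(*self.residual_ratings())


def needs_treatment(risk: Risk, appetite: str = "Medium") -> bool:
    """True when residual risk still exceeds the stated risk appetite."""
    return RISK_ORDER[risk.residual_risk()] > RISK_ORDER[appetite]


def overdue_reviews(register: list, today: date) -> list:
    """IDs of entries whose review date has passed (the monitoring step)."""
    return [r.risk_id for r in register if r.review_date < today]


def prioritise(register: list) -> list:
    """IDs ordered highest residual risk first, ties broken by ID."""
    ordered = sorted(register, key=lambda r: (-RISK_ORDER[r.residual_risk()], r.risk_id))
    return [r.risk_id for r in ordered]


def sample_register() -> list:
    """Constructed sample entries, not real findings."""
    return [
        Risk("R-001", "Compromised administrator credentials", "cyber", "High", "High",
             "CTO", date(2025, 9, 30),
             [Control("MFA on all admin accounts", lowers_likelihood=1),
              Control("Quarterly access reviews", lowers_likelihood=1)]),
        Risk("R-002", "Payment processor outage", "third-party", "Medium", "High",
             "COO", date(2025, 12, 31),
             [Control("Contractual SLA with service credits", lowers_impact=1)]),
        Risk("R-003", "Unpatched production servers", "cyber", "High", "Medium",
             "Head of Engineering", date(2025, 3, 31)),
    ]


if __name__ == "__main__":
    register = {r.risk_id: r for r in sample_register()}
    today = date(2025, 6, 1)  # constructed "today" for the review check
    for rid in prioritise(list(register.values())):
        r = register[rid]
        print(rid, r.inherent_risk(), "->", r.residual_risk(),
              "TREAT" if needs_treatment(r) else "accept")
    print("overdue reviews:", overdue_reviews(list(register.values()), today))
```

Run as-is, the script lists R-003 first (residual High, above a Medium appetite, so it needs treatment) and reports its review as overdue, while R-001 drops from Critical to Medium once MFA and access reviews are counted. The point of keeping inherent and residual risk as separate computed values is that the register then shows how much each control actually buys, which is what a reviewer or auditor will ask.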

Risk management challenges

Analysis paralysis. Spending too much time on risk assessment without taking action. Focus on top risks and iterate.

Risk theater. Creating impressive risk documentation without genuine analysis or follow-through.

Optimism bias. Underestimating likelihood because "it won't happen to us." Use industry data and incident reports for calibration.

Static assessments. Treating risk assessment as an annual exercise rather than an ongoing process.

Pillar 3: Compliance

Compliance ensures that the organization meets its obligations, whether from regulations, contracts, or internal standards.

Types of compliance requirements

Regulatory compliance

Laws and regulations that apply based on your industry, location, or activities:

  • GDPR for processing EU personal data
  • HIPAA for handling US health information
  • CCPA for California consumer data
  • NIS 2 for essential and important entities in the EU
  • DORA for EU financial entities

Certification compliance

Voluntary standards that demonstrate security maturity to customers and partners.

Contractual compliance

Security requirements specified in customer contracts and service agreements, often referencing industry frameworks or specific controls.

Internal compliance

Adherence to the organization's own policies and standards.

The compliance management process

1. Identify requirements

Map all applicable compliance requirements:

  • Which regulations apply based on data types, locations, and activities?
  • What certifications do customers require?
  • What contractual security obligations exist?
  • What internal policies must be followed?

2. Gap analysis

Compare current practices against requirements:

  • What controls are already in place?
  • Where are gaps between requirements and reality?
  • What is the priority for addressing gaps?

3. Implement controls

Deploy necessary measures to meet requirements:

  • Technical controls (encryption, access management, monitoring)
  • Administrative controls (policies, procedures, training)
  • Physical controls (facility security, device management)

4. Collect evidence

Document that controls are implemented and operating:

  • Configuration screenshots
  • Log extracts
  • Policy acknowledgments
  • Training records
  • Access reviews

5. Audit and validation

Verify compliance through internal and external assessment:

  • Internal audits testing control effectiveness
  • External audits for certifications
  • Regulatory examinations where applicable

6. Maintain and improve

Keep compliance current as requirements and operations change:

  • Track regulatory updates
  • Review controls when systems change
  • Address findings from audits and incidents

Compliance framework mapping

Many requirements overlap across frameworks. Efficient compliance programs map controls to multiple requirements:

Control | SOC 2 | ISO 27001 | GDPR | NIS 2
Access reviews | CC6.1 | A.9.2.5 | Art. 32 | Art. 21
Encryption at rest | CC6.7 | A.10.1.1 | Art. 32 | Art. 21
Incident response | CC7.4 | A.16.1 | Art. 33-34 | Art. 23
Vendor management | CC9.2 | A.15.1 | Art. 28 | Art. 21
Security training | CC1.4 | A.7.2.2 | Art. 39 | Art. 20

This mapping allows a single control to satisfy multiple frameworks, reducing duplicated effort.

Compliance challenges

Framework fatigue. Managing multiple frameworks with different requirements, terminology, and audit schedules.

Evidence sprawl. Collecting and organizing evidence across many systems and time periods.

Audit crunch. Scrambling before audits rather than maintaining continuous compliance.

Checkbox compliance. Meeting technical requirements without improving actual security.

How the pillars integrate

The three pillars work together as an interconnected system:

Governance drives risk and compliance

  • Governance sets the organization's risk appetite, guiding how risks are evaluated and treated
  • Governance establishes compliance objectives, determining which frameworks to pursue
  • Governance provides resources for risk management and compliance activities
  • Governance reviews risk and compliance status to ensure objectives are met

Risk informs governance and compliance

  • Risk assessments identify where governance attention is needed
  • Risk priorities guide compliance investments
  • Risk monitoring reveals whether controls are effective
  • Emerging risks may trigger governance or compliance changes

Compliance validates governance and risk

  • Compliance evidence demonstrates that governance directives are followed
  • Audit findings reveal governance gaps or risk blind spots
  • Regulatory changes inform governance updates and risk assessments
  • Compliance requirements help define risk criteria

Integration in practice

Consider a scenario where a startup wants to pursue enterprise customers:

  1. Governance decision. Leadership decides to pursue SOC 2 certification to enable enterprise sales.
  2. Risk assessment. The security team conducts a risk assessment covering the Trust Services Criteria, identifying gaps in access management and incident response.
  3. Compliance action. Controls are implemented to address gaps, including access reviews, MFA enforcement, and incident response procedures.
  4. Governance monitoring. Leadership tracks progress toward certification and reviews security metrics monthly.
  5. Risk update. As controls mature, residual risks decrease, and the risk register is updated.
  6. Compliance validation. An external auditor validates controls, issuing a SOC 2 Type 2 report.

Each pillar reinforces the others throughout the process.

Building integrated GRC

Start with clear ownership

Designate someone responsible for GRC coordination. For small teams, this might be part of a broader role. For larger organizations, consider a dedicated GRC function.

Use a unified framework

Adopt a framework that addresses all three pillars, such as:

  • COBIT for IT governance
  • ISO 27001 for information security management
  • NIST Cybersecurity Framework for risk-based security

Implement common processes

Create consistent processes across pillars:

  • Regular risk and compliance reviews
  • Unified policy management
  • Integrated reporting to leadership
  • Combined evidence collection

Choose enabling tools

Select GRC tools that support all three pillars rather than siloed point solutions. Look for platforms that provide policy management, risk registers, compliance mapping, and audit support in one place.

Measure integration

Track metrics that span pillars:

  • Policy compliance rates (governance + compliance)
  • Risk treatment completion (risk + governance)
  • Control effectiveness (risk + compliance)
  • Audit finding trends (all three)

How Bastion helps

Bastion takes an integrated approach to GRC for startups and SMBs:

  • Unified platform. Our GRC platform manages policies, risks, and compliance evidence in one place.
  • Expert guidance. A dedicated security engineer helps you build governance structures, conduct risk assessments, and achieve compliance.
  • Multi-framework support. We map controls across SOC 2, ISO 27001, GDPR, and other frameworks to maximize efficiency.
  • Practical implementation. We focus on what matters for your business, not bureaucratic checkbox exercises.
