How to tackle governance, risk, and compliance

Brad Fugitt, Pax8 Chief Information and Security Officer

We break down these concepts and discuss where to start.

The words “governance, risk, and compliance” (GRC) usually come packaged together and likely conjure up images of insurance agents and auditors. You might also think that these concepts only matter to large organizations and enterprises. But in fact, they’re crucial components to maintaining secure operations for businesses of every size – especially in today’s digital business world filled with cyber threats such as ransomware.

These three concepts are intrinsically connected and flow from each other. At their most simplified, you can think of them this way:

Governance: What your company does

Risk: The inherent risks based on what your company does

Compliance: The policies and controls your company should follow to mitigate those risks

Below, we’ll dive deeper into each of these concepts to discuss why they matter to your business and ways you can start to build them into your IT operations to improve security.

Governance

Proper governance ensures that day-to-day operations align with overarching business goals. This is achieved through policies and processes that coordinate and drive performance — ensuring that resources are functioning how they’re meant to function and are achieving what they’re meant to achieve.

In IT, governance is usually discussed in relation to technology resource management and data protection. This of course depends on what’s relevant to your specific organization. For example, as a cloud-only company, Pax8 doesn’t transfer hardware — so we don’t have any risks related to hardware transfers and don’t need to build policies for them.

Risk

Risks come in many forms across a business and are often interconnected and highly dependent on circumstances such as your industry, geographical location, and supply chain. A simple example: if your business is located in California, you are at a heightened earthquake risk with the potential for severe damage. Therefore, steps need to be taken to mitigate that risk; in this case, most likely through an insurance policy.

Risk mitigation often involves procedures such as a risk assessment, business impact analysis, and business continuity/disaster recovery (BC/DR) plan. When identifying and assessing risks, you need to consider:

– What is the risk?

– What is the likelihood of dealing with that risk? The potential damage of a risk might be high, but if the chance of it happening is extremely low, then it’s not a high priority for risk planning. For example, if your business is located in a year-round warm climate, you likely have less need to plan for the possible disruption of a snowstorm. However, in today’s cybersecurity landscape, nearly every business is at high risk for a ransomware attack and must plan accordingly to prevent and mitigate that threat.

– What is the potential impact or disruption that risk can cause? This can be financial, such as lost productivity, sales and revenue, or regulatory fines and penalties. It can also be intrinsic damage such as loss of brand reputation, customer trust, employee morale, or legal consequences.

Once you have defined a risk, you then need to look at it from several perspectives to ask yourself:

– Is that a risk that we can minimize or mitigate with planning? Some risks can be almost entirely prevented through proper solutions or planning, while others can at least be reduced to some extent.

– Can we transfer the risk? For example, by taking out an insurance policy or through partnership with another company?

– Can we accept that risk? This comes down to weighing the potential damage against your investment — for example, you wouldn’t bother to insure a $200 office chair (yes, even if it has adjustable lumbar support)! However, your business data is extremely valuable and, if stolen or held hostage, has the potential to cause severe disruption, so it’s worth investing upfront to properly protect your data with a comprehensive security and continuity stack.

The National Institute of Standards and Technology (NIST) has a Risk Management Framework (RMF) that provides a repeatable, measurable 7-step process you can use to manage your information security and privacy risk.

Compliance

Compliance entails developing and putting into practice guidelines, policies, and procedures to mitigate risk and meet legal and regulatory requirements. This is basically all about proving that you “walk the walk” and adhere to the processes you say that you will follow.

Measuring compliance often requires some form of external validation, usually in the form of audits and certifications. Achieving a third-party certification can boost client/prospect confidence in your brand. Certifications often entail an external auditing organization assessing your vulnerabilities and verifying your policies and procedures related to critical activities, technologies, and interdependencies.

Different certifications are more relevant to specific industries, but some examples include:

ISO/IEC 27001 – Standard published by the International Organization for Standardization for managing information security

ISO 9001 – Standard published by the International Organization for Standardization for quality management

CMMC Levels 1 to 5 – Cybersecurity Maturity Model Certification standards for the defense industry

FedRAMP – Federal Risk and Authorization Management Program that provides a government-approved approach to cybersecurity risk management for cloud products and services

Compliance has also become increasingly important when it comes to regulations. More and more companies of all sizes are now subject to data privacy and protection regulations — such as the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR) of the European Union.

Failing to meet relevant regulations can lead to serious fines and penalties. To help manage compliance for themselves and clients, MSPs can take advantage of cloud solutions such as HIPAA compliance software.

Understanding the big picture

Applying a GRC framework allows you to gain a holistic view of your operational landscape to better understand the interdependencies and cascading effects of different risks, policies, and processes throughout the organization. This helps you avoid communication silos, overcomplicated mitigation strategies, and competing or conflicting processes. It also helps you establish a standardized organizational vocabulary.

For smaller businesses trying to understand the bigger picture, a gap analysis can be a great starting point. A gap analysis compares existing operations and performance with your ideal state to identify areas for improvement. You can use a gap analysis to examine any area of the business — in IT, it’s commonly used to assess security posture.

A SWOT analysis is one well-known gap analysis tool that helps you identify the strengths, weaknesses, opportunities, and threats to your organization. For MSPs, the Cybersecurity Tech Accord has a 4-step gap analysis process that is an excellent template to help you and your clients develop a security roadmap to address security gaps everywhere, from endpoint and email security to password management and end user training.

Start somewhere (and we can help)

With so many frameworks, certifications, plans, and analysis templates out there related to GRC planning, it can be especially hard for smaller businesses to know where to start.

At Pax8, we recommend just starting somewhere. Find the lowest-hanging fruit of security gaps and identify ways to address them quickly, such as deploying multifactor authentication or an anti-phishing solution. You can continue to build on your security roadmap to layer in solutions, policies, and controls as you mature.

You’re not alone! Pax8 can talk you through guiding security principles and offer resources, such as security controls documentation and policy templates. Our Professional Services team offers security advisory sessions to provide advice on your security roadmap, budget, compliance and regulatory requirements, and more.

We also offer an 8-week instructor-led Security Foundations course in Pax8 Academy designed specifically to help MSPs assess their security posture, identify gaps, and develop an action plan. Remember — just start somewhere!
