2.5 Governance, Risk, and Compliance

Key Takeaways

  • Governance, Risk, and Compliance (GRC) is an integrated set of practices combining policies, processes, and technology to manage rules, risk decisions, and obligations.
  • Governance defines the rules, accountability, ownership, and direction; risk management identifies, assesses, responds to, and monitors threats; compliance means meeting laws, regulations, standards, and internal policies.
  • Risk responses are accept, mitigate, transfer, or avoid — the goal is informed decisions, not eliminating every risk.
  • Compliance is not the same as security: compliance often defines minimum requirements, while security is the broader set of practices that protect systems and data.
  • Data residency = where data is physically stored; data sovereignty = the laws of the jurisdiction governing that data; data privacy = proper handling of personal data (consent, rights, use).
Last updated: June 2026

GRC turns obligations and risk into a managed program

Governance, Risk, and Compliance (GRC) is an integrated approach that combines policies, operational processes, and technologies so an organization can manage its rules, risk decisions, and obligations in a structured way rather than ad hoc. For SC-900, the essential skill is to distinguish the three words and then recognize which Microsoft capabilities (covered later under Microsoft Purview) help operationalize each.

Governance is the system of rules, practices, and processes an organization uses to direct and control its activities. In a security context, governance includes data-classification policies, identity and access standards, privileged-access approval processes, control ownership, and the overall security strategy. Governance answers three questions: who decides, what rules apply, and who is accountable. If a scenario is about defining a policy, setting standards, or assigning ownership and accountability, the cue is governance.

The three GRC terms at a glance

Term | Plain meaning | Exam cue
---- | ------------- | --------
Governance | Rules, policies, accountability, and control direction | 'Define a policy' / 'assign ownership'
Risk | Identify, assess, respond to, and monitor threats | 'Weigh likelihood and impact' / 'decide a response'
Compliance | Meet laws, regulations, standards, and internal policies | 'Demonstrate adherence' / 'provide audit evidence'

Risk management and the compliance distinction

Risk management is the process of identifying, assessing, responding to, and monitoring threats or events that could negatively affect objectives or trust. Microsoft frames it as a continuous cycle: identify risks, assess their likelihood and impact, respond, then monitor over time. The goal is not to eliminate every possible risk — that is impossible — but to understand risks well enough to make informed decisions. The four classic risk responses are:

  • Accept — tolerate a low or unavoidable risk.
  • Mitigate — reduce likelihood or impact with controls.
  • Transfer — shift the risk to a third party (for example, insurance).
  • Avoid — stop the activity that creates the risk.

Compliance means adhering to applicable laws, regulations, standards, and internal policies. A subtle but tested point from Microsoft Learn: compliance is not the same as security. Compliance often defines minimum requirements an organization must meet, while security is the broader set of processes, technologies, and practices that protect systems and data from threats. An organization can be compliant on paper yet still insecure if it does only the minimum — and the reverse is also possible. Treat them as overlapping but distinct.

Reasoning through GRC scenarios

  • Rules and accountability -> governance.
  • Likelihood, impact, or a response choice (accept/mitigate/transfer/avoid) -> risk.
  • Laws, standards, audits, or required evidence -> compliance.

Residency, sovereignty, and privacy

SC-900 places three related data concepts under security and compliance. They sound similar and are deliberately mixed in distractors, so define each precisely:

Concept | What it concerns | Memory hook
------- | ---------------- | -----------
Data residency | The physical location where data is stored, and rules about transferring it | 'Where the data lives'
Data sovereignty | The laws and regulations of the jurisdiction where data is collected, held, or processed | 'Whose laws apply'
Data privacy | Proper handling of personal data: consent, rights, use, and protection | 'How personal data is treated'

Data residency is about geography: an organization may be required to keep customer data within a specific country or region, which affects where it is stored, transferred, processed, or accessed. Data sovereignty goes further than location — even data stored in a given country is subject to that country's laws and may be accessible to its authorities, so the legal jurisdiction matters. Data privacy is about the appropriate handling of personal data: obtaining consent, honoring individuals' rights, limiting use, and protecting the data. A privacy regulation such as GDPR drives many of these requirements.

Where GRC reappears

These concepts return in the Microsoft Purview chapters, because Compliance Manager, sensitivity labels, data loss prevention (DLP), retention, eDiscovery, audit, insider risk management, and Microsoft Priva are the compliance-domain capabilities that operationalize GRC. In Domain 1 your job is to nail the vocabulary; later you select the right product. A candidate who can cleanly define governance, risk, compliance, residency, sovereignty, and privacy is far less likely to confuse a risk-decision scenario with an identity or threat-detection scenario on the exam.

How the three GRC pieces interact

The three components are not independent silos; they form a cycle. Governance sets the rules and accountability that define an organization's risk appetite and required controls. Risk management operates within that governance to identify what could go wrong, assess it, and choose a response (accept, mitigate, transfer, avoid). Compliance then verifies — often with audit evidence — that the controls demanded by governance and risk decisions actually satisfy applicable laws, regulations, and standards. A simple way to remember the flow: governance sets direction, risk makes informed decisions, and compliance proves adherence.

A final exam reminder: regulations and standards (such as GDPR for privacy, or industry frameworks) are external drivers of compliance, while policies are internal rules set by governance. When a question references a specific law or audit requirement, lean toward compliance; when it references an organization's own policy and accountability structure, lean toward governance. Holding these flows in mind keeps the three terms from blurring together under exam pressure.

Test Your Knowledge

Which GRC component is concerned with identifying, assessing, responding to, and monitoring threats that could affect organizational objectives?

A regulation requires that a company's customer data be physically stored only within the European Union. Which concept does this requirement describe?

According to Microsoft Learn, which statement about compliance and security is correct?

Defining a data-classification policy and assigning ownership and accountability for controls is primarily an example of which GRC component?