2.5 Governance, Risk, and Compliance

Key Takeaways

  • Governance, risk, and compliance (GRC) is a structured set of practices for setting policy, making risk decisions, and meeting obligations.
  • Governance defines rules, accountability, and direction for security and compliance activities.
  • Risk management identifies, assesses, responds to, and monitors threats or events that can affect objectives.
  • Compliance means adhering to applicable laws, regulations, standards, and internal policies.
Last updated: May 2026

GRC turns obligations and risk into a managed program

Governance, Risk, and Compliance, or GRC, is a set of practices organizations use to manage rules, risk decisions, and obligations in a structured way. Microsoft Learn frames GRC as an integrated approach that combines policies, operational processes, and technologies. For SC-900, the key is to distinguish the three words, then recognize which Microsoft compliance capabilities help operationalize them.

Governance is the system of rules, practices, and processes an organization uses to direct and control activity. In a security context, governance can include data classification policies, identity and access standards, privileged access approval processes, control ownership, and security strategy direction. Governance answers who decides, what rules apply, and who is accountable.

GRC term          Exam-safe meaning                                        Common cue
Governance        Rules, accountability, policies, and control direction   Define policy or assign ownership.
Risk              Identify, assess, respond to, and monitor threats        Prioritize likelihood and impact.
Compliance        Meet laws, regulations, standards, and policies          Demonstrate adherence or evidence.
Data residency    Where data is physically stored                          Location of storage and transfer.
Data sovereignty  Laws tied to the jurisdiction of the data                Country or region legal authority.
Data privacy      Proper handling of personal data                         Consent, rights, use, and protection.

Risk management is the process of identifying, assessing, responding to, and monitoring threats or events that can negatively affect objectives or trust. The goal is not to eliminate every possible risk. The goal is to understand risks well enough to make informed decisions, such as accepting, mitigating, transferring, or avoiding a risk.

Compliance means adhering to applicable laws, regulations, standards, and policies. Microsoft Learn also makes an important distinction: compliance is not identical to security. Compliance can define minimum requirements, while security is broader and covers the processes, technologies, and practices that protect systems and data from threats.

SC-900 also includes data residency, data sovereignty, and data privacy under security and compliance concepts. Data residency concerns the physical locations where data is stored and how it may be transferred or accessed. Data sovereignty concerns the laws and regulations of the country or region where data is collected, held, or processed. Data privacy concerns appropriate handling of personal data.

Exam scenario cues

  • If the question asks about rules and accountability, think governance.

  • If it asks about likelihood, impact, or response choices, think risk.

  • If it asks about laws, standards, audits, or required evidence, think compliance.

  • If it asks about personal data rights or handling, think privacy.

GRC appears again in Microsoft Purview chapters because Purview, Compliance Manager, labels, DLP, retention, eDiscovery, audit, and insider risk management are compliance-domain capabilities. In Domain 1, focus on vocabulary. Later, focus on product selection. A candidate who can define GRC clearly will be less likely to confuse a risk scenario with an identity or threat-detection scenario.

Test Your Knowledge

  • Which GRC term is most directly about rules, accountability, policies, and control direction?

  • Which risk-management sequence is most consistent with the Microsoft Learn framing?

  • Which concept concerns the physical locations where data is stored and where transfer rules may apply?