How do Governance and Risk Management relate in the cybersecurity domains?

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test. Gain confidence with multiple choice questions and clear explanations. Ace your exam!

Multiple Choice

How do Governance and Risk Management relate in the cybersecurity domains?

Explanation:
The relationship hinges on direction versus execution. Governance sets the strategic direction for cybersecurity: policies, objectives, oversight, and the organization's risk appetite. Risk management operates within that framework, focusing on what needs protection (the assets), identifying threats and vulnerabilities, assessing risk, and continuously monitoring controls and residual risk. In a cybersecurity program, governance defines what success looks like at the leadership level and how much risk the organization is willing to accept, while risk management translates that into actionable work: inventorying assets, evaluating risk, selecting controls, and tracking outcomes. Governance oversight and strategic guidance are therefore the driver, and risk management handles identification, assessment, and monitoring to keep the program within the defined risk posture. The other descriptions misplace the roles (treating the two as the same, assigning governance to operations, or confining risk management to compliance alone) and so fail to capture how governance guides and risk management executes within that guidance.

