
Governance, Risk, and Compliance. Sounds official. Sounds structured. Sounds like you’ve got everything under control. But what if you’ve really just got the “R” and the “C” duct-taped together while governance is off somewhere on vacation? This episode breaks down why governance isn’t just policies, committees, or fancy tools—it’s the backbone that makes risk management and compliance actually work. If you’ve ever said, “We’re doing security,” but can’t quite prove who decided what, who owns it, or whether it actually got done… this one’s for you.
In this episode: Do You GRC or Just RC? – Ep 550
Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.
Do You GRC or Just RC?
Donna’s 3 Rules of Security are joined by Donna’s 3 Questions of Governance
- Who decides?
- Who owns it?
- How do we know it got done?
If you can’t answer those three questions in your organization, you don’t have governance. You have activity.
Security is operational. Governance is structural.
The G in GRC
- Governance, Risk, Compliance
- The order matters
- Governance sets decision rights and accountability
- Risk operates within that structure
- Compliance measures alignment
- Without governance, risk and compliance become reactive
Governance vs Activity
- Policies alone are not governance
- Committees alone are not governance
- IT tools alone are not governance
- Governance requires defined decision authority, ownership, and reporting
HIPAA as a Governance Framework
- Assigned Security Official requirement
- Risk analysis and ongoing risk management
- Periodic evaluation
- Sanctions and training
- HIPAA assumes structured accountability
- The Security Rule focuses more on governance than technology
Red Flags the G Is Missing
- Risk acceptance undocumented
- No defined risk tolerance
- Remediation items without ownership
- Leadership unaware of actual risk posture
- Security treated as an IT silo
Bringing It Back Around
- Who formally approves risk acceptance?
- Where is that documented?
- How often is risk reported upward?
Can you clearly answer Donna’s 3 Questions of Governance?
- Who decides?
- Who owns it?
- How do we know it got done?
If you can’t answer those three questions in your organization, you don’t have governance. You have activity.
At the end of the day, security isn’t about activity — it’s about accountability. You can run vulnerability scans all day long and still miss the real problem. If no one formally approves risk acceptance, if remediation items don’t have owners, and if you can’t prove what was done and when, then you don’t have GRC… you just have motion. Real GRC means leadership understands the organization’s actual risk posture, decisions are documented, ownership is clear, and proof exists before anyone asks for it. Otherwise, you’re one lost laptop, failed audit, or awkward board meeting away from realizing that “we thought we were doing that” isn’t a strategy. Governance isn’t extra. It’s first for a reason.


