Can you? Absolutely. Risk and compliance are very rarely in conflict. (No *good* examples come to mind...) The entire GRC model created by Michael Rasmussen when he was an analyst at Forrester presumes that compliance is addressed first, and any additional safeguards necessary to protect data assets are then reviewed and applied according to the probability and impact of adverse events affecting the data assets. This is the definition of risk management. Therefore, compliance is addressed first, and any additional measures necessary to protect data – risk management – are applied.
Where are the biggest stresses and strains in the governance, risk and compliance balancing act?
By far – Governance. It's one thing to get your systems compliant, appropriately risk managed, and ready for operations on day one. However, managing day to operations and beyond is extremely difficult. Mature organizations and excellent leadership implement compliance and security hygiene processes, often called entity level controls, and communicate their importance throughout the organization. When this is done well, projects default to security-first and compliance-first postures. The result? Security and compliance are implemented throughout the development and deployment of new systems, becoming part of the solution instead of part of the problem when it's time to go into production.
Do you have any advice on “getting it right”?
You simply cannot manage what you cannot see. Visibility into the inner workings of the workloads and infrastructure the provides insight into your compliance configuration and potential vulnerability exposures is a necessary input for governance processes to manage security and compliance.