Sometimes you find gems in documentation that is not directly related to what you expect to find there.
The SQL Server 2008 Compliance Guide is quite old by now, but it is still filled with lots of good stuff, including a simple definition of the difference between the following three terms:
- risk management is knowing what risks you are taking with the data
- governance means the actions you take to prevent, or at least mitigate, those risks
- compliance is the control, or double-check, that this governance work is actually performed