Policy is created to control risk exposure. Failing to establish coherent and adequate policy drives risk. Classify your assets, test your systems, educate your employees - says the policy. Risk reduction through compliance.
And the other way round: ensure that design decisions are explicitly risk-based, says the policy. Compliance through risk management.
Can you see other ways in which the risk (manage potential consequences) and compliance (do as we're told) perspectives are interrelated?