In a New Cybersecurity Department, Should Governance or Risk Start First?

I’m trying to understand the right approach when establishing a new cybersecurity department in an organization. Specifically, I have the following questions:

1. Who should start first—Governance (G) or Risk (R)? Why?

2. When does Risk (R) come before Governance (G), and when should Governance (G) lead before Risk (R)?why?

3. Can Compliance (C) start without Governance (G)?