Organizations operating in today’s volatile, hyperconnected digital landscape must evolve beyond traditional Governance, Risk, and Compliance (GRC) practices. While GRC was designed for an industrial-age environment with slower change, the Digital Value Management System (DVMS)—as outlined in Thriving on the Edge of Chaos—offers a modern alternative built around Governance, Resilience, and Assurance (GRA). This evolution enables organizations to adapt, respond, and grow in dynamic conditions while continually delivering digital business value.
Rethinking the Purpose of Governance
Traditional GRC:
Governance in the GRC model tends to be compliance-centric and policy-bound, often focused on box-checking activities that ensure conformity with regulatory and internal standards. Risk is managed reactively, and compliance is typically the end goal.
DVMS Approach to Governance:
The DVMS reframes governance as a strategic enabler—coordinating decision rights, capabilities, and performance monitoring that align stakeholders across the Create, Protect, and Deliver (CPD) value lifecycle. Rather than a siloed function, governance is embedded into the organizational fabric, guiding action through intentional design and iteration. It enables informed, distributed decision-making and adaptability over rigidity, focusing on enabling value rather than preventing failure.
Resilience as a Core Competency
Traditional GRC:
Risk in the GRC model is often managed through static frameworks, focusing on risk avoidance or transfer, using assessments and controls that may quickly become outdated. This approach assumes a relatively predictable world.
DVMS Approach to Resilience:
The DVMS replaces this outdated risk posture with organizational resilience—the ability to adapt to, recover from, and even capitalize on disruption. It recognizes that uncertainty is not an exception but the norm. Resilience is developed through cyclical learning, capability development, and real-time sensing rather than static policies. It is about surviving shocks and continuously evolving in response to complexity and change.
DVMS builds resilience through the Minimum Viable Competencies (MVC). This flexible overlay helps identify and close gaps in the organizational capacity to generate value safely and reliably, even under stress. This creates an organization that can Thrive on the Edge of Chaos rather than merely survive in stable conditions.
Assurance in a Complex World
Traditional GRC:
Compliance dominates the “C” in GRC. It is often backward-looking and audit-driven—focused on what went wrong and whether policies were followed, not whether value was protected or created.
DVMS Approach to Assurance:
In the DVMS, assurance is a forward-looking, trust-building mechanism. It is grounded in transparency, evidence, and continual validation of whether digital business value is being created, protected, and delivered. Assurance supports internal and external trust, not just regulatory compliance.
DVMS encourages organizations to move from periodic, externally driven audits toward internal mechanisms of verification, monitoring, and feedback loops that support continuous improvement. It ensures stakeholders at all levels have confidence that the system is functioning as intended—even under conditions of volatility and ambiguity.
Integrated Learning and Adaptation
At its core, the DVMS is an adaptive system that enables learning across three domains:
- Technical (work-as-done): ensuring the organization can technically execute its value streams.
- Socio-technical (work-as-imagined): aligning teams, goals, and decisions with strategic intent.
- Contextual (work-as-improvised): adapting to conditions in real time.
This learning feeds into governance, fuels resilience, and strengthens assurance mechanisms. Unlike GRC’s reactive posture, DVMS helps organizations become proactive, generative, and self-correcting.
A Holistic, Value-Driven Architecture
The DVMS positions digital business value as the central organizing principle, not compliance. Organizations use the CPD value lifecycle to manage how value is Created, Protected, and Delivered across interconnected systems. This architecture provides the structure for:
- Governance to align and optimize flow.
- Resilience to maintain and evolve capability.
- Assurance to build trust through evidence and transparency.
It replaces GRC’s static control mindset with a dynamic, feedback-rich system that prioritizes learning, agility, and value co-creation.
Conclusion: Building Trust at Digital Speed
The move from GRC to GRA is not a superficial change in terminology; it is a paradigm shift. In a world where disruption is normal and certainty is fleeting, DVMS provides the mechanisms to build trust at digital speed. It enables organizations to embed governance into the flow, harden resilience into capability, and evolve assurance into confidence.
In doing so, DVMS equips organizations to meet compliance requirements and to lead, adapt, and thrive in the digital economy.
About the Author
Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
DVMS Institute is a renowned provider of accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.
The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.
By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience, a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2, etc.).
® DVMS Institute 2024 All Rights Reserved