Beyond GRC – How Strategy-Risk Enables Resilience in the Age of Digital Trust

David Nichols – Co-Founder of the DVMS Institute

In a world of constant change, an organization’s ability to pivot, adapt, and recover isn’t just an asset—it’s a requirement. Yet too many organizations remain rooted in the Governance, Risk, and Compliance (GRC) paradigm, which was built for a slower, more static environment. While GRC helped ensure regulatory conformity and mitigate well-understood risks, it is increasingly ill-suited to the volatile, hyperconnected environments that characterize today’s dynamic digital economy.

Let’s examine the Digital Value Management System (DVMS), a dynamic, outcomes-driven approach introduced in our book, Thriving on the Edge of Chaos. It replaces the static control posture of GRC with an approach based on Governance, Resilience, and Assurance (GRA). At the heart of this evolution lies a critical insight: strategy-risk does not replace traditional risk—it recontextualizes it, unlocking resilience as both a capability and an outcome.

Let’s unpack what this means—and why it matters now more than ever.

GRC and Its Limits: A System of Retrospective Control

The GRC model was born out of necessity during the compliance-heavy era of industrial regulation. It focused on centralized control, standardized assessments, and periodic audits. Its pillars were:

  • Governance: Asserting authority through rules and policies
  • Risk: Identifying and mitigating threats to compliance
  • Compliance: Demonstrating conformity through documentation and reporting

While regulatory compliance is still essential, Governance, Risk, and Compliance often approach risk as something to be avoided or transferred. This retrospective viewpoint does not adequately prepare organizations for the increasing complexity and uncertainty of the digital age.

As discussed in my LinkedIn article, “From GRC to GRA,” GRC’s approach to governance is often centered on compliance and bound by policies, frequently focusing on mere box-checking activities. However, compliance alone does not guarantee cybersecurity. If it did, we wouldn’t have a publication called “Cybersecurity Breach Today.”

Strategy-Risk: A Forward-Looking Pivot Point

Our concept of strategy-risk recognizes that every progressive organization takes risks, as strategy inherently involves making bets on an uncertain future. Instead of viewing risk merely as a hazard, DVMS sees it as a vital part of innovation that must be embraced, monitored, and adjusted continuously.

In “Thriving on the Edge of Chaos,” this idea is referred to as evolutionary resilience: the capability to not only respond to change but also to learn from it and transform through it.

While traditional risk management focuses on avoiding failure, strategy-risk management encourages organizations to tolerate and learn from failure, treating it as a valuable feedback mechanism. This approach is not a substitute for risk analysis; rather, it enhances understanding of risk’s value and role within a dynamic system.

Resilience: The Missing Capability in GRC

Resilience involves not just recovery but also anticipation and adaptation. This is a key theme of the DVMS approach, as emphasized in the “Fundamentals of Adopting the NIST Cybersecurity Framework, 2nd Edition.” In this book, we introduce the Minimum Viable Capabilities (MVC) concept, which is an overlay for assessing and enhancing an organization’s ability to Create, Protect, and Deliver (CPD) digital business value.

While Governance, Risk, and Compliance asks, “Are we in compliance?” Governance, Resilience, and Assurance asks, “Can we adapt and thrive when circumstances change?”

This difference highlights the importance of strategy-risk—it supports learning loops that bolster organizational resilience. As risks are monitored in real time and connected to decision-making across governance layers, they become a catalyst for adaptation rather than a barrier to progress.

The DVMS: Turning Resilience into Architecture

The DVMS approach, as described in Thriving on the Edge of Chaos, is an adaptive governance method designed to work in environments where uncertainty is common (which is practically everywhere).

DVMS shifts the focus from “compliance with policy” to “capability to create value safely.” It utilizes the CPD Model to guide the creation, protection, and delivery of value across complex and interdependent capabilities, practice areas, and practices. In this model:

  • Governance aligns and facilitates the flow of value through distributed decision-making.
  • Resilience ensures the ability to evolve, even under stress.
  • Assurance provides transparency and confidence, extending beyond mere audit trails.

In the Practitioners Guide to Adapting the NIST Cybersecurity Framework, 2nd Edition, these concepts are implemented by adapting NIST CSF 2.0 informative reference controls, prioritizing outcomes over activities. In this context, strategy-risk serves as the connective tissue, linking business goals, threat landscapes, and operational capabilities. It helps identify organizational vulnerabilities and highlights areas for innovation and growth.

Strategy-Risk in Practice: From Concept to Capability

Consider an organization aligned with Governance, Resilience, and Assurance. Rather than simply categorizing risks as red, yellow, or green on a dashboard, it takes a deeper approach by asking key questions:

  • What strategic bets are we making?
  • What assumptions support those bets?
  • How are we testing, validating, and adjusting them in real time?

In this context, strategy and risk become the lens through which governance aligns direction, resilience builds capacity, and assurance verifies progress (ensuring that we are executing and have the evidence to prove it).

For instance, in the Governance function of the NIST Cybersecurity Framework (NIST-CSF) 2.0, organizations are encouraged to establish governance outcomes, such as GV.RM-02 (developing risk appetite and tolerance statements) and GV.RM-04 (setting strategic direction for risk response). Within a Digital Value Management System (DVMS), these outcomes correlate directly with Management Value Creation (MVC) practices that ensure strategy and risk functions are integrated and mutually supportive.

This approach aligns with the central thesis presented in “From GRC to GRA”: governance is not merely about control but about enabling decision-making at the speed of relevance. This is not just a cliché; it reflects the essential method by which organizations can survive and thrive in the 21st century.

Assurance: Building Trust in a High-Velocity World

Finally, let’s address assurance. In GRC, assurance often means passing an audit. However, in DVMS and GRA, assurance establishes confidence that digital value is delivered as intended, even under volatile or emergent conditions.

This is why strategy-risk belongs to assurance as much as governance or resilience. It gives stakeholders visibility into how the organization responds to risk and adjusts course—before those risks become failures.

Assurance becomes a continual validation of performance, trustworthiness, and adaptability. The organization signals to internal and external stakeholders that it is learning and evolving, and that its capabilities are continuously aligned with its strategic intent.

From GRC to GRA: An Integrated Future

Let’s be clear: Governance, Risk, and Compliance hasn’t failed; it simply wasn’t designed for today’s dynamic world. Strategy-risk is not meant to replace “Risk” in GRC but to activate it. This shift aims to move from passive compliance to active capability development, transforming risk from an obstacle into a navigational tool.

Through the lens of the DVMS, resilience is not a product of luck—it is an intentional outcome of strategic governance, value-aligned decision-making, and adaptive systems that learn.

Organizations that embrace this shift—evolving from GRC to Governance, Resilience, and Assurance—will survive the next disruption and be prepared for the following ones.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

DVMS Institute is a renowned provider of Accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.

The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.

By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2, etc.).

© DVMS Institute 2024 All Rights Reserved
