Bridging GRC and ITSM: How the DVMS Aligns Strategy and Governance with Operational Execution

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Introduction

As a GRC or ITSM practitioner, you’ve likely encountered the tension between strategic governance and day-to-day service operations. Governance, risk, and compliance (GRC) functions focus on risk oversight, policy development, and assurance, while IT Service Management (ITSM) centers on ensuring performance, availability, and service delivery. Yet these functions are often siloed, despite sharing the same objective: enabling the organization to deliver secure, reliable, and resilient digital services.

The Digital Value Management System (DVMS) addresses this challenge head-on. It is a systems-based overlay that connects GRC strategy with ITSM execution, enabling organizations to manage digital business risk in real time while creating, protecting, and delivering digital value.

A Shared Model: The DVMS Overlay

The DVMS is not a replacement for your existing frameworks—whether ITIL, COBIT, NIST CSF, or ISO 27001. Instead, it’s an overlay that helps align them. It maps existing practices to seven Minimum Viable Capabilities (MVCs): Govern, Assure, Plan, Design, Change, Execute, and Innovate.

  • GRC practitioners will recognize “Govern” and “Assure” as policy development, accountability, and control validation mechanisms.
  • ITSM practitioners will find their daily practices—incident management, change enablement, service continuity—within “Plan,” “Design,” “Change,” and “Execute.”

Using this overlay, DVMS makes it possible to see how GRC policies translate into operational behaviors and how ITSM outputs provide evidence for compliance and assurance.

Strategy-Risk: A Unified Concept

One of DVMS’s biggest contributions is introducing the concept of strategy-risk—a shift from treating risk and strategy as separate initiatives to seeing them as one. This model supports GRC and ITSM practitioners alike:

  • For GRC, it ensures policies are not abstract. They directly influence operational decisions.
  • For ITSM, it ensures operations are not reactive. A proactive risk posture guides them.

This is operationalized through the CPD Model—Create, Protect, Deliver—which positions ITSM processes as essential controls for delivering and protecting business value.

Embedding Governance into Execution

The updated NIST Cybersecurity Framework (CSF) 2.0 reinforces this approach. Its new GOVERN function centers governance as the foundation of all risk management activity, enabling integration with enterprise risk management (ERM) strategies. DVMS takes this a step further, embedding governance into everyday workflows.

For example:

  • Incident response becomes a governance feedback loop.
  • Change management supports assurance through documented control over change.
  • Configuration management becomes evidence of security baselines.

Rather than waiting for an audit cycle, compliance becomes continuous, achieved through traceable, service-level activities that GRC can monitor and IT can own.

Systems Thinking: Moving Beyond the Checklist

The DVMS encourages GRC and ITSM teams to adopt systems thinking—to see the organization not as a collection of departments, but as an interconnected system of cause and effect. This is especially important in complex environments, where small changes in one part of the system (e.g., a policy change or a configuration drift) can cascade into major service or compliance issues.

Through tools like the 3D Knowledge Model and the Iceberg Model, practitioners can:

  • Trace how a policy (Z-axis) affects team knowledge and collaboration (X and Y axes).
  • Identify root causes of incidents that stem from cultural assumptions, not just technical faults.
  • Use questioning techniques like “How do you know?” and “Are you sure?” to uncover undocumented risks.

This mindset empowers GRC and ITSM professionals to identify gaps in controls, understanding, alignment, and behavior.

From Protection to Quality: Security as a By-Product

DVMS reframes cybersecurity as an aspect of service quality, not a separate function. It views value protection as inseparable from value creation. For ITSM teams, security controls are not added after the fact—they’re built into your service catalog, SLAs, and support workflows.

For example:

  • Access control and identity verification become part of request fulfillment.
  • Incident trends help refine governance assumptions.
  • Service validation includes checks for control efficacy, not just availability.

This positions ITSM teams as active contributors to assurance, while GRC gains real-time visibility into policy effectiveness.

Phased Execution with DVMS FastTrack™

The DVMS FastTrack approach helps you implement this integration iteratively, using four progressive phases:

  1. Initiate – Stabilize foundational ITSM and compliance practices.
  2. Basic Hygiene – Close known gaps (e.g., patching, access control, incident response).
  3. Expand – Align more GRC controls with ITSM processes (e.g., supplier risk, configuration audits).
  4. Innovate – Build resilience through adaptive governance, continual learning, and a proactive risk posture.

This phased model supports maturity at your pace, using a roadmap that speaks to both compliance requirements and operational demands.

Breaking Down Silos: A Shared Responsibility Model

By using DVMS, GRC and ITSM teams can replace reactive coordination with proactive collaboration:

  • GRC sets the direction through policy and strategy-risk goals.
  • ITSM implements and reports on execution through services and metrics.
  • Assurance becomes a shared responsibility, not a separate function.

This is especially critical in today’s environment, where organizations must prove that they “have a policy” and that it is consistently followed, monitored, and improved.

Final Thoughts

For GRC and ITSM practitioners, the DVMS provides more than a framework—it offers a shared operating model. It allows you to connect governance with operations, policies with evidence, and risk with reality.

Rather than adding new tools or reinventing processes, DVMS helps you see what you’re already doing—and do it better, together.

If you want to improve cyber resilience, streamline compliance, or strengthen operational governance, the DVMS gives you the language, structure, and roadmap to make it happen.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

In today’s digitally driven economy, cyber disruptions are no longer an “if” but a “when.”

The DVMS Institute’s Certified Training Programs teach organizations the skills to build a holistic, culture-aligned overlay system capable of coordinating Adaptive Governance, Resilience, and Assurance actions across a complex digital ecosystem.

Achieving true cyber resilience across a complex digital ecosystem requires seamless alignment between organizational Strategy, Governance, and Operations, underpinned by a culture dedicated to sustaining and continuously innovating organizational digital value.

The DVMS positions cyber resilience as a strategic, enterprise-wide capability powered by the Institute’s CPD, Z-X, and 3D Knowledge models.

This systems-based approach to cyber operational resilience demands active engagement from all members of the Digital Ecosystem, with each member playing a distinct role in proactively identifying and mitigating the systemic risks that threaten digital business operations.

This adaptive, forward-looking approach to Governance, Resilience, and Assurance (GRA) positions businesses to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Drive Agility and Trust Across Your Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025. All Rights Reserved.