From Compliance to Resilience – Making the Paradigm Shift to Value

David Nichols – Co-Founder and Executive Director of the DVMS Institute

Owning the Next Step

In Part One of this series, we faced a tough truth: organizations heavily invested in ITIL® and other frameworks rarely achieve the strategic benefits they anticipated. Service stability may improve, change control may tighten, and delivery processes may become more predictable. These improvements matter, but they do not address the boardroom question: Has this investment generated strategic advantage?

The answer, more often than not, is disappointing. Frameworks alone do not build resilience, adaptability, or stakeholder trust. At best, they support current operations. At worst, they reinforce silos and entrench the status quo. Leaders who responded to Part One’s call to action recognized this issue and took responsibility for the problem. That was the first step. The second step—this one—is adopting a new way of thinking.

The Paradigm of Value

As Donella Meadows noted in Thinking in Systems, “Paradigms are the sources of systems. From them, everything else follows.” To genuinely change outcomes, leaders must move beyond their existing organizational paradigm and challenge the assumptions that keep it in place. This is tough because paradigms influence not only how systems function but also how we view what is possible. However, it is also very powerful: once a paradigm shifts, every rule, process, and measure of success can be rethought.

So, the new paradigm is deceptively straightforward: create, protect, and deliver value to stakeholders.

This is the core of the DVMS Create–Protect–Deliver (CPD) Model. It shifts success metrics from process efficiency to an enterprise’s capacity to:

  • Continuously generate value
  • Defend it against disruption
  • Reliably deliver it to those who depend on it

 

When leaders adopt this perspective, compliance ceases to be the main goal. Instead, it becomes a natural result of effective governance, resilient operations, and embedded assurance. In other words, the CPD mindset shifts organizations from a GRC culture to a GRA culture.

GRC vs. GRA: The Critical Shift

For decades, most organizations have operated under Governance, Risk, and Compliance (GRC). In this model:

  • Governance centers on oversight and control
  • Risk management leans toward avoidance, often stifling innovation
  • Compliance drives the agenda, with success defined by passing audits

 

While GRC offers stability, it is reactive. It avoids penalties but does little to prepare enterprises for volatility.

Governance, Resilience, and Assurance (GRA) embodies a different mindset:

  • Governance becomes purposeful—aligning decisions with enterprise strategy
  • Resilience replaces compliance as the operational focus, enabling adaptation and continuity under stress
  • Assurance is demonstrated through outcomes, not checklists—customers, regulators, and investors can see that the enterprise is dependable and trustworthy

 

As my co-author, David Moskowitz, and I stated in Thriving on the Edge of Chaos: “Resilience is not achieved by compliance; it is the natural byproduct of creating, protecting, and delivering value.”

Why Leadership Matters

This shift is not technical—it is cultural. And culture is shaped from the top.

Leadership shapes whether ITIL® is seen as a checklist or a resilience tool. It determines if risk is viewed as a barrier or an inherent part of change. It establishes whether compliance is the ultimate goal or merely the baseline for competing in a digital trust-driven marketplace.

When leaders embrace the CPD paradigm, the ripple effects are significant:

  • Incident response evolves from closing tickets to preserving trust
  • Change management shifts from gatekeeping to balancing innovation with protection
  • Service delivery grows from efficiency-focused to ensuring consistent digital value, even under pressure

 

These are not process tweaks. They are cultural shifts—and only leaders can set the standard.

The Byproduct: Operational Resilience

Resilience is not something you bolt on. It is a core capability and an outcome. It’s not something you do, it’s something you become.

When the organizational paradigm shifts to CPD, resilience naturally develops. It doesn’t need extra overhead or committees. Instead, it arises from intentional governance, embedded safeguards, and dependable execution.

In practice, this is what transitioning from GRC to GRA looks like. Compliance remains important, but it no longer defines success. Resilience demonstrates that the organization can handle disruptions while fulfilling commitments. Assurance becomes the tangible symbol of trust.

From Vision to Practice

The challenge isn’t to abandon ITIL® or other frameworks. It’s to see them differently: as tools that deliver value, not as goals themselves.

  • ITIL provides stability
  • NIST-CSF strengthens risk management
  • ISO emphasizes security
  • Agile and DevOps accelerate delivery

 

Each element has value on its own. Together, within the CPD paradigm, they form a resilient fabric necessary for today’s environment.

This is where the Digital Value Management System (DVMS) becomes essential. DVMS isn’t just another framework to add; it is a strategic approach that acts as a management overlay, consolidating existing investments within a CPD-focused system. It transforms the shift from GRC to GRA from an aspiration into a practical reality—integrating resilience and assurance into the core of the enterprise.

A Call to Leadership

The decision before leaders is stark:

  • One path centers on compliance, where reports and certifications create the appearance of success
  • The other emphasizes resilience, where success is defined by adaptability, trust, and the ability to deliver value under stress

 

Compliance may keep you out of the headlines. Resilience will keep you in business.

The moment has come for leaders to decide. The old methods have reached their limits. The new approach—Create, Protect, Deliver—is not just a management technique; it is a leadership necessity. It redefines governance, reimagines resilience, and demonstrates confidence in ways that build stakeholder trust.

Looking Ahead to Part Three

In Part One, we faced the uncomfortable truth: adopting ITIL and similar frameworks provides operational stability but rarely results in strategic advantage. In Part Two, we presented the paradigm shift—from focusing on compliance to emphasizing resilience—as the goal, based on the DVMS Create–Protect–Deliver model.

Part Three will build on these ideas. It will show how the Digital Value Management System (DVMS) provides a practical framework that combines ITIL, NIST-CSF, ISO, Agile, and other investments into a unified systems management approach. DVMS transforms the CPD paradigm into a dynamic system, where governance guides strategy, resilience naturally develops, and assurance is demonstrated through outcomes that build lasting trust.

The journey progresses from adoption (Part One), through paradigm shift (Part Two), to integration and strategic advantage (Part Three). That final step turns your existing efforts into a cohesive whole—one capable not just of surviving disruption, but of thriving because of it.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Traditional siloed approaches to ITSM, GRC, and NISTCSF are no longer sufficient to manage the complexity, interdependencies, and compliance requirements of modern digital supply chains.

The DVMS Institute Certified Training Programs teach organizations how to transform ITSM, GRC, and NISTCSF programs into an integrated, culture-driven Digital Value Management System® (DVMS) that drives adaptive governance, operational resilience, and performance assurance across today’s complex digital supply chains.

The DVMS, driven by its MVC, CPD, 3D Knowledge, and FastTrack models, seamlessly aligns organizational digital Strategy, Governance, Operations, and Culture into a unified and adaptive governance and assurance system that drives trusted, resilient, and compliant digital outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

 

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved
