From Adoption to Advantage – Integrating ITIL into the DVMS Approach
Leading Through Evidence: Measuring Resilience with QO/QM – A Leadership Call to Action – Part Five
David Nichols – Co-Founder and Executive Director of the DVMS Institute
Introduction: From Assumptions to Evidence
In the first four parts of this series, we examined the leadership challenge of moving beyond simply adopting frameworks. We noted that ITIL, NIST-CSF, ISO, and other frameworks provide stability and standardization but rarely offer resilience or adaptability on their own. We discussed the paradigm shift needed to move from compliance-focused governance (GRC) to governance, resilience, and assurance (GRA). We examined how the Digital Value Management System (DVMS) integrates existing investments as a management overlay. Finally, we analyzed the restructuring of leadership, structure, and behavior that organizations need to adapt and succeed in volatile conditions.
Now we move on to the next step. If leaders have integrated their frameworks through DVMS and restructured their organizations around Minimum Viable Capabilities, how do they demonstrate resilience? Shareholders, regulators, and customers don’t want confident assertions; they want evidence. It’s no longer enough to claim resilience or point to audit results. The real question is: What evidence shows that our enterprise can withstand disruption and recover quickly enough to protect stakeholders and sustain value?
This is the purpose of the Question Outcome/Question Metric (QO/QM) approach. It is not just a technical task but a leadership discipline. QO/QM turns resilience from an aspiration into a measurable, verifiable result, shifting the leadership conversation from assumptions to evidence.
Why Evidence Matters
In the digital age, trust is fragile. Markets move faster, disruptions spread more widely, and scrutiny from regulators and investors intensifies with each incident. Boards and executives are judged not just on financial results but also on their ability to demonstrate that their organizations are resilient. Evidence has become the new currency of leadership credibility.
Without evidence, resilience becomes just an assumption—a belief that having frameworks in place and passing audits means the enterprise is prepared. However, history has shown that compliance does not equal resilience. Organizations can meet all regulatory requirements and still fail under the pressure of a cyberattack, supply chain disruption, or operational outage. Assumptions provide false reassurance.
Evidence, by contrast, provides confidence. It offers leaders tested, validated, and measurable proof that critical systems can withstand disruptions, that recovery procedures work as intended, and that stakeholders’ trust is justified. In this way, evidence enhances decision-making and safeguards leadership reputations during crises.
The QO/QM Approach: Turning Questions into Proof
The QO/QM approach offers leaders a straightforward yet impactful tool to shift conversations from vague claims to concrete evidence. It starts with the Question Outcome: a clear, outcome-oriented question framed from the perspective of stakeholders and enterprise value. For example: “Can our supply chain continue to operate during a ransomware attack tomorrow?” or “Can we demonstrate that our customer data would be restored within minutes after a disruption?”
Once the outcome is defined, leaders ask the Question Metric: “What evidence do we have to demonstrate this outcome?” The focus shifts from belief to proof. If evidence exists, it can be examined and tested. If evidence is absent, the gap becomes clear, and the leadership team knows where to take action.
This approach appears deceptively simple, but its strength lies in its versatility. QO/QM can be used at every level of the organization. Boards can employ it to evaluate strategic risks. Executives can utilize it to assess operational readiness. Teams can implement it to verify specific workflows. In all cases, the discipline produces the same outcome: resilience supported by evidence, not assumptions.
From Compliance Metrics to Resilience Metrics
Most organizations still heavily rely on compliance metrics today. These metrics track whether requirements are met or controls are in place, such as passing audits, logging incidents, and updating policies. They are useful for verifying adherence to standards, but focus on the past. They show leaders what has already been done, not whether the organization is prepared for future disruptions.
Resilience metrics, on the other hand, are oriented toward the future. They assess adaptability, quick recovery, and dependability in real-world scenarios. They look at not just whether a control exists but whether it can withstand stress. A compliance metric might say, “We passed the audit.” A resilience metric, however, asks, “Do we have tested evidence that customer data can be recovered within ten minutes of a system failure?”
This difference is vital for leadership. Compliance metrics reassure regulators, while resilience metrics build trust with markets. Compliance indicates adherence; resilience shows ability. Leaders who rely only on compliance may pass audits but falter during crises. Leaders who prioritize resilience metrics gain the confidence that their organizations can continue to create, protect, and deliver value despite disruptions.
Embedding Evidence into Governance
Evidence cannot be treated as an afterthought. It must be integrated into governance as an ongoing practice. Adaptive governance, as discussed in Part Four, requires real-time coordination of strategy, risk, and value delivery. Evidence acts as the fuel for this coordination.
Boards and executives must demand more than just compliance reports; they need evidence-based reports that are directly connected to enterprise outcomes. This doesn’t mean bombarding the board with technical details, but rather presenting evidence in a way that emphasizes the resilience of key capabilities: the tested continuity of supply chains, the proven speed of recovery processes, and the validated integrity of customer data.
Resilience Offices or GRA hubs can play a vital role here. By collecting, verifying, and presenting resilience evidence across different value streams, they ensure that leaders receive not only performance dashboards but also proof of preparedness. Assurance becomes an ongoing process of gathering evidence, rather than a one-time audit event.
Building a Culture of Evidence
Perhaps the most groundbreaking part of the QO/QM approach is cultural. In most organizations, resilience responsibility is placed within IT, risk, or compliance. Other functions may think resilience is someone else’s problem. The DVMS approach changes that.
With QO/QM, every function becomes a guardian of resilience. Finance can provide evidence of continued payment system operation. Customer service can confirm that support channels stay active during disruptions. Human resources can verify the ongoing flow of workforce communication. Every role has a stake in resilience, and each team bears responsibility for producing proof of it.
This cultural shift is crucial. It transforms resilience from just meeting requirements into a shared success. It motivates employees to move from “trusting processes” to “trusting proof.” It also enables staff to act confidently, knowing that their decisions are aligned with enterprise resilience and backed by evidence.
The Strategic Payoff: Trust as the Currency of Resilience
Leading with evidence enhances both internal clarity and external trust. Customers trust organizations that deliver consistent service, even under stress. Regulators rely on real-time assurance, not just retrospective reports. Investors are confident when organizations demonstrate resilience as part of their value delivery.
In this way, evidence becomes more than just an operational tool—it becomes a strategic asset. It influences how markets view the enterprise, how regulators interact with it, and how customers stay loyal during disruptions. For leaders, this trust is priceless. It’s the currency of resilience in the digital age and is earned only through solid proof.
From Claiming Resilience to Proving It
The first four parts of this series detailed the progression from recognizing frameworks’ limitations to adopting the DVMS paradigm and reorganizing organizations for resilience. Part five continues that journey by tackling the evidence challenge.
Resilience can no longer be assumed; it must be shown. Leaders need to go beyond compliance metrics and adopt resilience benchmarks. They must embed the QO/QM discipline into governance, culture, and daily routines. They should require proof of results and prioritize evidence as the primary basis for assurance.
This represents a fundamental shift in leadership today. In a world of constant upheaval, the real question isn’t whether frameworks have been put in place or audits completed. Instead, it’s: What evidence shows that our organization can withstand tomorrow’s disruptions and emerge stronger on the other side?
Leading through evidence is not optional—it is the only credible path forward.
About the Author
Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
Traditional best-practice approaches to IT Service Management (ITSM), Governance, Risk and Compliance (GRC), and Cybersecurity are insufficient to manage the resilience, compliance, and trust requirements of today’s complex digital ecosystems.
The DVMS Institute Certified Training programs and publications provide detailed guidance on evolving any best-practice program into an integrated, Digital Value Management System® (DVMS) capable of transforming systemic cyber risk into operational resilience.
The DVMS seamlessly aligns organizational Strategy, Governance, Operations, and Culture into an integrated, adaptive, and culture-driven governance and assurance system capable of ensuring resilient, compliant, and trusted digital outcomes.
By adopting a DVMS, organizations are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
® DVMS Institute 2025 All Rights Reserved