Why Industry Analysts Are Missing the Shift from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA)
Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute
Introduction: Time to Rethink the Framework
For decades, organizations have built their governance programs around the triad of Governance, Risk, and Compliance (GRC) — a model that promised control, order, and accountability. But as digital transformation accelerates, and disruption becomes the norm rather than the exception, it’s increasingly clear that GRC has reached its limits.
Today’s environment demands more than risk registers and compliance reports. It requires organizations to govern with intent, build resilience into their systems, and ensure continuous performance and trust. In this new era, the future belongs to those who embrace Governance, Resilience, and Assurance (GRA). This model reflects how modern enterprises must operate in a world of constant change.
Unfortunately, many industry analysts — who influence how executives interpret these ideas — remain tethered to a legacy GRC mindset. Their reports continue to measure maturity in terms of controls, audits, and tool adoption rather than in terms of adaptability, assurance, and culture. As a result, their guidance is helping organizations look compliant, not resilient.
From GRC to GRA: Moving Beyond Control to Confidence
GRC made sense in a more predictable world. Its purpose was to establish accountability and ensure compliance. But in a digital economy, where interdependence and disruption are the norm, risk management is no longer the core challenge — resilience is.
The GRA model redefines the focus:
- Governance remains the foundation — but now it must enable agility, not bureaucracy.
- Resilience replaces “risk” as the central organizing principle — emphasizing adaptation, continuity, and learning.
- Assurance replaces “compliance” — shifting from static audits to dynamic, evidence-based confidence in performance and trustworthiness.
This shift isn’t just semantic; it’s structural. GRA integrates governance, operations, and assurance into a continuous system — where resilience is measured not by how well you comply, but by how well you recover, adapt, and evolve.
Analysts and the Legacy of Fragmentation
Industry analysts have historically reinforced fragmentation by treating GRC, IT Service Management (ITSM), and cybersecurity as separate markets. They’ve built distinct models, each with its own metrics, toolsets, and vendors — all optimized within silos.
- GRC analysts rank platforms that automate policies and audits.
- ITSM analysts focus on efficiency, automation, and service performance.
- Cybersecurity analysts rate tools for detection, identity, and protection.
Each area has value. But when these functions operate independently, organizations end up with three different definitions of success — one for compliance, one for service delivery, and one for security. The result is duplication, confusion, and diminished resilience.
A GRA-based approach unites these perspectives under one model of digital assurance — where governance links intent to action, resilience ensures continuity under stress, and assurance validates trust across all domains.
The Compliance Trap: Mistaking Maturity for Resilience
A core weakness in the analyst community’s approach is its preoccupation with compliance maturity models. Analysts often measure progress by how many controls have been implemented or how closely an organization aligns to ISO 27001 or SOC 2. Those baselines are necessary, but they are not sufficient: a control that exists on the audit date says nothing about whether it held the week before or will hold the week after.
Compliance provides a snapshot in time; assurance provides a living view of capability.
In other words, compliance tells you whether you met the standard on the day it was checked; assurance tells you whether you can keep performing under pressure between checks.
Resilience can’t be audited into existence. It emerges from how systems, people, and culture respond to change. Until analysts begin evaluating adaptability, learning, and continuity — not just control adoption — they will continue to measure what’s easy, not what matters.
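The snapshot-versus-living-view distinction in this section, as an added example that is not part of the original article or of the DVMS Institute's materials. The evidence records are constructed: one automated check per day that an assumed control (MFA enforced on administrator accounts) is holding. The same records are read first the way an audit reads them, as the most recent result on the audit date, and then as a continuous view that surfaces every period in which the control was failing or simply unobserved. The control name, the dates and the 24-hour freshness window are assumptions chosen for the example.

```python
"""Point-in-time compliance snapshot versus continuous assurance over the same evidence.

Added illustration, not code from the article or the DVMS Institute. The evidence
below is constructed; the control, the dates and the freshness window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Evidence:
    observed_at: datetime
    passed: bool  # did the automated control check pass at that moment?


# Constructed evidence: a daily 09:00 check of "MFA enforced on admin accounts"
# over 1-14 January 2025. The check failed on the 5th, 6th and 7th, and no check
# ran at all on the 10th, so the control was unobserved for 48 hours.
EVIDENCE = [
    Evidence(datetime(2025, 1, day, 9, 0), passed=day not in (5, 6, 7))
    for day in range(1, 15)
    if day != 10
]

# Assumption: evidence older than this is too stale to support a claim.
FRESHNESS = timedelta(hours=24)
# The auditor looks at the control on the morning of the 14th.
AUDIT_DATE = datetime(2025, 1, 14, 10, 0)


def compliance_snapshot(evidence, audit_date, freshness=FRESHNESS):
    """Audit-style check: the latest fresh evidence on or before audit_date decides."""
    candidates = [e for e in evidence if e.observed_at <= audit_date]
    if not candidates:
        return False
    latest = max(candidates, key=lambda e: e.observed_at)
    if audit_date - latest.observed_at > freshness:
        return False  # nothing fresh enough to rely on
    return latest.passed


def assurance_view(evidence, freshness=FRESHNESS):
    """Continuous view: every interval between observations is either assured
    (last check passed and the next check arrived within the freshness window)
    or a gap (failed check, or the control went unobserved for too long).
    Adjacent gaps are merged so each one reads as a single incident."""
    ordered = sorted(evidence, key=lambda e: e.observed_at)
    gaps = []  # list of (start, end) periods without assurance
    for cur, nxt in zip(ordered, ordered[1:]):
        assured = cur.passed and (nxt.observed_at - cur.observed_at) <= freshness
        if assured:
            continue
        if gaps and gaps[-1][1] == cur.observed_at:
            gaps[-1] = (gaps[-1][0], nxt.observed_at)  # extend the running gap
        else:
            gaps.append((cur.observed_at, nxt.observed_at))
    span = ordered[-1].observed_at - ordered[0].observed_at
    gap_total = sum((end - start for start, end in gaps), timedelta())
    return {
        "coverage": 1 - gap_total / span,  # fraction of the window that was assured
        "gaps": [(start, end - start) for start, end in gaps],  # (start, duration)
        "longest_gap": max((end - start for start, end in gaps), default=timedelta()),
    }


if __name__ == "__main__":
    print("audit snapshot on", AUDIT_DATE.date(), "->", compliance_snapshot(EVIDENCE, AUDIT_DATE))
    view = assurance_view(EVIDENCE)
    print(f"assured {view['coverage']:.1%} of the window, {len(view['gaps'])} gaps, "
          f"longest {view['longest_gap']}")
    for start, duration in view["gaps"]:
        print("  gap from", start, "lasting", duration)
```

Run as written, the snapshot reports the control as passing on the audit date, while the continuous view shows that it was assured for only about 62% of the two-week window, with one three-day failure and one two-day blind spot. The second gap is the one audits most often miss: nothing failed, the evidence simply stopped arriving, which is exactly the difference between "we have a control" and "we can show it is holding right now".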
Efficiency Without Assurance: ITSM’s Missed Opportunity
ITSM analysts have long defined success through operational efficiency — faster ticket resolutions, automated workflows, and higher service-level compliance. But efficiency doesn’t guarantee assurance. A perfectly optimized ITSM environment can still fail under disruption if it isn’t aligned to governance and resilience objectives.
By repositioning ITSM within a GRA framework, service management becomes an integral part of the organization’s assurance engine, directly linking operational performance to business resilience and governance outcomes. Analysts could play a vital role in promoting this connection — yet most continue to frame ITSM as an efficiency pursuit rather than a resilience discipline.
Cybersecurity Without Context: Defending the Wrong Thing
Cybersecurity analysts also contribute to the problem by defining resilience in terms of defense — emphasizing tools and controls over integration and context. Firewalls, endpoint protection, and identity systems are all essential, but without alignment to governance and assurance, they create the illusion of safety rather than the reality of resilience.
A highly secure organization can still be vulnerable if it lacks effective coordination, robust recovery planning, or visibility into dependencies. GRA reframes cybersecurity as part of a trust and assurance system, ensuring that defense contributes to resilience rather than existing in isolation.
Culture: The Hidden Core of Assurance
The most prominent blind spot in analyst models is culture. They quantify everything but culture — yet culture determines whether governance is lived or merely documented. Genuine assurance depends on shared accountability, open communication, and adaptive learning.
Governance, Resilience, and Assurance thrive only when teams trust one another to act with purpose, guided by governance structures that empower rather than constrain. Analysts who ignore culture overlook the foundation upon which every resilience framework depends.
The Integrative Future: GRA as the New Paradigm
At the heart of the shift from GRC to GRA lies integration. Governance, service management, and cybersecurity cannot exist as isolated programs; they must operate as a single, integrated, and adaptive system. Frameworks such as the NIST Cybersecurity Framework (CSF) 2.0 and the Digital Value Management System® (DVMS) already embody this approach, linking governance, resilience, and assurance in a way that drives continuous value.
Industry analysts have a unique opportunity — even a responsibility — to evolve from evaluators of tools to integrators of meaning. They can help organizations transition from compliance-driven maturity to capability-driven assurance. But to do so, they must adopt the GRA lens — one that measures resilience as a living system rather than a checklist.
Conclusion: The Path Forward
The world has outgrown Governance, Risk, and Compliance. What it needs now is Governance, Resilience, and Assurance — a system that ensures organizations are not only compliant but also capable, confident, and trustworthy in the face of disruption.
Analysts who continue to define resilience through static controls and isolated quadrants will remain trapped in the past. Those who embrace GRA will shape the future — helping organizations replace compliance with confidence, control with culture, and risk management with resilience management.
The next era of trust won’t be audited. It will be assured.
About the Author
Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute
Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.
Traditional best-practice approaches to IT Service Management (ITSM), Governance, Risk and Compliance (GRC), and Cybersecurity are insufficient to manage the resilience, compliance, and trust requirements of today’s complex digital ecosystems.
The DVMS Cyber Resilience Professional Certified Training programs teach organizations the skills to evolve any best-practice program into an integrated, adaptive, and culture-driven Governance and Assurance System that drives operational resilience, compliance, and trust.
For ITSM
The DVMS elevates ITSM from a process-aligned service-delivery program into an integrated, adaptive, and culture-driven governance and assurance overlay system, ensuring the delivery of high-performance and resilient digital business outcomes.
For GRC
The DVMS elevates GRC from a compliance checklist activity to an integrated, adaptive, and culture-driven governance and assurance overlay system, ensuring the resilient, compliant, and trusted digital business outcomes regulators expect.
For Cybersecurity
The DVMS elevates any cybersecurity program (NIST CSF, ISO 27001, etc.) from a control-centric defense program into an integrated, adaptive, and culture-driven governance and assurance overlay system, transforming systemic cyber risk into compliant and trusted operational resilience.
By adopting a DVMS, organizations are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
DVMS Explainer Videos
- Architecture Video: David Moskowitz explains the DVMS System
- Case Study Video: Dr. Joseph Baugh Shares His DVMS Story
- Overlay Model – What is an Overlay Model
- MVC ZX Model – Powers the CPD
- CPD Model – Powers DVMS Operations
- 3D Knowledge Model – Powers the DVMS Culture
- FastTrack Model – Enables A Phased DVMS Adoption
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
© DVMS Institute 2025. All Rights Reserved.