False Comfort, Naked Risk – Why Leaders Must Move Beyond GRC – Assurance Mandate Series – Part 1

David Nichols – Co-Founder and Executive Director of the DVMS Institute

Are You Good, or Just Lucky?

If your organization relies on Governance, Risk, and Compliance (GRC) as its core governance model and you haven’t suffered a breach or disruption, do you know whether you’re good—or just lucky?

Or, to quote Dirty Harry: “You’ve got to ask yourself one question: ‘Do I feel lucky?’ Well, do ya, punk?”

That question goes to the heart of today’s leadership challenge.

Luck isn’t a strategy. It offers no assurance for the future, only a story of surviving the past. Still, across industries, leaders often mistake compliance for capability, confusing audit reports and analyst rankings with evidence of resilience.

It is a dangerous illusion. GRC offers comfort, but not confidence. It can show how thoroughly you’ve documented controls, how closely you’ve followed a framework, and how mature your compliance efforts appear. But it cannot tell you whether your organization can withstand disruption, recover under stress, and continue delivering value when the unexpected happens.

In short, GRC can assess appearances. Only Governance, Resilience, and Assurance (GRA) can demonstrate substance.

The Static Nature of GRC

To understand why the shift matters, leaders must revisit the assumptions baked into GRC.

The model was created for a more stable environment, one in which risks could be identified in advance, controls standardized, and compliance treated as a reasonable proxy for security. Its goal was order, predictability, and control. For many years, it worked reasonably well.

But disruption is no longer the exception; it has become the norm of the digital age. Business models are interdependent, technology underpins every process, and threats evolve daily. In such a setting, GRC’s static model is no longer effective.

  • Compliance is retrospective. Audit reports show whether you met a standard at a point in time. They cannot tell you whether your organization is prepared for tomorrow’s disruption.
  • Controls are fragile. A control that works under one set of conditions may fail the moment the environment shifts. Yet GRC measures success by whether a control exists and is documented, not by whether it holds when it is actually tested.
  • Risk registers are obsolete almost as soon as they are written. They give a false sense of coverage while threats mutate in real time.


Even with recent efforts to “modernize” GRC, the results remain the same: organizations that appear compliant on paper but are brittle in practice. Leaders who rely on GRC are not managing resilience—they are managing appearances. It’s lipstick on a pig.

SolarWinds: A Case of Compliance Without Resilience

The SolarWinds breach of 2020 illustrates this problem with brutal clarity.

SolarWinds was a market leader, trusted by government agencies and Fortune 500 companies. It was compliant with industry standards, certified to international frameworks, and widely endorsed by analysts. On paper, it was a mature, well-governed company.

And yet attackers compromised the build process of its Orion platform and inserted a backdoor into legitimately signed product updates. Roughly 18,000 customers, including several U.S. federal agencies, installed the trojanized updates, which circulated for months before the intrusion was discovered in December 2020. The code-signing control did exactly what it was documented to do: it attested that the backdoored build came from SolarWinds. The result was one of the most significant supply chain compromises in history.

SolarWinds checked the compliance boxes. It aligned with standards. It earned analyst approval. However, none of that mattered when resilience was put to the test. Its systems were not designed for adaptive assurance; its customers’ trust evaporated overnight.

And SolarWinds is not alone. Equifax was ISO certified the year before its 2017 breach. Target had passed a PCI DSS compliance audit just months before attackers siphoned off some 40 million payment card records in late 2013. Colonial Pipeline was operating within the voluntary pipeline security guidelines of the day when ransomware shut down fuel supplies across the eastern U.S. in 2021.

The lesson is clear: compliance does not guarantee safety; certification does not equate to resilience. An organization can be fully “mature” according to GRC metrics and still be catastrophically vulnerable.

The Analyst Blind Spot

This illusion is reinforced by industry analysts, whose influence on leadership thinking is profound.

Analyst reports still define success in terms of GRC maturity, measured by the number of controls adopted, the degree of audit readiness, and the sophistication of tooling. They treat GRC, IT service management, and cybersecurity as separate markets, each with its own benchmarks and vendors.

  • GRC analysts rank platforms that automate policies and audits.
  • ITSM analysts measure efficiency and workflow optimization.
  • Cybersecurity analysts evaluate detection and defense capabilities.


Each silo has value. But when leaders adopt these fragmented definitions of success, they inherit three conflicting narratives: compliance, efficiency, and security. None of them answers the crucial question: Can we continue to deliver value under stress?

Here’s the core problem: analysts measure what can be counted—controls, tools, and certifications—not what truly counts: adaptability, recovery, and assurance.

This is why many boards remain in a state of compliance comfort. They can cite certifications, ISO standards, SOC 2 reports, or analyst quadrant placements. But none of these demonstrate resilience. They only show that the organization has checked the right boxes.

The result is a false sense of security. Leaders think they are competent when, in fact, they may simply have been lucky. They are whistling past the graveyard, hoping the shadows they see are only illusions.

Compliance Is Not Assurance

This distinction between compliance and assurance is critical and cannot be overstated.

Compliance offers a snapshot in time: did you meet the standard, yes or no? Assurance provides proof of ongoing ability: can you continue to perform, adapt, and deliver value under pressure?

Think of it in human terms. Passing a physical exam proves you were healthy on the day of the test. Assurance is the confidence that you can run five miles tomorrow, recover from injury, and keep improving. Compliance is a certificate. Assurance is lived evidence.

Resilience cannot be audited into existence. It emerges from how systems, people, and culture respond to change. Until leaders demand assurance over compliance, they will continue to measure what is simple rather than what matters.
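The difference between a snapshot and ongoing evidence, and the point made earlier that GRC scores a control on whether it exists rather than whether it works, is easiest to see against concrete evidence. The Python below is an added example, not code from the DVMS Institute or from this article. It scores the same set of controls two ways: a GRC-style check that asks whether each control is documented and configured, and an assurance-style check that runs a behavioural test against the evidence the control is supposed to produce. The control names, policies, thresholds and sample records (login entries, backup job records, a host inventory) are all constructed for illustration.

```python
"""Control existence vs. control effectiveness.

Added example, not code from the DVMS Institute or the original article.
A GRC-style check asks whether a control is documented and configured; an
assurance-style check runs a behavioural test against the evidence the
control is supposed to produce. All control names, thresholds and sample
records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ControlResult:
    name: str
    documented: bool           # policy exists and the control is in the register
    configured: bool           # the control is switched on
    effective: bool            # the behavioural test passed
    findings: list[str] = field(default_factory=list)


AS_OF = date(2025, 1, 15)  # hypothetical assessment date

# Constructed evidence. Every control below is "present" on paper.
MFA_POLICY = {"documented": True, "enforced_for": ["web"]}   # enforcement scoped to web only
LOGINS = [  # hypothetical authentication log
    {"user": "alice", "protocol": "web", "mfa": True},
    {"user": "bob", "protocol": "web", "mfa": True},
    {"user": "svc-mail", "protocol": "imap", "mfa": False},   # legacy protocol bypasses MFA
]

BACKUP_POLICY = {"documented": True, "schedule": "nightly"}
BACKUP_JOBS = [  # hypothetical job records, each with a restore test
    {"job": "db-nightly", "ran": True, "source_digest": "9f3c", "restored_digest": "9f3c"},
    {"job": "files-nightly", "ran": True, "source_digest": "41aa", "restored_digest": "0000"},
]

PATCH_POLICY = {"documented": True, "critical_sla_days": 14}
HOSTS = [  # hypothetical host inventory
    {"host": "web-1", "critical_released": AS_OF - timedelta(days=3), "patched": False},
    {"host": "web-2", "critical_released": AS_OF - timedelta(days=40), "patched": True},
]


def assess_mfa(policy, logins):
    """Existence: MFA is documented and enabled. Effectiveness: no login in
    the log succeeded without MFA, whatever protocol it used."""
    findings = [f"{r['user']} logged in via {r['protocol']} without MFA"
                for r in logins if not r["mfa"]]
    return ControlResult("MFA for all logins", policy["documented"],
                         bool(policy["enforced_for"]), not findings, findings)


def assess_backups(policy, jobs):
    """Existence: jobs are scheduled and ran. Effectiveness: every restore
    test reproduced the source digest."""
    findings = [f"{j['job']} restore digest mismatch"
                for j in jobs if j["restored_digest"] != j["source_digest"]]
    configured = all(j["ran"] for j in jobs)
    return ControlResult("Restorable backups", policy["documented"], configured,
                         not findings, findings)


def assess_patching(policy, hosts, as_of=AS_OF):
    """Existence: an SLA is documented. Effectiveness: no host carries an
    unpatched critical fix older than the SLA on the assessment date."""
    sla = timedelta(days=policy["critical_sla_days"])
    findings = [f"{h['host']} unpatched {(as_of - h['critical_released']).days}d past release"
                for h in hosts
                if not h["patched"] and as_of - h["critical_released"] > sla]
    return ControlResult("Critical patch SLA", policy["documented"], True,
                         not findings, findings)


def compliance_score(results):
    """GRC view: share of controls that are documented and configured."""
    return sum(r.documented and r.configured for r in results) / len(results)


def assurance_score(results):
    """GRA view: share of controls whose behavioural test actually passed."""
    return sum(r.effective for r in results) / len(results)


def run_assessment():
    results = [assess_mfa(MFA_POLICY, LOGINS),
               assess_backups(BACKUP_POLICY, BACKUP_JOBS),
               assess_patching(PATCH_POLICY, HOSTS)]
    return {"compliance": compliance_score(results),
            "assurance": assurance_score(results),
            "findings": [f for r in results for f in r.findings]}


if __name__ == "__main__":
    for key, value in run_assessment().items():
        print(f"{key}: {value}")
```

On this constructed evidence the compliance score is 100%: every control is documented and switched on. The assurance score is one in three, because MFA is bypassed by a legacy protocol and one backup cannot be restored intact. The patch check also shows why compliance is a snapshot: re-running `assess_patching` with a later `as_of` date, and no change to the inventory, turns a passing control into a failing one as the unpatched host ages past the SLA.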

The Shift from GRC to GRA

This is where Governance, Resilience, and Assurance (GRA) redefines the entire conversation.

GRA is not a cosmetic update to GRC. It is a structural reordering of priorities:

  • Governance remains foundational, but it must be about intent—not bureaucracy. It provides clarity of purpose, direction, and priorities that enable agility and flexibility.
  • Resilience replaces “risk” as the organizing principle. Risks can be cataloged; resilience determines whether those risks break you or make you stronger. It is measured by adaptability, continuity, and learning.
  • Assurance replaces “compliance.” Assurance is evidence-based confidence that standards are met and that performance continues under disruption.


The difference is clear: GRC shows if you are compliant. GRA demonstrates if you are capable.

Culture: The Invisible Variable

One of the most overlooked factors in resilience is culture.

Analysts assess tools, controls, and processes, but they often ignore how culture shapes behavior. Yet culture decides whether governance is practiced or neglected.

Consider Boeing after the 737 MAX crashes: controls were in place and FAA certification had been secured, but a culture of silencing engineers and prioritizing delivery schedules over safety undermined resilience. In contrast, organizations that promote transparency, accountability, and a learning culture are better equipped to recover from shocks, even when technical systems fail.

Resilience, in other words, is more than just technical; it is a cultural phenomenon. Without cultural alignment, no framework or platform can provide assurance.

DVMS: Operationalizing GRA

Conceptual models matter, but they must be put into action. That is where the Digital Value Management System® (DVMS) comes in.

DVMS operationalizes GRA by integrating governance, resilience, and assurance into a single adaptive approach. Governance sets intent. Resilience is designed into workflows and capabilities. Assurance is delivered continuously through evidence of adaptability and trust.

Combined with frameworks like the NIST Cybersecurity Framework 2.0, DVMS provides leaders with a practical way to measure what truly matters: the ability to create, protect, and deliver digital business value under stress.

In a GRC world, the question is: Do you have the control?
In a GRA world, the question is: Do you have the evidence of resilience?

Leadership’s Challenge

This shift is not theoretical. It demands a new leadership paradigm.

Executives must stop outsourcing their understanding of resilience to analysts and auditors. Compliance scores don’t demonstrate capability. Analyst rankings don’t guarantee assurance. Leaders must demand proof: clear, evidence-based confirmation that their organizations can adapt, recover, and continue delivering value.

The questions leadership should be asking are simple, but deeply uncomfortable:

  • Do we understand the complexity of our digital ecosystem?
  • Do we understand the business processes and controls that drive our value chain?
  • Do we understand the business side of cybersecurity, not just the technical one?
  • Are we resilient because we are good, or because we have been lucky?

The Path Forward

The world has moved beyond GRC. Compliance remains essential, but it is no longer enough. Leaders must now adopt Governance, Resilience, and Assurance (GRA) as their operating model for the digital age.

That means governing with intent instead of bureaucracy. It means making resilience—not risk—the organizing principle of enterprise design. And it means demanding assurance as proof, not just accepting compliance as a proxy for trust.

When leaders adopt this paradigm, they move beyond appearances. They build confidence not because they have passed an audit, but because they can prove capability in action.

The next era of trust won’t be audited into existence. It will be assured through evidence-based resilience.

And so the challenge remains: If you depend on GRC and haven’t been breached, are you good—or just lucky? If you rely on GRA, you will know.

Afterword

This isn’t just a theoretical exercise; it’s a leadership necessity. Organizations that adopt this change will not only survive disruption—they will thrive in it. Those who don’t will continue to mistake luck for skill until luck finally runs out.

Do you feel lucky? Well, do you?

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There he learned complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

DVMS Cyber Resilience Professional Accredited Certification Training

Governing, Assuring, and Accounting for Resilient Digital Value Outcomes In Complex, Fragmented Systems


Despite abundant frameworks and dashboards, leaders still struggle to see how their digital value streams perform under real-world stress.

Intent, structure, and day-to-day behavior are examined in isolation, creating flat views that hide how decisions and human responses interact in a living digital system.

The result is governance that looks strong on paper but falters in practice, leaving leaders to juggle disconnected controls instead of actively strengthening the resilience of their digital value.

What’s needed is a framework-agnostic overlay system capable of governing, assuring, and accounting for digital value resilience across complex, fragmented systems.

Digital Value Management System® (DVMS)

An Overlay Management System to Govern, Assure, and Account for Resilient Digital Value Outcomes in Complex, Fragmented Systems

The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to integrate fragmented frameworks and systems such as NISTCSF, GRC, ITSM, and AI into a unified, culture-driven governance and assurance system that accounts for the resilience of digital value within a living digital system.

At its core, the DVMS is a simple but powerful integration of:
  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business actually performs
  • Assurance Evidence – proof that outcomes are achieved and accountable
  • Cultural Learning – to continually fine-tune governance intent and operational capabilities
Underpinning this integration are three distinctive DVMS models:

Create, Protect, and Deliver (CPD) – The CPD Model™ is a systems-based model within the DVMS that links strategy-risk and governance to execution in order to create, protect, and deliver digital business value as an integrated, continuously adaptive organizational capability.

3D Knowledge (3DK) – The 3DK Model™ is a systems-thinking framework that maps team knowledge over time (past, present, future), cross-team collaboration, and alignment to strategic intent to ensure that organizational behavior, learning, and execution remain integrated and adaptive in delivering digital business value.

Minimum Viable Capabilities (MVC) – The MVC™ model supports the seven essential, system-level organizational capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate—required to reliably create, protect, and deliver digital business value in alignment with strategy-risk intent.

The integration of these models then enables three distinctive digital value management organizational capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

In summary, a DVMS enables organizations of any size, scale, or complexity to:
  • Govern through risk-informed decision-making
  • Sustain digital value Resilience through a proactive and adaptive culture
  • Measure Performance Assurance through evidence-based outcomes
  • Ensure Accountability by making intent, execution, and evidence inseparable

The People and Culture That Power a DVMS


Delivering the outcomes of a DVMS requires coordinated action across an enterprise’s strategy, governance, and operational layers.

Each of these business layers contains unique roles that, when aligned, enable organizations to ensure the resilience of their digital value across their complex and fragmented digital systems.

Together, these roles create an adaptive, risk-informed, and resilient culture capable of thriving in a complex and chaotic digital business environment. 

Scaling A DVMS Program – Where Do You Start?


The DVMS FastTrack Model is a phased, iterative approach that helps organizations mature their Digital Value Management System over time, rather than trying to do everything simultaneously.

This approach breaks the DVMS journey into manageable phases of success. It starts with selecting the first digital service you want to make resilient. Once that service has integrated DVMS at its boundaries, it becomes the blueprint for operationalizing DVMS in the remaining digital services.

The DVMS training provides an example of how to operationalize the NIST Cybersecurity Framework and ensure its digital value resilience across complex, fragmented systems.

DVMS Program Benefits


DVMS Organizational Benefits

Instead of replacing existing operational frameworks and their management systems, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

The DVMS Certified Training Programs


The DVMS Institute’s certification training programs and body-of-knowledge publications equip leaders, practitioners, and employees with the skills to govern operational cyber-resilience through an evidence-based system that assures and accounts for digital value outcomes.

Grounded in real-world governance challenges and aligned with NIST CSF 2.0, the DVMS Institute’s training programs teach organizations how to build measurable capability, transparent accountability, and defensible confidence in decision-making.

Through structured learning, applied certification, and authoritative publications, the Institute advances a disciplined, outcome-driven approach to managing digital risk, performance, and resilience as an integrated system.

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Cyber Resilience Foundation Certification Training

The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system that transforms systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually improve a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

The Assurance Mandate White Paper Series


The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.

The Assurance Mandate Paper explains why traditional GRC artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.

The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.

The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025 All Rights Reserved
