Closing the Loop – From Controls to Assurance Evidence – The Assurance in Action Series – Part 3
David Nichols – Co-Founder and Executive Director of the DVMS Institute
The Problem with Controls
Controls are necessary, but they are not enough. Every manager knows the routine: configure the firewall, update the patching cycle, enforce access restrictions, rehearse an incident response plan. Each measure matters, but none of them, standing alone, demonstrates organizational resilience.
This is the core issue. Controls offer a sense of security. We have something in place. We look good on dashboards, produce reassuring reports, and keep auditors satisfied. But as the last decade has demonstrated, organizations with extensive control catalogs still fail under stress. Controls are fragile. They can be misconfigured, bypassed, ignored, or undermined by siloed practices. Unless the entire system shows evidence of performance under pressure, boards and executives are left guessing: are we resilient? Can we withstand an attack and still maintain our essential operational capabilities?
Boards do not want to be reassured that controls are in place. They want to know whether the organization can continue to create, protect, and deliver value when disruption strikes.
Why Evidence Matters
Here is where the conversation shifts from controls to evidence.
Evidence differs from the reports, lists, and dashboards managers usually provide. These artifacts, such as patch compliance reports, maturity scores, and audit checklists, demonstrate that activity has occurred; however, they do not indicate whether the organization can perform effectively under stress. They offer reassurance, but they don’t provide proof of operational resilience.
Assurance evidence, by contrast, is forward-looking. It demonstrates capability in action, showing whether systems, people, and culture hold up when conditions change. Evidence enables boards to govern with confidence, rather than relying on assumptions.
DVMS and the Evidence Cycle
In Thriving on the Edge of Chaos and the Practitioner’s Guide to Building Cyber-Resilience (Second Edition), the Digital Value Management System® (DVMS) is described as the overlay that connects governance intent, operational workflows, and assurance evidence.
Strategic intent starts as a policy that clearly states goals in outcome-focused terms. A board might declare: “Customer trust must be preserved during disruption.” That statement of intent isn’t a control or a checklist item, but a strategic direction. Management’s role is to transform that intent into capabilities that bring the outcome to life. For instance, incident response isn’t just a plan on paper, but a capability composed of people, processes, and practiced actions. Within this capability, multiple outcomes can be set, including the speed of detection, accuracy of escalation, recovery within a specific threshold, and maintaining stakeholder communication. Each outcome is measurable, both in terms of “fit for purpose” (does it meet governance goals?) and “fit for use” (does it work effectively during rehearsals and real events?).
When managers organize capabilities this way, they create a feedback loop. Metrics such as recovery times, escalation effectiveness, and vendor resilience are reported back to the board, showing not only whether the goal has been met but also where gaps still exist. This data reassures directors that resilience is being put into practice and helps management identify where incremental innovation is needed.
Policy explains the “why,” capabilities show the “how,” and assurance evidence demonstrates the “what.” While frameworks like the NIST Cybersecurity Framework provide a map, the Digital Value Management System ensures the journey actually takes place.
From Reports to Evidence
To clarify this distinction with familiar terms, consider the documents managers typically present today, such as reports, dashboards, maturity scores, and compliance checklists. In this series, we have referred to these as “artifacts,” meaning they document the existence of a control or capability. Artifacts are important because they make governance defensible and establish a baseline for measuring the effectiveness of efforts. However, they are static and retrospective in nature. They cannot predict whether the organization will succeed tomorrow in the face of disruption.
Assurance evidence is dynamic and forward-looking. It shows whether documented controls actually function under pressure. An artifact might say, “We applied patches.” Evidence says, “In our last three incidents, services were restored within governance thresholds, and customer trust was maintained.” The first provides comfort, the second builds confidence.
A Practical Illustration
Take the common directive: “Ensure operational resilience against a ransomware attack.”
In the traditional approach, managers focus on controls: contracts, patching policies, and backup procedures. Dashboards display completed backup jobs, tests performed, and audits that have been passed. To the board, this appears to be progress, but when ransomware strikes, recovery takes days instead of hours, customers lose access, regulators demand answers, and trust is lost.
In contrast, the DVMS approach has managers align the six NIST CSF functions (Govern, Identify, Protect, Detect, Respond, and Recover) with the CPD outcomes of creating, protecting, and delivering value. They rehearse ransomware scenarios, measure recovery times, and assess the effectiveness of escalation. The evidence is clear: in the last three ransomware exercises, services were restored in under three hours, meeting the four-hour governance threshold and demonstrating operational resilience. Customer service was maintained, and stakeholders kept their confidence.
The difference is that the first approach shows activity, while the second proves capability.
CPD as the Organizing Principle
The Create, Protect, and Deliver (CPD) Model redefines how managers approach the NIST CSF. Instead of viewing its six functions as separate silos, CPD integrates them around business value. Create ensures services are designed with resilience in mind. Protect guarantees they are safeguarded through monitoring, security practices, and rehearsals. Deliver ensures continuity and recovery, demonstrating that trust is maintained.
When managers view the NIST CSF through the CPD lens, the functions are no longer seen as separate checkboxes. Instead, they become interconnected building blocks that support resilient capabilities. A “Respond” function, for instance, isn’t just a plan stored away. It’s a rehearsed workflow that shows recovery times and measures the effectiveness of escalation. “Recover” isn’t merely a checklist for restoring data. It serves as proof that services can be brought back within governance-defined thresholds, thus safeguarding customer trust.
QO–QM: Closing the Loop
The Practitioner’s Guide to Building Cyber-Resilience (Second Edition) introduces the QO–QM (Question Outcome–Question Metric) model as a practical way to connect governance intent with operational performance. Strategic intent is expressed as an outcome: the board might set a policy goal such as, “Services must be restored within four hours of disruption.” Managers then translate this into capabilities, such as rehearsed recovery processes, and measure the results against the stated outcome. They might report, “In our last three recovery drills, services were restored in an average of 2.5 hours.”
The difference between outcome and metric becomes the driver of continuous improvement. If the measured results fall short, managers adapt and strengthen capabilities until fit-for-purpose outcomes and metrics that are fit for use converge.
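The following is an added illustration, not code from the DVMS Institute or either book, of how the QO–QM comparison above can be recorded as evidence rather than as a headline number. It assumes hypothetical drill records (constructed here) and a four-hour governance threshold, and it deliberately includes a second data set whose average is also 2.5 hours but which hides one drill that breached the threshold, the kind of gap an average alone would conceal.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Drill:
    """One rehearsed recovery exercise (constructed sample data, not real drill results)."""
    name: str
    restored_hours: float  # elapsed time from simulated disruption to service restoration

@dataclass(frozen=True)
class QoQmResult:
    """Assurance evidence for one outcome: the metric, the threshold, and any gap between them."""
    threshold_hours: float
    average_hours: float
    worst_hours: float
    breaches: tuple            # names of drills that exceeded the governance threshold
    fit_for_purpose: bool      # True only when every drill met the outcome, not just the average
    gap_hours: float           # how far the worst drill overshot the threshold (0.0 if none did)

def evaluate_recovery_outcome(drills, threshold_hours):
    """Compare measured recovery times (the QM) against the board's stated outcome (the QO)."""
    if not drills:
        # An outcome with no metrics behind it is an artifact, not evidence.
        raise ValueError("no drill evidence supplied for this outcome")
    times = [d.restored_hours for d in drills]
    worst = max(times)
    breaches = tuple(d.name for d in drills if d.restored_hours > threshold_hours)
    return QoQmResult(
        threshold_hours=threshold_hours,
        average_hours=mean(times),
        worst_hours=worst,
        breaches=breaches,
        fit_for_purpose=not breaches,
        gap_hours=max(0.0, worst - threshold_hours),
    )

def evidence_statement(result, drill_count):
    """Render the result in the form a manager would report back to the board."""
    if result.fit_for_purpose:
        return (f"In our last {drill_count} recovery drills, services were restored in an average of "
                f"{result.average_hours:.1f} hours (worst case {result.worst_hours:.1f}), "
                f"within the {result.threshold_hours:.0f}-hour governance threshold.")
    return (f"In our last {drill_count} recovery drills, services averaged {result.average_hours:.1f} hours, "
            f"but {', '.join(result.breaches)} exceeded the {result.threshold_hours:.0f}-hour threshold "
            f"by up to {result.gap_hours:.1f} hours; the capability is not yet fit for purpose.")

# Constructed sample sets. Both average 2.5 hours; only the first actually meets the outcome.
ARTICLE_DRILLS = (Drill("drill-1", 2.0), Drill("drill-2", 2.5), Drill("drill-3", 3.0))
MASKED_DRILLS = (Drill("drill-1", 1.0), Drill("drill-2", 1.0), Drill("drill-3", 5.5))
GOVERNANCE_THRESHOLD_HOURS = 4.0  # the board's stated outcome

if __name__ == "__main__":
    for label, drills in (("consistent", ARTICLE_DRILLS), ("masked breach", MASKED_DRILLS)):
        result = evaluate_recovery_outcome(drills, GOVERNANCE_THRESHOLD_HOURS)
        print(f"[{label}] {evidence_statement(result, len(drills))}")
```

The design point is that `fit_for_purpose` is decided by the worst drill, not the average: a board that hears only “2.5 hours on average” cannot tell the two data sets apart, while the per-drill breach list and `gap_hours` give management the specific shortfall to close on the next iteration of the loop.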
As emphasized in Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era, leadership is the art of turning complexity into clarity. When the principles from the book are combined with the practical tools of the Practitioner’s Guide, managers gain both the perspective and the method to transform compliance into assurance. This loop turns intent into evidence, proof of resilience that boards and executives can trust.
The Role of AI and Automation
Historically, managers saw assurance as a burden. Gathering, testing, and reporting evidence of resilience was time-consuming, resource-intensive, and often overlooked. Demonstrating that systems could handle disruptions required drills, manual reports, and extensive documentation. As a result, boards usually relied on static reports and retrospective audits, while managers quietly accepted that showing assurance in real time was too costly to maintain.
That reality is evolving. Progress in automation and artificial intelligence is making assurance possible on a large scale. Automated monitoring now offers continuous visibility over infrastructure, applications, and supply chains. AI-driven simulations can dynamically evaluate resilience scenarios, testing for vulnerabilities in ways that mimic real-world disruptions. Agentic systems automatically log performance results into governance dashboards, narrowing the gap between operations and oversight.
For managers, this does not replace responsibility or human judgment; it enhances their ability to make informed decisions. Instead of chasing reports after the fact, managers can focus on interpreting assurance evidence, improving workflows, and building capabilities. The “burden of assurance” is no longer an excuse; it is becoming part of the routine discipline of digital management.
This shift redefines assurance itself. It is no longer endless paperwork that clutters compliance binders. It is real-time confidence, produced by systems that continually test, measure, and report on resilience. Boards no longer have to ask whether policy intent is being fulfilled; they can see the evidence. Managers no longer struggle to provide proof; they can focus on building stronger capabilities.
The Manager’s Paradigm Shift
For most managers, the traditional approach to governance and resilience has been transactional in nature. The task involved implementing controls, producing reports, and preparing for audits. Activity was equated with progress. A patch applied, a system scanned, or a compliance checklist completed all served as proof of diligence. This worked in a world where disruption was occasional and regulators were satisfied with artifacts of compliance.
But disruption today is constant, and boards no longer accept artifacts as evidence. They require assurance, proof that capabilities can perform under stress and that resilience is embedded into daily operations. This is the core of the manager’s paradigm shift: moving from delivering documentation to building capabilities that inspire confidence.
That shift cannot occur gradually. It requires managers to think in terms of systems. The Create, Protect, Deliver (CPD) Model shifts focus from silos to value. Every capability must help create digital business value, protect it from disruptions, and deliver it reliably.
The Minimum Viable Capabilities (MVC) overlay is how managers implement this approach. By comparing policies and current practices to MVC, managers identify the gaps that weaken resilience. These gaps aren’t fixed with a single project. Instead, they are closed through ongoing capability improvements, step by step, function by function, until the organization can confidently demonstrate that it meets CPD requirements.
The QO–QM (Question Outcome–Question Metric) model, introduced in The Practitioner’s Guide, connects intent to evidence. The board may ask, “Can we restore services within four hours of disruption?” Managers then develop and practice capabilities, measure actual performance, and report, “In our last three recovery drills, services were restored in an average of 2.5 hours.” This cycle turns policies into measurable outcomes and outcomes into assurance.
Of course, the scale of this change can seem daunting. That’s why the DVMS FastTrack® approach is so essential. Instead of asking managers to overhaul every process all at once, FastTrack offers a phased plan. Managers start with the most critical MVCs, develop integrated capabilities around them, and show early signs of resilience. Each stage builds confidence, simplifies complexity, and facilitates the transition from an abstract idea to a tangible journey.
This is what distinguishes old thinking from new. The old approach centered on managing fragments: controls, metrics, and reports. The new strategy emphasizes managing the system, focusing on governance intent, integrated capabilities, and assurance evidence. Managers who adopt this shift not only satisfy executive demands but also become drivers of cultural change, embedding resilience into the core of their organizations.
From Comfort to Confidence
Boards are no longer satisfied with knowing which controls exist. They want proof that those controls perform under stress. For managers, the essential question is this: are you presenting artifacts that document activity, or assurance evidence that demonstrates capability? The first provides comfort. The second builds confidence.
The Assurance Mandate series made the case for moving from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA). Parts 1 and 2 of this series showed how intent must be translated into capabilities and how frameworks like the NIST Cybersecurity Framework can be operationalized through the Digital Value Management System (DVMS). Part 3 closes the loop: managers must ensure every control generates evidence, and every piece of evidence informs governance. Only then does the system move beyond reassurance to deliver absolute confidence.
Looking Ahead
In the following article in the Assurance in Action Series, we will explore culture. Even the best frameworks, systems, and evidence fall short when organizational culture hampers escalation, discourages transparency, or punishes accountability. We will examine how managers can cultivate a culture that fosters resilience rather than eroding it.
About the Author
Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
Digital Value Management System® (DVMS)
An Adaptive, Culture-Powered Overlay System for Unified Governance, Resilience, Assurance, and Accountability
A Digital Value Management System (DVMS) is not another framework, standard, or maturity model. It is a Culture-Powered Governance Overlay System that aligns leadership, operations, and business teams around a single purpose of creating, protecting, and delivering digital value.
Where most organizations struggle with fragmented systems, competing priorities, and siloed accountability, a DVMS introduces a unifying model that connects governance, resilience, assurance, and accountability into one integrated digital value management operating system.
Rather than adding more complexity, a DVMS amplifies the value of existing investments in ITSM, GRC, Cybersecurity, and AI by turning them into a coordinated resilience and assurance engine. It enables leaders to see, in real time, whether the business is working as intended—and whether the risks that matter most are being managed proactively.
At the core of the DVMS is a simple but powerful integration of:
- Governance Intent – shared expectations and accountabilities
- Operational Capability – how the business actually performs
- Assurance Evidence – proof that value is being created and protected
Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:
- A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.
- A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavior patterns that help teams think clearly and act confidently, even under uncertainty. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.
- A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.
DVMS Organizational Benefits
Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes, including cultural ones.
By adopting a DVMS, organizations are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
DVMS Leadership Benefits
The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.
- For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
- For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
- For the CIO, CRO, CISO, and Auditors, the DVMS provides an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.
DVMS White Papers
The three whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.
- The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.
- The Assurance in Action Paper then moves from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.
- The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.
DVMS Cyber Resilience Certified Training Programs
DVMS Cyber Resilience Awareness Training
The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.
DVMS NISTCSF Foundation Certification Training
The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.
DVMS Cyber Resilience Practitioner Certification Training
The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.
This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
Company Brochures and Presentation
Explainer Videos
- DVMS Architecture Video: David Moskowitz explains the DVMS System
- DVMS Case Study Video: Dr. Joseph Baugh Shares His DVMS Story
- DVMS Overlay Model – What is an Overlay Model
- DVMS MVC ZX Model – Powers the CPD
- DVMS CPD Model – Powers DVMS Operations
- DVMS 3D Knowledge Model – Powers the DVMS Culture
- DVMS FastTrack Model – Enables A Phased DVMS Adoption
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
© DVMS Institute 2025 All Rights Reserved