Operationalizing NIST CSF Through DVMS – The Assurance in Action Series – Part 3


Closing the Loop – From Controls to Assurance Evidence– The Assurance in Action Series – Part 3

David Nichols – Co-Founder and Executive Director of the DVMS Institute

The Problem with Controls

Controls are necessary, but they are not enough. Every manager knows the routine: configure the firewall, update the patching cycle, enforce access restrictions, rehearse an incident response plan. Each measure matters, but none of them, standing alone, demonstrates organizational resilience.

This is the core issue. Controls offer a sense of security. We have something in place. We look good on dashboards, produce reassuring reports, and keep auditors satisfied. But as the last decade has demonstrated, organizations with extensive control catalogs still fail under stress. Controls are fragile. They can be misconfigured, bypassed, ignored, or undermined by siloed practices. Unless the entire system shows evidence of performance under pressure, boards and executives are left guessing: are we resilient? Can we withstand an attack and maintain our essential operational capabilities?

Boards do not want to be reassured that controls are in place. They want to know whether the organization can continue to create, protect, and deliver value when disruption strikes.

Why Evidence Matters

Here is where the conversation shifts from controls to evidence.

Evidence differs from the reports, lists, and dashboards managers usually provide. These artifacts, such as patch compliance reports, maturity scores, and audit checklists, demonstrate that activity has occurred; however, they do not indicate whether the organization can perform effectively under stress. They offer reassurance, but they don’t provide proof of operational resilience.

Assurance evidence, by contrast, is forward-looking. It demonstrates capability in action, showing whether systems, people, and culture hold up when conditions change. Evidence enables boards to govern with confidence, rather than relying on assumptions.

DVMS and the Evidence Cycle

In Thriving on the Edge of Chaos and the Practitioner’s Guide to Building Cyber-Resilience (Second Edition), the Digital Value Management System® (DVMS) is described as the overlay that connects governance intent, operational workflows, and assurance evidence.

Strategic intent starts as a policy that clearly states goals in outcome-focused terms. A board might declare: “Customer trust must be preserved during disruption.” That statement of intent isn’t a control or a checklist item, but a strategic direction. Management’s role is to transform that intent into capabilities that bring the outcome to life. For instance, incident response isn’t just a plan on paper, but a capability comprised of people, processes, and practiced actions. Within this capability, multiple outcomes can be set, including the speed of detection, accuracy of escalation, recovery within a specific threshold, and maintaining stakeholder communication. Each outcome is measurable, both in terms of “fit for purpose” (does it meet governance goals?) and “fit for use” (does it work effectively during rehearsals and real events?).

When managers organize capabilities this way, they create a feedback loop. Metrics such as recovery times, escalation effectiveness, and vendor resilience are reported back to the board, showing not only whether the goal has been met but also where gaps still exist. This data reassures directors that resilience is being put into practice and helps management identify where incremental innovation is needed.

Policy explains the “why,” capabilities show the “how,” and assurance evidence demonstrates the “what.” While frameworks like the NIST Cybersecurity Framework provide a map, the Digital Value Management System ensures the journey actually takes place.

From Reports to Evidence

To clarify this distinction with familiar terms, consider the documents managers typically present today, such as reports, dashboards, maturity scores, and compliance checklists. In this series, we have referred to these as “artifacts,” meaning they document the existence of a control or capability. Artifacts are important because they make governance defensible and establish a baseline for measuring the effectiveness of efforts. However, they are static and retrospective in nature. They cannot predict whether the organization will succeed tomorrow in the face of disruption.

Assurance evidence is dynamic and forward-looking. It shows whether documented controls actually function under pressure. An artifact might say, “We applied patches.” Evidence says, “In our last three incidents, services were restored within governance thresholds, and customer trust was maintained.” The first provides comfort, the second builds confidence.

A Practical Illustration

Take the common directive: “Ensure operational resilience against a ransomware attack.”

In the traditional approach, managers focus on controls: contracts, patching policies, and backup procedures. Dashboards display completed backup jobs, tests performed, and audits that have been passed. To the board, this appears to be progress, but when ransomware strikes, recovery takes days instead of hours, customers lose access, regulators demand answers, and trust is lost.

In contrast, the DVMS approach has managers align the six NIST CSF functions (Govern, Identify, Protect, Detect, Respond, and Recover) with the CPD outcomes of creating, protecting, and delivering value. They rehearse ransomware scenarios, measure recovery times, and assess the effectiveness of escalation. The evidence is clear: in the last three ransomware exercises, services were restored in under three hours, within the four-hour governance threshold, demonstrating operational resilience. Customer service was maintained, and stakeholders kept their confidence.

The difference is that the first approach shows activity, while the second proves capability.

CPD as the Organizing Principle

The Create, Protect, and Deliver (CPD) Model redefines how managers approach the NIST CSF. Instead of viewing its six functions in isolation, CPD integrates them around business value. Create ensures services are designed with resilience in mind. Protect guarantees they are safeguarded through monitoring, security practices, and rehearsals. Deliver ensures continuity and recovery, demonstrating that trust is maintained.

When managers view the NIST CSF through the CPD lens, the functions are no longer seen as separate checkboxes. Instead, they become interconnected building blocks that support resilient capabilities. A “Respond” function, for instance, isn’t just a plan stored away. It’s a rehearsed workflow that shows recovery times and measures the effectiveness of escalation. “Recover” isn’t merely a checklist for restoring data. It serves as proof that services can be brought back within governance-defined thresholds, thus safeguarding customer trust.

QO–QM: Closing the Loop

The Practitioner’s Guide to Building Cyber-Resilience (Second Edition) introduces the QO–QM (Question Outcome–Question Metric) model as a practical way to connect governance intent with operational performance. Strategic intent is expressed as an outcome: the board might set a policy goal such as, “Services must be restored within four hours of disruption.” Managers then translate this into capabilities, such as rehearsed recovery processes, and measure the results against the stated outcome. They might report, “In our last three recovery drills, services were restored in an average of 2.5 hours.”

The difference between outcome and metric becomes the driver of continuous improvement. If the measured results fall short, managers adapt and strengthen capabilities until fit-for-purpose outcomes and metrics that are fit for use converge.

As emphasized in Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era, leadership is the art of turning complexity into clarity. When the principles from the book are combined with the practical tools of the Practitioner’s Guide, managers gain both the perspective and the method to transform compliance into assurance. This loop turns intent into evidence, proof of resilience that boards and executives can trust.

The Role of AI and Automation

Historically, managers saw assurance as a burden. Gathering, testing, and reporting evidence of resilience was time-consuming, resource-intensive, and often overlooked. Demonstrating that systems could handle disruptions required drills, manual reports, and extensive documentation. As a result, boards usually relied on static reports and retrospective audits, while managers quietly accepted that showing assurance in real time was too costly to maintain.

That reality is evolving. Progress in automation and artificial intelligence is making assurance possible on a large scale. Automated monitoring now offers continuous visibility over infrastructure, applications, and supply chains. AI-driven simulations can dynamically evaluate resilience scenarios, testing for vulnerabilities in ways that mimic real-world disruptions. Agentic systems automatically log performance results into governance dashboards, narrowing the gap between operations and oversight.

For managers, this does not replace responsibility or human judgment; it enhances their ability to make informed decisions. Instead of chasing reports after the fact, managers can focus on interpreting assurance evidence, improving workflows, and building capabilities. The “burden of assurance” is no longer an excuse; it is becoming part of the routine discipline of digital management.

This shift redefines assurance itself. It is no longer endless paperwork that clutters compliance binders. It is real-time confidence, produced by systems that continually test, measure, and report on resilience. Boards no longer have to ask whether policy intent is being fulfilled; they can see the evidence. Managers no longer struggle to provide proof; they can focus on building stronger capabilities.

The Manager’s Paradigm Shift

For most managers, the traditional approach to governance and resilience has been transactional in nature. The task involved implementing controls, producing reports, and preparing for audits. Activity was equated with progress. A patch applied, a system scanned, or a compliance checklist completed all served as proof of diligence. This worked in a world where disruption was occasional and regulators were satisfied with artifacts of compliance.

But disruption today is constant, and boards no longer accept artifacts as evidence. They require assurance, proof that capabilities can perform under stress and that resilience is embedded into daily operations. This is the core of the manager’s paradigm shift: moving from delivering documentation to building capabilities that inspire confidence.

That shift cannot occur gradually. It requires managers to think in terms of systems. The Create, Protect, Deliver (CPD) Model shifts focus from silos to value. Every capability must help create digital business value, protect it from disruptions, and deliver it reliably.

The Minimum Viable Capabilities (MVC) overlay is how managers implement this approach. By comparing policies and current practices to MVC, managers identify the gaps that weaken resilience. These gaps aren’t fixed with a single project. Instead, they are closed through ongoing capability improvements, step by step, function by function, until the organization can confidently demonstrate that it meets CPD requirements.

The QO–QM (Question Outcome–Question Metric) model, introduced in The Practitioner’s Guide, connects intent to evidence. The board may ask, “Can we restore services within four hours of disruption?” Managers then develop and practice capabilities, measure actual performance, and report, “In our last three recovery drills, services were restored in an average of 2.5 hours.” This cycle turns policies into measurable outcomes and outcomes into assurance.
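The QO–QM loop described here and in the earlier “QO–QM: Closing the Loop” section can be made concrete in code. The following is an added example, not DVMS Institute code: it takes a handful of recovery-drill records (constructed sample data, not figures from the article), measures them against the four-hour governance outcome, and produces either the board-level evidence statement or a gap list. The field names (`restore_hours`, `escalation_ok`, `comms_ok`) and the `DrillRecord` type are assumptions chosen for illustration.

```python
"""QO-QM evidence check: compare measured recovery drills against a
governance outcome threshold (added example; not DVMS Institute code)."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DrillRecord:
    name: str
    restore_hours: float   # measured time to restore service in the drill
    escalation_ok: bool    # escalation reached the right people in time
    comms_ok: bool         # stakeholder communication was maintained


# The Question Outcome set by governance: services restored within 4 hours.
GOVERNANCE_THRESHOLD_HOURS = 4.0

# Constructed sample drills (hypothetical values, not from the article).
SAMPLE_DRILLS = [
    DrillRecord("ransomware-drill-1", 2.0, True, True),
    DrillRecord("ransomware-drill-2", 3.0, True, True),
    DrillRecord("ransomware-drill-3", 2.5, True, False),
]


def evaluate_qo_qm(drills, threshold_hours=GOVERNANCE_THRESHOLD_HOURS):
    """Return the Question Metric view of a set of drills.

    fit_for_purpose: every drill restored within the governance threshold.
      An average under threshold is deliberately not enough: a 6-hour drill
      hidden behind a 2.5-hour average is a gap, not evidence.
    fit_for_use: escalation and communication worked in every rehearsal.
    gaps: named shortfalls to close before assurance is reported.
    """
    if not drills:
        raise ValueError("no drill records: activity without evidence")
    avg = mean(d.restore_hours for d in drills)
    worst = max(d.restore_hours for d in drills)
    gaps = []
    for d in drills:
        if d.restore_hours > threshold_hours:
            gaps.append(f"{d.name}: restored in {d.restore_hours}h, "
                        f"threshold {threshold_hours}h")
        if not d.escalation_ok:
            gaps.append(f"{d.name}: escalation did not work as rehearsed")
        if not d.comms_ok:
            gaps.append(f"{d.name}: stakeholder communication not maintained")
    return {
        "drills": len(drills),
        "average_hours": round(avg, 2),
        "worst_hours": worst,
        "fit_for_purpose": worst <= threshold_hours,
        "fit_for_use": all(d.escalation_ok and d.comms_ok for d in drills),
        "gaps": gaps,
    }


def evidence_statement(result, threshold_hours=GOVERNANCE_THRESHOLD_HOURS):
    """Turn the metric into the sentence a board can act on."""
    if result["fit_for_purpose"] and result["fit_for_use"]:
        return (f"In our last {result['drills']} recovery drills, services were "
                f"restored in an average of {result['average_hours']} hours "
                f"(worst {result['worst_hours']}h), within the "
                f"{threshold_hours}-hour governance threshold.")
    return (f"Assurance not yet demonstrated: {len(result['gaps'])} gap(s) "
            f"across {result['drills']} drills.")


if __name__ == "__main__":
    report = evaluate_qo_qm(SAMPLE_DRILLS)
    print(evidence_statement(report))
    for gap in report["gaps"]:
        print(" -", gap)
```

Run as written, the sample set passes the recovery threshold but fails fit-for-use because one drill lost stakeholder communication, so the script reports a gap rather than the evidence sentence. The design choice worth noting is that fit-for-purpose is judged on the worst drill, not the average: an average alone is exactly the kind of reassuring artifact the article warns against.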

Of course, the scale of this change can seem daunting. That’s why the DVMS FastTrack® approach is so essential. Instead of asking managers to overhaul every process all at once, FastTrack offers a phased plan. Managers start with the most critical MVCs, develop integrated capabilities around them, and show early signs of resilience. Each stage builds confidence, simplifies complexity, and facilitates the transition from an abstract idea to a tangible journey.

This is what distinguishes old thinking from new. The old approach centered on managing fragments: controls, metrics, and reports. The new strategy emphasizes managing the system, focusing on governance intent, integrated capabilities, and assurance evidence. Managers who adopt this shift not only satisfy executive demands but also become drivers of cultural change, embedding resilience into the core of their organizations.

From Comfort to Confidence

Boards are no longer satisfied with knowing which controls exist. They want proof that those controls perform under stress. For managers, the essential question is this: are you presenting artifacts that document activity, or assurance evidence that demonstrates capability? The first provides comfort. The second builds confidence.

The Assurance Mandate series made the case for moving from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA). Parts 1 and 2 of this series showed how intent must be translated into capabilities and how frameworks like the NIST Cybersecurity Framework can be operationalized through the Digital Value Management System (DVMS). Part 3 closes the loop: managers must ensure every control generates evidence, and every piece of evidence informs governance. Only then does the system move beyond reassurance to deliver absolute confidence.

Looking Ahead

In the following article in the Assurance in Action Series, we will explore culture. Even the best frameworks, systems, and evidence fall short when organizational culture hampers escalation, discourages transparency, or punishes accountability. We will examine how managers can cultivate a culture that fosters resilience rather than eroding it.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

DVMS Institute®

NIST Cybersecurity Framework (NISTCSF) Cyber Resilience Certified Training Solutions

The DVMS Institute teaches organizations how to transform the NIST Cybersecurity Framework (or any other framework) from a static, siloed, compliance-driven framework into an adaptive, culture-driven DVMS Governance, Resilience, and Assurance System capable of ensuring resilient, compliant, and trusted digital business outcomes.

The Institute’s Accredited Publications and Certified Training Courses offer a structured pathway for mastering the integration of governance intent, operational execution, and assurance evidence, enabling organizations to demonstrate measurable resilience, regulatory alignment, and stakeholder confidence in a rapidly evolving digital landscape.

Download our Executive White Paper – The Assurance Mandate – Moving Beyond GRC to Evidence-Based Operational Resilience

Digital Value Management System® (DVMS)

Digital Value Management System (DVMS) transforms systemic cyber risk into operational resilience by uniting Fragmented Frameworks and Standards, such as NIST, ITSM, GRC, and ISO, into a holistic, adaptive, and culture-driven Governance, Resilience, and Assurance (GRA) overlay system that keeps your digital business running, no matter the disruption.

The DVMS doesn’t replace existing frameworks—it connects, contextualizes, and amplifies them, transforming compliance requirements into actionable intelligence that drives and ensures sustained digital operations and performance.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, the DVMS provides a structured way to align technology investments and operations with measurable business outcomes.

For the CRO, the DVMS provides a way to embed risk and resilience directly into operational processes, turning risk management into a driver of performance and adaptability.

For the CISO, the DVMS provides a continuous assurance mechanism that demonstrates cyber resilience and digital trust across the enterprise and its supply chain.

For Internal and External Auditors, the DVMS provides verifiable proof that the enterprise can maintain operational continuity under stress.


Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025. All Rights Reserved.
