How the DVMS Builds a Governance Overlay that Unifies Strategy, Assurance, and Operations


Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Introduction: Governance as the Integrative Fabric

In the digital era, governance cannot be confined to oversight or compliance—it must be a dynamic overlay that unifies strategy, assurance, and operations. The Digital Value Management System® (DVMS) achieves this by constructing a governance overlay—a holistic, adaptive system that embeds governance into every layer of organizational behavior. This overlay aligns strategic intent with operational reality, utilizing assurance as the connective tissue that validates and reinforces trust and accountability across the enterprise. Drawing on the NIST Cybersecurity Framework (CSF) 2.0, the DVMS Institute’s frameworks, and systems thinking principles, the DVMS redefines governance as a continuous learning and assurance system designed to drive resilient, compliant, and trusted digital business outcomes.

The NIST-CSF 2.0 Foundation for Governance Integration

NIST’s CSF 2.0 introduced a sixth core function—Govern (GV)—positioning governance as the centerpiece of cybersecurity and enterprise risk management. This function establishes the organization’s cybersecurity risk management strategy, expectations, and policies, which inform and prioritize all other functions—Identify, Protect, Detect, Respond, and Recover. By emphasizing governance as the foundation of the framework, NIST reframes cybersecurity as a strategic governance issue rather than a purely technical one. The DVMS builds directly on this concept, using governance not as a department or process, but as an overlay that integrates strategic direction, operational control, and assurance mechanisms across all domains of the enterprise.

This governance overlay provides a mechanism for aligning mission, stakeholder expectations, and organizational risk appetite with operational execution. In doing so, it enables organizations to achieve what NIST calls enterprise-wide cybersecurity risk governance—the ability to consistently apply strategic intent to the protection, detection, and recovery of digital assets in a risk-informed and outcome-focused manner.

The DVMS Overlay: From Framework to System of Systems

The DVMS does not replace frameworks like ITSM, GRC, NIST-CSF, ISO 27001, or COBIT. Instead, it acts as an overlay system—a systems-based architecture that unifies the activities of governance, assurance, and operations into a coherent, adaptive model. This overlay recognizes that organizations are complex adaptive systems (CAS) composed of interconnected sub-systems—strategic, cultural, operational, and technological—that must function in harmony to create and protect digital business value.

The overlay operates through seven minimum viable capabilities (MVCs)—Govern, Assure, Plan, Design, Change, Execute, and Innovate. Each of these capabilities represents a structural pillar of the governance system:

  • Govern establishes strategic direction, policies, and risk appetite.
  • Assure validates that actions conform to governance principles and performance expectations.
  • Plan translates governance intent into actionable objectives.
  • Design operationalizes strategies through processes and systems.
  • Change enables adaptability and learning.
  • Execute delivers outcomes while ensuring compliance with governance constraints.
  • Innovate drives continual improvement and cultural evolution.

Together, these capabilities ensure that governance is not static oversight but a living architecture—responsive to feedback, measurable through assurance, and continuously aligned with operational outcomes.

Unifying Strategy and Risk: The Strategy-Risk Construct

The DVMS introduces the concept of strategy-risk, a construct that treats strategic intent and risk management as inseparable aspects of decision-making. Traditional governance often separates strategic planning from risk assessment, leading to fragmentation between what leaders intend and what operations deliver. By contrast, the DVMS governance overlay integrates these two dimensions into a unified loop—ensuring that every strategic decision is risk-informed and every risk control supports strategic outcomes.

This integration occurs through the DVMS Create, Protect, and Deliver (CPD) Model, which connects strategy and governance with execution to ensure digital value is both created and protected concurrently. The DVMS CPD Model reinforces the principle that “unprotected value has no value”—linking the act of value creation to its assurance and protection within a continuous governance loop.

Assurance as the Bridge Between Governance and Operations

In the DVMS, assurance plays the pivotal role of bridging strategy and execution. While governance defines expectations and operations execute them, assurance continuously verifies alignment and effectiveness. It ensures that “the organization does the right things, the right way, within defined tolerances”.

The Govern–Assure loop forms the backbone of quality management in the DVMS. It measures conformance, validates performance, and provides evidence-based feedback to governance functions. This assurance is not limited to audits—it includes adaptive monitoring, cultural assessment, and continuous validation of system behaviors against strategic intent. Through mechanisms like the Goal-Question-Metric (GQM) and Question-Outcome–Question-Metric (QO–QM) approaches, the DVMS transforms assurance from periodic inspection into real-time learning and adaptation.

Assurance, in this context, becomes the governance nervous system—sensing changes, evaluating alignment, and triggering corrective or innovative responses across the organization.

Operationalizing Governance Through the MVC and FastTrack Phases

Operationally, the DVMS governance overlay is implemented through its FastTrack™ phased approach—Initiate, Basic Hygiene, Expand, and Innovate. These phases align directly with NIST-CSF’s tiered approach (Partial, Risk-Informed, Repeatable, Adaptive). This alignment ensures that governance maturity grows in parallel with operational capability and assurance rigor.

  • Initiate: Establish governance and assurance baselines; define policies, roles, and risk appetite.
  • Basic Hygiene: Stabilize operations and integrate assurance into daily workflows.
  • Expand: Broaden governance coverage across supply chains, third parties, and digital ecosystems.
  • Innovate: Embed governance into organizational culture, enabling continuous adaptation and innovation.

Each phase strengthens the interdependence of strategic governance, assurance verification, and operational execution, enabling governance to evolve in tandem with the enterprise.

Culture and Systems Thinking: The Human Dimension of Governance

The DVMS treats culture not as an afterthought but as an integral governance component. Culture defines how governance is interpreted and enacted within operations. The DVMS governance overlay incorporates systems thinking to make culture observable and measurable, recognizing that behavior, structure, and mental models are interlinked.

Through the Cultural Web and 3D Knowledge Model, leaders can visualize how governance expectations cascade through structure, processes, and social norms. This ensures that governance decisions are informed by fundamental organizational dynamics, not merely policy. Culture, therefore, becomes both a risk vector and a governance lever—capable of accelerating adaptation or impeding it depending on how well it is aligned and reinforced.

Continuous Feedback: Governance as a Learning System

Unlike static governance frameworks, the DVMS governance overlay functions as a learning system. Using the Governance–Execution loop, it continuously collects data from operational activities, assurance findings, and stakeholder interactions. These insights inform governance adjustments, strategic recalibration, and cultural interventions. This cyclical model reflects the CSF’s emphasis on continuous improvement through Profiles and Tiers, where organizations evolve from ad hoc governance to adaptive, risk-informed decision-making.

By embedding feedback loops into governance, the DVMS transforms compliance-driven oversight into a dynamic system of learning and assurance—capable of detecting weak signals, responding to disruptions, and evolving through experience.

Conclusion: Governance as the Engine of Resilient Performance

The DVMS builds a Governance Overlay that unifies strategy, assurance, and operations into an integrated ecosystem of confidence. It aligns with the NIST-CSF 2.0’s central Govern function and extends it into a full-spectrum system of systems. Through the integration of the MVC capabilities, the CPD Model, and the strategy-risk construct, the DVMS governance overlay ensures that every strategic decision, assurance activity, and operational process contributes coherently to resilient, compliant, and trusted digital outcomes.

In essence, the DVMS transforms governance from a supervisory mechanism into the engine of digital value assurance. It operationalizes strategy, validates assurance, and harmonizes operations—creating a culture of continuous learning and accountability. In a world where uncertainty is the only constant, this governance overlay provides what every digital enterprise needs most: a unified, adaptive system of trust.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

Cyber Resilience Certified Training Solutions

The DVMS Institute’s Cyber Resilience Accredited Publications and Certified Training Courses teach organizations how to transform Fragmented Frameworks or Standards, such as NIST, ITSM, GRC, and ISO, from static, siloed, compliance-driven best practices into a unified, adaptive, culture-driven Digital Value Management System® (DVMS) capable of ensuring Resilient, Compliant, and Trusted digital outcomes.

The DVMS, through its MVC, CPD, 3D Knowledge, and FastTrack Models, offers organizations a structured pathway for integrating governance intent, operational execution, and assurance evidence, enabling them to demonstrate measurable resilience, regulatory alignment, and stakeholder confidence in a rapidly evolving digital landscape.

Together, the DVMS models enable organizations to:

DVMS Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness training provides all employees with a comprehensive understanding of the fundamentals of digital business, its associated risks, the NISTCSF, and their role in protecting organizational digital value. This investment fosters a culture that is prepared to transform systemic cyber risks into operational resilience.

NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course provides ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role as an integrated, adaptive, and culture-driven governance and assurance management system that drives resilient, compliant, and trusted digital outcomes.

DVMS Practitioner Certification Training

The Digital Value Management System® (DVMS) Practitioner certification training course provides ITSM, GRC, Cybersecurity, and Business professionals a detailed understanding of how to transform systemic cyber risk into operational resilience by uniting Fragmented Frameworks and Standards, such as NIST, ITSM, GRC, and ISO, into a holistic, adaptive, and culture-driven Governance, Assurance, and Accountability overlay system that keeps your digital business resilient, no matter the disruption.

DVMS White Papers

The DVMS doesn’t replace existing frameworks—it connects, contextualizes, and amplifies them, transforming compliance requirements into actionable intelligence that drives and ensures sustained digital operations and performance.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, the DVMS provides a structured way to align technology investments and operations with measurable business outcomes.

For the CRO, the DVMS provides a way to embed risk and resilience directly into operational processes, turning risk management into a driver of performance and adaptability.

For the CISO, the DVMS provides a continuous assurance mechanism that demonstrates cyber resilience and digital trust across the enterprise and its supply chain.

For Internal and External Auditors, the DVMS provides verifiable proof that the enterprise can maintain operational continuity under stress.


Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved
