Building a System That Learns – The Discipline of Continual Improvement – The Assurance in Action Series – Part 5

David Nichols – Co-Founder and Executive Director of the DVMS Institute

The Next Frontier of Assurance

Assurance is not a destination; it’s a discipline. Once boards and managers can demonstrate that intent has been translated into capability, that controls produce measurable evidence, and that culture reinforces resilience, the question then becomes: Can the organization learn faster than it changes?

In a digital economy characterized by volatility, uncertainty, complexity, and ambiguity, static resilience is an illusion. Technologies evolve, threats change, and customer expectations shift. What mattered last quarter might be irrelevant today. The real test of assurance is whether an organization’s system of governance, capabilities, and culture can continuously adapt to maintain stakeholder trust and business value under these conditions.

That is the essence of continual improvement.

Why Continual Improvement Matters

Frameworks like the NIST Cybersecurity Framework (NIST CSF) and ISO management systems have long recognized the importance of continuous improvement cycles. However, in many organizations, this idea remains abstract, functioning more as a clause at the end of a document rather than a central part of daily practice.

Managers know the cycle by heart: Plan, Do, Check, Action. Yet in practice, “Check” often means little more than a compliance review, and “Action” becomes another project or policy update. Improvement becomes episodic rather than systemic.

In the Digital Value Management System® (DVMS), ongoing improvement is fundamental. It serves as the core process that sustains the entire assurance system. It guarantees that the organization remains aligned with its governance goals and that each capability progresses in step with the environment in which it operates.

Ongoing improvement, when embedded into the DVMS, transforms governance from a reactive process into a dynamic, adaptive system—one that learns, adjusts, and improves in real time.

The Feedback Engine of DVMS

In Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era, continual improvement is seen as a result of complexity—systems succeed not by being rigid but by being responsive. The DVMS incorporates this responsiveness into its design.

Every DVMS cycle—Create, Protect, Deliver (CPD)—relies on feedback loops. These loops ensure that assurance evidence, operational data, and cultural insights flow upward to governance, where they inform new strategic direction, resource allocation, and policy updates.

1. Create: The organization builds capabilities designed to achieve specific outcomes.
2. Protect: Those capabilities are tested, monitored, and refined to safeguard performance under stress.
3. Deliver: Real-world results provide evidence that value is being sustained—and that evidence becomes input for the next iteration of “Create.”

It is a cycle, not a straight line. Every turn improves both performance and confidence. The DVMS transforms data into knowledge, and knowledge into confidence.

From Event-Driven Improvement to Systemic Learning

Most organizations tend to improve only after experiencing failure. An incident, outage, or audit finding prompts a brief increase in effort, but it typically reverts to previous levels. This type of improvement is event-driven—reactive, short-term, and crisis-dependent.

The DVMS model replaces this with systemic learning. Instead of reacting to disruptions, the organization uses assurance evidence to anticipate issues and continuously refine its approach.

For example:

• If incident rehearsals reveal repeated delays in escalation, the DVMS identifies this as a systemic weakness in “Protect” and “Deliver,” not merely a performance gap. Managers modify roles, thresholds, or tools, and evaluate the improvement in later cycles.
• If supplier continuity metrics indicate declining recovery performance, governance can act proactively, reviewing vendor assurance standards or allocating extra resources before a real incident happens.

Systemic learning is proactive assurance in action. It considers every data point an opportunity to strengthen resilience before disruption tests it.

QO–QM as the Engine of Continual Improvement

The Practitioner’s Guide to Building Cyber-Resilience (Second Edition) describes the QO–QM (Question Outcome–Question Metric) model as the mechanism that connects governance intent with measurable evidence.

In continual improvement, QO–QM becomes the engine that drives adaptive learning.

• Question Outcome (QO): “Can we restore services within four hours of disruption?”
• Question Metric (QM): “Our last three rehearsals achieved an average restoration time of 3.2 hours.”

The difference between these two measures, intent and evidence, is what drives continuous improvement. Managers use this gap to prioritize building skills, refining processes, or retraining teams. Over time, outcomes and metrics align.

Essentially, when the environment changes, such as with the introduction of new technologies, regulations, or threats, the QO–QM model enables the organization to adapt quickly. It prevents complacency by ensuring every metric remains relevant to the business context.

This is how assurance evolves from static reporting into dynamic governance.

The Cultural Prerequisite

Continuous improvement relies on culture. Without psychological safety, near misses go unreported. Without openness, feedback loops are incomplete. Without accountability, lessons are forgotten.

Part 4 of this series defined culture as a measurable skill. Here, culture becomes the foundation for continuous improvement. Managers must make review and adaptation a daily habit, something that occurs openly, without assigning blame.

When a culture values learning as much as success, improvement comes easily. When it doesn’t, confidence turns into ritual.

As Thriving on the Edge of Chaos reminds us, organizations that refuse to learn are not resilient; they are fragile, merely waiting for the next shock to come.

FastTrack: Making Improvement Achievable

For many managers, the concept of ongoing improvement across numerous capabilities can seem overwhelming. The DVMS FastTrack approach was designed to facilitate this transformation without chaos or burnout.

FastTrack structures continual improvement as a phased journey rather than a single leap. Managers begin by identifying critical Minimum Viable Capabilities (MVC) tied to governance outcomes. These form the initial focus of improvement cycles.

1. Phase 1 – Establish Assurance Foundations: Align governance intent, define QO–QM pairs, and map current capabilities.
2. Phase 2 – Surface Gaps and Prioritize Improvements: Use the MVC overlay to identify where resilience is weakest and where incremental gains have the highest value.
3. Phase 3 – Build and Measure: Develop capabilities, capture assurance evidence, and feed results back into governance.
4. Phase 4 – Institutionalize Learning: Embed improvement into regular operating rhythms, linking it with performance management, budgeting, and strategy.

The goal isn’t perfection; it’s velocity. Each iteration gathers evidence, enhances capability, and boosts confidence. FastTrack transforms ongoing improvement from a goal into a practical, measurable practice.

The Manager’s Role

Managers are the key to ongoing improvement. Boards set the vision, but managers maintain the momentum. Their roles go beyond just making changes—they need to make learning a routine. This involves creating teams that can analyze assurance data, conduct effective after-action reviews, and share lessons across departments.

Managers must also allocate time for reflection. In fast-paced digital environments, teams often move quickly from one project to the next without taking the time to review what they have learned. This “velocity trap” weakens resilience. DVMS disciplines—especially QO–QM reporting and CPD-based rehearsals—offer the structure to pause, assess, and adjust intentionally.

Managers who adopt this mindset become drivers of assurance maturity. They move beyond merely ticking compliance checkboxes and start building organizations that think, adapt, and continually improve.

The Executive Imperative

For executives and boards, continual improvement is the key to greater success. It shifts governance from just oversight to proactive foresight. Instead of waiting for quarterly reports, directors can identify trends—how resilience capabilities are developing, how gaps are closing, and where systemic risks are emerging.

This level of visibility raises the board’s role from just assessing performance to actively guiding development. The question is no longer “Are we compliant?” but “Are we learning quickly enough to remain resilient?”

In the DVMS model, continuous improvement is more than a management practice—it is a fiduciary duty. The capacity to learn under pressure now influences enterprise value.

Resilience Through Learning

Resilience isn’t built by just surviving disruption; it’s built by learning from it. Every incident, rehearsal, and near-miss offers data that enhances the organization’s ability to anticipate, respond, and adapt. In this way, continuous improvement isn’t just a management practice—it’s the process that makes resilience real.

The DVMS provides the architecture that turns learning into capability. Each cycle of Create, Protect, and Deliver transforms operational experience into evidence of assurance. That evidence, in turn, informs governance, guiding new policies, better priorities, and smarter investments. Over time, this feedback loop embeds learning into the structure of decision-making itself.

Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era describes this as the hallmark of a learning organization, one that grows stronger not because disruption disappears, but because its systems are designed to evolve through adaptation. When organizations adopt the DVMS approach, they stop treating resilience as a goal to be achieved and begin managing it as a capability to be continually refined.

From Comfort to Confidence

Boards no longer need to depend on snapshots of compliance. They can observe resilience develop through evidence. Managers no longer need to justify why assurance is hard—they can demonstrate that it is ongoing.

The Assurance Mandate whitepaper argued for shifting from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA). Parts 1 through 4 established the framework, encompassing intent, capability, evidence, and culture.

Part 5 closes the circle: assurance is not static. It learns. It evolves. It strengthens.

The first provides comfort. The second builds confidence. The fifth ensures that confidence lasts.

Looking Ahead

In the next article of the Assurance in Action Series, we will examine adaptive assurance—how real-time data, agentic AI systems, and predictive analytics are coming together to make dynamic assurance not only possible but also inevitable.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

DVMS Cyber Resilience Professional Accredited Certification Training

Teaching Enterprises How to Govern, Assure, and Account for Operational Resilience in Living Digital Ecosystems

Moving From Paper to Practice-Based Operational Resilience 

Explainer Video – Governing By  Assurance

Despite an abundance of frameworks, metrics, and dashboards, many leaders still lack a clear line of sight into how their digital value streams perform when conditions deteriorate.

Strategic intent, organizational structures, and day-to-day behaviors are evaluated separately, producing static snapshots that fail to reveal how decisions, dependencies, and human actions interact within a dynamic digital system.

The result is governance that appears comprehensive in documentation yet proves fragile under pressure, leaving leaders to reconcile disconnected controls rather than systematically strengthen operational resilience.

What is needed is a framework-agnostic operating overlay that enables operational resilience to be governed, assured, and accounted for coherently across complex, living digital ecosystems.

DVMS Institute White Papers – The Assurance Mandate Series

Explainer Video –  From Compliance Rituals to Evidence-Based Resilience  

The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.

The Assurance Mandate Paper explains why traditional compliance artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.

The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.

The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.

The Digital Value Management System® (DVMS)

Explainer Video – What is a Digital Value Management System (DVMS)

The DVMS is an overlay management system that governs, assures, and accounts for operational resilience in complex, living digital ecosystems. It does so by ensuring living-system outcomes account for paper-system intent.

At its core, the DVMS is a simple but powerful integration of:

• Governance Intent – shared expectations and accountabilities
• Operational Capabilities – how the digital business performs
• Assurance Evidence – proof that outcomes are achieved and accountable
• Cultural Learning – for governance intent and operational capability fine-tuning

Underpinning this integration are three distinctive DVMS models

Create, Protect, and Deliver (CPD) – The CPD Model™ is a systems-based model within the DVMS that links strategy-risk and governance to execution to create, protect, and deliver digital business value as an integrated, continuously adaptive capability.

3D Knowledge (3DK) – The 3D Knowledge Model is a systems-thinking framework that maps team knowledge over time (past, present, future), cross-team collaboration, and alignment to strategic intent to ensure that organizational behavior, learning, and execution remain integrated and adaptive in delivering digital business value.

Minimum Viable Capabilities (MVC) – The Minimum Viable Capabilities (MVCs) model supports the seven essential, system-level organizational capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate—required to reliably create, protect, and deliver digital business value in alignment with strategy-risk intent.

The models work together to enable the following organizational capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Benefits – Organizational and Leadership

Explainer Video – DVMS Organization and Leadership Benefits

Organizational Benefits

Instead of replacing existing operational frameworks and platforms, the DVMS elevates them, connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, enterprises are positioned to:

• Maintain Operational Stability Amidst Constant Digital Disruption
• Deliver Digital Value and Trust Across A Digital Ecosystem
• Satisfy Critical Regulatory and Certification Requirements
• Leverage Cyber Resilience as a Competitive Advantage

Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors, an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

DVMS – Accredited Certification Training Program

Explainer Video – The DVMS Training Pathway to Cyber Resilience

The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to integrate fragmented systems into a unified, culture-driven governance and assurance system that accounts for the resilience of digital value within a living digital ecosystem.

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

DVMS NISTCSF Cyber Resilience Foundation Certification Training

The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

A FastTrack Approach to Launching Your DVMS Program

Explainer Video – Scaling a DVMS Program

 The DVMS FastTrack approach is a phased, iterative approach that helps organizations mature their DVMS over time, rather than trying to do everything simultaneously.

This approach breaks the DVMS journey into manageable phases of success. It all starts with selecting the first digital service you want to make cyber resilient. Once that service becomes resilient, it becomes the blueprint for operationalizing cyber resilience across the enterprise and its supply chain.

Company Brochures and Presentation

• DVMS Briefing Paper
• DVMS Company Brochure
• DVMS Product Brochure
• DVMS Company Presentation

Explainer Videos

• DVMS Architecture Video: David Moskowitz explains the DVMS System
• DVMS Case Study Video: Dr. Joseph Baugh Shares His DVMS Story.
• DVMS Overlay Model – What is an Overlay Model
• DVMS MVC ZX Model – Powers the CPD
• DVMS CPD Model – Powers  DVMS Operations
• DVMS 3D Knowledge Model – Powers the DVMS Culture
• DVMS FastTrack Model – Enables A Phased DVMS Adoption

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved