From Intent to Action – Turning Strategy into Daily Decisions – The Assurance in Action Series – Part 1

David Nichols – Co-Founder and Executive Director of the DVMS Institute

The Mandate for Managers

Resilience is no longer optional. For boards today, it is a clear expectation and, increasingly, a fiduciary obligation. Directors put it plainly: “We must ensure operational resilience to protect stakeholder trust.” That intent becomes the guiding principle for governance.

Executives turn this intent into policies. They create continuity plans, establish statements of cyber risk tolerance, publish vendor dependency guidelines, and set escalation procedures. On paper, it appears to be leadership in action. However, policies, no matter how well written, are not the same as capabilities.

This is where managers step in. They serve as the critical translation layer. Their role is to convert executive intent into integrated, non-siloed capabilities that can endure disruption. More importantly, those capabilities must produce assurance evidence that proves resilience in practice.

The Assurance Mandate Series argued that executives need to go beyond appearances and require evidence to support their decisions. Now, the emphasis shifts. If boards and executives are to govern through assurance, then managers must provide it.

I saw this translation problem firsthand when a CEO once told me, ‘Go implement client-server.’ It was a directive without clarity of intent. Only by reframing the conversation around strategic outcomes could we design the right capabilities.

The Disconnect in Practice

In most organizations, managers inherit siloed directives by function. Cybersecurity leaders respond by tightening controls and strengthening defenses. IT managers focus on uptime, SLAs, and efficiency. Compliance teams prepare for the next audit and update the risk register. Each group believes it is fulfilling the policy’s intent.

Yet, what they are building are fragments, not full capabilities. And when disruption occurs, the cracks become clear.

The 2017 Equifax breach offers a clear example. The board prioritized protecting consumer trust. The company had established frameworks, passed its audits, and obtained industry certifications. However, siloed practices resulted in a crucial patch remaining unimplemented. When attackers exploited this vulnerability, over 140 million consumer records were compromised. Policies were in place and frameworks adopted, but essential capabilities were missing.

The 2021 Colonial Pipeline ransomware attack followed a similar pattern. Leadership emphasized continuity of operations, but cyber was still treated as “IT’s problem.” When ransomware struck, technical controls were in place, but there was no integrated ability to keep services running. A regional outage turned into a national crisis.

In 2024, Snowflake’s breach revealed another aspect of this gap. Customers believed their resilience was assured because the platform held certifications and followed industry frameworks. However, when attackers exploited misconfigurations in more than 160 customer environments, the organization was unable to prevent a widespread loss of trust. Compliance had been met. Resilience had not.

In each case, boards had set a clear intent. Executives had written policies. But the translation into non-siloed capabilities never happened.

That conversation with our CEO forced us to confront the difference between slogans and strategy. Once we clarified intent, we were able to build a capability that delivered value to both distributors and customers.

The CPD Model as Scaffolding

This is where the Create, Protect, Deliver (CPD) Model provides managers with essential scaffolding from which to operationalize Minimum Viable Capabilities (MVC).

As described in our books, Thriving on the Edge of Chaos and the Practitioner’s Guide to Building Cyber-Resilience (Second Edition), CPD redefines resilience as the ability to simultaneously generate digital business value, protect that value from threats and disruptions, and deliver it reliably to stakeholders. It is not a strict checklist. It does not prescribe controls or maturity levels. Instead, it provides a conceptual scaffolding that aligns every activity with the ultimate goal: stakeholder trust.

For managers, CPD is not just an abstract concept; it is a vital component of professional development. It serves as the perspective through which executive policies are understood and translated into operational terms. When boards state, “We must protect customer trust during disruption,” CPD offers the framework for managers to ask: What does this mean for how we design services (or create them)? How do we safeguard them (protect)? And how do we ensure continuity of delivery (deliver)?

But scaffolding alone does not create the structure. Managers need a practical way to turn policy into capabilities. This is where the Minimum Viable Capabilities (MVC) overlay comes into play. MVC acts like a diagnostic tool. By comparing current practices to MVC, managers identify the gaps that prevent the organization from reaching true resilience.

This process is not a one-time overhaul; it is an ongoing process. It is a cycle of incremental innovation. Each identified gap—whether in vendor continuity planning, cross-functional escalation, or incident rehearsal—becomes an opportunity to strengthen capabilities. Over time, these small, systemic improvements compound into demonstrable resilience.

From Policy to Capability

Turning executive policy into capability is not a straightforward process. Managers must adopt a discipline that closes the loop between intent and evidence.

It begins with clarifying intent. A board might declare: “We must ensure customer services remain available during cyber disruption.” Managers must reframe that in CPD terms. Continuity of customer service is not a single control. It is the coordinated ability to create services with continuity features, protect them through rehearsed incident response, and deliver them reliably even under attack.

The next step is mapping to capabilities. Using MVC, managers assess what exists and what is missing. The policy may exist, but if there is no rehearsed recovery capability, no evidence of vendor resilience, or no mechanism for escalation, then the intent remains unrealized.

Third, managers must integrate across functions. Siloed ownership undermines resilience. Vendor management is not just a compliance exercise in reviewing contracts. It is also about protecting through security attestations and delivering through performance monitoring and assurance evidence. Every capability must touch all three CPD dimensions.

Finally, managers must generate assurance evidence. Workflows are insufficient unless they provide proof of performance. This is where the QO–QM (Question Outcome–Question Metric) model, introduced in the Practitioner’s Guide, becomes vital. Boards articulate the desired outcome (“fit for purpose”); managers define the metrics that prove operational performance (“fit for use”). The gap between the two is what drives continuous improvement and innovation.

Without this cycle, managers tend to revert to familiar patterns: controls, reports, and audits that offer comfort but not confidence. With it, managers become the bridge that turns policy into resilience.

What we delivered was an enterprise-wide, integrated service information system that transformed strategic intent into an organizational capability to service our distributors and their customers’ equipment seamlessly, adapting to multiple distribution channels and new and retired products and services.

A Manager’s Paradigm Shift

This requires a profound shift in managerial mindset.

The traditional method focused on controlling processes, generating reports, and passing audits. Managers associated activity with achievement.

The new approach focuses on building capabilities, integrating across functions, and providing assurance evidence. Managers need to stop confusing artifacts with proof. A patch rate is an artifact. A recovery benchmark is assurance. An audit checklist is an artifact. Demonstrating the ability to restore services under stress is assurance.

As Thriving on the Edge of Chaos reminds us, leadership is the art of turning complexity into clarity. Managers practice leadership every time they translate intent into integrated capabilities that produce evidence of resilience.

My own application of systems thinking, inspired by Peter Senge’s The Fifth Discipline, reinforced this lesson: resilience is not the result of isolated fixes, but of integrated disciplines working in harmony.

A Practical Illustration

Consider again the policy: “Ensure customer services remain available during cyber disruption.”

In the old approach, cybersecurity teams strengthened access controls, IT tracked uptime, and compliance prepared audit reports. Each department reported success in its own way. However, when disruptions occurred, escalation was slow, workflows failed, and continuity was disrupted. The board received reports but not actual results.

In the CPD-driven approach, the same policy appears different. Services are designed with built-in continuity and redundancy to ensure uninterrupted operation. Cross-functional teams safeguard them by conducting rehearsed response and recovery exercises. Evidence of assurance is generated to demonstrate that services are delivered within acceptable thresholds even during disruptions. The board doesn’t just see an artifact; it sees proof.

The difference isn’t in frameworks. Both organizations might align with ISO 27001 or NIST CSF. The real difference lies in whether managers utilize CPD and MVC to transform policies into capabilities that generate assurance evidence.

The Executive Question for Managers

The Assurance Mandate Series ended with a challenge to boards: demand assurance, not artifacts. The Assurance in Action Series begins with a challenge to managers: supply that assurance, not just activity.

The question every manager faces is simple but crucial: Are you focusing on reporting artifacts, patch counts, audit scores, and compliance checklists? Or are you showcasing evidence, recovery times, escalation effectiveness, and continuous delivery under pressure?

Artifacts provide comfort. Evidence builds confidence.

Resilience is no longer optional and cannot be delegated. It is shaped by the daily choices managers make when translating intent into capability. If you develop capabilities that turn strategic intent into action and ensure they are both fit for use and fit for purpose, you won’t fear being called into the boardroom; you’ll welcome it.

The path from intent to assurance starts with managers. This is where strategy turns into action, and action turns into proof.

From Maps to Journeys

Frameworks offer maps. Compliance offers snapshots. Culture offers potential. But only systems provide assurance.

The Digital Value Management System (DVMS) ensures that CPD intent is translated into MVC-aligned capabilities and that evidence of resilience is communicated upward to executives and boards. It is not about activity for its own sake. It is about proof that the organization can withstand disruption and keep delivering value.

For managers, this marks a shift in mindset. Stop confusing activity with confidence. Begin developing capabilities that demonstrate resilience.

The journey from intent to assurance begins with managers who turn strategy into daily decisions and then translate those decisions into evidence.

Looking Ahead

In the following article of the Assurance in Action Series, we will explore how managers can implement a widely cited but inconsistently applied framework—the NIST Cybersecurity Framework—using DVMS. We will demonstrate how to transform CSF from a mere compliance checklist into a dynamic assurance system that showcases resilience in practice.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Transforming Cyber Risk into Operational Resilience – DVMS Certified Training Solutions

The DVMS Institute’s Certified Training Solutions teach organizations how to transform the NIST Cybersecurity Framework, or any other IT framework or standards-based system, into a unified, adaptive, and culture-driven Digital Value Management System® (DVMS).

The DVMS offers organizations a structured pathway for integrating Governance Intent, Operational Execution, and Assurance Evidence, enabling them to demonstrate measurable resilience, regulatory alignment, and stakeholder confidence in a rapidly evolving digital landscape.

Through its MVC, CPD, 3D Knowledge, and FastTrack Models, the DVMS operationalizes a Governance Overlay system that unifies strategy, assurance, and operations, a Behavioral Engine that continuously converts risk into resilience, and a Learning System that measures, adapts, and innovates over time.

DVMS Institute Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness training provides all employees with a comprehensive understanding of the fundamentals of digital business, its associated risks, the NISTCSF, and their role in protecting organizational digital value. This investment fosters a culture that is prepared to transform systemic cyber risks into operational resilience.

NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course provides ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role as an integrated, adaptive, and culture-driven governance and assurance management system that drives resilient, compliant, and trusted digital outcomes.

DVMS Practitioner Certification Training

The Digital Value Management System® (DVMS) Practitioner certification training course provides ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of how to transform systemic cyber risk into operational resilience by uniting fragmented frameworks and standards, such as NIST, ITSM, GRC, and ISO, into a holistic, adaptive, and culture-driven Governance, Assurance, and Accountability overlay system that keeps your digital business resilient, no matter the disruption.

DVMS Organizational Benefits

The DVMS doesn’t replace existing frameworks—it connects, contextualizes, and amplifies them, transforming compliance requirements into actionable intelligence that drives and ensures sustained digital operations and performance.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, the DVMS provides a structured way to align technology investments and operations with measurable business outcomes.

For the CRO, the DVMS provides a way to embed risk and resilience directly into operational processes, turning risk management into a driver of performance and adaptability.

For the CISO, the DVMS provides a continuous assurance mechanism that demonstrates cyber resilience and digital trust across the enterprise and its supply chain.

For Internal and External Auditors, the DVMS provides verifiable proof that the enterprise can maintain operational continuity under stress.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025. All Rights Reserved.