Governing by Assurance – Integrating Governance, Resilience, and Assurance into a Single System – The Assurance in Action Series – Part 6
David Nichols – Co-Founder and Executive Director of the DVMS Institute
The Next Evolution in Management Discipline
In the first five parts of this series, we explored how assurance moves from executive intent to daily practice:
- Part 1 showed how managers translate strategic intent into actionable capabilities.
- Part 2 demonstrated how frameworks such as the NIST Cybersecurity Framework (NIST CSF) can be operationalized through the Digital Value Management System® (DVMS).
- Part 3 closed the loop between controls and evidence.
- Part 4 established culture as a measurable capability.
- Part 5 described how continual learning transforms resilience from aspiration to discipline.
Part 6 brings it all together. It poses a defining yet straightforward question: How do managers govern through assurance, rather than just reporting it?
The answer marks a new phase in management maturity, one where governance, resilience, and assurance are not separate domains but a single, self-reinforcing system.
The Shift from Managing Activities to Governing Systems
Traditional management emphasizes activity, focusing on maintaining controls, producing reports, and passing audits. This approach was effective when disruptions were infrequent and outcomes predictable. However, in today’s fast-changing environment—where digital reliance, AI-driven transformation, and global volatility are constant—focusing on activity alone no longer instills confidence.
Managers must shift from supervising tasks to managing systems.
Every decision, workflow, and rehearsal impacts governance results when aligned with a clear purpose and evaluated by evidence. The DVMS enables this by combining governance intent, operational execution, and assurance feedback into a single continuous cycle.
Governance through assurance signifies something fundamental: managers are no longer just implementers of policy; they are the operational stewards of resilience. They don’t wait for oversight to occur; they create it in real time.
Governance in the GRA Context
The Assurance Mandate Whitepaper introduced a significant shift in organizational oversight — from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA).
Under GRC, management showed diligence by documenting policies, risk registers, and audit reports. Under GRA, management must demonstrate capability, providing evidence that the organization can operate under pressure, recover quickly, and continue to Create, Protect, and Deliver (CPD) value.
In this new model:
- Governance defines intent — the “why.”
- Resilience delivers capability — the “how.”
- Assurance provides evidence — the “what.”
When managers govern through assurance, they complete the final stage of GRA. They turn intent into capability, measure outcomes, and use evidence to feed back into governance, ensuring the system continually learns and adapts.
This is the managerial expression of GRA: governance not by policy, but by proof.
The DVMS as the Governance Engine
The Digital Value Management System® (DVMS) operationalizes GRA by acting as the link between boardroom plans and frontline actions.
As described in Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era and The Practitioner’s Guide to Building Cyber-Resilience (Second Edition), the DVMS is not another framework; it is an operating system that translates strategy into measurable capability.
Within the DVMS, governance intent flows downward through Create, Protect, and Deliver (CPD) value streams, while assurance evidence flows upward through measurable outcomes. Each Minimum Viable Capability (MVC) acts as a node within this system, linking policy to practice.
This system-based approach offers managers a new perspective. Instead of examining separate reports from cybersecurity, IT, and compliance departments, they gain a unified view of organizational resilience — one that updates in real time and shows the organization’s ability to withstand disruptions.
The result is governance as a living process, not an annual event.
The Manager’s New Role: From Reporter to Governor
This integrated model redefines what it means to be a leader. Managers have long been trained to report results upward. Now, they must oversee outcomes across functions, disciplines, and value streams.
Their responsibility is no longer to prove that the activity happened, but to demonstrate that capabilities operate under stress. They ensure systems are designed to adapt, not just to comply.
This is the manager as an assurance governor, a role that requires both operational insight and systems thinking.
Managers govern through evidence when they:
- Define intent clearly, linking every policy to measurable outcomes.
- Integrate capabilities across CPD value streams.
- Rehearse performance and report assurance evidence instead of activity metrics.
- Continuously refine systems using insights from near misses, simulations, and real-world events.
This shift from oversight to operational governance aligns with the principle in Thriving on the Edge of Chaos: leadership is the art of turning complexity into clarity. Managers achieve that clarity by building systems that communicate through evidence.
AI, Automation, and the Future of Assurance
For years, the scope of assurance constrained its practice. Managers faced a tough trade-off — gather enough data to prove assurance or focus on daily operations. That tension is now easing.
Automation and artificial intelligence are extending managerial reach.
- Automated monitoring delivers continuous visibility across systems, supply chains, and workflows.
- AI-driven simulations test resilience scenarios in real time, identifying weaknesses before they escalate.
- Agentic systems record performance data directly into governance dashboards, providing an immediate link between operational evidence and executive oversight.
These technologies don’t replace human judgment; they enhance it. Managers no longer spend their energy assembling static reports — they interpret dynamic data, apply insights, and promote improvement.
The “burden of assurance,” once seen as expensive and complicated, is now becoming a standard part of digital management.
The Learning Governance Cycle
Resilience, as Thriving on the Edge of Chaos emphasizes, is not a fixed state but an emergent property of systems that learn. The DVMS turns that principle into practice.
Through its structured feedback loop — intent → capability → evidence → learning — managers formalize improvement within governance. Each cycle of this process enhances capability, sharpens evidence, and boosts assurance.
When combined with FastTrack, this cycle becomes manageable and measurable. Managers begin with foundational MVCs, target improvement efforts where confidence is weakest, and iterate through phases to achieve their goals. Learning is no longer a side effect of failure; it is an inherent part of governance.
This is how organizations stop reacting to disruption and start adapting because of it.
The Executive Question for Managers
Every manager, regardless of function, should be prepared to answer a single question: “Can you provide assurance evidence, not reports, that our organization can continue to Create, Protect, and Deliver value under stress?”
This question defines what maturity means in the era of assurance. It shifts the focus from “Are we compliant?” to “Are we resilient?”
Managers who provide evidence are no longer just participants in governance; they are its practitioners.
From Confidence to Trust
Boards seek confidence. Stakeholders demand trust. Managers establish both by governing through assurance. Confidence stems from evidence, from seeing that the organization functions as designed under real conditions. Trust develops when that confidence is maintained over time through transparency, accountability, and proof.
In this final step of the Assurance in Action series, managers transition from creating assurance systems to actively living them. Governance, resilience, and assurance come together into a single discipline, one that ensures the organization not only survives disruption but also continues to deliver value through it.
This captures the essence of governance through assurance, where intent, capability, and evidence combine to create a seamless system of trust.
Wrapping things up
With Part 6, the Assurance in Action series for managers comes to a close. Together, the six parts create a roadmap for turning assurance into a managerial discipline.
- From Intent to Action
- Operationalizing NIST CSF Through DVMS
- Closing the Loop – From Controls to Assurance Evidence
- Culture as Capability
- Continual Improvement and Learning Systems
- Governing by Assurance
Stay tuned for the upcoming “Assurance in Action” whitepaper.
About the Author

Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
Designing an Overlay System for Governing Cyber Resilience Through Assured Evidence and Transparent Accountability (GRAA) Across Complex Digital Ecosystems
From Visibility to Viability – The Dual Pillars of Cyber Resilience
As enterprises accelerated their adoption of complex, cloud-native architectures, they encountered a new order of complexity. Infrastructure dissolved into services, workloads became ephemeral, and security boundaries blurred. In that environment, Wiz emerged as a transformational force in cloud technical security, offering radical visibility and risk prioritization across multi-cloud ecosystems.
At the same time, a broader and more consequential challenge emerged, one that extends well beyond isolated technical misconfigurations or discrete vulnerabilities.
Modern organizations function as dynamic, highly interconnected digital ecosystems shaped by siloed frameworks, technologies, applications, processes, data flows, and human actors, all operating in continuous interaction. Within this complexity, risks and outcomes are not confined to individual components; they arise from the relationships and dependencies between them.
This is the domain in which the Digital Value Management System® (DVMS) operates.
While Wiz redefined how organizations see and secure cloud environments, DVMS is redefining how enterprises govern, assure, and account for cyber resilience as an integrated dimension of digital business performance.
The Digital Value Management System® (DVMS)
The DVMS is an overlay management system that governs cyber resilience through assured evidence and transparent accountability (GRAA) across complex digital systems.
At its core, the DVMS is a simple but powerful integration of:
- Governance Intent – shared expectations and accountabilities
- Operational Capabilities – how the digital business performs under stress
- Assurance Evidence – proof that outcomes are achieved and accountable
- Cultural Learning – for governance and operational fine-tuning
The DVMS GRAA Engine
The overlay GRAA engine is powered by four DVMS models:
Create, Protect, and Deliver (CPD) – The CPD Model™ is a systems-based model within the DVMS that links strategy-risk and governance to execution to create, protect, and deliver digital business value as an integrated, continuously adaptive capability.
Minimum Viable Capabilities (MVC) – The Minimum Viable Capabilities (MVCs) model supports the seven essential, system-level organizational capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate—required to reliably create, protect, and deliver digital business value in alignment with strategy-risk intent.
3D Knowledge (3DK) – The 3D Knowledge Model is a systems-thinking framework that maps team knowledge over time (past, present, future), cross-team collaboration, and alignment to strategic intent to ensure that organizational behavior, learning, and execution remain integrated and adaptive in delivering digital business value.
Question Outcome / Question Metric (QO/QM) – The QO/QM approach supports governance as testable intent by defining a clear Question Outcome (QO), the specific value or resilience condition that must be true at a given boundary, and pairing it with one or more Question Metrics (QM) that provide observable, decision-relevant evidence that the system can actually create, protect, and deliver that outcome under complex, living system operating conditions.
The models then work together to operationalize the capabilities below, which govern the organization’s cyber resilience through assured evidence and transparent accountability:
A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance across every system responsible for digital value.
A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.
A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.
DVMS Benefits – Organizational and Leadership
Instead of replacing existing operational frameworks and platforms, the DVMS elevates them, connecting and contextualizing their data into actionable intelligence that enables organizations to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across Complex Digital Ecosystems
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
For the CIO, CRO, CISO, and Auditors, the DVMS provides a unified approach to organizational digital value management, operational resilience, and regulatory compliance.
DVMS – Accredited Certification Training Programs
The DVMS Institute’s certification training programs equip leaders, practitioners, and employees with the skills to build a management architecture for governing, assuring, and accounting for resilience in complex digital ecosystems.
Through structured learning, applied certification, and authoritative publications, the Institute teaches a disciplined, outcome-driven approach to managing resilience as an integrated dimension of digital business performance.
DVMS Cyber Resilience Awareness Training
The DVMS Cyber Resilience Awareness non-certification course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for resilience in complex digital ecosystems.
DVMS NISTCSF Cyber Resilience Foundation Certification Training
The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for achieving resilience in complex digital ecosystems.
DVMS Cyber Resilience Practitioner Certification Training
The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to build a unified governance, resilience, assurance, and accountability system designed to operationalize resilience in complex digital ecosystems.
Launching A DVMS Program
The DVMS FastTrack is a phased, iterative approach that helps organizations mature a DVMS program over time, rather than trying to do everything simultaneously. This approach breaks the DVMS journey into manageable phases of success.
It all starts with selecting the first digital service you want to make resilient. That service then becomes the blueprint for operationalizing resilience across the remaining digital services.
DVMS Institute White Papers – The Assurance Mandate Series
The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.
The Assurance Mandate Paper explains why traditional compliance artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.
The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.
The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
® DVMS Institute 2025 All Rights Reserved








