Why Our GRC Investments Aren’t Delivering Resilience …and Everyone Feels It – The GRAA Leadership Series Part 1
David Nichols – Co-Founder and Executive Director of the DVMS Institute
There’s a particular feeling many executives know well but rarely name out loud.
You leave a risk committee or board meeting with a thick stack of slides. The dashboards are mostly green, and the internal audit opinions are positive. You have NIST, ISO, ITIL, NIST Privacy Framework, and ESG obligations, all of which are mapped, tracked, and reported. The GRC platform runs smoothly. On paper, the organization appears mature.
And yet, as you close the door behind you, there’s that small knot in your stomach.
It doesn’t seem like resilience. It feels… fragile. One major incident, one supplier failure, one misjudged AI deployment, and the whole carefully crafted picture might fall apart.
This series is for the people who recognize that feeling.
You haven’t starved GRC of resources, nor have you ignored risk. In fact, you’ve invested heavily. Still, something fundamental isn’t right. This first article focuses on identifying what that “something” is, and why it can’t be fixed with just another framework, tool, or dashboard.
The Investment Side of the Ledger
If you list the actions your organization has taken over the past decade, it reads like a textbook example of “doing the right things.”
You’ve adopted comprehensive frameworks: NIST CSF, ISO standards, ITIL for service management, sector-specific regulations, and an expanding array of ESG and privacy requirements. You’ve deployed one or more GRC platforms to unify policies, risks, controls, and testing. You’ve increased staff in risk, compliance, cybersecurity, privacy, and internal audit. You’ve established board-level oversight structures, risk committees, and escalation pathways.
If someone measured you against a classic GRC maturity model, you wouldn’t fall to the bottom. In many organizations, these investments have closed obvious gaps. Basic hygiene has improved compared to ten years ago. That matters.
But it raises a tougher question: if the inputs are so strong, why does it still not feel safe to take your hand off the wheel, even for a moment?
The Experience Side of the Ledger
Set the investments aside and look at the lived experience.
Incidents still occur unexpectedly, despite risk registers and audit findings that warned about similar problems. Different risk and assurance teams sometimes give conflicting advice on priorities, each justified from its own point of view. Business units complain about “control fatigue” and “assessment fatigue,” not because they oppose accountability, but because they see the same questions asked in slightly different ways by different teams.
There are dashboards everywhere, but not enough insight. You can access more data than ever before, but the key question, “Are we behaving as a resilient organization?” remains unclear.
And beneath it all, there’s an unspoken gap between what the board states and what people actually do. The story in the room is that you’re mature and in control. The whisper in the hallways is that some of the most critical decisions about risk, ethics, and resilience are still being made on the fly, under pressure, with incomplete information and unclear accountability.
These aren’t random annoyances. They are symptoms of something structural.
The Old Mental Model of GRC
For years, GRC has been guided by a simple and reasonable mental model:
If we choose robust frameworks, write clear policies, implement appropriate controls, and demonstrate those controls to auditors and regulators, then risk will be “managed.”
In more stable, bounded environments, that model held real power. Regulatory change was slower. Supply chains were shorter and clearer. Digital products developed at a manageable pace. The gap between “policy” and “practice” was smaller because the system itself was less dynamic.
Today, the context is unrecognizable compared to that world.
Digital products, services, and data flows are constantly changing. Critical functions rely on complex supply chains and third parties that you neither control nor fully understand. AI and algorithmic decision-making are moving important decisions to the outer edges of the organization. Societal expectations regarding ethics, sustainability, privacy, and safety are evolving more rapidly than traditional governance cycles can keep pace with.
In this environment, the old mental model isn’t wrong, but it’s incomplete. Frameworks, policies, and controls are essential. However, they are not sufficient. As a result, you can have everything “right” at the artifact level (good frameworks, documented controls, clean audits) and still lack a system that behaves resiliently when reality hits.
That’s the knot in your stomach trying to tell you something.
The Real Problem: A System-of-Systems Without a System Design
Most organizations do not lack frameworks. Instead, they face a more subtle issue: they have built up a system-of-systems without a clear system design.
Each framework, including NIST, ISO, ITIL, COBIT, and ESG standards, was brought into the organization for a good reason. Each tool was acquired to solve a real need. Each new risk, compliance, or assurance function was justified by genuine external pressure or internal events.
Over time, however, this layering forms a patchwork of overlapping control sets, inconsistent terminology, and unclear ownership. Cyber, IT operations, enterprise risk, compliance, audit, privacy, ESG, and legal each develop their own way of describing the world. Within each silo, the picture makes sense. Across the entire landscape, it becomes harder to answer basic questions:
- Who is truly responsible for resilience in this value stream?
- Where do we observe the combined impact of technology risk, third-party risk, and conduct risk?
- If we were to change this policy, would we understand how it would ripple through behavior, incentives, and delivery?
As an executive, you often have strong components that don’t come together to form a cohesive whole. Beneath that, there’s a deeper problem. The enterprise lacks a shared operating system: a simple, agreed-upon way to:
- organize all those frameworks and tools into a coherent capability model,
- connect that model to how the business actually creates value,
- and link governance decisions to real behavior in a transparent, repeatable way.
Without that operating system, GRC remains a collection of earnest and busy activities. It doesn’t yet function as a single, integrated, adaptive system. What is missing is not another framework. What is missing is a behavioral overlay: a way to see and manage the organization that unifies governance, risk, and compliance with culture, structure, and digital value.
The Goal Beyond GRC: Governance, Resilience, Assurance, and Accountability
When most executives approve investments in GRC, they are not thinking in terms of control libraries and maturity grids. They are aiming at something more ambitious, even if they don’t always give it a name.
At the top of the organization, the real goal looks more like this:
- Governance that is clear, coherent, and aligned with how the organization genuinely creates value.
- Resilience that is designed into products, services, and partnerships, not retrofitted after each incident.
- Assurance that is evidence-based, continuous, and sufficiently trusted that the board can make decisions with confidence.
- Accountability that is fair, transparent, and tied to fundamental decision rights, rather than scattered across charts and committees.
Together, that is Governance, Resilience, Assurance, and Accountability: GRAA.
Many leaders assumed, quite reasonably, that investing in “modern GRC” would lead them to GRAA. What they have found is that while frameworks and platforms can support GRAA, they do not guarantee it. You can have perfect compliance and still be vulnerable. You can have excellent audit ratings and still be caught off guard.
GRAA is not a product. It is an outcome. Achieving it requires consistency in leadership signals, structures, and behavior across the entire digital value chain. That consistency is precisely what the current patchwork lacks.
A Different Way of Thinking: Enter the Digital Value Management System
This is where the Digital Value Management System, the DVMS, enters the conversation.
The DVMS isn’t a new framework to just add on. It’s an approach that views the organization as a complex adaptive system and offers an overlay, or operating model, for how all the existing pieces can work together.
At its core, the DVMS addresses three key areas that executives care deeply about.
First, it focuses attention on how the enterprise creates, protects, and delivers digital business value. Instead of viewing GRC as a separate domain, it integrates governance, risk, and assurance into the daily flow of value creation. GRC shifts from being about maintaining a distinct compliance sphere to about managing the digital business responsibly.
Second, it offers a simple, shared structure that allows you to map all existing frameworks and processes. Instead of existing in ten different dialects simultaneously, the organization gains a shared vocabulary for capabilities, roles, and responsibilities. Cyber, IT, operations, risk, and audit can still utilize their specialized tools and standards, but they interact through a unified overlay.
Third, it reveals the connections between leadership intent, organizational structure, and actual behavior. The DVMS does not view culture as a static entity on a wall. Instead, it considers culture as a pattern of behavior that emerges under stress and can be observed, understood, and managed. When leadership states one thing, structures reward another, and behavior follows a third logic, the DVMS provides a way to recognize and address that misalignment.
The key point is what the DVMS does not require. It does not demand abandoning NIST, ISO, or ITIL. It does not force you to replace your GRC platforms. It does not expect executives to become experts in another specialized framework. Instead, it builds on what you already have and gives it a solid foundation. Think of it as giving your enterprise the behavioral operating system that GRC 7.0 aspires to but has not yet fully described.
From Problem Recognition to Practical Change
Executives are understandably cautious about grand transformation stories. Many have seen enough “next big thing” projects to be hesitant when someone proposes yet another reinvention. The move toward GRAA and an overlay like the DVMS isn’t about tearing everything down. It’s about rethinking and reconnecting with what you already have.
In practice, the journey often begins with a shift in perspective rather than a change in tools. Leaders start to ask different questions: not just “Do we have control here?” but “How does this control, or the lack of it, interact with the way this value stream is governed, structured, and actually behaves?” They assess risk and resilience based on how the organization creates, protects, and delivers value, rather than viewing these as separate categories.
From there, it becomes possible to align existing frameworks and processes into a simple, shared capability model, and to use that model for more explicit conversations about accountability, investment, and change. The upcoming articles in this series will delve more deeply into the overlay issue, examine culture as the most challenging control surface in your enterprise, and demonstrate how a minimal set of capabilities can provide the structure that has been missing.
For now, it is worth sitting with a simple, candid question: If your current GRC system were truly delivering the governance, resilience, assurance, and accountability you thought you were buying, would it still feel this fragile? If the answer is no, or even “I’m not sure,” then the issue is not your effort, your people, or your frameworks. It is the absence of a coherent operating model that allows all of that work to add up to more than the sum of its parts.
The DVMS was designed to be precisely that.
About the Author

Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, about functioning in high-performance teams, and about what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
Digital Value Management System® (DVMS)
The DVMS is an adaptive Culture-Enabled Governance System that enables businesses of any size to move from a static, paper-based system of cyber controls to a living, evidence-based system of Governance, Resilience, Assurance, and Accountability (GRAA).
At its core, the DVMS is a simple but powerful integration of:
- Governance Intent – shared expectations and accountabilities.
- Operational Capability – how the business actually performs.
- Assurance Evidence – proof that intended outcomes are being achieved.
Rather than adding more complexity, a DVMS integrates fragmented frameworks and practices such as NIST CSF, GRC, ITSM, DevOps, and AI into a unified overlay system that enables leaders and regulators to see, in real time, whether the digital business is working as intended—and whether the risks that matter most are being managed proactively.

Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:
A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.
A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.
A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.
DVMS Organizational Benefits
Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.
By adopting a DVMS, organizations are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
DVMS Leadership Benefits
The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.
For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
For the CIO, CRO, CISO, and Auditors, the DVMS provides an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.
DVMS White Papers
The three whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.
The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.
The Assurance in Action Paper elevates the conversation from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.
The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.
DVMS Cyber Resilience Certified Training Programs
DVMS Cyber Resilience Awareness Training
The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.
DVMS NISTCSF Foundation Certification Training
The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.
DVMS Cyber Resilience Practitioner Certification Training
The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.
This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
Explainer Videos
- DVMS Architecture Video: David Moskowitz explains the DVMS System
- DVMS Case Study Video: Dr. Joseph Baugh Shares His DVMS Story.
- DVMS Overlay Model – What is an Overlay Model
- DVMS MVC ZX Model – Powers the CPD
- DVMS CPD Model – Powers DVMS Operations
- DVMS 3D Knowledge Model – Powers the DVMS Culture
- DVMS FastTrack Model – Enables A Phased DVMS Adoption
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
© DVMS Institute 2025. All Rights Reserved.