Your Organization Doesn’t Have a Framework Problem, It Has an Overlay Problem – The GRAA Leadership Series Part 2

David Nichols – Co-Founder and Executive Director of the DVMS Institute

A familiar sequence often plays out in many organizations.

A new regulation arrives. A peer in your industry experiences a highly publicized incident. A board member returns from a conference with a strong opinion about “what good looks like.” Someone suggests a reasonable response: we should adopt this framework, align with that standard, or implement the latest “best practice” model.

A project is initiated. Workshops are scheduled. Someone creates a mapping between the new framework and existing systems. Training sessions are conducted. For a while, it seems like progress is being made. Tasks are checked off. Stakeholders feel reassured. Another badge is added to the organizational jacket.

Then the dust settles and daily reality resumes. Yet beneath the surface, almost nothing has become simpler. You still see overlapping requests being sent to the same people from different risk and assurance teams. You still struggle to obtain a clear and unified view of risk across a single value stream. You still have that uneasy feeling that your frameworks are multiplying faster than your clarity. If frameworks are meant to bring order and coherence, why does each new one seem to add another layer of complexity? That question lies at the core of this article.

Frameworks Are Not the Enemy

Before we go any further, it is important to be clear: this is not an argument against frameworks. Frameworks exist for solid reasons. They organize experience, evidence, and regulatory standards. They provide a common language with regulators, partners, and auditors. They help you speed up learning instead of starting from scratch. Each one, on its own, is reasonable and often essential.

The NIST CSF provides your cybersecurity team with a framework to organize its work and discussions. ITIL establishes a shared vocabulary for service management. ISO standards help standardize expectations for information security, quality, or continuity. ESG standards and sector regulations clarify emerging obligations that might otherwise be interpreted variably by different actors.

The issue isn’t about NIST versus ISO, or ITIL versus COBIT, or any other pair of acronyms you might choose. When someone mentions “we have a framework problem,” they rarely mean that a particular standard was a poor idea. Instead, what they’re hinting at, sometimes without having the exact words, is that the more successful they are at adopting frameworks, the more they feel vulnerable to a different kind of risk. They’ve created a system-of-systems without a shared map.

When Good Frameworks Collide

Inside the enterprise, you can watch this play out in slow motion.

The cybersecurity function centers on the NIST CSF. Service and operations teams are fluent in ITIL. Internal audit relies on IIA standards and often considers COSO. Financial risk uses its own models. ESG and sustainability come with their own reference architectures and metrics. Privacy, safety, legal, and procurement each have their own logic and vocabulary.

Within each silo, the picture makes sense. The cyber perspective of the world aligns with the NIST framework. The service perspective aligns with ITIL. The audit perspective aligns with its standards. When you enter one of those worlds and speak its language, everything is internally consistent.

Now move back up to the executive vantage point and ask a few basic questions:

In this particular value stream, who is truly accountable for resilience when you combine technology risk, third-party risk, conduct risk, and regulatory exposure? When three different teams ask the business essentially the same question in three slightly different ways, which answer is the “real” one? When two frameworks both claim authority over a given control, which one governs the way the work is actually done?

These are not just theoretical puzzles. They manifest as duplicated efforts on the ground, confusion over decision-making authority, and friction between functions that should be natural allies. What you are experiencing in those moments is not “framework fatigue” in the sense of being tired of standards. It is a framework collision. Multiple, well-intentioned logics clash without a shared structure to absorb and reconcile them.

You do not have a framework problem. You have an overlay problem, or more precisely, a missing-overlay problem.

The Missing Concept: An Overlay

The word “overlay” can sound abstract, so let’s keep it simple. An overlay is not another framework. It is a way of organizing and connecting the frameworks you already have so that, from an executive and operational point of view, they function as one system.

Your frameworks were never designed to address some of the questions you, as a leader, must answer. For example, when you follow an end-to-end product or service from idea to retirement, how do these frameworks all fit together in that process? Which core capabilities (decision-making, assurance, change, execution, innovation) do you rely on regardless of whether you’re using NIST, ISO, ITIL, or ESG? How can you discuss accountability for these capabilities using a standard set of terms, rather than switching languages every time a different function enters the room?

An overlay provides a small, shared set of “slots” where you can map existing controls, processes, and responsibilities. It does not eliminate the standards. Instead, it shows you where each standard is expressed within your system. Without an overlay, each framework behaves like a separate operating system running on the same hardware. With an overlay, they become applications running on a shared platform. The code may differ, but the way you understand and govern the system is unified.

What an Overlay Is Not

Whenever you introduce a new concept, the mind quickly tries to relate it to something familiar. Therefore, it’s worth taking a moment to clarify what an overlay is not. It is not a rebranding effort where one of your existing frameworks is labeled “the master,” and everything else is made to fit into it. Such an approach often leads to quiet rebellion, as functions continue to operate according to their own logic underneath.

It’s not just another software platform, even though technology can certainly aid in implementing and visualizing it. Purchasing a new system without changing how you think about capabilities and accountability only leads to piling “GRC 3.0” on top of “GRC 2.0” and “GRC 1.0.” It’s not a consulting trend layered over everything else you do. Adding new terminology without simplifying the core structure is actually the opposite of what you need.

An overlay is more like an architectural decision. It states that whatever frameworks, tools, or standards we use, these principles will guide us in describing our core capabilities, discussing decision rights, and assigning and demonstrating accountability. It is a choice to treat the enterprise as a single system rather than as a collection of loosely connected professional groups.

Symptoms of an Overlay Problem

If you’re wondering whether you have an overlay problem, you probably already know the answer. However, it can be helpful to examine a few patterns from this perspective.

You sit with your team and walk through a critical value stream from start to finish, only to find that no one can explain how cyber risk, third-party risk, continuity, and conduct risk are collectively managed. Someone owns each area, but the overall approach is missing.

You sponsor initiatives to “harmonize” or “rationalize” controls. Extensive mapping exercises are conducted. Spreadsheets and repositories are created. For a while, it appears organized. Then, gradually, each function reverts to its preferred language, and the harmonization becomes just another static artifact rather than a dynamic structure.

You spend disproportionate time in RACI discussions that never quite resolve who is truly accountable versus who is merely informed. Job descriptions, committees, and charters proliferate, yet in high-pressure situations, decisions still feel unclear.

Your board packs are getting thicker, but the questions from non-executive directors mostly stay the same: Where exactly are we most exposed? Who is responsible for that risk in practice? How sure are we that our cultural behavior aligns with the story in the slides?

None of this suggests that you have weak individuals or unproductive teams. It simply results from an organization running multiple frameworks and toolsets without a shared framework or toolset overlay. The system is doing its best with the architecture it has been given.

How an Overlay Changes the Conversation

When you introduce a genuine overlay, the first shift isn’t in tooling. It’s in the questions you ask. Instead of starting with, “Which framework are we using for this?”, leaders ask, “Which capability does this belong to, and who is responsible for that capability in this value stream?” The focus shifts from lists of controls to the organization’s fundamental abilities to govern, assure, plan, design, execute, change, and innovate safely.

Cyber, IT operations, risk, compliance, and audit no longer need to argue about which framework is “right.” They can align their requirements with the same set of enterprise capabilities and identify where they support each other and where they diverge.

This, in turn, enables more concrete discussions about Governance, Resilience, Assurance, and Accountability. Governance transforms from a collection of charters into the actual flow of decisions across shared capabilities. Resilience shifts from being a slogan to a characteristic of how those capabilities perform under stress. Assurance moves beyond an annual ritual to a continuous assessment of how well those capabilities function. Accountability changes from a negotiation between functions to an inherent part of the overall framework.

The architecture changes the conversation. The conversation changes the behavior.

The DVMS Overlay in Principle

The Digital Value Management System, the DVMS, is a way to provide that overlay. Without going into all its details here, you can think of the DVMS as a method for identifying and organizing a small set of Minimum Viable Capabilities that every organization needs to create, protect, and deliver digital business value. Those capabilities fill the slots of the overlay.

Frameworks like NIST, ISO, ITIL, ESG standards, and sector regulations are not discarded. They are mapped into those capabilities. Controls, processes, and tools find a home. Instead of being the primary organizing principle, each framework becomes a way of enriching a capability the enterprise has already agreed it must own.

From an executive perspective, this means you can examine a value stream and see, in one place, how governance, assurance, planning, design, execution, change, and innovation are actually collaborating. You can identify where your frameworks strengthen these capabilities and where they leave gaps or create contradictions.

The DVMS does not promise that frameworks will suddenly disappear. It promises that they will stop competing to define your reality. The overlay determines your reality. Frameworks contribute to it. That is the difference between having “a lot of GRC activity” and having an operating model capable of delivering GRAA.

Looking Ahead: From Overlay to Culture

It’s natural to feel a bit cautious now. Many leaders have seen control harmonization projects come and go. They understand how easily a new organizing idea can become just another layer of complexity. The overlay conversation differs because it extends beyond simply listing elements. It explores how the organization perceives itself and how that perception influences actions when it truly matters.

In the next article, we will shift from structure to the most challenging control surface of all: culture. Even with a clean overlay, the system won’t behave as intended if people don’t use it under stress. The map matters, but so do the patterns of behavior that emerge when pressure is applied.

That is why Part Three is titled “The Hardest Control Surface in Your Enterprise Is Culture.”

If you recognize the patterns described here and can sense the friction of frameworks without an overlay, then you are already beginning to see the outline of the real problem. The good news is that once you name it, you can start to design your way out of it.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

DVMS Cyber Resilience Professional Accredited Certification Training

Enabling Enterprises to Govern, Assure, and Account for Digital Value, Operational Resilience, and Regulatory Outcomes in Living Digital Systems

Why Enterprises Must Move from Paper to Practice-Based Assurance

Explainer Video – Governing By Assurance

Despite an abundance of frameworks, metrics, and dashboards, many leaders still lack a clear line of sight into how their digital value streams perform when conditions deteriorate.

Strategic intent, organizational structures, and day-to-day behaviors are evaluated separately, producing static snapshots that fail to reveal how decisions, dependencies, and human actions interact within a dynamic digital system.

The result is governance that appears comprehensive in documentation yet proves fragile under pressure, leaving leaders to reconcile disconnected controls rather than systematically strengthen operational resilience.

What’s needed is a framework-agnostic operating overlay that enables digital value, operational resilience, and regulatory outcomes to be governed, assured, and accounted for coherently across living digital systems.

DVMS Institute White Papers – The Assurance Mandate Series

Explainer Video – From Compliance Rituals to Evidence-Based Resilience

The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.

The Assurance Mandate Paper explains why traditional compliance artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.

The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.

The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.

The Digital Value Management System® (DVMS)

Explainer Video – What is a Digital Value Management System (DVMS)

The DVMS is an overlay system that governs, assures, and accounts for digital value, operational resilience, and regulatory outcomes in living digital ecosystems.

At its core, the DVMS is a simple but powerful integration of:
  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business performs
  • Assurance Evidence – proof that outcomes are achieved and accountable
  • Cultural Learning – for governance intent and operational capability fine-tuning

Underpinning this integration are the following DVMS models and approaches:

Create, Protect, and Deliver (CPD) – The CPD Model™ is a systems-based model within the DVMS that links strategy-risk and governance to execution to create, protect, and deliver digital business value as an integrated, continuously adaptive capability.

3D Knowledge (3DK) – The 3D Knowledge Model is a systems-thinking framework that maps team knowledge over time (past, present, future), cross-team collaboration, and alignment to strategic intent to ensure that organizational behavior, learning, and execution remain integrated and adaptive in delivering digital business value.

Minimum Viable Capabilities (MVC) – The Minimum Viable Capabilities (MVCs) model supports the seven essential, system-level organizational capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate—required to reliably create, protect, and deliver digital business value in alignment with strategy-risk intent.

Question Outcome / Question Metric (QO/QM) – This approach supports governance as testable intent by defining a clear Question Outcome (QO), the specific value or resilience condition that must be true at a given boundary, and pairing it with one or more Question Metrics (QM) that provide observable, decision-relevant evidence that the system can actually create, protect, and deliver that outcome under complex, living-system operating conditions.

These models and approaches work together to enable three organizational capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Benefits – Organizational and Leadership

Explainer Video – DVMS Organization and Leadership Benefits

Organizational Benefits

Instead of replacing existing operational frameworks and platforms, the DVMS elevates them, connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, enterprises are positioned to:
  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors, the DVMS provides an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

DVMS – Accredited Certification Training Program

Explainer Video – The DVMS Training Pathway to Cyber Resilience

The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to integrate fragmented systems into a unified, culture-driven governance and assurance system that accounts for the resilience of digital value within a living digital ecosystem.

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

DVMS NISTCSF Cyber Resilience Foundation Certification Training

The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

A FastTrack Approach to Launching Your DVMS Program

Explainer Video – Scaling a DVMS Program

The DVMS FastTrack approach is phased and iterative, helping organizations mature their DVMS over time rather than trying to do everything simultaneously.

This approach breaks the DVMS journey into manageable phases of success. It all starts with selecting the first digital service you want to make cyber resilient. Once that service becomes resilient, it becomes the blueprint for operationalizing cyber resilience across the enterprise and its supply chain.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025 All Rights Reserved