Your Organization Doesn’t Have a Framework Problem, It Has an Overlay Problem – The GRAA Leadership Series Part 2


David Nichols – Co-Founder and Executive Director of the DVMS Institute

A familiar sequence often plays out in many organizations.

A new regulation arrives. A peer in your industry experiences a highly publicized incident. A board member returns from a conference with a strong opinion about “what good looks like.” Someone suggests a reasonable response: we should adopt this framework, align with that standard, or implement the latest “best practice” model.

A project is initiated. Workshops are scheduled. Someone creates a mapping between the new framework and existing systems. Training sessions are conducted. For a while, it seems like progress is being made. Tasks are checked off. Stakeholders feel reassured. Another badge is added to the organizational jacket.

Then the dust settles and daily reality resumes. Yet beneath the surface, almost nothing has become simpler. You still see overlapping requests being sent to the same people from different risk and assurance teams. You still struggle to obtain a clear and unified view of risk across a single value stream. You still have that uneasy feeling that your frameworks are multiplying faster than your clarity. If frameworks are meant to bring order and coherence, why does each new one seem to add another layer of complexity? That question lies at the core of this article.

Frameworks Are Not the Enemy

Before we go any further, it is important to be clear: this is not an argument against frameworks. Frameworks exist for solid reasons. They organize experience, evidence, and regulatory standards. They provide a common language with regulators, partners, and auditors. They help you speed up learning instead of starting from scratch. Each one, on its own, is reasonable and often essential.

The NIST CSF provides your cybersecurity team with a framework to organize its work and discussions. ITIL establishes a shared vocabulary for service management. ISO standards help standardize expectations for information security, quality, or continuity. ESG standards and sector regulations clarify emerging obligations that might otherwise be interpreted variably by different actors.

The issue isn’t about NIST versus ISO, or ITIL versus COBIT, or any other pair of acronyms you might choose. When someone mentions “we have a framework problem,” they rarely mean that a particular standard was a poor idea. Instead, what they’re hinting at, sometimes without having the exact words, is that the more successful they are at adopting frameworks, the more they feel vulnerable to a different kind of risk. They’ve created a system-of-systems without a shared map.

When Good Frameworks Collide

Inside the enterprise, you can watch this play out in slow motion.

The cybersecurity function centers on the NIST CSF. Service and operations teams are fluent in ITIL. Internal audit relies on IIA standards and often considers COSO. Financial risk uses its own models. ESG and sustainability come with their own reference architectures and metrics. Privacy, safety, legal, and procurement each have their own logic and vocabulary.

Within each silo, the picture makes sense. The cyber perspective of the world aligns with the NIST framework. The service perspective aligns with ITIL. The audit perspective aligns with its standards. When you enter one of those worlds and speak its language, everything is internally consistent.

Now move back up to the executive vantage point and ask a few basic questions:

In this particular value stream, who is truly accountable for resilience when you combine technology risk, third-party risk, conduct risk, and regulatory exposure? When three different teams ask the business essentially the same question in three slightly different ways, which answer is the “real” one? When two frameworks both claim authority over a given control, which one governs the way the work is actually done?

These are not just theoretical puzzles. They manifest as duplicated efforts on the ground, confusion over decision-making authority, and friction between functions that should be natural allies. What you are experiencing in those moments is not “framework fatigue” in the sense of being tired of standards. It is a framework collision. Multiple, well-intentioned logics clash without a shared structure to absorb and reconcile them.

You do not have a framework problem. You have an overlay problem, or more precisely, a missing-overlay problem.

The Missing Concept: An Overlay

The word “overlay” can sound abstract, so let’s keep it simple. An overlay is not another framework. It is a way of organizing and connecting the frameworks you already have so that, from an executive and operational point of view, they function as one system.

Your frameworks were never designed to address some of the questions you, as a leader, must answer. For example, when you follow an end-to-end product or service from idea to retirement, how do these frameworks all fit together in that process? Which core capabilities (decision-making, assurance, change, execution, innovation) do you rely on regardless of whether you are using NIST, ISO, ITIL, or ESG? How can you discuss accountability for these capabilities using a standard set of terms, rather than switching languages every time a different function enters the room?

An overlay provides a small, shared set of “slots” where you can map existing controls, processes, and responsibilities. It does not eliminate the standards. Instead, it shows you where each standard is expressed within your system. Without an overlay, each framework behaves like a separate operating system running on the same hardware. With an overlay, they become applications running on a shared platform. The code may differ, but the way you understand and govern the system is unified.

What an Overlay Is Not

Whenever you introduce a new concept, the mind quickly tries to relate it to something familiar. Therefore, it’s worth taking a moment to clarify what an overlay is not. It is not a rebranding effort where one of your existing frameworks is labeled “the master,” and everything else is made to fit into it. Such an approach often leads to quiet rebellion, as functions continue to operate according to their own logic underneath.

It’s not just another software platform, even though technology can certainly aid in implementing and visualizing it. Purchasing a new system without changing how you think about capabilities and accountability only leads to piling “GRC 3.0” on top of “GRC 2.0” and “GRC 1.0.” It’s not a consulting trend layered over everything else you do. Adding new terminology without simplifying the core structure is actually the opposite of what you need.

An overlay is more like an architectural decision. It states that whatever frameworks, tools, or standards we use, these principles will guide us in describing our core capabilities, discussing decision rights, and assigning and demonstrating accountability. It is a choice to treat the enterprise as a single system rather than as a collection of loosely connected professional groups.

Symptoms of an Overlay Problem

If you’re wondering whether you have an overlay problem, you probably already know the answer. However, it can be helpful to examine a few patterns from this perspective.

You sit with your team and walk through a critical value stream from start to finish, only to find that no one can explain how cyber risk, third-party risk, continuity, and conduct risk are collectively managed. Someone owns each area, but the overall approach is missing.

You sponsor initiatives to “harmonize” or “rationalize” controls. Extensive mapping exercises are conducted. Spreadsheets and repositories are created. For a while, it appears organized. Then, gradually, each function reverts to its preferred language, and the harmonization becomes just another static artifact rather than a dynamic structure.

You spend disproportionate time in RACI discussions that never quite resolve who is truly accountable versus who is merely informed. Job descriptions, committees, and charters proliferate, yet in high-pressure situations, decisions still feel unclear.

Your board packs are getting thicker, but the questions from non-executive directors mostly stay the same: Where exactly are we most exposed? Who is responsible for that risk in practice? How sure are we that our cultural behavior matches the story in the slides?

None of this suggests that you have weak individuals or unproductive teams. It simply results from an organization running multiple frameworks and toolsets without a shared overlay across them. The system is doing its best with the architecture it has been given.

How an Overlay Changes the Conversation

When you introduce a genuine overlay, the first shift isn’t in tooling. It’s in the questions you ask. Instead of starting with, “Which framework are we using for this?”, leaders ask, “Which capability does this belong to, and who is responsible for that capability in this value stream?” The focus shifts from lists of controls to the organization’s fundamental abilities to govern, assure, plan, design, execute, change, and innovate safely.

Cyber, IT operations, risk, compliance, and audit no longer need to argue about which framework is “right.” They can align their requirements with the same set of enterprise capabilities and identify where they support each other and where they diverge.

This, in turn, enables more concrete discussions about Governance, Resilience, Assurance, and Accountability. Governance transforms from a collection of charters into the actual flow of decisions across shared capabilities. Resilience shifts from being a slogan to a characteristic of how those capabilities perform under stress. Assurance moves beyond an annual ritual to a continuous assessment of how well those capabilities function. Accountability changes from a negotiation between functions to an inherent part of the overall framework.

The architecture changes the conversation. The conversation changes the behavior.

The DVMS Overlay in Principle

The Digital Value Management System, the DVMS, is a way to provide that overlay. Without going into all its details here, you can think of the DVMS as a method for identifying and organizing a small set of Minimum Viable Capabilities that every organization needs to create, protect, and deliver digital business value. Those capabilities fill the slots of the overlay.

Frameworks like NIST, ISO, ITIL, ESG standards, and sector regulations are not discarded. They are mapped into those capabilities. Controls, processes, and tools find a home. Instead of being the primary organizing principle, each framework becomes a way of enriching a capability the enterprise has already agreed it must own.

From an executive perspective, this means you can examine a value stream and see, in one place, how governance, assurance, planning, design, execution, change, and innovation are actually collaborating. You can identify where your frameworks strengthen these capabilities and where they leave gaps or create contradictions.

The DVMS does not promise that frameworks will suddenly disappear. It promises that they will stop competing to define your reality. The overlay determines your reality. Frameworks contribute to it. That is the difference between having “a lot of GRC activity” and having an operating model capable of delivering GRAA.

Looking Ahead: From Overlay to Culture

It’s natural to feel a bit cautious now. Many leaders have seen control harmonization projects come and go. They understand how easily a new organizing idea can become just another layer of complexity. The overlay conversation differs because it extends beyond simply listing elements. It explores how the organization perceives itself and how that perception influences actions when it truly matters.

In the next article, we will shift from structure to the most challenging control surface of all: culture. Even with a clean overlay, the system won’t behave as intended if people don’t use it under stress. The map matters, but so do the patterns of behavior that emerge when pressure is applied.

That is why Part Three is titled “The Hardest Control Surface in Your Enterprise Is Culture.”

If you recognize the patterns described here and can sense the friction of frameworks without an overlay, then you are already beginning to see the outline of the real problem. The good news is that once you name it, you can start to design your way out of it.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® (DVMS)

A Unified Governance Overlay System that Operationalizes Resilience, Elevates Assurance, and Ensures Accountability

Digital Value Management System (DVMS) is not another framework, standard, or maturity model. It is a Culture-Powered Governance Overlay System that aligns leadership, operations, and business teams around a single purpose of creating, protecting, and delivering digital value.

Where most organizations struggle with fragmented systems, competing priorities, and siloed accountability, a DVMS introduces a unifying model that connects governance, resilience, assurance, and accountability into one integrated digital value management operating system.

Rather than adding more complexity, a DVMS amplifies the value of existing investments in ITSM, GRC, Cybersecurity, and AI by turning them into a coordinated resilience and assurance engine. It enables leaders to see, in real time, whether the business is working as intended—and whether the risks that matter most are being managed proactively.

At the core of the DVMS is a simple but powerful integration of:

  • Governance Intent – shared expectations and accountabilities.

  • Operational Capability – how the business actually performs.

  • Assurance Evidence – proof that value is being created and protected.

Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:

  • A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.
  • A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavior patterns that help teams think clearly and act confidently, even under uncertainty. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.
  • A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes, including cultural ones.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

  • For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
  • For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
  • For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

DVMS White Papers

The three whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.

  • The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.
  • The Assurance in Action Paper then moves from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.
  • The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.

DVMS Cyber Resilience Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.


Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025 All Rights Reserved
