The Hardest Control Surface in Your Enterprise Is Culture – Leading from the Front – The GRAA Leadership Series Part 3


David Nichols – Co-Founder and Executive Director of the DVMS Institute

Every seasoned executive has lived through some version of this story.

On paper, everything appeared correct. The policy was straightforward. The risk assessment was finished. Roles and responsibilities were recorded. People attended the training. There was a process aligned with the framework for incidents or escalations, complete with flowcharts and RACI matrices.

Then something real happened.

An emerging issue developed in a key service. A supplier quietly overlooked a critical checkpoint. A product team identified a risk associated with a rushed release. At that moment, the system transitioned from the slide deck into the actual world. People hesitated. Middle managers debated whether escalating the issue would be seen as “adding noise.” Someone softened the language in an email to avoid alarming an executive sponsor. A team decided to “watch and wait” instead of acting, as the last person to raise a similar concern had been criticized for slowing things down.

Afterward, a review was conducted. New actions were assigned. Perhaps an extra layer of guidance was added. However, everyone in the room understood, at least privately, that the real reason things did not go as planned was not a missing policy. It came down to how people actually behaved when the stakes were high. At that moment, the most challenging control surface in your enterprise wasn’t a firewall, checklist, or dashboard. It was culture.

How We’ve Traditionally Talked About Culture

Culture has been a part of discussions on risk and governance for years, but notice how it is usually talked about. It often appears as a list of values and behaviors, including integrity, accountability, customer focus, and innovation. It is referred to in regulatory language as “tone at the top” and “culture of risk awareness.” It also exists in HR programs related to engagement, leadership development, and “ways of working.”

None of that is incorrect; it is just incomplete. Usually, culture is seen as a soft, advisory category. It is often placed alongside the “real controls” instead of being considered one of them. When auditors discuss culture, their comments tend to sound more like observations than formal findings. When regulators inquire about culture, organizations usually respond with survey scores and leadership statements.

In practice, the system sends a clear message: controls are rigid; culture is flexible. The tough parts are the frameworks, controls, test plans, and metrics. Culture is what we discuss in town halls and appendices.

That separation is no longer sustainable in a world where critical risk decisions are made in real time under uncertainty by people working at the organization’s edge. The reality is simpler and less comfortable: culture acts as a form of control. Often, it is the control.

Culture as the Hardest Control Surface

If you remove the slides and slogans, culture can be explained in simple terms: Culture is how the organization acts when no one is watching, or when the stakes are high, and the playbook doesn’t quite work.

Consider a few everyday situations. A service manager notices an early sign that could develop into a customer-impacting incident. The process advises “escalate early,” but the unofficial team story is that the last person who escalated a false alarm was labeled as overreacting. The manager hesitates, decides to keep observing, and quietly hopes it passes.

A product owner feels pressure to meet a release date that has been communicated to a major client. The release checklist includes a security review and an operations sign-off. The product is nearly ready, but it’s not quite there yet. With enough creative interpretation, the checklist can be considered “good enough.” The release is scheduled to go forward late on a Friday because nobody wants to be the person who delays the date.

A supplier manager receives a vague but concerning warning that a strategic partner may be cutting corners. Bringing it up formally could embarrass a supporter at the board level. The concern is minimized, described as “something to keep an eye on,” and stored in a notes section instead of being treated as an actual issue.

In each of these cases, the formal system was in place. There were policies, risk assessments, RACI charts, and perhaps dashboards displaying reassuring colors. The frameworks were active, not dormant.

But the real influence, the thing that truly shaped behavior, was culture: the pattern of stories, incentives, and informal rules about what actually happens here when tension arises between targets, risk, and values.

You don’t need a PhD in organizational behavior to see the point. If Governance, Resilience, Assurance, and Accountability never reach this level or influence the real trade-offs people face in moments like these, they mostly stay theoretical.

Why Training and More Rules Don’t Fix a Cultural Control Problem

Organizations are aware of cultural problems. The issue is how they often respond. When an incident clearly has a cultural aspect, such as late escalation, hesitance to challenge, or creative rule reinterpretation, their typical solutions are well-known. They might launch a new awareness campaign, add an extra module to the e-learning, update the policy with stronger language, or require mandatory sign-offs at a higher level.

These responses are understandable and visible. They show that leadership is “taking it seriously.” However, they tend to be short-lived. People quickly learn the new exam answers, so the next time they complete mandatory training, they know exactly which options match the desired behaviors. But when a real decision arises, their thought process remains unchanged. They still experience the same tension between targets and risks. They continue to tell themselves the same stories about what is rewarded and what is punished.

Adding more rules can even backfire. If the official guidance becomes more rigid while the environment becomes more fluid, people learn to treat the rules as theater and rely on informal workarounds. The more you over-specify, the more you tacitly encourage people to stop thinking and start waiting for explicit permission.

You can sense it when this dynamic occurs. It happens when someone says, “Yes, that is what the policy says, but you and I both know how things really work here.” Culture issues aren’t solved by simply adding content on top of the same structure. They require changing the structure itself: how leadership signals are communicated, how roles and incentives are designed, and how behavior is interpreted and responded to.

The Three Layers: Leadership Signals, Structure, and Behavior

To make culture governable, you need to be able to view it in a structured manner. A practical approach is to examine three layers of the system and how they interact.

Leadership signals. Structural design. Behavior.

Leadership signals are what executives and senior leaders truly emphasize, not just in formal messages but also in everyday interactions. This includes what they inquire about in meetings, what they praise, and what they remain silent on. It also covers what they are willing to delay or stop when risk questions arise, as well as what they choose to push through.

Structural design encompasses the internal organizational structure, including roles, decision-making rights, committees, frameworks, processes, and the metrics used to measure success. It also includes how performance goals are set and aligned, as well as how conflicting objectives, such as speed versus safety or cost versus continuity, are effectively managed.

Behavior refers to the actions people take in a specific context. It’s not about what they say they would do, but how they act when leadership signals and structural constraints meet the messy reality of customers, deadlines, and ambiguity.

Culture lives at the intersection of these three layers. It is not a vague cloud of sentiment. It is the emergent pattern that appears when leadership, structure, and behavior interact over time.

Consider a simple example. Leadership repeatedly says, “We want early escalation.” However, the structure sets aggressive targets and measures teams mainly on time, volume, or cost. There are no visible rewards for prudent escalation, and there have been high-profile cases where people who rang the bell early were made to feel naïve. Behavior follows the structure, not the slogans. People learn to escalate only when failure is unavoidable.

In that environment, the cultural message is clear: “We say we want early warning, but we live as if we prefer a clean narrative.” Culture isn’t mysterious. It’s specific and created by the system as designed and led.

How Culture Undermines (or Enables) GRAA

Once you see culture as this emergent control surface, its relationship to Governance, Resilience, Assurance, and Accountability becomes uncomfortably direct.

Governance depends on honest information and timely challenge. In a culture where bringing bad news is career-limiting, the surface between reality and governance is opaque. Committees can be perfectly structured, and minutes can be flawlessly written, but they govern a filtered version of the truth.

Resilience relies on disciplined learning. In a culture that celebrates heroic recovery but rarely conducts root cause analysis, incidents become episodic dramas instead of opportunities for system redesign. The same weaknesses recur, often in slightly different circumstances.

Assurance relies on independent, evidence-based perspectives. In a culture where audits and assessments are viewed as performances to be managed, assurance becomes a form of theater. People prepare for the exam instead of using the process to identify and address real risks.

Accountability relies on clarity and fairness. In a culture where individuals are blamed for systemic failures, people learn to minimize exposure. They become more focused on protecting themselves than the system. Risks exist in the gaps between roles.

Now consider the opposite pattern. If the cultural pattern is to surface issues early without punishment, governance sees more of reality. If the cultural pattern is to treat incidents as learning opportunities, resilience improves with each shock. If the cultural pattern is to welcome scrutiny and share uncomfortable data, assurance becomes more meaningful. Suppose the cultural pattern is to hold people accountable for their decisions within a clear system, rather than for every outcome in a complex environment. In that case, accountability becomes a shared practice rather than a game of defense. Culture does not sit beside GRAA. It is the medium through which GRAA either succeeds or quietly fails (sometimes spectacularly fails).

The Overlay Meets Culture: Will People Use the Map?

In the previous article, we discussed overlays: the need for a shared structure that sits above frameworks and tools. An overlay like the one offered by the DVMS provides a more precise map. It outlines a small set of core capabilities and a consistent language for managing and verifying work across the enterprise. But a map, by itself, does not change outcomes.

The question is whether people will rely on the map when it truly matters. In a constructive culture, the overlay serves as a dynamic reference point. People use it to navigate and orient themselves. They are aware of which capability they are engaging when making decisions. They also know who is responsible for what. When something unusual occurs, they can see where it fits within the system and how to escalate it.

In a fearful or fragmented culture, the overlay risks becoming mere wallpaper. It shows up in presentations and on intranet pages. People can recite the capability names if asked. However, when pressure builds, they revert to local habits, including loyalty to their immediate manager, short-term targets, informal coalitions, and quiet workarounds.

The uncomfortable truth is that overlay and culture are interconnected. The overlay offers structure, but culture decides if that structure manifests in behavior. You might have an elegant overlay that remains unused, or a strong culture that constantly battles the confusion caused by poor structure. Achieving sustainable GRAA requires both elements to develop together.

How the DVMS Makes Culture Visible and Governable

The Digital Value Management System is often described as an overlay for frameworks and capabilities. It is equally a way of treating culture as a first-class object in governance.

It does this in several practical ways. First, it emphasizes that culture should be viewed through the same lens as everything else: how does it influence our ability to create, protect, and deliver digital business value? Culture is not just a side concern for HR; it is a key factor in whether a digital business can survive and adapt.

Second, it uses the three layers (leadership signals, structural design, and behavior) as a deliberate way of examining culture in specific value streams. Rather than talking about culture in the abstract, the DVMS invites leaders to ask:

  • In this product line, what are we really signaling about risk and learning?
  • How are roles, metrics, and incentives set up?
  • What behaviors are we actually seeing when things go wrong?

Those questions are not rhetorical. They drive design choices: adjusting decision rights, rebalancing metrics, and changing who is in the room during trade-offs.

Third, in the context of the Adaptive Edge Platform and Kaia, the DVMS treats culture as something that can be continuously observed, not just through opinion surveys but through patterns in decisions, escalations, and outcomes. Which kinds of issues are raised early or late? Where do approvals tend to be bypassed? Which teams learn quickly, and which repeat the same mistakes?

The point is not to judge people. It is to give leadership a clearer view of how the system they built is actually behaving, so they can take responsibility for changing the system, not just correcting individuals.

Culture, GRAA, and the Courage to Adjust the System

If culture is the most challenging control surface, then meaningful progress toward GRAA requires more than just asking people to “live the values.” It calls for the willingness to modify the system that creates culture.

That might mean choosing, in public, to support someone who raised a concern early, even if it turns out to be a false alarm. It might mean delaying a high-profile launch because a team identified a resilience weakness, and framing that delay as a sign of leadership, not failure. It may mean revising metrics that subtly penalize the very behaviors you claim to want.

These are significant choices. They are the moments when leaders either reinforce the current cultural pattern or start to establish a new one.

The DVMS doesn’t create courage. That’s a human decision. What it provides is a straightforward way to identify where courage is needed. It demonstrates how leadership signals, structural design, and behavior converge to shape the current culture. It gives you language and a map to act on that understanding. Culture work stops being a vague, peripheral activity and becomes central to governance.

Looking Ahead: From Culture to Seeing the System in 3D

So far in this series, we have acknowledged that our traditional GRC investments are not delivering the resilience we expect. We have identified the overlay problem as strong frameworks without a shared structure. And we have recognized culture as the ultimate control surface where all of this either comes together or falls apart.

The next step is to integrate structure and culture in a way that enables leaders to work consistently and effectively. That is where the 3D lens of the DVMS comes in, a way of viewing leadership, structure, and behavior as one integrated system rather than as disconnected topics scattered across different departments and decks.

In the next article, we will explore:

“Seeing the System: A 3D View of Leadership, Structure, and Behavior.”

Because once you can see your organization in three dimensions, you can begin to govern the system you actually have, not the one you imagine you built.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® (DVMS)

An Adaptive, Culture-Enabled Governance System Designed to Drive Operational Resilience, Deliver Performance Assurance, and Ensure Evidence-Based Accountability

Digital Value Management System (DVMS) is not another framework, standard, or maturity model. It is an Adaptive, Culture-Enabled Governance System that aligns leadership, operations, and business teams around a single purpose of creating, protecting, and delivering resilient digital business value and operations.

Where most organizations struggle with fragmented systems, competing priorities, and siloed accountability, a DVMS introduces a unifying model that connects strategy, governance, operations, and culture into one integrated digital value management operating system.

Rather than adding more complexity, a DVMS amplifies the value of existing investments in ITSM, GRC, Cybersecurity, and AI by turning them into a coordinated resilience, assurance, and accountability engine. It enables leaders to see, in real time, whether the business is working as intended—and whether the risks that matter most are being managed proactively.

At the core of the DVMS is a simple but powerful integration of:

Through its MVCCPD3D Knowledge and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:

  • A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.
  • A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavior patterns that help teams think clearly and act confidently, even under uncertainty. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.
  • A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes, including cultural ones.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

  • For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
  • For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
  • For the CIO, CRO, CISO, and Auditors, the DVMS provides an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

DVMS White Papers

The three whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.

  • The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.
  • The Assurance in Action Paper elevates the conversation from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.
  • The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.

DVMS Cyber Resilience Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.


Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025 All Rights Reserved
