Seeing the System – A 3D View of Leadership, Structure, and Behavior – The GRAA Leadership Series Part 4

Seeing the System – A 3D View of Leadership, Structure, and Behavior – The GRAA Leadership Series Part 4

David Nichols – Co-Founder and Executive Director of the DVMS Institute

Picture the scene.

An executive sits at their desk, examining a screen filled with reports. Cyber risk heatmaps are on one side, while operational KPIs and service levels are on the other. Internal audit findings are summarized in tidy matrices. Culture survey results are broken into colorful charts. Third-party risk dashboards, regulatory updates, and compliance attestations are also displayed.

Each report makes sense on its own terms. Each has been carefully prepared by competent teams using reputable frameworks. However, when the executive leans back and tries to answer a simple question, “How is this system actually behaving?” the overall picture feels strangely flat.

There is no shortage of data. However, it remains hard to see how leadership decisions, structural choices, and frontline actions work together as a single system. The executive often ends up doing what many experienced leaders do: scanning the numbers, relying on their memory and intuition, and making a judgment call.

The question underneath that experience is straightforward enough: What would it look like to see the organization in three dimensions, rather than as disconnected slices of information?

The Limits of Flat Views

Most organizations today work with a set of “flat” views of themselves.

There is a leadership perspective, encompassing strategies, vision statements, risk appetite documents, operating model slides, and speeches at town halls. This perspective shares a story about intent—where the organization aims to go and how it wants to act.

There is a structural perspective: organization charts, process maps, RACI diagrams, governance forums, frameworks, and tools. This perspective outlines the formal mechanisms—the way work is intended to be coordinated and managed.

Then there is the behavioral view, which encompasses incidents, near-misses, HR data, culture surveys, whistleblower reports, customer complaints, and supplier escalations. This perspective captures what actually happens when the system interacts with reality.

You can see how these perspectives are managed. The executive and strategy teams mainly hold the leadership perspective. The structural perspective tends to be with operations, technology, and various risk and control groups. The behavioral perspective is spread across HR, risk, audit, and line management.

They appear on various decks, at different times, in different forums. Sometimes they interact, but more often they just pass by each other.

The consequence is practical. You can tune each view separately. You can refine the strategy, adjust the structure, or address behavioral issues as needed. However, you’re doing so with only partial views. Rarely do you see how leadership, structure, and behavior come together in the exact moment around the same value stream.

When that’s the case, you can invest heavily in Governance, Resilience, Assurance, and Accountability and still find that the system behaves in ways that surprise you. You are managing components, not the whole. To change that, you need a way of seeing the system itself.

Introducing the 3D View in Plain Language

One way to do that, and the way we use within the DVMS, is to look at the organization through a 3D lens. You can think of it this way: instead of treating leadership, structure, and behaviour as three separate topics, imagine them as three axes of a single model. Where they intersect, you get the lived reality of how your organization creates, protects, and delivers value.

In human terms:

Leadership is the vertical axis, the Z-axis. It represents the pull of intent, priorities, narrative, and risk appetite. What do leaders say matters? What do they ask about repeatedly? What are they prepared to slow down or stop when risk questions arise?

Structure is the horizontal axis, the Y-axis. It captures the arrangement of roles, processes, frameworks, governance forums, and tools. How is work divided and joined up? Who has decision rights? Which metrics and incentives shape day-to-day trade-offs?

Behavior is the axis of movement over time, the X-axis. It is what people actually do as conditions change, especially when they are at the edge of chaos—under time pressure, with incomplete information, facing conflicting demands.

The goal of this model isn’t to add jargon. It’s to provide leaders and GRC professionals with a disciplined way to focus their attention. When you examine a real situation and ask, “What are the leadership signals here? What is the structural context? What behaviors are we observing?”, you’re already starting to see in 3D.

What You Miss Without the Third Dimension

It helps to consider what happens when you can only see one or two axes at a time. When you focus on leadership and structure but overlook behavior, you can create elegant strategies and operating models that ultimately fail to succeed. The target operating model appears coherent. The governance framework looks well-organized. The RACI diagrams seem convincing. Yet, incidents, near misses, and value leakage continue to emerge in areas that the design did not anticipate.

On paper, everything lines up. In practice, people often find workarounds, revert to old habits, or respond to incentives that were not discussed during the design sessions.

When you observe structure and behavior but not leadership, you can improve processes and tools on the fringes while missing the fact that executives are sending conflicting signals. Teams may act in ways that seem suboptimal, but if you listen carefully, you’ll realize they are responding logically to what leaders emphasize, reward, and neglect. The system functions as designed; it just isn’t set up as leadership believes it should be.

You can fix local processes all year without addressing the real issue: misaligned intent and reality. When you focus solely on leadership and behavior, rather than structure, you can have meaningful conversations about culture and values; however, you’re essentially asking people to change their behavior without altering the constraints within which they work. You praise early escalation but keep metrics that penalize “unnecessary noise.” You discuss collaboration, but maintain structures that pit functions against each other.

In that world, people hear the speeches, see the posters, and still decide that following the unofficial rules is the safest choice. A 3D view doesn’t eliminate complexity; instead, it prevents you from being blindsided by interactions that were invisible when working with flat images.

Walking a Value Stream in 3D

To clarify this, imagine tracking a single digital value stream from start to finish. It could be an online service, a data-driven product, or an operation dependent on supplies. At some point within this value stream, a risk appears. A developer notices a pattern indicating a possible data breach. A supplier misses a critical milestone that threatens continuity. A team realizes an AI-enabled feature might have unintended ethical or regulatory effects. Seen from two perspectives, you might immediately ask, “Which control failed?” or “Which process wasn’t followed?” That’s the typical GRC instinct.

Viewed in 3D, your perspective begins differently. First, assess leadership. What signals have leaders in this part of the business been sending regarding risk and value? Have they prioritized growth at all costs, or have they consistently emphasized trust and long-term resilience? When they review performance, do they focus more on short-term numbers than on emerging risks? When someone has slowed down a launch for safety reasons in the past, how has leadership responded?

Next, examine the structure. How are responsibilities actually divided among product, technology, security, legal, operations, and suppliers within this value stream? Where do frameworks like NIST, ITIL, or sector regulations appear in the daily flow of work? Is there a straightforward process for escalating issues that cross boundaries, or does every route lead back to a narrow functional perspective?

Finally, examine behavior. When this issue arose, who first noticed it? Did they speak up? If so, whom did they approach? How did those individuals respond? Was there curiosity or defensiveness? Did the issue become clear and owned quickly, or did it bounce around, waiting for someone with sufficient authority to take it seriously?

Viewed this way, you are no longer just asking, “Which control did we have or not have?” Instead, you are asking, “How did leadership signals, structural design, and human behavior combine in this specific situation?” You might find, for instance, that the formal process would have been effective if people had felt safe using it. Or that people did their best, but the structure offered no clear path. Or that the structure was solid, but leadership messages undermined its use. The goal isn’t to assign blame. It’s to see the system clearly enough to improve it.

Why This Matters to Executives and GRC Analysts

For executives, this 3D lens shifts the type of questions you ask. Instead of stopping at “Are we compliant?” or “Do we have the right controls in place?”, you can dig deeper: “In this critical value stream, how are our leadership signals, structures, and behaviors interacting? Are we sending one message, designing for another, and experiencing a third in practice?”

This is the difference between being a consumer of GRC reports and being a system governor. For GRC analysts and leaders, the 3D model offers a way to unify work that might otherwise feel disconnected. A risk assessment is no longer just a list of threats and controls; it reveals how the structure either supports or weakens the desired behavior. An audit finding isn’t just a gap in process; it hints at how leadership focus and structural constraints influence behavior. Culture survey results are not just an appendix; they provide one perspective on how the three axes interact.

When executives and GRC professionals share a 3D vocabulary, the conversation changes. It becomes less about defending individual domains, such as cyber, operations, audit, and HR, and more about jointly understanding the system that all of those domains inhabit.

How the DVMS Uses the 3D Knowledge Model

Within the DVMS, this 3D perspective is not just a side note; it is a core design choice. When the DVMS examines a value stream, it does not begin by cataloging controls. Instead, it starts by asking three questions:

• What is leadership really signaling in this space, both explicitly and implicitly?
• How are the necessary capabilities, governance, assurance, planning, design, execution, change, and innovation structured around the work?
• What behaviors are we observing over time, especially when the system is under stress?

This is where the earlier parts of the series come together. The overlay discussed in the second GRAA article ensures that capabilities are defined consistently across the organization. The cultural perspective from the third GRAA article emphasizes that behavior is a key control element. The 3D model combines leadership, structure, and behavior into a unified framework.

From there, the DVMS can form more well-founded judgments about GRAA. Governance isn’t judged solely by the existence of committees and charters, but by whether leadership, structure, and behavior are aligned in a way that reflects how decisions actually flow. Resilience isn’t assessed only through continuity plans, but by how the system responds and adapts when plans meet reality. Assurance isn’t just a testing schedule, but a changing view of how the system performs over time. Accountability isn’t just about job titles, but about who takes responsibility, who makes decisions, and who learns.

As digital signals accumulate, through incidents, changes, supplier performance, and everyday decisions, tools like the Adaptive Edge Platform and Kaia are there to surface patterns in this 3D space, rather than simply adding more flat dashboards.

From 3D Insight to 3D Action

Seeing the system in three dimensions is helpful, but it is not the goal. The key is to act differently. When a misalignment is visible in 3D, you have more options for where and how to intervene. You might realize that the main issue in a value stream is leadership signals. The structure and behaviors are logical responses to a story that over-prioritizes speed, cost, or growth. In that case, the most effective intervention is for leaders to change what they emphasize, what they are willing to delay, and which trade-offs they make visible.

The core issue appears to be structural. People are asked to operate in inherently conflicting ways: dual reporting lines pull in opposite directions, metrics undermine desired behaviors, and processes trap issues in departmental dead ends. In such cases, redesigning roles, handoffs, or metrics will likely have a greater impact than another awareness campaign.

You may find that leadership signals and structures are broadly aligned, but behaviors lag because people have never seen the new expectations lived through tough decisions. Here, the work is to create and amplify visible examples—to show, not just tell—that it is safe and expected to act differently.

The value of the 3D model is not that it gives you a magic answer. It is what stops you from choosing interventions in the dark. You are no longer guessing whether to change the policy, the process, the leadership message, or the training. You can see which layer is out of step.

And when your view and your actions become three-dimensional, GRAA has a better chance of becoming something the system does, not just something it says.

Looking Ahead: From Seeing the System to Structuring the Work

So far in this series, we have accepted an uncomfortable truth: our traditional GRC investments have not provided the resilience we believed we were buying. We have identified the overlay problem—strong frameworks without a shared operating model. We have recognized culture as the most difficult control surface, where governance either becomes real or dissolves under pressure. And now, with a 3D perspective, we can see leadership, structure, and behavior as a single system rather than as separate themes.

The natural next question is simple:

If this is how we see the system, how do we structure the work itself?

That is where Minimum Viable Capabilities come in—the simple, shared capability spine that the DVMS uses as the foundation for all other elements. It is the practical answer to the question, “What are the essential abilities this enterprise must possess, regardless of which framework or tool we are using?”

We will explore that in the next article: “From Chaos to Capability.”

Once you can visualize your system in 3D, the next step is to give it a backbone that everyone can recognize, use, and improve together.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® (DVMS)

The DVMS is an adaptive, culture-enabled overlay system designed to help organizations of any size transition from static, paper-based governance systems to a living, evidence-based system of Governance, Resilience, Assurance, and Accountability (GRAA).

At its core, the DVMS is a simple but powerful integration of:

• Governance Intent – shared expectations and accountabilities.

• Operational Capability – how the business actually performs

• Assurance Evidence – proof that intended outcomes are being achieved

Rather than adding more complexity, a DVMS integrates Fragmented Governance Frameworks and Practices such as NIST CSF, GRC, ITSM, DevOps, and AI into a unified overlay system that enables leaders and regulators to see, in real time, whether the digital business is working as intended—and whether the risks that matter most are being managed proactively.

Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

• Maintain Operational Stability Amidst Constant Digital Disruption
• Deliver Digital Value and Trust Across A Digital Ecosystem
• Satisfy Critical Regulatory and Certification Requirements
• Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability

DVMS White Papers

The three whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.

The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.

The Assurance in Action Paper elevates the conversation from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.

The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.

DVMS Cyber Resilience Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment fosters IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

Company Brochures and Presentation

• DVMS Company Brochure
• DVMS Product Brochure
• DVMS Company Presentation

Explainer Videos

• DVMS Architecture Video: David Moskowitz explains the DVMS System
• DVMS Case Study Video: Dr. Joseph Baugh Shares His DVMS Story.
• DVMS Overlay Model – What is an Overlay Model
• DVMS MVC ZX Model – Powers the CPD
• DVMS CPD Model – Powers  DVMS Operations
• DVMS 3D Knowledge Model – Powers the DVMS Culture
• DVMS FastTrack Model – Enables A Phased DVMS Adoption

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved