From Chaos to Capability – Building the MVC Core of Your Enterprise – The GRAA Leadership Series Part 5

David Nichols – Co-Founder and Executive Director of the DVMS Institute

There’s a specific kind of conversation that has become more common in boardrooms and executive teams. An executive looks at a wall of initiative names: a cyber uplift program here, a privacy enhancement project there, ESG workstreams, third-party remediation, business continuity upgrades, “digital transformation” efforts, data governance initiatives, and AI ethics pilots. Each has its own business case, roadmap, steering committee, and reporting rhythm.

No one doubts that these things are necessary. Each responds to genuine pressures, regulatory expectations, past incidents, strategic bets, and stakeholder demands. However, when the executive pauses and asks a simple question, “What, exactly, are we getting better at as an enterprise?” the room usually falls silent.

People talk about milestones, deliverables, and compliance deadlines. They mention tool deployments and processes “going live.” However, there’s often no shared language for the core skills the organization needs to develop. It feels overwhelming yet insufficient at the same time, with too many programs and not enough clarity about the foundation that unites them.

This article is about the missing Minimum Viable Capability core.

Why “More Programs” Isn’t Solving the Problem

When organizations respond to risk, regulation, and disruption over time, a pattern emerges. A new regulation shows up. A major incident occurs in your own operations or within your industry. A regulator, investor, or board member begins asking more challenging questions. New technologies, such as cloud computing, AI, and automation, alter the risk landscape.

The natural response is to establish various programs, such as a cyber maturity program, a privacy enhancement program, an ESG program, a “trust and safety” or “responsible AI” program, and a supplier resilience initiative. Each program has its own governance, metrics, and commitments. From the front line, this can seem like a growing forest of requirements. People are asked to complete similar assessments in slightly different formats, join multiple forums with overlapping goals, and align with various frameworks that don’t perfectly match. Fatigue naturally sets in.

Seen from the top of the organization, the problem manifests differently. It becomes unexpectedly difficult to answer simple questions like:

  • Across all these efforts, what are we actually getting better at?
  • Where are we still weak in a way that really matters to our ability to create and protect value?
  • Which abilities are being touched repeatedly, and which are barely being addressed at all?

The issue isn’t the number of programs in itself, but that activity isn’t organized around a common core of essential capabilities. Effort increases, but it doesn’t form a unified whole. If Governance, Resilience, Assurance, and Accountability are to be more than just reports, they need a more stable foundation than a shifting collection of initiatives.

Shifting the Lens: From Controls and Processes to Capabilities

One way to escape this pattern is to change the question. Most traditional GRC work involves asking, “Which controls and processes do we need to be compliant with this framework or regulation?” That is a necessary question, but it is not the foundational one.

A stronger starting point is to ask, “What can we reliably do as an enterprise, under pressure, from start to finish?” That is a capability question. Controls and processes matter, but they are not the end goal. They are the tools through which the enterprise develops and demonstrates its abilities: the ability to govern decisions, to see what is really happening, to design resilient services, to execute safely at scale, and to adapt and innovate without losing control.

When you shift from “Do we have this control?” to “Do we have this capability?”, the conversation shifts in three ways. First, it becomes easier to identify duplication and gaps. You see where multiple programs are all trying, in different ways, to improve the same core ability. You also recognize where a critical ability is being overlooked, with no clear owner.

Second, it becomes easier to talk across silos. Different functions, frameworks, and tools can still use their specialist language, but they are all contributing to a smaller set of shared capabilities that everyone recognizes.

Third, it becomes easier to connect investment to outcomes. Instead of treating GRC programs as a never-ending list of obligations, you can ask, “How does this initiative strengthen a capability we know we need, in a part of the business that matters?” That’s where the idea of Minimum Viable Capabilities comes in.

Introducing Minimum Viable Capabilities in Human Terms

In the DVMS, we discuss Minimum Viable Capabilities (MVC) because we’ve learned that, beneath frameworks and tools, every digital enterprise relies on a small set of essential capabilities. The names are less important than the core idea, but they can be described clearly and concisely.

Every organization needs the ability to govern: to set direction, make informed trade-offs, define its risk appetite, and stand firm on its values when pressures increase. Governance is not only about charters and committees; it is the ongoing ability to decide what is acceptable, what is not, and how to respond when new tensions arise.

Every organization must be able to ensure that it understands what is truly happening, not just what is presented to it. Assurance goes beyond audits. It is about gathering reliable evidence of how the system functions and using that evidence to challenge assumptions and make informed decisions.

Every organization must have the ability to plan: to anticipate, prioritize, and sequence work in a way that balances risk and opportunity. Planning isn’t just about long-term strategy; it’s also about the ongoing ability to make informed decisions about what to do next based on what we currently know.

Every organization must be able to design: to create products, services, processes, and controls that incorporate resilience, safety, and ethics from the start, rather than adding them later. Design is where you decide how value, risk, and responsibility are allocated.

Every organization needs the ability to execute: to run what has been designed, day after day, at scale. Execution shows how the organization performs under normal conditions—predictable, consistent, reliable.

Every organization needs the ability to change: to adapt services and controls as the environment shifts, without losing control or breaking trust. Change is the process of moving from one state to another without harming the system.

Every organization must have the ability to innovate: to explore and implement new ways of creating value, including new technologies and business models, without transforming the enterprise into an uncontrolled experiment.

Different organizations use different terminology and distribute these capabilities in various ways. However, the underlying pattern remains remarkably consistent. If you lack any of these capabilities in a critical value stream, you will eventually pay the price.

Minimum Viable Capabilities are simply the smallest set of abilities you must be able to identify and assert, “Yes, we own this. We know who is responsible for it. We know how well it is performing, and we have a story about what we are doing to improve it.”

MVC as the Capability Core for Frameworks and Tools

Once you name these capabilities, something important happens.

Instead of viewing frameworks like NIST, ISO, ITIL, ESG standards, and sector regulations as competing principles, you can see them as resources to plug into the same core capabilities.

Some elements of NIST and ISO, for example, contribute to how you govern and assure cyber and information risk. Parts of ITIL contribute to how you design and execute services. ESG frameworks influence how you govern, plan, and assure your environmental and social impacts. Sector regulations dictate requirements that must be designed into products and processes and then assured in operation.

The DVMS overlay uses MVCs as the “slots.” Each control, process, or tool must find its place within one or more capabilities. Nothing remains unassigned.

This has several practical effects. First, duplication becomes apparent. When three different programs attempt to address the same capability problem from various perspectives, you can observe the overlap and merge their efforts. Instead of separate committees debating “resilience” in isolation, you can enhance the underlying capabilities that support resilience.

Second, gaps become apparent. You might realize that you’ve invested heavily in execution in one area, but nearly nothing in structured change. The system can operate, but it can’t adapt safely. Or you may find that innovation efforts are lively and passionate, but assurance remains weak. You’re experimenting without clear visibility into the consequences.

Third, discussions about investment become more focused. When someone suggests a new initiative, you can ask, “Which capability does this strengthen? Where does that capability currently sit on our radar? Is this the most important place to invest right now?” You shift from reacting to each new pressure individually to managing the capabilities that decide how the enterprise responds to all pressures.

MVC in the Flow of Value: Connecting to CPD

Capabilities matter only because of what they allow the organization to do with value. In earlier articles, we used the terms Create, Protect, Deliver (CPD) to describe the flow of a digital business. The enterprise constantly seeks to create new value, protect existing value, and deliver value reliably to customers, citizens, and stakeholders.

MVCs enable safe motion. When you create new value, such as launching a new digital product, entering a new market, or adopting new technology, you rely heavily on govern, plan, design, change, and innovate. If any of these capabilities are weak, your creation efforts may stall or conceal risks.

When you protect value, such as defending against cyber threats, managing third-party risk, maintaining continuity, and meeting ethical expectations, you rely heavily on govern, assure, design, execute, and change. For instance, a weakness in assurance can mean you might not realize that value is at risk until it’s too late.

When you deliver value, keeping services running, meeting commitments, sustaining trust over time, you depend on govern, plan, execute, and assure, with change always in the background as the environment shifts.

The same set of capabilities appears in different combinations across CPD. That is what makes them the core. They are not tied to a single function or framework. They are the muscles and bones through which value moves. If CPD is the motion, MVCs are the body that performs it.

How MVC Supports GRAA in Practice

This is where the connection to Governance, Resilience, Assurance, and Accountability becomes clear. Governance improves when each core capability has a designated owner, or, more precisely, an accountable steward, who is responsible for its health across value streams. Instead of governance being spread thin across many committees with overlapping roles, you have specific capabilities and accountability assigned to individuals.

Resilience improves when you can identify which capabilities are under stress or missing in specific areas. You might excel in a critical product line, but your ability to change it safely is underdeveloped. Or you might innovate aggressively in a new business unit but lack mechanisms to assess the impact of those innovations. From a capability perspective, these are not generic concerns; they are specific weaknesses that can be addressed.

Assurance becomes more meaningful when it is organized by capability rather than by framework alone. Instead of asking, “Are we compliant with Framework X?” you can ask, “How well does our assure capability function in this value stream? What is the evidence? Where are we relying on trust rather than verification?” That kind of questioning gets closer to how systems actually fail.

Accountability becomes more precise and more humane. When something goes wrong, you can trace it back to capability gaps rather than attributing it to an individual fault. Individuals are still responsible for their decisions, but those decisions are understood in the context of the capabilities they were given. Leaders can take responsibility for strengthening those capabilities, rather than only reacting to their absence.

MVCs give GRAA a place to live. They turn high-level aspirations into questions about specific abilities that someone can own, measure, and improve.

One Value Stream, One Core

To bring this down to earth, imagine sitting with the leadership group responsible for a single digital product—a customer-facing platform that is strategically important. With a Minimum Viable Capability core on the table, the conversation takes on a different tone.

You can ask, calmly and specifically:

  • In this value stream, who is accountable for governance? Whose job is it to hold the line on risk appetite and values when we face tempting trade-offs?
  • How does assurance actually work here? Beyond dashboards and status reports, how do we know whether reality matches our assumptions?
  • What does planning look like in this product? Who decides what enters the pipeline, and how do they weigh risk and opportunity?
  • How is design done? At what points are resilience, security, compliance, and ethics considered? Who can say “not yet” if the design is weak?
  • Who runs execution day-to-day? How do they balance stability with the changes being pushed through?
  • How are changes introduced? What is the route from idea to live change, and where can someone stop the line if something feels wrong?
  • Where does innovation live in this value stream? Who sponsors it, and how is it governed so that experiments do not inadvertently put customers or the enterprise at risk?

As the group responds, gaps and overlaps quickly become apparent. You might find that “assure” is everyone’s responsibility, but also no one’s at the same time. Or that “change” and “innovate” occur informally in the same spaces, with few guidelines. Or that governance is assumed to rest with a committee that rarely sees the real tensions faced by the product team. The value of MVC is not that it gives you a theoretical model. It gives you a shared map for a conversation about reality.

Implications for Executives and GRC Leaders

For executives, a Minimum Viable Capability core offers a more straightforward way to oversee GRAA than a series of program updates ever could. You can ask, “Across the enterprise, which capabilities are we intentionally investing in, and why? Which capabilities are fragile, and where does that fragility connect with our most critical value streams? How do we know if our governance and assurance functions are keeping pace with our innovation and change?”

You transition from supervising projects to managing capabilities. For GRC leaders and analysts, MVCs provide a method to unify work that can otherwise seem scattered. Risks, controls, tests, incidents, cultural insights, and external obligations can all be organized by the capabilities to which they relate, and reporting shifts from simply checking off framework clauses to narrating a story about capability health. This doesn’t add unnecessary complexity; instead, it replaces uncontrolled complexity with a more transparent, shared structure.

Looking Ahead: From Capability Core to Value-Centered GRAA

Up to this point in the series, we’ve acknowledged that traditional GRC investments have not delivered the resilience leaders feel they need. We’ve recognized the overlay problem: frameworks without a shared operating model. We’ve accepted that culture is the hardest control surface, and we’ve introduced a 3D view of leadership, structure, and behavior.

In this article, we introduced the concept of a Minimum Viable Capability core: a way of organizing work so that everything your organization does for governance and resilience has a clear place to fit.

The next step is to unify all of this around the core of the business itself. Because ultimately, Governance, Resilience, Assurance, and Accountability are not separate efforts. They are byproducts of how you create, protect, and deliver digital business value—if, and only if, the system is designed that way.

That is where we’ll go next in “Running on CPD: How Value-Centered Governance Changes the GRC Game.”

Once you have a shared core of capabilities, the real opportunity is to run your enterprise on CPD—to make value, not just compliance, the organizing principle for how GRAA shows up in everyday decisions.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® (DVMS)

DVMS is a living management overlay system that governs digital value outcomes by ensuring operational resilience, performance assurance, and transparent accountability across complex digital ecosystems.

At its core, the DVMS is a simple but powerful integration of:

Rather than adding more complexity, a DVMS integrates Fragmented Frameworks and Practices such as NIST CSF, GRC, ITSM, DevOps, and AI into a unified overlay system that enables leaders and regulators to see, in real time, whether the digital business is working as intended—and whether the risks that matter most are being managed proactively.

Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors, the DVMS provides an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

DVMS White Papers

The three whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.

The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.

The Assurance in Action Paper elevates the conversation from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.

The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.

DVMS Cyber Resilience Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025 All Rights Reserved
