Running on CPD – How Value-Centered Governance Changes the GRC Game – The GRAA Leadership Series Part 6

David Nichols – Co-Founder and Executive Director of the DVMS Institute

It’s common for an executive to experience two very different meetings in one week. In one meeting, the emphasis is on growth, with discussions focusing on new products, markets, and digital capabilities. The language revolves around revenue, competitiveness, customer experience, and innovation. The atmosphere is energetic, with people discussing how to seize opportunities before competitors do.

In another meeting, the focus is on risk and compliance. Topics include heatmaps, control gaps, remediation plans, regulatory updates, and audit findings. The language revolves around exposure, mitigation, obligations, and assurance. The mood is cautious. People discuss ensuring that nothing goes wrong.

Often, some leaders attend both meetings. They care about both discussions. However, it rarely feels like the two meetings are describing the same system. Value is discussed in one room, while risk is discussed in another. Governance tries to connect the two, but it often arrives late to both.

The outcome is familiar. Risk seems like something added on top of the core business, rather than an inherent part of how the business creates and safeguards value. Executives are expected to switch between optimistic and cautious views, then somehow hold both perspectives in their minds while making decisions.

This article examines the transformations that occur when value becomes the primary principle for governance, rather than a secondary consideration.

The Problem With “Risk First” Governance

Many organizations, even those with advanced GRC capabilities, still operate under a “risk first” approach. They initially conceive business ideas or technology initiatives mainly in commercial and operational terms. Teams focus on features, time to market, cost, competitive edge, and customer impact. Once the idea takes shape, risk and compliance are brought in to review, advise, challenge, and approve. Controls are then designed and implemented. Policies are referenced, and exceptions are negotiated.

This pattern is effective when change is gradual, and systems are simple. In a digital environment, where products continually evolve, dependencies are complex, and decisions are dispersed, weaknesses become more apparent. Teams view risk and compliance as obstacles or late-stage critics, rather than as partners in creating and protecting value. Risk leaders struggle to influence decisions that have already been effectively made. Executives receive two partial stories: one about upside and another about downside. There is no single perspective that treats both as parts of the same flow of work.

In this world, governance is often seen as a series of gates and approvals. It feels like something that surrounds the business rather than being an integral part of it. The organization operates according to one logic and manages risk with another. In a complex, fast-moving environment, this isn’t just inefficient; it is also dangerous.

To fix this, you need to change the way you think. You should explain governance, resilience, assurance, and accountability in terms of how value flows through your system, not just how you defend against risks. That’s where CPD comes into play.

CPD as the Operating Rhythm

At the core of every digital enterprise lies a simple, ongoing rhythm. The organization continually works on three activities simultaneously. It creates new value, which might include a new digital service, an updated feature within an existing platform, a data-driven capability, or a new way to serve a customer or citizen.

It protects value. It aims to defend what it has built against cyber threats, third-party failures, process breakdowns, fraud, reputational harm, and breaches of trust.

It delivers value. It fulfills promises to customers and stakeholders daily, reliably, and predictably, to the extent that people feel confident in relying on it.

Together, these three activities are Create, Protect, and Deliver (CPD).

These are not three separate departments; they are stages of the same process. In practice, they constantly overlap. While you are delivering, you are also evolving and creating. While you are creating, you should already be thinking about how to protect and deliver what you are building. While protecting, you are often forced to change and sometimes innovate.

CPD assigns a name to that motion. Once you can describe the business in these terms, you can directly link governance, risk, and assurance to how value flows, rather than treating them as separate layers of analysis.

What Happens When CPD Is Not Explicit

When an organization doesn’t explicitly think in CPD terms, a common pattern occurs. Creative work tends to advance rapidly. It is mainly viewed in terms of opportunity and speed. Energy and senior attention are focused on new products, features, and technologies. Risk is recognized, but it is often viewed as an obstacle to be addressed later.

Protection work is often reactive. It responds to changes that creation pushes through the system. It attempts to incorporate controls and policies into designs that were not originally intended to accommodate them. Cyber, legal, compliance, and audit teams find themselves racing to keep pace with a rapidly evolving target.

Delivery work is caught between two forces. Operations teams are tasked with maintaining service stability while change programs and protection initiatives pull them in opposite directions. They bear the operational consequences of decisions made elsewhere.

In this world, governance becomes a negotiation between competing priorities rather than a cohesive approach to the entire system. Resilience is often an afterthought, usually recognized through incidents and near misses. Assurance is sporadic and incomplete because it attempts to measure a moving target rather than understand a steady flow of information. Accountability is unclear because no one is clearly responsible for the entire process from start to finish.

None of this occurs because people are careless or indifferent about risk. It happens because the system has never been asked to view itself as a single CPD flow.

CPD as the Bridge Between Value and GRAA

When you focus on CPD, the conversation shifts. Governance can then be viewed as setting intent, making trade-offs, and assigning accountability throughout the entire CPD cycle. You’re not just approving individual projects or controls; you’re determining how the organization creates, protects, and delivers value in a specific area, and under what terms.

Resilience shifts from being an abstract idea to an inherent quality of the CPD flow itself. You consider how effectively you can continue creating, protecting, and delivering value under stress, not just how quickly you recover from a single failure. You evaluate how the flow responds when a supplier is lost, a key service is degraded, new regulations are introduced, or an unexpected opportunity arises.

Assurance becomes the discipline of gathering evidence about how CPD actually works in practice. Are we creating value in the way we think we are, or are shortcuts and informal workarounds replacing the intended design? Are we protecting what matters most, or are some risks tolerated without explicit decision? Are we really delivering consistently where it counts, or have we normalized levels of failure that would surprise our stakeholders?

Accountability becomes more defined when linked to CPD. You can ask who is responsible for creating, protecting, and delivering this value stream. You can analyze how those responsibilities interact. When something goes wrong, you can trace it back to CPD decisions and capability gaps, not just individual actions. The key point is straightforward. CPD provides Governance, Resilience, Assurance, and Accountability with something tangible to attach to. Instead of existing as abstract virtues, they become attributes of how value flows through the system.

How CPD Connects to Minimum Viable Capabilities

In the previous article, we discussed Minimum Viable Capabilities, the small set of core abilities an enterprise needs to operate safely and adaptively in a digital world. CPD provides the motion. MVCs offer the abilities that make that motion possible. In other words, CPD operationalizes the MVCs.

When you create, you rely heavily on capabilities like Govern, Plan, Design, Change, and Innovate. You need governance to determine what to pursue and what to decline. You need planning to organize work logically. You need Design to build resilience into the product or service. You need Change and innovation abilities that allow you to evolve what you offer without destabilizing the rest of the system.

When you protect, you rely on Govern, Assure, Design, Execute, and Change. You need governance to define what “acceptable” looks like in practice. You need assurance to see where reality diverges from intention. You need Design to embed controls and safeguards into the way work is done. You need an execution capability that remains stable under stress. You need Change to close the gaps you have discovered.

When you deliver, you call on Govern, Plan, Execute, and Assure, with Change always in the background. You need governance to determine which obligations and promises are most important. You need planning to align capacity and demand. You need execution to meet commitments reliably. You need assurance to know whether you are actually doing what you think you are doing. You need Change to respond when any of those things shift.

Viewed this way, CPD and MVC are two sides of the same coin. CPD explains the flow, while MVC outlines the minimum capabilities needed for that flow to function. Together, they transform governance from a broad issue into specific questions about how your organization is structured and how it operates when creating value in the world.

The 3D View on CPD: Leadership, Structure, Behavior

Now bring back the 3D lens we introduced in Part 4: leadership signals, structural design, and behavior over time. Take a real CPD flow in an actual value stream and look at it through this 3D model.

Begin with leadership. What messages are leaders conveying about creation, protection, and delivery in this part of the business? Is growth prioritized over trust, or vice versa? Do leaders communicate openly about the trade-offs between speed, risk, and ethics, or do they silently favor one aspect and hope the others will resolve themselves?

I was working with a company that adopted the ITIL framework. During the kickoff meeting, the CIO stood in front of the IT division and expressed his unwavering support for the project, concluding with the following: “…but don’t forget, we aren’t going to let process get in the way of getting things done.”

Then examine the structure. How are roles, processes, metrics, and frameworks arranged around CPD? Are “create” and “protect” assigned to different teams with conflicting incentives? Does “deliver” carry unresolved tensions from both? Do governance forums review CPD flows from start to finish, or do function and framework divide them?

Finally, consider behavior. When real-world pressure occurs, such as a deadline, an incident, or a high-stakes opportunity, how do people actually respond? Do they raise concerns early or stay silent until issues become undeniable? Do they take CPD commitments seriously or treat some phases as optional? Where do they cut corners, and why?

When you analyze CPD from all three perspectives simultaneously, you begin to understand why specific patterns recur. You might find that protection work is consistently sidelined when creation and delivery conflict, not because people ignore risk, but because leadership signals, organizational setups, and incentives all favor speed.

You may notice that delivery teams are often blamed for failures caused by poor decision-making or inadequate Change capabilities. You may find that innovation is valued in theory but remains structurally isolated and lacks sufficient support. CPD becomes more than just a cycle; it transforms into a way to identify where the system is misaligned with its declared priorities.

How DVMS Uses CPD to Operationalize GRAA

The DVMS approach is designed to make this value-centered view of governance practical and effective. In DVMS, CPD serves as the perspective through which you examine the business. You don’t conduct separate discussions about “the business” and “GRC.” Instead, you focus on how each significant value stream creates, protects, and delivers digital business value, and what that means for governance, resilience, assurance, and accountability.

Minimum Viable Capabilities provide the foundation beneath that perspective. They ensure that when you say you are creating, protecting, or delivering, you can point to the core abilities that make that claim valid. You do not rely solely on frameworks or tool deployments. Instead, you assess whether the capabilities themselves exist, are owned, and are operating effectively.

The 3D model of leadership, structure, and behavior provides a way to connect the CPD and MVC concepts to real-world practice. It shows where leadership signals hinder protection in favor of creation, where structures trap responsibility for “protect” in functions that are distant from “create” and “deliver,” and where behavioral patterns indicate that the system is not embodying the story written in your policies.

The Adaptive Edge Platform and Kaia operate within this architecture. Their goal is to collect and interpret signals related to culture, capability performance, risk events, and CPD flows, then feed that understanding into governance in a way that busy leaders can actually utilize. Instead of adding yet another static dashboard, they provide a dynamic view of how CPD, capabilities, and behavior evolve over time.

The outcome you aim for is easy to state, even if it’s difficult to attain. GRAA should not operate as a separate program. Instead, it should arise as a result of how CPD is governed, organized, and experienced in your organization.

A CPD Story: One Product, One Flow

Consider a single product, such as a digital platform that is central to your strategy. An executive group gathers, not to evaluate it in terms of “projects” versus “risks,” but in terms of CPD.

They begin with creating. How do new ideas for this platform come about? Who determines what to build next, and on what basis? When are considerations of risk, ethics, and resilience raised? How are skills like designing, planning, and innovating actually demonstrated in this context?

They move to protect. What are the main threats that could weaken trust in this platform? How are cyber, privacy, third-party, and conduct risks identified and managed? Who is responsible for protection efforts, and how is confidence in their effectiveness verified to ensure it is genuine and not just paperwork?

They move to deliver. How is its reliability maintained? How are incidents detected and managed? How do feedback loops from customers, regulators, and partners influence and protect the process? How do change activities interact with delivery, and who has the authority to delay or halt change if delivery is at risk?

As they converse, they introduce the 3D questions. What signals have leaders been sending about CPD in this product, especially under pressure? How have structures facilitated or obstructed the flow? What behaviors have they observed in real incidents and trade-offs?

Very quickly, they begin to see tangible issues. Perhaps “create” is strong and well supported, but “protect” is divided among three different functions and is not fully assured. Perhaps delivery remains stable under normal conditions, but Change capability is so weak that even small adjustments pose risks. Perhaps leaders say the right things about trust, but the metrics used to judge success tell a different story.

This is not a theoretical exercise. It is a way of structuring a practical conversation that leads to real decisions. Change a metric. Clarify accountability. Strengthen a capability. Slow a piece of creation work until protection catches up. Invest in assurance where CPD is moving fastest. CPD gives that conversation a shape.

Implications for Executives and GRC Leaders

For executives, choosing to focus on CPD means they no longer need to treat “risk” and “value” as separate priorities to reconcile mentally. Governance becomes the discipline of guiding CPD in a way that respects both. Board conversations can shift from “compliance versus growth” to “how, in this context, do we choose to create, protect, and deliver value, and what are we willing to accept or reject along the way.”

For GRC leaders and analysts, CPD offers a compelling narrative. Their role is no longer easily misrepresented as merely slowing down processes. Instead, they can define their purpose as shaping and ensuring the “protect” aspect within genuine value flows, and as assisting in creating and delivering solutions that do not compromise the future.

The DVMS approach exists to enable that. It doesn’t run GRC alongside the business. Instead, it manages governance and resilience through how digital business value is created, protected, and delivered.

Looking Ahead: From CPD to AI-Enabled Insight

Throughout this series, we have gradually built a picture, starting with the recognition that traditional GRC investments have not provided the resilience leaders need. We identified the overlay problem: the lack of a shared operating model that can support all existing frameworks and tools. We acknowledged that culture is the most challenging control surface, then introduced a 3D perspective that views leadership, structure, and behavior as a unified system. We added a Minimum Viable Capability foundation and now a CPD lens that directly links everything to value.

The next question is practical. How do you maintain the integrity of this entire model in real-time across a complex organization? How do you prevent being overwhelmed by increasing amounts of information while managing CPD, capabilities, and culture simultaneously?

That is where the next part of the series will go. You do not need more dashboards; you need an AI that understands your system. Because once governance is centered on CPD, the challenge is no longer a lack of data. It is about making sense of the system you have built, at the speed it now operates.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2026 All Rights Reserved

 
