Starting the Journey Without Burning the House Down – The GRAA Leadership Series Part 8
David Nichols – Co-Founder and Executive Director of the DVMS Institute
By this point in the series, you may be feeling a mix of recognition and apprehension. Recognition, because the problems we have talked about are familiar. Fragmented frameworks. A culture that quietly ignores or overrules controls. Dashboards that show everything except the thing you really want to know. A sense that you have invested a great deal in GRC, yet still do not feel as resilient as you would like.
Apprehension arises because the picture we’re developing isn’t just a small adjustment. It suggests a distinct approach to viewing and managing the enterprise. CPD is the rhythm centered on value. A foundation of Minimum Viable Capability. A 3D perspective on leadership, structure, and behavior. An overlay that brings frameworks together. AI that analyzes the system, rather than merely listing metrics.
Eventually, a practical question arises: How do we begin this journey without starting another multi-year transformation project that everyone secretly fears? This final article addresses that question. It focuses on what you can do first, using the leadership authority you already possess, the frameworks and tools you already have, and the people who are already working to make this happen.
Accept That You Will Start From Imperfect Reality
The first step is to accept that you will not start from a clean slate. Your organization already has frameworks, tools, committees, contracts, and habits. It already has a culture that has been shaped by years of decisions, crises, successes, and compromises. It already has risk stories that people share in corridors and in quiet one-on-one conversations.
You cannot pause the enterprise to redesign it on a whiteboard. You cannot wait for a perfect model before you act. What you can do is change the way you talk about what you already have.
That may sound small, but it is not. The way leaders discuss the system is one of the primary levers you have for changing it. If you change the questions you ask and the language you use, you begin to rearrange attention. That is usually how real change starts.
Start With Conversations, Not Org Charts
It is tempting, once you see the power of overlays and capability models, to reach immediately for structure. To redraw boxes. To rename committees. To reorganize reporting lines. There may be a time for that, but it is rarely the place to begin.
A better way to start is by introducing the new lenses into conversations you already have. During board and executive meetings, you can begin to frame discussions in terms of CPD. Instead of separate topics like “growth” and “risk,” you can ask, “In this value stream, how are we creating, protecting, and delivering value, and where do we feel the real tension?”
In risk and audit committees, you can start asking capability questions. Not only “Are we compliant with this framework?” but also “In this area, how strong is our ability to govern, to assure, to change, and to design resiliently?”
In culture and people forums, you can apply the 3D lens. When discussing a recurring behavioral pattern, ask, “What are we signaling, how are we structured, and how are people actually behaving when pressure arrives?”
None of this needs a formal program. It simply requires you and a few others to choose to use different vocabulary. Language isn’t just surface-level; it’s a tool for perception. When people see differently, they often start acting differently without being told.
Pick One Value Stream and Make It a Test Bed
Conceptual change needs a practical anchor. Rather than trying to apply CPD, MVC, and the 3D model everywhere at once, pick one value stream that matters and that people care about. It might be a flagship digital product, a critical customer journey, or a core operational process that has given you trouble in the past.
Make that value stream your test bed. Walk it end-to-end with a small group that includes business, technology, risk, and operations leaders. Use the lenses from this series but keep the exercise simple and conversational.
Ask how you create value in this flow. What decisions shape what gets built or changed? Where do risk and assurance show up in that creation work, if at all? Ask how you protect value in this flow. Who worries about cyber, privacy, third-party, and conduct risk here, and how do they do it? What do they feel confident about, and what do they quietly worry about?
Ask how you deliver value, how reliability is maintained, how incidents are handled, and how feedback is gathered and used. Then bring in the 3D questions. What have leaders really signaled in this area, especially under pressure? Where does the structure help or hinder? What behaviors have people seen that do not match the story in the slide deck?
Finally, ask what capabilities appear strong and which appear weak. Do you see clear ownership for govern, assure, plan, design, execute, change, and innovate? Or do some of those feel diffuse, fragile, or informal?
You will not get a perfect answer. You will get a much better picture than any single dashboard will provide. The goal is not to diagnose everything in one session. The goal is to begin viewing the value stream as a system and to agree to treat it accordingly.
Make One or Two Real Changes, Not Twenty
Once you understand how that value stream functions, avoid the temptation to develop a lengthy action plan; focus on one or two changes that are clear, significant, and appropriate.
You might change a metric that you now realize is encouraging the wrong behavior in CPD. You might also adjust a governance forum so that create, protect, and deliver are discussed together, rather than in separate meetings. Additionally, you may clarify accountability for one or two of the Minimum Viable Capabilities within that value stream and provide the necessary support to that person to act.
You might choose to make early escalation safe in that flow, then intentionally support the next person who raises a concern before it is fully developed. You could pause a high-risk task briefly to allow team members to protect and catch up, then share that as an example of leadership.
The point is to demonstrate to yourselves and others that this way of thinking results in different decisions, and that those decisions better align with GRAA and the organization’s stated values. People pay closer attention to what you do than what you say. If they notice that CPD, capabilities, and cultural language are linked to real choices, they will become more engaged.
Use Existing Frameworks and Tools Differently
Adopting the DVMS approach does not require you to abandon NIST, ISO, ITIL, ESG standards, or the GRC platforms you have invested in. What it does require is that you stop allowing any one framework or tool to define your reality. In practical terms, that means beginning to map what you already have into the capability foundation and the CPD flows you have chosen to work with.
You can ask your teams to adopt a specific framework and, instead of reporting on it in isolation, to demonstrate how its controls and obligations align with your Minimum Viable Capabilities within one value stream. You can ask them to describe not just coverage, but how those controls actually support or hinder CPD.
You can review your GRC dashboards and pose different questions to them. Instead of asking, “Where are we red against Framework X?” you can ask, “What does this tell us about our ability to assure in this area, or about how protect is interacting with create and deliver?”
You are not throwing away data. You are reinterpreting it. Over time, as you repeat this discipline, the overlay becomes real. Frameworks and tools take their place as contributors to a larger design, rather than competing as individual designs.
Introduce AI As a Partner, Not a Project
The idea of AI that understands your system can feel remote if you treat it as its own massive initiative. A more practical approach is to introduce it as a partner in specific, bounded use cases where your existing data is rich, but your insight is thin.
For example, you might invite AE-P and Kaia, or an equivalent capability, to focus on the value stream you chose as your test bed. Ask it to look for patterns in incidents, changes, escalations, and feedback that relate to CPD and to the capabilities you care about. Then, sit down as a leadership group and review what you find in human language.
You do not have to believe everything it says. You do not have to act on every suggestion. You do need to engage with it as a serious participant. Ask why it thinks a particular pattern matters. Compare its interpretation with your own experiences. Use the conversation to refine both your model and the way the AI reads your organization.
If this goes well, you’ll likely find that AI can identify drifts and misalignments that are too subtle or too crosscutting for any single human team to notice. You’ll also discover where your own model needs adjustments. By starting small and using AI within a clear architectural framework, you avoid both extremes: ignoring AI’s potential or giving it too much control without enough guardrails.
Be Honest About Limits and Trade-offs
There is a risk that, when you discover a more coherent model of governance and resilience, you may start to think that everything can be optimized simultaneously. Reality doesn’t work that way. You will still face tough trade-offs between speed and safety, between short-term results and long-term trust, between investing in new capabilities and maintaining current margins. There will still be days when you choose to accept more risk than you’re comfortable with, because the alternative is worse.
The difference is that, if you are serious about CPD, MVC, and the 3D lens, those trade-offs will become more visible and explicit. You can say, in clear language, “We are choosing to prioritize create over protect in this specific way, for this specific period, with these safeguards, and with this explicit accountability.” You can ask, “What does that do to our capability foundation in this area, and what will we have to fix later?”
You can admit, “Our culture here is not yet where it needs to be, so we will not get the behavior we want just by changing policy. We need to make different decisions in public if we want people to believe us.” That kind of honesty is a core value of GRAA. Governance and accountability are not about eliminating risk; they are about mitigating it. They are about owning your choices, made fully visible by the system you have built.
Make the Journey Visible, Not Secret
Finally, if you decide to move in this direction, do not treat it as an internal experiment that nobody is allowed to talk about. People in your organization already know that something is not quite working in the current model. They feel the friction of too many frameworks, the fatigue of repeated assessments, the tension between what is said in town halls and what happens in crunch time. If they see leaders openly grappling with these realities, testing new ways of thinking, and making visible choices that align with their stated values, they will often support you.
You don’t need to teach everyone every concept all at once. You can share simple ideas. Focus on discussing how you create, protect, and deliver value more frequently, not just on projects and risks. Show interest in both capabilities and controls. Emphasize how leadership messages, structures, and behaviors align, rather than focusing solely on achieving target results. Use AI as a tool to gain a deeper understanding of the system, while keeping accountability for decisions firmly with yourself. If people believe those statements and see them reflected in action, they will help you build the rest.
Closing the Series
When we began this series, we started with a feeling. The knot in the stomach that tells many executives that, despite years of GRC investment, their organizations still feel fragile. We have followed that feeling through a series of ideas.
That the problem is not a lack of frameworks, but a lack of an overlay.
That culture is not a soft topic, but the hardest control surface you have.
That you need a 3D perspective on leadership, structure, and behavior as a unified system.
That a Minimum Viable Capability foundation provides GRAA with a solid base to build upon.
That CPD is the rhythm that connects governance to value.
That AI can help you read the system, if it is grounded in the architecture you choose.
None of these ideas is magic. None of them removes the need for judgment, courage, and persistence. What they can do is give you a more honest, more workable way to lead in a world where value, risk, and resilience are now inseparable.
You don’t have to burn the house down to start. You must be willing to see it as a living system, accept the view that reveals itself, and take the first few steps toward a different way of managing it.
The rest is leadership.
About the Author

Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
Digital Value Management System® (DVMS)
Despite abundant frameworks and dashboards, organizations still struggle to see how their complex digital system actually behaves at its boundaries under stress.
Leadership intent, structure, and day-to-day behavior are viewed separately, creating fragmented, flat perspectives that hide how real decisions and human responses interact within digital value streams.
As a result, organizations can look well-governed on paper while still experiencing catastrophic events in practice. Without an integrated view, leaders end up managing isolated components rather than governing the system as a whole.
The Digital Value Management System® (DVMS) integrates fragmented frameworks and systems such as NISTCSF, GRC, ITSM, DevOps, and AI into a unified living overlay system that:
- Enables Adaptive Governance through risk-informed decision-making
- Sustains Operational Resilience through a proactive and adaptive culture
- Measures Performance Assurance through evidence-based outcomes
- Ensures Transparent Accountability by making intent, execution, and evidence inseparable
At its core, the DVMS is a simple but powerful integration of:
- Governance Intent – shared expectations and accountabilities
- Operational Capabilities – how the digital business actually performs
- Assured Evidence – proof that outcomes are achieved and accountable
Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:
A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.
A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.
A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.
DVMS Organizational Benefits
Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.
By adopting a DVMS, organizations are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
DVMS Leadership Benefits
The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.
For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
For the CIO, CRO, CISO, and Auditors, the DVMS provides an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.
DVMS White Papers
The whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.
The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.
The Assurance in Action Paper elevates the conversation from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.
The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.
DVMS Cyber Resilience Certified Training Programs
DVMS Cyber Resilience Awareness Training
The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.
DVMS NISTCSF Foundation Certification Training
The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.
DVMS Cyber Resilience Practitioner Certification Training
The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.
This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
Explainer Videos
- DVMS Architecture Video: David Moskowitz explains the DVMS System
- DVMS Case Study Video: Dr. Joseph Baugh Shares His DVMS Story.
- DVMS Overlay Model – What is an Overlay Model
- DVMS MVC ZX Model – Powers the CPD
- DVMS CPD Model – Powers DVMS Operations
- DVMS 3D Knowledge Model – Powers the DVMS Culture
- DVMS FastTrack Model – Enables A Phased DVMS Adoption
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
® DVMS Institute 2025 All Rights Reserved



