Where Resilience Actually Breaks, Dependencies, Handoffs, & Suppliers – The GRAA Management Series Part 5

David Nichols – Co-Founder and Executive Director of the DVMS Institute

Managers rarely lose sleep over the things they fully control. We lose sleep over the things we depend on. A service can be well-run, well-staffed, and well-governed within its own boundaries and still fail because the ecosystem it relies on does something unexpected. That is not a complaint. It is the reality of modern digital operations.

This is also why the emotional center of the GRAA Leadership Series – Part Two, “Your Organization Doesn’t Have a Framework Problem: It Has an Overlay Problem” – matters. Framework overlays are not particularly helpful if the system’s fundamental couplings are not visible or manageable. An organization can map controls across multiple frameworks and still be fragile if dependencies are assumed rather than governed.

In this management article, we will focus on where resilience breaks: the seams between teams, functions, and enterprises. The good news is that managers can govern these seams. We cannot eliminate dependencies, but we can stop treating them as invisible. We can establish boundaries, create fallbacks, and gather evidence that the ecosystem can operate within tolerable limits. That shift is how you turn dependency anxiety into operational confidence.

The manager reality: you own an outcome you do not fully control

Most enterprises have been built on a foundation of functional ownership. Teams own platforms, applications, networks, security controls, compliance processes, vendor management, and so on.

Customers, boards, and regulators do not experience the enterprise in the same way. They experience outcomes. Can I place an order? Can I receive care? Can I access my account? Can I get paid? Can I ship a product?

Managers sit in the middle. We are accountable for outcomes, even when they span multiple teams and suppliers. That tension is not going away. It is increasing. Dependencies are multiplying, and shared platforms have become the default. Even when you “own” a system, it relies on identity, data, network, cloud, tooling, and third parties that can fail in ways you cannot predict.

The goal is not to pretend you control the whole ecosystem. The goal is to make the ecosystem governable. This is where DVMS and GRAA are practical. They provide managers with a way to set boundaries and gather evidence across organizational seams.

Why “well-managed suppliers” still take you down

Managers often hear a comforting phrase: “That supplier is well managed.” Sometimes it is true. It still does not mean you are safe. There are a few reasons.

One is a hidden coupling. Two systems can appear independent until they share a platform, a data pipeline, an identity boundary, or a common provider. When that shared dependency fails, both fail in a correlated manner.

Another is synchronized change. If your organization and your supplier are both undergoing rapid changes, the likelihood of unexpected interactions increases. Even if each change is “approved,” the combined effect can still surprise you.

Another is mismatched tolerances. You may need a dependency to recover in two hours, while they may be designed to heal in eight. Their definition of “available” may not match your definition of “usable,” especially if integrity verification differs.

One more is assumption drift. A dependency that behaved one way last year may behave differently today. People change. Platforms change. Business models change. Contracts remain the same. Assumptions grow stale without anyone noticing.

Finally, there is the human factor. During a disruption, the supplier is also under pressure. Their priorities may not align with yours. Their communication may be constrained. Their escalation paths may not be the ones you expected. As a result, your outcome is at risk even if their internal story is “we are handling it.”

None of this is a reason to distrust suppliers. It is a reason to stop relying on assurances that lack evidence. Evidence trumps artifacts, and this is where that principle becomes urgent.

Seams inside the enterprise are the same problem

Before we focus too much on suppliers, it helps to acknowledge something. Most of the seam problems that arise with suppliers also appear within your own organization.

The seam between product and operations is a classic example. A team may release a change that is correct in its own context yet destabilize an operational dependency. The seam between security and delivery is another. Protective constraints may be designed in a way that creates operational fragility if the control fails or becomes overly aggressive. The seam between risk and operations is another. Risk may be managed as a register, while operations manage risk as live variance. Both are valid. They have to connect.

This is why the GRAA Leadership Series – Part Four, “Seeing the System, A 3D View of Leadership, Structure and Behavior,” is so relevant here. Seams exist where structure does not align with outcomes and where local incentives shape behavior. Managers can’t fix this with slogans. We fix it by making seams visible and governable.

DVMS helps because Create, Protect, Deliver forces you to see the seam

DVMS is useful because it pushes you to view a value stream as a single system. It does not allow you to pretend that Create happens in one group, Protect in another, and Deliver somewhere else. Every outcome depends on all three, and seams exist where those modes are not coordinated. If you approach dependencies through Create, Protect, and Deliver, you ask better questions.

In Create, you define the outcome and tolerance, and identify the essential dependencies required for that outcome. This is where managers clarify what cannot be allowed to fail silently.

In Protect, you define unacceptable harm and constraints and identify which dependencies can cause harm or compromise integrity. This is where you determine where verification is required and where manual modes are necessary.

In Deliver, you define the operational behaviors that will carry you through dependency disruptions. These include degradation modes, alternate routing, fallback processes, and recovery sequencing.

This echoes the practical message of Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era. The book advances a simple idea: in a dynamic environment, governance and resilience stem from operating the system at the edge, where value and risk meet. Dependencies are the edge.

Dependency governance: the manager’s version

When managers hear “vendor management,” they often think of contracts, SLAs, and quarterly reviews. Those matter, but they do not build resilience under pressure.

Dependency governance is different. It is outcome-centric and behavior-centric.

A manager’s dependency governance asks:

  • What outcome does this dependency enable?
  • What tolerances does our outcome require, including degradation and recovery?
  • What degradation mode exists if the dependency is impaired?
  • What manual mode exists if the dependency is unavailable?
  • What alternate path exists if we need to route around it?
  • How do we verify integrity when it returns?
  • What evidence do we have that these behaviors work?

If you can answer those questions, you can manage the dependency with confidence. If you cannot, you will be surprised when disruption hits, even if your supplier is “well managed.”

The Dependency Boundary Card

In Part 1, we introduced the Boundary Card for an outcome. For dependencies, you can create a Dependency Boundary Card. It is straightforward. It is a practical tool that reduces seam risk.

A Dependency Boundary Card includes the shared outcome, the tolerance requirements, the escalation and communication path, the degrade and fallback options, the recovery sequence, and the evidence you expect to see. It also explicitly records assumptions, because assumptions are what decay over time.

You can use the same pattern for internal dependencies and external suppliers. That is a useful trick. It reduces complexity by treating dependencies consistently. This also supports the leadership series paradigm. In the GRAA Leadership Series – Part Six, “Running on CPD,” CPD is described as an operating rhythm. Dependency boundary management is one area where managers can establish that rhythm.

How evidence changes supplier conversations in a positive way

Managers often hesitate to ask suppliers for evidence because they fear it will create conflict. It doesn’t have to. The tone is not “prove you are competent.” The tone is “we want our shared system to behave predictably, and we want to align our recovery behaviors.”

This is collaborative, not adversarial. Instead of asking, “Are you compliant?” a manager can ask:

  • When you have an outage, what do you degrade first, and why?
  • What is your recovery sequence, and how do you decide which services return first?
  • How do you verify integrity before declaring service restored?
  • What was the result of your last restore test, and what did you learn?
  • What do you need from us during disruption to recover faster?
  • How do we communicate when tolerance is threatened?

These are evidence-driven questions. They do not insult the supplier. They invite a joint resilience posture.

They also produce something valuable. They provide proof points you can use internally, both for assurance and for accountability. That aligns with GRAA Leadership Series – Part Seven, “You Do Not Need More Dashboards.” A supplier status dashboard is not an assurance. Evidence of recovery behavior is.

A manager scenario: the dependency that fails, and the fallback that saves you

Imagine a shared payment or authorization service used across multiple business processes. Your team’s outcome depends on it. An incident at the supplier or internal platform causes transactions to slow, time out, or fail.

In an artifact-driven environment, the initial response is uncertain. People debate whether to pause operations. Customer support is flooded. Leadership seeks confidence. Teams scramble for answers from the dependency owner. The outage spreads.

In an evidence-driven environment, the response is different.

The Outcome Boundary Card defines tolerances. The Dependency Boundary Card defines what happens when the dependency is impaired. There is a degrade mode that preserves core transactions while deferring non-critical ones. There is a manual mode for a narrow set of high-value cases. An escalation trigger is tied to the tolerance threshold. Communication is routed through a defined path, and the supplier knows what evidence to provide.

The manager quickly enters degrade mode because decision rights are clear. The team captures evidence as they conduct their operations. Leadership receives a coherent update grounded in tolerances and subsequent actions. As the dependency begins to recover, the team restores it in a known sequence and verifies its integrity before scaling back to normal operations.

From the outside, the customer experience is degraded but not chaotic. From the inside, the operation behaves as designed. That is resilience, and it is built at the seam. This is not theoretical. It is the kind of difference that separates “we had an incident” from “we had a crisis.”

The internal seam: accountability across teams

Dependency resilience also makes accountability fairer. In Part 4, we described accountability anchors: decision rights, escalation obligations, and evidence obligations. Dependencies are where those anchors often break because accountability is split across teams.

If you use Boundary Cards and evidence expectations across seams, accountability becomes shared but clear. Each team understands its obligations. The dependency owner understands the evidence needed to support the consuming outcomes. The consuming team understands the degradation and fallback behaviors it must implement.

That reduces blame. It increases coordination. It makes the system governable. It also helps audit and GRC partners. Evidence is now tied to operational behavior across seams rather than trapped in isolated functional artifacts.

A practical manager play: the dependency drill

To quickly improve resilience, conduct a dependency drill. Pick one critical outcome that depends on a single critical dependency. The goal is not to simulate every technical detail. The goal is to validate boundaries and behaviors.

Walk through a scenario where the dependency is degraded. Ask: What triggers our degrade mode? Who authorizes it? How do we communicate? What evidence do we capture? What do we do if the dependency is unavailable for longer than the tolerance? What manual modes exist? What do we restore first? What do we verify?

This drill will reveal seams immediately. It will also reveal unclear decision rights, missing fallback paths, unrealistic assumptions, and evidence gaps. Fix one or two of those seams. Update the Boundary Cards. Capture the evidence changes. You will be measurably more resilient, and you will have proof.

This is the management expression of “From Chaos to Capability” in Part Five of the GRAA Leadership Series. Capability is not a claim. It is a behavior, and evidence suggests that it exists.

Dependency resilience is a management discipline, not a supplier problem

Managers cannot eliminate dependencies, and we do not need to. We need to manage them as part of the system. When you treat dependencies as governable boundaries, you change the game. You move from surprise to predictability. You reduce chaos. You improve recovery. You strengthen accountability. You also make audits less of a paper chase because evidence is generated through normal operations.

In Parts Five and Six of this management series, we will bring everything together into a practical framework. We will discuss how managers can run GRAA as an operating rhythm, week by week and month by month, using Create, Protect, Deliver as the flow of work and boundary, evidence, and accountability practices as the glue that makes resilience real.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

DVMS Cyber Resilience Professional Accredited Certification Training

Governing, Assuring, and Accounting for Resilient Digital Value Outcomes In Complex, Fragmented Systems

Despite abundant frameworks and dashboards, leaders still struggle to see how their digital value streams perform under real-world stress.

Intent, structure, and day-to-day behavior are examined in isolation, creating flat views that hide how decisions and human responses interact in a living digital system.

The result is governance that looks strong on paper but falters in practice, leaving leaders to juggle disconnected controls instead of actively strengthening the resilience of their digital value.

What’s needed is a framework-agnostic overlay system capable of governing, assuring, and accounting for digital value resilience across complex, fragmented systems.

Digital Value Management System® (DVMS)

An Overlay Management System to Govern, Assure, and Account for Resilient Digital Value Outcomes in Complex, Fragmented Systems

The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to integrate fragmented frameworks and systems such as NISTCSF, GRC, ITSM, and AI into a unified, culture-driven governance and assurance system that accounts for the resilience of digital value within a living digital system.

At its core, the DVMS is a simple but powerful integration of:
  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business actually performs
  • Assurance Evidence – proof that outcomes are achieved and accountable
  • Cultural Learning – to continually fine-tune governance intent and operational capabilities
Underpinning this integration are three distinctive DVMS models:

Create, Protect, and Deliver (CPD) – The CPD Model™ is a systems-based model within the DVMS that links strategy-risk and governance to execution in order to create, protect, and deliver digital business value as an integrated, continuously adaptive organizational capability.

3D Knowledge (3DK) – The 3DK Model™ is a systems-thinking framework that maps team knowledge over time (past, present, future), cross-team collaboration, and alignment to strategic intent to ensure that organizational behavior, learning, and execution remain integrated and adaptive in delivering digital business value.

Minimum Viable Capabilities (MVC) – The MVC™ model supports the seven essential, system-level organizational capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate—required to reliably create, protect, and deliver digital business value in alignment with strategy-risk intent.

The integration of these models then enables three distinctive digital value management organizational capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

In summary, a DVMS enables organizations of any size, scale, or complexity to:
  • Govern through risk-informed decision-making
  • Sustain digital value Resilience through a proactive and adaptive culture
  • Measure Performance Assurance through evidence-based outcomes
  • Ensure Accountability by making intent, execution, and evidence inseparable

The People and Culture That Power a DVMS

Delivering the outcomes of a DVMS requires coordinated action across an enterprise’s strategy, governance, and operational layers.

Each of these business layers contains unique roles that, when aligned, enable organizations to ensure the resilience of their digital value across their complex and fragmented digital systems.

Together, these roles create an adaptive, risk-informed, and resilient culture capable of thriving in a complex and chaotic digital business environment. 

Scaling A DVMS Program – Where Do You Start?

The DVMS FastTrack Model is a phased, iterative approach that helps organizations mature their Digital Value Management System over time, rather than trying to do everything simultaneously.

This approach breaks the DVMS journey into manageable phases of success. It all starts with selecting the first digital service you want to make resilient. Once that service has integrated DVMS at its boundaries, it becomes the blueprint to operationalize DVMS in the remaining digital services.

The DVMS training provides an example of how to operationalize the NIST Cybersecurity Framework and ensure its digital value resilience across complex, fragmented systems.

DVMS Program Benefits

DVMS Organizational Benefits

Instead of replacing existing operational frameworks and their management systems, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

The DVMS Certified Training Programs

The DVMS Institute’s certification training programs and body-of-knowledge publications equip leaders, practitioners, and employees with the skills to govern operational cyber-resilience through an evidence-based system that assures and accounts for digital value outcomes.

Grounded in real-world governance challenges and aligned with NIST CSF 2.0, the DVMS Institute’s training programs teach organizations how to build measurable capability, transparent accountability, and defensible confidence in decision-making.

Through structured learning, applied certification, and authoritative publications, the Institute advances a disciplined, outcome-driven approach to managing digital risk, performance, and resilience as an integrated system.

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Cyber Resilience Foundation Certification Training

The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system that transforms systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

The Assurance Mandate White Paper Series

The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.

The Assurance Mandate Paper explains why traditional GRC artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.

The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.

The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved
