The Manager Playbook for GRAA Using DVMS – The GRAA Management Series Part 6

David Nichols – Co-Founder and Executive Director of the DVMS Institute

Managers do not need another program to run. We already have plenty. What we need is an operating rhythm that makes governance executable, resilience repeatable, assurance provable, and accountability fair. That is what GRAA becomes when it moves from a concept to a management cadence.

Across this series, we have built the pieces. In Part One, governance evolved into boundary-setting, enabling decisions to be made at the edge without compromising control. In Part Two, resilience became a daily delivery behavior, especially in degrade-and-recover playbooks. In Part Three, assurance became operational evidence rather than compliance artifacts. In Part Four, accountability became decision rights, escalation obligations, and evidence ownership. In Part Five, we treated dependencies as seams that must be governed with the same boundary and evidence discipline as internal work. Now we pull those pieces into a playbook that managers can actually run.

This also closes the loop with the GRAA Leadership Series. In Part Six, “Running on CPD,” the point is that Create, Protect, and Deliver is the operational flow of the enterprise. In Part Seven, “You Do Not Need More Dashboards,” the key point is that status reporting is not a substitute for a thorough understanding of the system and operational evidence. The management version of those points is simple. If you can run CPD as an operating rhythm and produce evidence from regular work, you can govern and assure resilience without turning it into bureaucracy.

This article provides a clear and practical approach. It recognizes the existence of GRC and audit. It reduces the paper chase by making evidence a byproduct of operations. It also acknowledges that managers must make trade-offs under pressure.

The playbook in one sentence

Set boundaries for outcomes, design degrade and recover behaviors, gather evidence through regular work, assign decision rights and obligations, and update the system based on what you learn. That one sentence is the playbook. The rest is how you operationalize it.

Start with one outcome, not the whole enterprise.

Managers often get stuck because they think “operational resilience” means modeling everything. It doesn’t. It means being disciplined about what is critical and then making that critical slice governable.

Pick one critical outcome. If you are unsure how to pick, use a practical criterion. Choose the outcome that would cause the most customer harm, regulatory exposure, or business disruption if it failed for a day. Then treat that outcome as your unit of management. Not the system. Not the team. The outcome.

This aligns with the logic in Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era. The book’s practical contribution is that value and risk appear at the same point in the system, where outcomes are produced. Managing outcomes is where resilience truly becomes a reality.

The four artifacts that matter, and why they are not “paperwork.”

To run the cadence, you need a small set of living management objects. Think of them as control surfaces, not documents. You need an Outcome Boundary Card. It defines what matters, tolerances, decision rights, escalation triggers, and evidence expectations. This comes from Part One.

You need a Degrade and Recover Playbook. It defines what happens when tolerances are threatened, including controlled degradation, recovery sequencing, and verification. This is from Part Two.

You need a Minimum Evidence Portfolio. It defines the evidence you maintain to show that the outcome can be sustained and recovered predictably. This came from Part Three.

You need a Decision Rights Map. It defines who can authorize, who must escalate, and who is responsible for maintaining specific evidence. This is from Part Four.

If you treat these as static documents, you will recreate the problem. If you treat them as living tools used in daily work, they become the mechanism that produces resilience and assurance.

The weekly cadence, 30 to 45 minutes

A weekly cadence should be short, focused, and grounded in operational reality. The goal is not to review everything. The goal is to maintain current boundaries and evidence, and to catch any drift before it becomes impactful. In a healthy weekly meeting, you cover four things.

First, you review operational signals, including incidents, near-misses, and exceptions. You also review changes that introduce unexpected variance, because change is where drift often begins. If you have key suppliers or internal dependencies, you include their variance signals as well.

Second, you check boundary health. Are we operating within tolerance? Are we approaching a tolerance threshold? Are there conditions that would trigger a controlled degrade if they worsen? This is where governance becomes real. The conversation is not “Are we green?” It is “Are we within boundaries, and what do we do if we are not?”

Third, you briefly review the evidence portfolio. The question is not “do we have documents?” The question is “do we have current proof?” If a restore test is due, a verification check is stale, or a drill is overdue, you will see it early.

Fourth, you record decisions. This is lightweight. If you decide to accept an exception, delay a change, update a tolerance, or schedule a drill, you capture the decision and the rationale. Two or three sentences are enough. The point is traceability.

That weekly rhythm gives you something managers value. It reduces surprises. It shortens time-to-decision when something happens because the boundaries and evidence are already current. It also has a side benefit. It makes audits easier. Evidence is already being produced and refreshed.

The monthly cadence is 60 to 90 minutes.

Monthly is where you validate behavior. Pick one scenario. It can be a short tabletop. It can be a limited technical drill. The point is to validate that your degrade and recover playbook still works, and that decision rights and verification steps are understood.

In the drill, focus on three things:

  • Can we detect drift early enough to act within tolerance?
  • Can we execute a controlled degrade predictably?
  • Can we recover in sequence and verify integrity before declaring normal?

You will quickly learn where seams exist. Perhaps the dependency owner is unclear on escalation. Possibly, recovery sequencing is debated. Perhaps verification steps are missing or not automated. Perhaps manual modes are not realistic.

Do not try to fix everything. Choose one or two improvements. Update the playbook. Update the boundary card. Update the evidence portfolio. Then record that you did it. That record is evidence. It demonstrates that the system is not only documented but also thoroughly rehearsed. This is the operational version of what was described in the GRAA Leadership Series – Part Five, “From Chaos to Capability.” Capability is built through practice, and practice creates evidence.

The quarterly cadence, cross-team, and supplier alignment

Quarterly is where you make the ecosystem behave. A quarterly exercise should cross seams. That means it includes at least one key internal dependency and, where feasible, at least one key supplier. The goal is not to run a giant simulation. The goal is to validate boundary alignment and communication.

Here are the management questions a quarterly session should answer:

  • Do our tolerances align with the dependency’s recovery behavior?
  • Do we have a shared understanding of escalation triggers and communication paths?
  • Do we have a shared view of what “restored” means, including integrity verification?
  • Do we know what we need from each other during disruption?
  • Do we have evidence from the last quarter that these behaviors were tested?

This is where managers build absolute confidence. Not the comfort of a report, the confidence that a system of organizations can behave predictably. This also reduces the “supplier surprise” problem we discussed in Part 5. Supplier management becomes outcome management.

How accountability is maintained without becoming punitive

Accountability is what makes this cadence stable. Without accountability, a cadence becomes a meeting. With accountability, it becomes an operating discipline. In this playbook, accountability is not about blame. It is about obligations.

  • Someone owns keeping the Outcome Boundary Card current.
  • Someone owns the Degrade and Recover Playbook and ensures it reflects real operational behavior.
  • Someone owns the Minimum Evidence Portfolio, not as a librarian, but as a manager responsible for ensuring evidence exists and stays fresh.
  • Someone owns decision rights clarity, especially when roles change.

These are not huge jobs if the scope is one outcome. The point is that they are explicit. When they are explicit, they survive turnover and pressure.

This aligns with the culture and structure themes from the GRAA Leadership Series. In Part Three, culture is described as the hardest control surface. In Part Four, the 3D model highlights misalignment. A cadence like this helps managers shape culture and align behavior. It makes escalation normal. It makes verification normal. It makes learning normal.

Where AE-P fits, without turning the playbook into a sales pitch

Because the enterprise offering is delivered through partners and the platform is licensed, it helps to state the platform’s role clearly. A platform like Adaptive Edge Platform can help by making boundary objects visible, capturing evidence, connecting signals to tolerances, and maintaining traceability of decisions. It can reduce the overhead of gathering evidence by allowing it to be collected from operational sources rather than compiled manually.

It can also help scale the cadence across multiple outcomes, as consistency is challenging when every team invents its own approach. The key is that the platform supports the management discipline. It does not replace it. The discipline produces resilience. The platform reduces friction and improves consistency and proof.

This aligns with the intent of the GRAA Leadership Series – Part Seven, “You Do Not Need More Dashboards.” A platform should not be a prettier dashboard. It should support system understanding and evidence, tied to boundaries and decisions.

A practical rollout approach that managers can actually live with

If you want to introduce this playbook into an organization without overwhelming people, use a staged approach. Start with one outcome. Build the four management objects. Run the weekly cadence for a month. Run one monthly drill. Then select a second outcome.

When you expand, keep the same structure. The structure creates coherence. Variation should be in the tolerances and playbooks, not in the method.

If you are working with delivery partners, this is also how partner facilitation adds value. Partners can help teams create boundary cards, design playbooks, set up evidence capture, and run drills, while the enterprise retains ownership of outcomes and decisions.

How managers know it is working

Managers like measurable improvement. The playbook produces it.

  • You should see decision speed increase during incidents, because decision rights and boundaries are clear.
  • You should see recovery become more predictable because sequencing and verification are rehearsed.
  • You should see fewer “surprise escalations” because escalation triggers are condition-based and drift is detected earlier.
  • You should see audits become less painful because the evidence is current and linked to operational behavior.
  • You should also see a subtle culture shift. Teams become more willing to escalate early. They become more consistent about verification. They become more comfortable making decisions within tolerances.

These are not soft outcomes. They are operational outcomes that managers can feel.

Make GRAA a cadence, not a campaign.

If you take one message from this series, let it be this. GRAA is not something managers should implement as a new campaign. It is something managers can run as an operating rhythm, anchored in Create, Protect, Deliver, and expressed through clear boundaries, consistent behaviors, tangible evidence, and effective accountability.

To begin, select one outcome and commit to a ninety-day timeframe. Conduct weekly boundary and evidence reviews. Hold one monthly drill. Include a quarterly seam exercise if possible. Keep it positive. Keep it practical. Keep it grounded in evidence.

You will not eliminate disruption. You will reduce chaos. You will make decisions more quickly and with greater confidence. You will recover with greater predictability. You will walk into audits with less dread because the system will already be producing proof.

That is what operational resilience looks like when it is managed, not merely described.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® (DVMS)

Governing Operational Cyber-Resilience Through an Evidence-Based System for Assured and Accountable Digital Value Outcomes (GRAA)

Despite abundant frameworks and dashboards, leadership still struggles to see how their digital value streams actually perform under stress.

Leadership intent, structure, and day-to-day behavior are viewed separately, creating fragmented, flat perspectives that hide how real decisions and human responses interact within their living digital system and its digital value streams.

As a result, organizations can look well-governed on paper while still experiencing performance or catastrophic events in their living digital system. Without an integrated view, leaders end up managing isolated components and controls rather than governing the living system as a whole.

The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to integrate fragmented frameworks and systems such as NISTCSF, GRC, ITSM, and AI into a unified, culture-driven, living management system that:

  • Enables Adaptive Governance through risk-informed decision-making
  • Sustains Operational Resilience through a proactive and adaptive culture
  • Measures Performance Assurance through evidence-based outcomes
  • Ensures Transparent Accountability by making intent, execution, and evidence inseparable

At its core, the DVMS is a simple but powerful integration of:

  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business actually performs
  • Assurance Evidence – proof that outcomes are achieved and accountable

Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

DVMS White Papers

The whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.

The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.

The Assurance in Action Paper elevates the conversation from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.

The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.

DVMS Cyber Resilience Certified Training Programs

The DVMS Institute’s certification training programs and publications equip leaders, practitioners, and organizations to govern operational cyber-resilience through an evidence-based system that assures and accounts for digital value outcomes.

Grounded in real-world governance challenges and aligned to NIST CSF 2.0, DVMS Institute offerings go beyond frameworks and compliance checklists to build measurable capability, clear accountability, and defensible confidence in decision-making.

Through structured learning, applied certification, and authoritative publications, the Institute advances a disciplined, outcome-driven approach to managing digital risk, performance, and resilience as an integrated system.

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment fosters IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved
