From Compliance to Continuity, The Upward Bridge Managers Can Use– The GRAA Management Series Part 7

David Nichols – Co-Founder and Executive Director of the DVMS Institute

Managers spend a lot of time translating. We translate strategy into action. We translate constraints into decisions. We translate incidents into lessons. We also translate operational reality upward so leaders can govern without getting bogged down in every detail.

That last translation is more complicated than it appears, particularly in organizations that have invested heavily in GRC and still feel vulnerable. Not because GRC is bad, but because the questions leaders are asking have shifted. They are not only asking, “Are we compliant?” They are also asking, “Can we sustain outcomes under stress, and can we prove it?”

That tension is exactly what I described in the GRAA Leadership Series – Part One, “Why Our GRC Investments Aren’t Delivering Resilience… and Everyone Feels It.” The felt experience is real. Managers feel it when an outage turns into a scramble for proof. Leaders feel it when the dashboards look fine, but the operation is not.

This final article is the bridge. It is written for managers who want to communicate in a way that aligns with the leadership paradigm, without diminishing the value of GRC and audit, and without turning every update into a deep dive.

The simplest framing is this. Compliance matters. Continuity matters. Evidence connects them. When managers speak in terms of boundaries, tolerances, dependencies, verification, and evidence, leaders get what they need. They can govern. They can set priorities and constraints. They can delegate with confidence. They can respond to boards, regulators, customers, and insurers with a defensible narrative grounded in operational proof.

Why this bridge matters now

Traditional audit discipline was built for a world where many controls could be evaluated as relatively static. You could ask, “Is the control present?” and “Is it documented?” and that was often a reasonable proxy for safety and reliability.

Modern digital operations have changed the math. Systems are more tightly coupled, change is more frequent, and critical outcomes often depend on suppliers and shared platforms. Controls can be present yet still fail in practice if the system’s behavior is not designed and rehearsed.

That is why the GRAA Leadership Series – Part Two, “Your Organization Doesn’t Have a Framework Problem: It Has an Overlay Problem,” matters. Leaders are learning that stacking frameworks does not automatically produce a coherent operating model. Managers experience this as friction at the seams.

This is also why the DVMS approach is useful as a common language. It grounds governance and resilience in Create, Protect, Deliver. It provides managers with a way to explain operational reality without delving into technical details.

If you have read Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era, you will recognize the core idea. The book does not argue for less governance. It advocates for governance that operates at the intersection of value and risk, where outcomes are achieved, and trade-offs are genuine. Managers live at that intersection. Our job is to help leadership see it in a way that supports decisions.

The shift leaders are making, and how managers can support it

Leaders are not abandoning GRC. They are trying to make it effective in a world where assurance must be evidence-based. You can see this in the arc of the leadership series.

In Part Three, “The Hardest Control Surface in Your Enterprise Is Culture,” the focus is on behavior. Leaders acknowledge that policies do not execute themselves. Culture shapes how people respond to uncertainty, how early they escalate, how consistently they verify, and whether they treat risk as real.

In Part Four, “Seeing the System, A 3D View of Leadership, Structure and Behavior,” the focus is on alignment. Leaders are learning to ask, “Do our structures and incentives produce the behavior we need?”

In Part Six, “Running on CPD,” the focus is on operational flow. Leaders recognize that Create, Protect, Deliver must be managed as one system, not as silos.

In Part Seven, “You Do Not Need More Dashboards,” the focus is on proof. Leaders are tired of status summaries that cannot explain behavior during disruptions.

So what does leadership need from managers? They need managers to speak in terms that connect operational reality to leadership decisions. They need the boundaries, evidence, dependencies, and trade-offs to be expressed in a way that supports effective governance.

The good news is that if you have been following the GRAA Management series, you already have the components:

• Boundaries from Part One.
• Degrade and recover behaviors from Part Two.
• Evidence portfolio from Part Three.
• Decision rights and obligations from Part Four.
• Dependency governance from Part Five.
• A cadence from Part Six.

This article shows you how to transform those components into a compelling upward narrative.

The manager’s continuity narrative

Most leaders do not need more detail. They need the right detail. A continuity narrative is a concise, well-supported story that addresses four key questions.

• What outcome is at risk?
• How close are we to a tolerance boundary?
• What are we doing now, and what options are available?
• What evidence supports our confidence?

If your update consistently answers those questions, leaders can govern. They can decide when to intervene, when to delegate, when to escalate, and what trade-offs to accept. This is also why evidence trumps artifacts. Artifacts support legitimacy and repeatability. Evidence supports confidence and decision-making.

A continuity narrative should always be grounded in operational evidence, not because you are trying to impress anyone but because it keeps the conversation anchored to reality and reduces emotional escalation.

How DVMS and CPD keep the narrative coherent

A standard failure mode in executive updates is that the story gets fragmented. One group reports “delivery status.” Another reports “security status.” Another reports “risk status.” Another reports “supplier status.” Leaders end up with four partial views and no integrated picture of the system.

DVMS solves that communication problem because it is inherently integrative.

• Create gives you the outcome and the value at stake.
• Protect gives you the constraints and unacceptable harm.
• Deliver gives you the operational behavior, the dependency chain, and the recovery path.

If you structure your narrative implicitly around Create, Protect, Deliver, your update stays coherent.

You do not need to say, “Now I will talk about Create.” Simply write the update so that it naturally covers the outcome, constraints, and operational behavior.

The manager’s upward translation: what to say instead of what to show

Managers often lead with a dashboard. Leaders often respond with questions that feel frustrating because the dashboard did not provide answers.

A better pattern is to lead with the boundaries and the evidence, and use dashboards as supporting details.

• Instead of, “We are 96% compliant,” say, “We are inside tolerance for the outcome, and here is the evidence.”
• Instead of “All systems are green,” say, “The outcome is stable, the dependency is showing variance, and we have a degraded mode ready if we approach tolerance.”
• Instead of, “We have a DR plan,” say, “We tested restore and integrity verification last month, it met tolerance, and here is what we improved since the last test.”
• Instead of, “The supplier is compliant,” say, “We have evidence of the supplier’s recovery behavior and our fallback path, and we have rehearsed the seam.”

None of those statements attacks GRC. They honor it by connecting it to operational proof.

A practical 10-sentence escalation format managers can reuse

This is the tool I promised earlier in the series. It is not a template you fill out for every minor event. It is a format you use when you need leadership attention, leadership trade-offs, or leadership cover. Think of it as a disciplined way to speak upward, grounded in boundaries and evidence.

1. Here is the outcome at risk, expressed in business terms.
2. Here is the current condition, and what is changing that makes this risky now.
3. Here is the tolerance boundary that applies, and how close we are to it.
4. Here is what we have done so far within our decision rights.
5. Here is what we are prepared to do next, including a controlled degrade mode if needed.
6. Here are the top dependencies involved, including any supplier or shared platform variance.
7. Here is what we have verified, and what we have not yet been able to verify.
8. Here are the trade-offs, including what we preserve and what we defer if we degrade.
9. Here is what we need from leadership: a decision, an escalation, resources, or authorization beyond our boundary.
10. Here is the evidence that supports this recommendation, including recent test results, incident patterns, or observed signals.

This format does two things. It keeps you out of vague reassurance and keeps leadership out of unnecessary detail. It also creates accountability without blame by making boundaries and decision rights explicit.

It aligns closely with the governance and culture themes in the leadership series. It makes escalation normal and defensible. It also supports audit readiness by creating a traceable decision record grounded in evidence.

A scenario: the same incident, two different upward narratives

Imagine a service degradation tied to a supplier platform. Customers are experiencing intermittent issues, and the trend line suggests that the issue could worsen. In an artifact-centered narrative, the update often sounds like this. “We are working on the incident. The supplier is engaged. We have continuity plans. We are monitoring the situation and will provide updates.”

None of that is wrong, but it is also not very useful. Leaders cannot govern from that. They cannot see boundaries, options, evidence, or the trade-offs they might be asked to accept.

In an evidence-centered continuity narrative, the update sounds different. “The outcome at risk is customer transaction completion. We are currently within tolerance, but the supplier’s latency variance has increased over the past hour, and we are approaching the threshold that triggers controlled degradation. Within our decision rights, we have implemented throttling to preserve core transactions, and we are prepared to disable non-critical features if we cross tolerance. Our primary dependency is the supplier authorization service, and we have established a direct escalation channel for this purpose. We have verified the core data integrity and are awaiting verification of the supplier’s recovery action. The trade-off is a reduced customer experience in exchange for continuity of core transactions. If the variance persists for another thirty minutes, we will need executive authorization to extend the degraded mode beyond the current boundary. Evidence includes the last recovery drill, which met tolerance, and the current operational signals.”

Leaders can govern from that. They can decide whether to accept the trade-off. They can choose whether to escalate externally. They can decide whether to authorize actions beyond the current boundary. They can also defend the decision later because the rationale is grounded in evidence and tolerances. Notice what happened. The organization did not abandon GRC. It used operational evidence to make governance executable.

How this bridge reduces audit pain without treating audits as the enemy

Managers are often tempted to say, “Audits are a paper chase.” The truth is more nuanced. Many auditors would agree that a purely static review of artifacts does not fully capture operational reality, especially in dynamic environments.

The opportunity here is to make audits easier and more meaningful by shifting the source of evidence. Instead of assembling artifacts late, managers can maintain evidence portfolios as part of normal operations, as we discussed in Part Three. Those evidence portfolios become the primary input for assurance discussions, while artifacts remain the supporting context.

This is a healthy relationship. Audit remains a vital discipline. Managers demonstrate proof through operations. The conversation shifts from binders to behavior. It is also consistent with the leadership series message. Leaders are not seeking to escape governance. They are seeking governance that produces real confidence.

What managers can do to make the bridge stick

A bridge is only useful if people use it consistently. If you want this to become a regular part of your life, you can start with a simple discipline.

• Use the escalation format for any event that threatens a tolerance boundary.
• Use boundary language in routine updates, not only in crises, so leaders get used to it.
• Tie updates to evidence, even lightweight evidence, so reassurance becomes defensible.
• Keep the focus on outcomes and trade-offs so that leaders can govern rather than investigate.
• Use Create, Protect, Deliver implicitly, so your narrative stays coherent and does not fragment by function.

Over time, this changes the nature of the enterprise conversation. It establishes boundaries and evidence as a common language. It reduces friction among operations, risk, security, and audit. It also strengthens accountability because decision rights and obligations become explicit.

This is one of the most positive changes managers can drive. It enhances how the organization behaves under stress and how it communicates internally.

The coherent paradigm for leaders and managers

The GRAA Leadership Series is the why and the paradigm; GRAA Management is the how and the cadence. Leaders set intent, tolerances, and expectations. Managers operationalize those expectations through boundaries, degrade and recover behaviors, evidence portfolios, decision rights, dependency governance, and a repeatable rhythm.

When that alignment exists, compliance and continuity no longer compete with each other. Compliance becomes easier because evidence is available. Continuity becomes stronger because behavior is designed and rehearsed. Accountability becomes fair because decision rights and obligations are explicit. Auditing becomes less of a scramble because the organization is already producing proof.

That is the bridge, built on standard management practices, not a new program. If you want to do one thing after reading this, pick one critical outcome and practice the upward narrative. Write the Boundary Card. Build the evidence portfolio. Run one drill. Then use the 10-sentence escalation format the next time the outcome is threatened.

You will feel the difference, and leadership will too, because the system will become governable in the moments that matter.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2026 All Rights Reserved