From Compliance to Continuity, The Upward Bridge Managers Can Use – The GRAA Management Series Part 7

David Nichols – Co-Founder and Executive Director of the DVMS Institute

Managers spend a lot of time translating. We translate strategy into action. We translate constraints into decisions. We translate incidents into lessons. We also translate operational reality upward so leaders can govern without getting bogged down in every detail.

That last translation is more complicated than it appears, particularly in organizations that have invested heavily in GRC and still feel vulnerable. Not because GRC is bad, but because the questions leaders are asking have shifted. They are not only asking, “Are we compliant?” They are also asking, “Can we sustain outcomes under stress, and can we prove it?”

That tension is exactly what I described in the GRAA Leadership Series – Part One, “Why Our GRC Investments Aren’t Delivering Resilience… and Everyone Feels It.” The felt experience is real. Managers feel it when an outage turns into a scramble for proof. Leaders feel it when the dashboards look fine, but the operation is not.

This final article is the bridge. It is written for managers who want to communicate in a way that aligns with the leadership paradigm, without diminishing the value of GRC and audit, and without turning every update into a deep dive.

The simplest framing is this. Compliance matters. Continuity matters. Evidence connects them. When managers speak in terms of boundaries, tolerances, dependencies, verification, and evidence, leaders get what they need. They can govern. They can set priorities and constraints. They can delegate with confidence. They can respond to boards, regulators, customers, and insurers with a defensible narrative grounded in operational proof.

Why this bridge matters now

Traditional audit discipline was built for a world where many controls could be evaluated as relatively static. You could ask, “Is the control present?” and “Is it documented?” and that was often a reasonable proxy for safety and reliability.

Modern digital operations have changed the math. Systems are more tightly coupled, change is more frequent, and critical outcomes often depend on suppliers and shared platforms. Controls can be present yet still fail in practice if the system’s behavior is not designed and rehearsed.

That is why the GRAA Leadership Series – Part Two, “Your Organization Doesn’t Have a Framework Problem: It Has an Overlay Problem,” matters. Leaders are learning that stacking frameworks does not automatically produce a coherent operating model. Managers experience this as friction at the seams.

This is also why the DVMS approach is useful as a common language. It grounds governance and resilience in Create, Protect, Deliver. It provides managers with a way to explain operational reality without delving into technical details.

If you have read Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era, you will recognize the core idea. The book does not argue for less governance. It advocates for governance that operates at the intersection of value and risk, where outcomes are achieved, and trade-offs are genuine. Managers live at that intersection. Our job is to help leadership see it in a way that supports decisions.

The shift leaders are making, and how managers can support it

Leaders are not abandoning GRC. They are trying to make it effective in a world where assurance must be evidence-based. You can see this in the arc of the leadership series.

In Part Three, “The Hardest Control Surface in Your Enterprise Is Culture,” the focus is on behavior. Leaders acknowledge that policies do not execute themselves. Culture shapes how people respond to uncertainty, how early they escalate, how consistently they verify, and whether they treat risk as real.

In Part Four, “Seeing the System, A 3D View of Leadership, Structure and Behavior,” the focus is on alignment. Leaders are learning to ask, “Do our structures and incentives produce the behavior we need?”

In Part Six, “Running on CPD,” the focus is on operational flow. Leaders recognize that Create, Protect, Deliver must be managed as one system, not as silos.

In Part Seven, “You Do Not Need More Dashboards,” the focus is on proof. Leaders are tired of status summaries that cannot explain behavior during disruptions.

So what does leadership need from managers? They need managers to speak in terms that connect operational reality to leadership decisions. They need the boundaries, evidence, dependencies, and trade-offs to be expressed in a way that supports effective governance.

The good news is that if you have been following the GRAA Management series, you already have the components:

  • Boundaries from Part One.
  • Degrade and recover behaviors from Part Two.
  • Evidence portfolio from Part Three.
  • Decision rights and obligations from Part Four.
  • Dependency governance from Part Five.
  • A cadence from Part Six.

This article shows you how to transform those components into a compelling upward narrative.

The manager’s continuity narrative

Most leaders do not need more detail. They need the right detail. A continuity narrative is a concise, well-supported story that addresses four key questions.

  • What outcome is at risk?
  • How close are we to a tolerance boundary?
  • What are we doing now, and what options are available?
  • What evidence supports our confidence?

If your update consistently answers those questions, leaders can govern. They can decide when to intervene, when to delegate, when to escalate, and what trade-offs to accept. This is also why evidence trumps artifacts. Artifacts support legitimacy and repeatability. Evidence supports confidence and decision-making.

A continuity narrative should always be grounded in operational evidence, not because you are trying to impress anyone but because it keeps the conversation anchored to reality and reduces emotional escalation.

How DVMS and CPD keep the narrative coherent

A standard failure mode in executive updates is that the story gets fragmented. One group reports “delivery status.” Another reports “security status.” Another reports “risk status.” Another reports “supplier status.” Leaders end up with four partial views and no integrated picture of the system.

DVMS solves that communication problem because it is inherently integrative.

  • Create gives you the outcome and the value at stake.
  • Protect gives you the constraints and unacceptable harm.
  • Deliver gives you the operational behavior, the dependency chain, and the recovery path.

If you structure your narrative implicitly around Create, Protect, Deliver, your update stays coherent.

You do not need to say, “Now I will talk about Create.” Simply write the update so that it naturally covers the outcome, constraints, and operational behavior.

The manager’s upward translation: what to say instead of what to show

Managers often lead with a dashboard. Leaders often respond with questions that feel frustrating because the dashboard did not provide answers.

A better pattern is to lead with the boundaries and the evidence, and use dashboards as supporting details.

  • Instead of, “We are 96% compliant,” say, “We are inside tolerance for the outcome, and here is the evidence.”
  • Instead of “All systems are green,” say, “The outcome is stable, the dependency is showing variance, and we have a degraded mode ready if we approach tolerance.”
  • Instead of, “We have a DR plan,” say, “We tested restore and integrity verification last month, it met tolerance, and here is what we improved since the last test.”
  • Instead of, “The supplier is compliant,” say, “We have evidence of the supplier’s recovery behavior and our fallback path, and we have rehearsed the seam.”

None of those statements attacks GRC. They honor it by connecting it to operational proof.

A practical 10-sentence escalation format managers can reuse

This is the tool I promised earlier in the series. It is not a template you fill out for every minor event. It is a format you use when you need leadership attention, leadership trade-offs, or leadership cover. Think of it as a disciplined way to speak upward, grounded in boundaries and evidence.

  1. Here is the outcome at risk, expressed in business terms.
  2. Here is the current condition, and what is changing that makes this risky now.
  3. Here is the tolerance boundary that applies, and how close we are to it.
  4. Here is what we have done so far within our decision rights.
  5. Here is what we are prepared to do next, including a controlled degrade mode if needed.
  6. Here are the top dependencies involved, including any supplier or shared platform variance.
  7. Here is what we have verified, and what we have not yet been able to verify.
  8. Here are the trade-offs, including what we preserve and what we defer if we degrade.
  9. Here is what we need from leadership: a decision, an escalation, resources, or authorization beyond our boundary.
  10. Here is the evidence that supports this recommendation, including recent test results, incident patterns, or observed signals.

This format does two things. It keeps you out of vague reassurance and keeps leadership out of unnecessary detail. It also creates accountability without blame by making boundaries and decision rights explicit.

It aligns closely with the governance and culture themes in the leadership series. It makes escalation normal and defensible. It also supports audit readiness by creating a traceable decision record grounded in evidence.

A scenario: the same incident, two different upward narratives

Imagine a service degradation tied to a supplier platform. Customers are experiencing intermittent issues, and the trend line suggests that the issue could worsen. In an artifact-centered narrative, the update often sounds like this. “We are working on the incident. The supplier is engaged. We have continuity plans. We are monitoring the situation and will provide updates.”

None of that is wrong, but it is also not very useful. Leaders cannot govern from that. They cannot see boundaries, options, evidence, or the trade-offs they might be asked to accept.

In an evidence-centered continuity narrative, the update sounds different. “The outcome at risk is customer transaction completion. We are currently within tolerance, but the supplier’s latency variance has increased over the past hour, and we are approaching the threshold that triggers controlled degradation. Within our decision rights, we have implemented throttling to preserve core transactions, and we are prepared to disable non-critical features if we cross tolerance. Our primary dependency is the supplier authorization service, and we have established a direct escalation channel for this purpose. We have verified the core data integrity and are awaiting verification of the supplier’s recovery action. The trade-off is a reduced customer experience in exchange for continuity of core transactions. If the variance persists for another thirty minutes, we will need executive authorization to extend the degraded mode beyond the current boundary. Evidence includes the last recovery drill, which met tolerance, and the current operational signals.”

Leaders can govern from that. They can decide whether to accept the trade-off. They can choose whether to escalate externally. They can decide whether to authorize actions beyond the current boundary. They can also defend the decision later because the rationale is grounded in evidence and tolerances. Notice what happened. The organization did not abandon GRC. It used operational evidence to make governance executable.

How this bridge reduces audit pain without treating audits as the enemy

Managers are often tempted to say, “Audits are a paper chase.” The truth is more nuanced. Many auditors would agree that a purely static review of artifacts does not fully capture operational reality, especially in dynamic environments.

The opportunity here is to make audits easier and more meaningful by shifting the source of evidence. Instead of assembling artifacts late, managers can maintain evidence portfolios as part of normal operations, as we discussed in Part Three. Those evidence portfolios become the primary input for assurance discussions, while artifacts remain the supporting context.

This is a healthy relationship. Audit remains a vital discipline. Managers demonstrate proof through operations. The conversation shifts from binders to behavior. It is also consistent with the leadership series message. Leaders are not seeking to escape governance. They are seeking governance that produces real confidence.

What managers can do to make the bridge stick

A bridge is only useful if people use it consistently. If you want this to become a regular part of your life, you can start with a simple discipline.

  • Use the escalation format for any event that threatens a tolerance boundary.
  • Use boundary language in routine updates, not only in crises, so leaders get used to it.
  • Tie updates to evidence, even lightweight evidence, so reassurance becomes defensible.
  • Keep the focus on outcomes and trade-offs so that leaders can govern rather than investigate.
  • Use Create, Protect, Deliver implicitly, so your narrative stays coherent and does not fragment by function.

Over time, this changes the nature of the enterprise conversation. It establishes boundaries and evidence as a common language. It reduces friction among operations, risk, security, and audit. It also strengthens accountability because decision rights and obligations become explicit.

This is one of the most positive changes managers can drive. It enhances how the organization behaves under stress and how it communicates internally.

The coherent paradigm for leaders and managers

The GRAA Leadership Series is the why and the paradigm; GRAA Management is the how and the cadence. Leaders set intent, tolerances, and expectations. Managers operationalize those expectations through boundaries, degrade and recover behaviors, evidence portfolios, decision rights, dependency governance, and a repeatable rhythm.

When that alignment exists, compliance and continuity no longer compete with each other. Compliance becomes easier because evidence is available. Continuity becomes stronger because behavior is designed and rehearsed. Accountability becomes fair because decision rights and obligations are explicit. Auditing becomes less of a scramble because the organization is already producing proof.

That is the bridge, built on standard management practices, not a new program. If you want to do one thing after reading this, pick one critical outcome and practice the upward narrative. Write the Boundary Card. Build the evidence portfolio. Run one drill. Then use the 10-sentence escalation format the next time the outcome is threatened.

You will feel the difference, and leadership will too, because the system will become governable in the moments that matter.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

DVMS Institute Certified Training

Learn to Build a System of Governance, Assurance, and Accountability for Resilient Digital Business Operations

Despite abundant frameworks and dashboards, leaders still struggle to see how digital value streams actually perform under real-world stress.

Intent, structure, and day-to-day behavior are examined in isolation, creating flat views that hide how decisions and human responses interact in a living digital system.

The result is governance that appears robust on paper but breaks down in execution, forcing leaders to manage fragmented controls rather than assure and account for resilient, system-level performance.

The Assurance Mandate White Paper Series

The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.

The Assurance Mandate Paper explains why traditional GRC artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.

The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.

The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.

The Digital Value Management System® (DVMS)

The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to easily integrate fragmented frameworks and systems such as NIST CSF, GRC, ITSM, and AI into a unified, culture-driven governance and assurance system that enables organizations to manage the resilience of their living digital system by:

  • Enabling Adaptive Governance through risk-informed decision-making
  • Sustaining Operational Resilience through a proactive and adaptive culture
  • Measuring Performance Assurance through evidence-based outcomes
  • Ensuring Visible Accountability by making intent, execution, and evidence inseparable

At its core, the DVMS is a simple but powerful integration of:

  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business actually performs
  • Assurance Evidence – proof that outcomes are achieved and accountable
  • Cultural Outcomes – that align people, decisions, and behaviors

Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

The People That Power a DVMS Program

Delivering the outcomes of the DVMS integrated with the NIST CSF, ITSM, GRC, and AI systems requires coordinated action across an enterprise’s strategy, governance, and operational layers.

Each of these business layers contains unique roles that, when aligned and functioning cohesively, enable the organization to protect digital assets and adaptively manage digital business risks while delivering sustained digital value and resilience.

Together, these roles create an adaptive, risk-informed, and resilient organization capable of thriving in a complex, volatile digital environment. 

The DVMS Accredited Certified Training Programs

The DVMS Institute’s certification training programs and publications equip leaders, practitioners, and organizations to govern operational cyber-resilience through an evidence-based system that assures and accounts for digital value outcomes.

Grounded in real-world governance challenges and aligned to NIST CSF 2.0, DVMS Institute offerings go beyond frameworks and compliance checklists to build measurable capability, clear accountability, and defensible confidence in decision-making.

Through structured learning, applied certification, and authoritative publications, the Institute advances a disciplined, outcome-driven approach to managing digital risk, performance, and resilience as an integrated system.

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

Launching A DVMS Program – A FastTrack Approach

The DVMS FastTrack Model is a phased, iterative approach that helps organizations adopt and mature their Digital Value Management System over time, rather than trying to do everything simultaneously. This approach breaks the DVMS journey into manageable phases of success.

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors: an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved
