From Compliance to Continuity: The Upward Bridge Managers Can Use – The GRAA Management Series Part 7
David Nichols – Co-Founder and Executive Director of the DVMS Institute
Managers spend a lot of time translating. We translate strategy into action. We translate constraints into decisions. We translate incidents into lessons. We also translate operational reality upward so leaders can govern without getting bogged down in every detail.
That last translation is more complicated than it appears, particularly in organizations that have invested heavily in GRC and still feel vulnerable. Not because GRC is bad, but because the questions leaders are asking have shifted. They are not only asking, “Are we compliant?” They are also asking, “Can we sustain outcomes under stress, and can we prove it?”
That tension is exactly what I described in the GRAA Leadership Series – Part One, “Why Our GRC Investments Aren’t Delivering Resilience… and Everyone Feels It.” The felt experience is real. Managers feel it when an outage turns into a scramble for proof. Leaders feel it when the dashboards look fine, but the operation is not.
This final article is the bridge. It is written for managers who want to communicate in a way that aligns with the leadership paradigm, without diminishing the value of GRC and audit, and without turning every update into a deep dive.
The simplest framing is this. Compliance matters. Continuity matters. Evidence connects them. When managers speak in terms of boundaries, tolerances, dependencies, verification, and evidence, leaders get what they need. They can govern. They can set priorities and constraints. They can delegate with confidence. They can respond to boards, regulators, customers, and insurers with a defensible narrative grounded in operational proof.
Why this bridge matters now
Traditional audit discipline was built for a world where many controls could be evaluated as relatively static. You could ask, “Is the control present?” and “Is it documented?” and that was often a reasonable proxy for safety and reliability.
Modern digital operations have changed the math. Systems are more tightly coupled, change is more frequent, and critical outcomes often depend on suppliers and shared platforms. Controls can be present yet still fail in practice if the system’s behavior is not designed and rehearsed.
That is why the GRAA Leadership Series – Part Two, “Your Organization Doesn’t Have a Framework Problem: It Has an Overlay Problem,” matters. Leaders are learning that stacking frameworks does not automatically produce a coherent operating model. Managers experience this as friction at the seams.
This is also why the DVMS approach is useful as a common language. It grounds governance and resilience in Create, Protect, Deliver. It provides managers with a way to explain operational reality without delving into technical details.
If you have read Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era, you will recognize the core idea. The book does not argue for less governance. It advocates for governance that operates at the intersection of value and risk, where outcomes are achieved, and trade-offs are genuine. Managers live at that intersection. Our job is to help leadership see it in a way that supports decisions.
The shift leaders are making, and how managers can support it
Leaders are not abandoning GRC. They are trying to make it effective in a world where assurance must be evidence-based. You can see this in the arc of the leadership series.
In Part Three, “The Hardest Control Surface in Your Enterprise Is Culture,” the focus is on behavior. Leaders acknowledge that policies do not execute themselves. Culture shapes how people respond to uncertainty, how early they escalate, how consistently they verify, and whether they treat risk as real.
In Part Four, “Seeing the System, A 3D View of Leadership, Structure and Behavior,” the focus is on alignment. Leaders are learning to ask, “Do our structures and incentives produce the behavior we need?”
In Part Six, “Running on CPD,” the focus is on operational flow. Leaders recognize that Create, Protect, Deliver must be managed as one system, not as silos.
In Part Seven, “You Do Not Need More Dashboards,” the focus is on proof. Leaders are tired of status summaries that cannot explain behavior during disruptions.
So what does leadership need from managers? They need managers to speak in terms that connect operational reality to leadership decisions. They need the boundaries, evidence, dependencies, and trade-offs to be expressed in a way that supports effective governance.
The good news is that if you have been following the GRAA Management series, you already have the components:
- Boundaries from Part One.
- Degrade and recover behaviors from Part Two.
- Evidence portfolio from Part Three.
- Decision rights and obligations from Part Four.
- Dependency governance from Part Five.
- A cadence from Part Six.
This article shows you how to transform those components into a compelling upward narrative.
The manager’s continuity narrative
Most leaders do not need more detail. They need the right detail. A continuity narrative is a concise, well-supported story that addresses four key questions.
- What outcome is at risk?
- How close are we to a tolerance boundary?
- What are we doing now, and what options are available?
- What evidence supports our confidence?
If your update consistently answers those questions, leaders can govern. They can decide when to intervene, when to delegate, when to escalate, and what trade-offs to accept. This is also why evidence trumps artifacts. Artifacts support legitimacy and repeatability. Evidence supports confidence and decision-making.
A continuity narrative should always be grounded in operational evidence, not because you are trying to impress anyone but because it keeps the conversation anchored to reality and reduces emotional escalation.
How DVMS and CPD keep the narrative coherent
A standard failure mode in executive updates is that the story gets fragmented. One group reports “delivery status.” Another reports “security status.” Another reports “risk status.” Another reports “supplier status.” Leaders end up with four partial views and no integrated picture of the system.
DVMS solves that communication problem because it is inherently integrative.
- Create gives you the outcome and the value at stake.
- Protect gives you the constraints and unacceptable harm.
- Deliver gives you the operational behavior, the dependency chain, and the recovery path.
If you structure your narrative implicitly around Create, Protect, Deliver, your update stays coherent.
You do not need to say, “Now I will talk about Create.” Simply write the update so that it naturally covers the outcome, constraints, and operational behavior.
The manager’s upward translation: what to say instead of what to show
Managers often lead with a dashboard. Leaders often respond with questions that feel frustrating because the dashboard did not provide answers.
A better pattern is to lead with the boundaries and the evidence, and use dashboards as supporting details.
- Instead of, “We are 96% compliant,” say, “We are inside tolerance for the outcome, and here is the evidence.”
- Instead of “All systems are green,” say, “The outcome is stable, the dependency is showing variance, and we have a degraded mode ready if we approach tolerance.”
- Instead of, “We have a DR plan,” say, “We tested restore and integrity verification last month, it met tolerance, and here is what we improved since the last test.”
- Instead of, “The supplier is compliant,” say, “We have evidence of the supplier’s recovery behavior and our fallback path, and we have rehearsed the seam.”
None of those statements attacks GRC. They honor it by connecting it to operational proof.
A practical 10-sentence escalation format managers can reuse
This is the tool I promised earlier in the series. It is not a template you fill out for every minor event. It is a format you use when you need leadership attention, leadership trade-offs, or leadership cover. Think of it as a disciplined way to speak upward, grounded in boundaries and evidence.
- Here is the outcome at risk, expressed in business terms.
- Here is the current condition, and what is changing that makes this risky now.
- Here is the tolerance boundary that applies, and how close we are to it.
- Here is what we have done so far within our decision rights.
- Here is what we are prepared to do next, including a controlled degrade mode if needed.
- Here are the top dependencies involved, including any supplier or shared platform variance.
- Here is what we have verified, and what we have not yet been able to verify.
- Here are the trade-offs, including what we preserve and what we defer if we degrade.
- Here is what we need from leadership: a decision, an escalation, resources, or authorization beyond our boundary.
- Here is the evidence that supports this recommendation, including recent test results, incident patterns, or observed signals.
This format does two things. It keeps you out of vague reassurance and keeps leadership out of unnecessary detail. It also creates accountability without blame by making boundaries and decision rights explicit.
It aligns closely with the governance and culture themes in the leadership series. It makes escalation normal and defensible. It also supports audit readiness by creating a traceable decision record grounded in evidence.
A scenario: the same incident, two different upward narratives
Imagine a service degradation tied to a supplier platform. Customers are experiencing intermittent issues, and the trend line suggests that the issue could worsen. In an artifact-centered narrative, the update often sounds like this. “We are working on the incident. The supplier is engaged. We have continuity plans. We are monitoring the situation and will provide updates.”
None of that is wrong, but it is also not very useful. Leaders cannot govern from that. They cannot see boundaries, options, evidence, or the trade-offs they might be asked to accept.
In an evidence-centered continuity narrative, the update sounds different. “The outcome at risk is customer transaction completion. We are currently within tolerance, but the supplier’s latency variance has increased over the past hour, and we are approaching the threshold that triggers controlled degradation. Within our decision rights, we have implemented throttling to preserve core transactions, and we are prepared to disable non-critical features if we cross tolerance. Our primary dependency is the supplier authorization service, and we have established a direct escalation channel for this purpose. We have verified the core data integrity and are awaiting verification of the supplier’s recovery action. The trade-off is a reduced customer experience in exchange for continuity of core transactions. If the variance persists for another thirty minutes, we will need executive authorization to extend the degraded mode beyond the current boundary. Evidence includes the last recovery drill, which met tolerance, and the current operational signals.”
Leaders can govern from that. They can decide whether to accept the trade-off. They can choose whether to escalate externally. They can decide whether to authorize actions beyond the current boundary. They can also defend the decision later because the rationale is grounded in evidence and tolerances. Notice what happened. The organization did not abandon GRC. It used operational evidence to make governance executable.
How this bridge reduces audit pain without treating audits as the enemy
Managers are often tempted to say, “Audits are a paper chase.” The truth is more nuanced. Many auditors would agree that a purely static review of artifacts does not fully capture operational reality, especially in dynamic environments.
The opportunity here is to make audits easier and more meaningful by shifting the source of evidence. Instead of assembling artifacts late, managers can maintain evidence portfolios as part of normal operations, as we discussed in Part Three. Those evidence portfolios become the primary input for assurance discussions, while artifacts remain the supporting context.
This is a healthy relationship. Audit remains a vital discipline. Managers demonstrate proof through operations. The conversation shifts from binders to behavior. It is also consistent with the leadership series message. Leaders are not seeking to escape governance. They are seeking governance that produces real confidence.
What managers can do to make the bridge stick
A bridge is only useful if people use it consistently. If you want this to become a regular practice, you can start with a simple discipline.
- Use the escalation format for any event that threatens a tolerance boundary.
- Use boundary language in routine updates, not only in crises, so leaders get used to it.
- Tie updates to evidence, even lightweight evidence, so reassurance becomes defensible.
- Keep the focus on outcomes and trade-offs so that leaders can govern rather than investigate.
- Use Create, Protect, Deliver implicitly, so your narrative stays coherent and does not fragment by function.
Over time, this changes the nature of the enterprise conversation. It establishes boundaries and evidence as a common language. It reduces friction among operations, risk, security, and audit. It also strengthens accountability because decision rights and obligations become explicit.
This is one of the most positive changes managers can drive. It enhances how the organization behaves under stress and how it communicates internally.
The coherent paradigm for leaders and managers
The GRAA Leadership Series is the why and the paradigm; GRAA Management is the how and the cadence. Leaders set intent, tolerances, and expectations. Managers operationalize those expectations through boundaries, degrade and recover behaviors, evidence portfolios, decision rights, dependency governance, and a repeatable rhythm.
When that alignment exists, compliance and continuity no longer compete with each other. Compliance becomes easier because evidence is available. Continuity becomes stronger because behavior is designed and rehearsed. Accountability becomes fair because decision rights and obligations are explicit. Auditing becomes less of a scramble because the organization is already producing proof.
That is the bridge, built on standard management practices, not a new program. If you want to do one thing after reading this, pick one critical outcome and practice the upward narrative. Write the Boundary Card. Build the evidence portfolio. Run one drill. Then use the 10-sentence escalation format the next time the outcome is threatened.
You will feel the difference, and leadership will too, because the system will become governable in the moments that matter.
About the Author

Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
® DVMS Institute 2025 All Rights Reserved








