Why Adaptive Governance is the Future of Digital Trust
David Nichols – Co-Founder of the DVMS Institute
Amid relentless disruption, organizations must reframe their approach to risk—not as a compliance exercise but as a strategic competency. To thrive, they must evolve from traditional Governance, Risk, and Compliance (GRC) toward Governance, Resilience, and Assurance (GRA)—a model anchored in adaptability, trust, and value delivery.
This evolution begins with a core insight: strategy and risk cannot be considered separately. Effectively managing strategy-risk is the pathway to building adaptive governance and organizational resilience—not just as outcomes but as enduring organizational capabilities.
Strategy-Risk: Framing the Future
Strategy-risk refers to the inherent uncertainty in how organizations define, pursue, and realize their strategic objectives. It is not merely the risk to a strategy; it is the risk of the strategy itself. Every strategic direction introduces exposure to volatile markets, technological shifts, emerging threats, and operational constraints. What differentiates resilient organizations isn't avoidance of that exposure but how they absorb it, adapt to it, and capitalize on it.
The DVMS (Digital Value Management System), as outlined in Thriving on the Edge of Chaos, emphasizes this concept. In contrast to GRC’s reactive orientation, DVMS treats strategy-risk as an integrated feature of digital value creation. Governance must protect the enterprise from failure and enable it to navigate ambiguity and unlock opportunity.
“You can’t govern tomorrow’s value with yesterday’s rules.”
— D. M. Nichols, Executive Director, DVMS Institute
The Shift from GRC to GRA
As discussed in my article From GRC to GRA, traditional GRC was designed for an industrial-age world: structured, linear, and slowly evolving. It emphasized compliance, prescriptive controls, and backward-looking audits. But this approach falls short in today’s digital-first, highly interdependent value streams and rapidly evolving threat landscape.
GRA, in contrast, positions Governance, Resilience, and Assurance as mutually reinforcing pillars. It doesn't discard control, but it emphasizes capability-building, intent alignment, and real-time learning over prescriptive control for its own sake.
Governance
In GRA, governance is no longer a centralized bottleneck. It becomes an enabling architecture for distributed decision-making—coordinating intent, action, and accountability across the CPD (Create, Protect, Deliver) value lifecycle. Governance is embedded in operational flow, with policies, roles, and monitoring aligned to real-time value generation.
“The biggest thing is simply progression. If you’re standing still, you’re falling behind. It’s all about evolving the business and maintaining currency in an ever-evolving industry.”
— Quinton Woods, Sales and Operations Manager at Gwillimdale Farms
Resilience
Resilience evolves from disaster recovery into a core strategic capability. The DVMS approach defines it not merely as the ability to bounce back but as the ability to learn, adjust, and grow through disruption. Built through Minimum Viable Competencies (MVC), resilience ensures that teams can continue creating value even under stress, turning uncertainty from a threat into a source of potential.
Assurance
Rather than rely solely on external audits and static controls, assurance under GRA becomes a trust-building mechanism grounded in transparency, evidence, and ongoing verification. It’s not just about proving compliance—it’s about ensuring the system works under real-world conditions.
Strategy-Risk and Adaptive Governance
Managing strategy-risk effectively means designing governance as a dynamic, feedback-rich system that continually aligns strategic intent with operational reality. This is where adaptive governance comes into play.
Adaptive governance is not a department. It’s a capability—a pattern of interaction and decision-making that scales across the organization. It is:
- Intentional: Framed by mission objectives and stakeholder expectations
- Integrated: Embedded across CPD (Create, Protect, Deliver) workflows, not siloed or reactive
- Iterative: Continuously adjusted based on internal performance and external change
In DVMS Fundamentals of Adopting the NIST Cybersecurity Framework, adaptive governance is expressed through cross-functional practices that ensure alignment between what the organization is trying to do (strategy), what it can do (capability), and what it is doing (execution).
By managing strategy-risk in this way, organizations can:
- Shorten decision cycles
- Empower teams closer to the edge
- Identify and resolve misalignments early
- Build trust internally and externally
From Outcomes to Capabilities: Resilience as a Systemic Strength
Resilience is often described as something you have. But in the DVMS, resilience is something you build and maintain through ongoing learning and adaptation.
Drawing from the Practitioner’s Guide to Adapting the NIST Cybersecurity Framework, we see that resilience isn’t a single function or tool. It is the emergent property of well-aligned operational, governance, and assurance systems. It includes:
- Work-as-done learning (technical)
- Work-as-imagined coordination (socio-technical)
- Work-as-improvised response (contextual)
These layers ensure that resilience is not just reactive but anticipatory—allowing organizations to evolve in response to both internal dynamics and external shocks.
The Minimum Viable Competencies (MVC) overlay—outlined in Thriving on the Edge of Chaos—helps organizations assess and build this capability. MVCs map how well an organization can Create, Protect, and Deliver digital value across multiple dimensions of practice. MVCs provide a practical overlay for managing strategy-risk in context by surfacing capability gaps.
Assurance at Digital Speed
I spent my formative years on US nuclear submarines, an environment that demanded high reliability and operational resilience, which comes down to predictability under pressure. The same applies to digital ecosystems.
GRA reframes assurance as a continuous trust loop:
- Evidence is generated through real-time telemetry and feedback
- Validation occurs at the pace of change, not quarterly audits
- Stakeholders—from regulators to customers—gain confidence in how the system is operating
As Fundamentals of Adopting the NIST Cybersecurity Framework describes, this approach turns assurance into a strategic enabler that supports both compliance and competitive differentiation.
Conclusion: The Future Belongs to the Adaptive
The shift from GRC to GRA isn’t just semantic—it’s strategic. It signals a recognition that compliance alone will not save you, nor will static risk matrices or top-down controls. In a digital-first, always-on world, what matters most is how quickly you can sense, respond, and evolve.
By reframing risk as a strategic driver and embedding governance, resilience, and assurance into the DNA of value creation, organizations can become more than compliant. They can become trusted, adaptive, and resilient by design.
Welcome to the era of GRA.
About the Author
Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
DVMS Institute is a renowned provider of Accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework and Digital Value Management System® body-of-knowledge publications, certification trainings, assessment platforms, and real-life desktop simulation trainings.
The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.
By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2 etc.).
© DVMS Institute 2024 All Rights Reserved