Stop Managing 21st-Century Problems with 20th-Century Solutions

David Nichols – Co-Founder and Executive Director of the DVMS Institute

In the increasingly volatile, uncertain, complex, and ambiguous (VUCA) digital world, many organizations cling to legacy paradigms that no longer serve them. Chief among these is the GRC triad—Governance, Risk, and Compliance—a backward-looking model born in an era of industrial stability and regulatory certainty. Although once appropriate, GRC is no longer sufficient to thrive amid digital chaos.

It’s time for leaders to reframe their perspective and embrace a forward-looking, value-driven alternative: Governance, Risk, and Assurance (GRA) contextualized within the Digital Value Management System (DVMS) Create, Protect, and Deliver (CPD) Model. This shift is not merely operational—it demands a cultural revolution within organizations, and that revolution must be led from the top.

The Obsolescence of GRC in a Digital Age

Compliance, the “C” in GRC, is fundamentally reactive. It enshrines a check-the-box mentality that assumes stability and linearity in markets and operations. It operates from the premise that yesterday’s threats and requirements are still valid today. But in a world of accelerating disruption—AI, cyber threats, geopolitical shocks—such assumptions are dangerous.

When approached through GRC, risk tends to be decontextualized. It is often seen as an external hazard to avoid or insure against rather than as a strategic variable to understand and leverage. Meanwhile, compliance implies the possibility of containment—a notion rapidly undermined by digital ecosystems’ dynamic, interdependent nature.

This is the heart of the problem. GRC encourages management by constraint—minimizing exposure, limiting uncertainty, and enforcing compliance. However, digital value is created not by avoiding change but by mastering it.

Compliance as an External Requirement in GRA

In contrast, the GRA model repositions compliance within a broader, more adaptive governance structure. As articulated in Thriving on the Edge of Chaos, compliance becomes an external requirement—a necessary but subordinate function. It is something to be assured of, not to design a system around.

Governance sets the vision, aligns resources, and ensures purposefully directed value creation. Risk is integrated as a contextual, strategic force, not merely a threat. And assurance becomes the mechanism by which stakeholders are confident that both value and compliance are being achieved, not because the organization checked a box, but because it has the capability to thrive in the face of continuous change.

In this model, Minimum Viable Capabilities (MVCs) underpin the organization’s ability to demonstrate resilience. Compliance is a byproduct of a system that works, not the foundation of one that hopes to.

Risk in Context: Strategy, Risk, and the DVMS CPD Model

Where GRC isolates risk, the DVMS embeds it.

The DVMS CPD Model (Create, Protect, and Deliver digital business value) provides a lifecycle through which risk is continuously contextualized and managed. Therefore, in this view:

• Strategy is not separate from risk—it is informed by it.

• Protection is not just about controls—it is about ensuring resilience.

• Delivery is not just about outputs—it is about outcomes that matter in the real world.

As described in The Fundamentals of Adopting the NIST Cybersecurity Framework, 2nd edition, and The Practitioner’s Guide to Adapting the NIST Cybersecurity Framework, 2nd edition, this holistic approach enables organizations to surface gaps, iterate faster, and adjust to new realities as they emerge. Risk ceases to be a siloed activity and becomes an integral part of decision-making across the enterprise.

This is not risk management as insurance. This is risk as foresight, adaptation, and learning.

The Cultural Paradigm Shift: Leading a Revolution

But systems do not change unless people do. And people don’t change unless their worldview does.

Thriving on the Edge of Chaos identifies the need for an organizational paradigm shift—a reframing of how organizations think, act, and lead in complexity. This shift cannot be accomplished by process improvement alone. It requires leadership to sponsor and model a new way of thinking.

GRC is rooted in predictive logic—if we do X, Y will result. But in complex systems, causality is opaque, and change is emergent. Leadership must therefore move from command and control to sense and respond. They must foster a culture that welcomes uncertainty, not one that seeks to eliminate it.

This is the leadership paradox of our time: to provide stability not by preventing change, but by enabling the organization to adapt continuously.

Cultural transformation doesn’t happen through memos and mandates. It happens when leaders courageously abandon outdated models, embrace complexity, and empower their people to learn and evolve.

Resilience as a Capability and Outcome

Resilience is often misunderstood as “bouncing back.” But in the DVMS, resilience is not just about recovery—it is about maintaining and evolving capability in the face of stress.

This is why the MVCs are so critical. They represent the minimum conditions necessary for an organization to thrive, not just survive, in a digital world. These capabilities are not static checklists, but dynamic enablers that support value creation, protection, and delivery under pressure.

When GRA is implemented through the DVMS and contextualized by CPD, resilience emerges not as a project, but as a system property. Compliance happens because the organization is resilient, not the other way around.

From GRC to GRA: A Call to Action

The choice before today’s leaders is stark: evolve or be disrupted.

GRC is a relic of a simpler time. It cannot account for the digital economy’s interconnected risks, exponential change, and dynamic value flows. As implemented through the DVMS CPD Model, GRA offers a pathway to strategic agility, stakeholder assurance, and operational resilience.

However, this pathway requires more than tools and processes. It requires a revolution in thinking, led by those who see beyond compliance and control.

It’s not that we lack a solution. We have one.

The real question is whether leadership is ready to acknowledge the problem.

About the Author

Dave is the Executive Director of the DVMS Institute.

DVMS Institute is a renowned provider of accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.

The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Holistic, Adaptive, and Culture-Powered Overlay System capable of anticipating and mitigating the systemic risk that will impact organizational cyber resilience.

By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2, etc.).

® DVMS Institute 2024 All Rights Reserved
