Why Enterprises Need Integrated Governance and Assurance for Their ERM, GRC, and ITSM Programs
Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute
Introduction: The Limits of Traditional Risk and Service Programs
Enterprise Risk Management (ERM), Governance, Risk, and Compliance (GRC), and IT Service Management (ITSM) programs form the backbone of organizational oversight and operations. They provide structure for managing risk, ensuring compliance, and aligning IT with business objectives. Yet, in today’s digital economy, these systems are often insufficient. They tend to operate in silos, focus narrowly on compliance, or treat risk management as a periodic exercise rather than a continuous capability. They lack a unifying mechanism that ensures digital business value is created and protected in a coordinated and resilient manner. This gap is where a Digital Value Management System (DVMS) Governance and Assurance Overlay becomes essential.
The Changing Landscape of Digital Business
Digital transformation has expanded the attack surface, increased organizational complexity, and heightened stakeholder expectations around security, privacy, and resilience. Value in a digital enterprise no longer resides solely in physical assets but in data, intellectual property, trust, and service reliability. Unprotected or poorly governed digital value loses its meaning for stakeholders. At the same time, regulators and clients demand demonstrable assurance that digital operations are trustworthy, resilient, and compliant. Traditional ERM and ITSM frameworks often struggle to keep up because they were not designed for the speed, interconnectedness, and volatility of today’s digital business environment.
Why Governance and Assurance Must Be Overlaid
The NIST Cybersecurity Framework (CSF) 2.0 highlights governance as the central function that informs all others—identify, protect, detect, respond, and recover. Governance ensures that risk management strategies are aligned with organizational mission and stakeholder expectations. However, NIST CSF provides desired outcomes rather than detailed guidance on “how” to operationalize those outcomes across disparate organizational systems. A governance and assurance overlay like the DVMS fills this gap by ensuring that strategy and risk are treated as inseparable—what DVMS calls “strategy-risk”. This ensures that value creation and value protection occur concurrently, not sequentially.
Integration Across ERM, GRC, and ITSM
Each of the three existing programs has strengths:
- ERM provides enterprise-wide risk visibility but often lacks integration with IT service realities.
- GRC ensures compliance but risks devolving into checkbox exercises that do not improve resilience.
- ITSM enables consistent service delivery but can be reactive and operationally focused without a strategic view of risk.
The DVMS overlay integrates these disciplines through a systems-based model that organizes capabilities into Govern, Assure, Plan, Design, Change, Execute, and Innovate. By overlaying these onto existing frameworks, organizations expose gaps, align efforts, and build a continuous governance and assurance loop that syncs performance, compliance, and resilience.
Sustaining Digital Business Performance
Performance in a digital business depends on the ability to deliver reliable, high-quality services while adapting to constant change. The DVMS overlay ensures that planning, execution, and innovation are tied directly to governance and assurance mechanisms. This prevents performance trade-offs where speed undermines security or where compliance erodes agility. Instead, performance is sustained because every innovation or service delivery initiative is evaluated for its value creation potential and protection requirements.
Enabling Operational Resilience
Resilience is no longer just about disaster recovery; it is about continuous adaptation in complex environments. Organizations are complex adaptive systems, where small changes in one area can ripple into significant impacts elsewhere. A DVMS overlay brings systems thinking into ERM, GRC, and ITSM practices, helping leaders see interdependencies and anticipate unintended consequences. By embedding assurance and governance across all functions, organizations can withstand shocks—whether cyberattacks, regulatory shifts, or market disruptions—and recover while continuing to deliver value.
Strengthening Regulatory Compliance
Compliance alone does not equal protection. Many high-profile breaches have occurred in organizations that were entirely “compliant” with regulations but had not embedded resilience and assurance into daily operations. A governance and assurance overlay ensures compliance is contextualized within strategy-risk. It shifts compliance from a static obligation to a dynamic outcome of a well-governed system. Organizations can demonstrate regulatory alignment and maturity progression by aligning with NIST CSF Profiles and Tiers, offering regulators and clients confidence that compliance is part of an adaptive resilience strategy.
Building and Maintaining Digital Trust with Clients
Digital trust is the currency of modern business. Clients expect transparency, accountability, and assurance that their data and services are safe. A DVMS overlay operationalizes trust by embedding assurance practices across all value creation activities. This includes technical safeguards, cultural alignment, leadership accountability, and continuous improvement practices. Trust becomes measurable when governance systems can show evidence of doing the right things the right way within defined tolerances. Over time, this builds a reputation for reliability that differentiates organizations in competitive markets.
The Assurance Function: Closing the Loop
One of the unique contributions of the DVMS overlay is the explicit inclusion of Assure as a core capability. Assurance validates that governance intent is realized in practice, closing the loop between policy, execution, and outcomes. This prevents the common problem of “governance without enforcement” or “controls without context.” Assurance provides stakeholders—boards, regulators, and clients—with evidence that risks are managed, value is protected, and performance is sustained.
Conclusion: A Call to Action
ERM, GRC, and ITSM programs remain essential, but in isolation, they are insufficient for today’s digital business realities. A Digital Value Management Governance and Assurance Overlay provides the missing lens, ensuring that digital value creation is always matched by protection, that compliance strengthens rather than constrains, and that resilience is achieved not as an afterthought but as a built-in outcome. By adopting such an overlay, organizations can sustain digital performance, comply with evolving regulations, recover from disruption, and, most importantly, maintain the trust of their clients in an increasingly volatile and interconnected world.
About the Author
Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute
Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.
In today’s digitally driven economy, cyber disruptions are no longer an “if” but a “when.”
The DVMS Institute Certified Training Programs teach organizations how to transform static, fragmented, and control-based management programs (ERM, GRC, ITSM, etc.) into an integrated, adaptive, and culture-driven Digital Value Management System® (DVMS).
The DVMS, through its MVC, CPD, 3D Knowledge, and FastTrack Models, seamlessly aligns organizational Strategy, Governance, Operations, and Culture into a unified governance and assurance overlay management system capable of sustaining digital business performance, resilience, compliance, and trust across a complex digital ecosystem.
By adopting a DVMS, organizations are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
® DVMS Institute 2025 All Rights Reserved