Governing by Assurance – Integrating Governance, Resilience, and Assurance into a Single System – The Assurance in Action Series – Part 6

David Nichols – Co-Founder and Executive Director of the DVMS Institute

The Next Evolution in Management Discipline

In the first five parts of this series, we explored how assurance moves from executive intent to daily practice:

  • Part 1 showed how managers translate strategic intent into actionable capabilities.
  • Part 2 demonstrated how frameworks such as the NIST Cybersecurity Framework (NIST CSF) can be operationalized through the Digital Value Management System® (DVMS).
  • Part 3 closed the loop between controls and evidence.
  • Part 4 established culture as a measurable capability.
  • Part 5 described how continual learning transforms resilience from aspiration to discipline.

Part 6 brings it all together. It poses a defining yet straightforward question: How do managers govern through assurance, rather than just reporting it?

The answer marks a new phase in management maturity, one where governance, resilience, and assurance are not separate domains but a single, self-reinforcing system.

The Shift from Managing Activities to Governing Systems

Traditional management emphasizes activity, focusing on maintaining controls, producing reports, and passing audits. This approach was effective when disruptions were infrequent and outcomes predictable. However, in today’s fast-changing environment—where digital reliance, AI-driven transformation, and global volatility are constant—focusing on activity alone no longer instills confidence.

Managers must shift from supervising tasks to managing systems.
Every decision, workflow, and rehearsal impacts governance results when aligned with a clear purpose and evaluated by evidence. The DVMS enables this by combining governance intent, operational execution, and assurance feedback into a single continuous cycle.

Governance through assurance signifies something fundamental: managers are no longer just implementers of policy; they are the operational stewards of resilience. They don’t wait for oversight to occur; they create it in real time.

Governance in the GRA Context

The Assurance Mandate Whitepaper introduced a significant shift in organizational oversight — from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA).

Under GRC, management showed diligence by documenting policies, risk registers, and audit reports. Under GRA, management must demonstrate capability, providing evidence that the organization can operate under pressure, recover quickly, and continue to Create, Protect, and Deliver (CPD) value.

In this new model:

  • Governance defines intent — the “why.”
  • Resilience delivers capability — the “how.”
  • Assurance provides evidence — the “what.”

When managers govern through assurance, they complete the final stage of GRA. They turn intent into capability, measure outcomes, and use evidence to feed back into governance, ensuring the system continually learns and adapts.

This is the managerial expression of GRA: governance not by policy, but by proof.

The DVMS as the Governance Engine

The Digital Value Management System® (DVMS) operationalizes GRA by acting as the link between boardroom plans and frontline actions.

As described in Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era and The Practitioner’s Guide to Building Cyber-Resilience (Second Edition), the DVMS is not another framework; it is an operating system that translates strategy into measurable capability.

Within the DVMS, governance intent flows downward through Create, Protect, and Deliver (CPD) value streams, while assurance evidence flows upward through measurable outcomes. Each Minimum Viable Capability (MVC) acts as a node within this system, linking policy to practice.

This system-based approach offers managers a new perspective. Instead of examining separate reports from cybersecurity, IT, and compliance departments, they gain a unified view of organizational resilience — one that updates in real time and shows the organization’s ability to withstand disruptions.

The result is governance as a living process, not an annual event.

The Manager’s New Role: From Reporter to Governor

This integrated model redefines what it means to be a leader. Managers have long been trained to report results upward. Now, they must oversee outcomes across functions, disciplines, and value streams.

Their responsibility is no longer to prove that the activity happened, but to demonstrate that capabilities operate under stress. They ensure systems are designed to adapt, not just to comply.

This is the manager as an assurance governor, a role that requires both operational insight and systems thinking.

Managers govern through evidence when they:

  • Define intent clearly, linking every policy to measurable outcomes.
  • Integrate capabilities across CPD value streams.
  • Rehearse performance and report assurance evidence instead of activity metrics.
  • Continuously refine systems using insights from near misses, simulations, and real-world events.

This shift from oversight to operational governance aligns with the principle in Thriving on the Edge of Chaos: leadership is the art of turning complexity into clarity. Managers achieve that clarity by building systems that communicate through evidence.

AI, Automation, and the Future of Assurance

For years, the scope of assurance constrained its practice. Managers faced a tough trade-off — gather enough data to prove assurance or focus on daily operations. That tension is now easing.

Automation and artificial intelligence are extending managerial reach.

  • Automated monitoring delivers continuous visibility across systems, supply chains, and workflows.
  • AI-driven simulations test resilience scenarios in real time, identifying weaknesses before they escalate.
  • Agentic systems record performance data directly into governance dashboards, providing an immediate link between operational evidence and executive oversight.

These technologies don’t replace human judgment; they enhance it. Managers no longer spend their energy assembling static reports — they interpret dynamic data, apply insights, and promote improvement.

The “burden of assurance,” once seen as expensive and complicated, is now becoming a standard part of digital management.

The Learning Governance Cycle

Resilience, as Thriving on the Edge of Chaos emphasizes, is not a fixed state but an emergent property of systems that learn. The DVMS turns that principle into practice.

Through its structured feedback loop — intent → capability → evidence → learning — managers formalize improvement within governance. Each cycle of this process enhances capability, sharpens evidence, and boosts assurance.

When combined with FastTrack, this cycle becomes manageable and measurable. Managers begin with foundational MVCs, target improvement efforts where confidence is weakest, and iterate through phases to achieve their goals. Learning is no longer a side effect of failure; it is an inherent part of governance.

This is how organizations stop reacting to disruption and start adapting because of it.

The Executive Question for Managers

Every manager, regardless of function, should be prepared to answer a single question: “Can you provide assurance evidence, not reports, that our organization can continue to Create, Protect, and Deliver value under stress?”

This question defines what maturity means in the era of assurance. It shifts the focus from “Are we compliant?” to “Are we resilient?”

Managers who provide evidence are no longer just participants in governance; they are its practitioners.

From Confidence to Trust

Boards seek confidence. Stakeholders demand trust. Managers establish both by governing through assurance. Confidence stems from evidence, from seeing that the organization functions as designed under real conditions. Trust develops when that confidence is maintained over time through transparency, accountability, and proof.

In this final step of the Assurance in Action series, managers transition from creating assurance systems to actively living them. Governance, resilience, and assurance come together into a single discipline, one that ensures the organization not only survives disruption but also continues to deliver value through it.

This captures the essence of governance through assurance, where intent, capability, and evidence combine to create a seamless system of trust.

Wrapping things up

With Part 6, the Assurance in Action series for managers comes to a close. Together, the six parts create a roadmap for turning assurance into a managerial discipline.

  1. From Intent to Action
  2. Operationalizing NIST CSF Through DVMS
  3. Closing the Loop – From Controls to Assurance Evidence
  4. Culture as Capability
  5. Continual Improvement and Learning Systems
  6. Governing by Assurance

Stay tuned for the upcoming “Assurance in Action” whitepaper.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2026 All Rights Reserved