Governing by Assurance: Integrating Governance, Resilience, and Assurance into a Single System – The Assurance in Action Series – Part 6
David Nichols – Co-Founder and Executive Director of the DVMS Institute
The Next Evolution in Management Discipline
In the first five parts of this series, we explored how assurance moves from executive intent to daily practice:
- Part 1 showed how managers translate strategic intent into actionable capabilities.
- Part 2 demonstrated how frameworks such as the NIST Cybersecurity Framework (NIST CSF) can be operationalized through the Digital Value Management System® (DVMS).
- Part 3 closed the loop between controls and evidence.
- Part 4 established culture as a measurable capability.
- Part 5 described how continual learning transforms resilience from aspiration to discipline.
Part 6 brings it all together. It poses a defining yet straightforward question: How do managers govern through assurance, rather than just reporting it?
The answer marks a new phase in management maturity, one where governance, resilience, and assurance are not separate domains but a single, self-reinforcing system.
The Shift from Managing Activities to Governing Systems
Traditional management emphasizes activity, focusing on maintaining controls, producing reports, and passing audits. This approach was effective when disruptions were infrequent and outcomes predictable. However, in today’s fast-changing environment—where digital reliance, AI-driven transformation, and global volatility are constant—focusing on activity alone no longer instills confidence.
Managers must shift from supervising tasks to managing systems.
Every decision, workflow, and rehearsal impacts governance results when aligned with a clear purpose and evaluated by evidence. The DVMS enables this by combining governance intent, operational execution, and assurance feedback into a single continuous cycle.
Governance through assurance signifies something fundamental: managers are no longer just implementers of policy; they are the operational stewards of resilience. They don’t wait for oversight to occur; they create it in real time.
Governance in the GRA Context
The Assurance Mandate Whitepaper introduced a significant shift in organizational oversight — from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA).
Under GRC, management showed diligence by documenting policies, risk registers, and audit reports. Under GRA, management must demonstrate capability, providing evidence that the organization can operate under pressure, recover quickly, and continue to Create, Protect, and Deliver (CPD) value.
In this new model:
- Governance defines intent — the “why.”
- Resilience delivers capability — the “how.”
- Assurance provides evidence — the “what.”
When managers govern through assurance, they complete the final stage of GRA. They turn intent into capability, measure outcomes, and use evidence to feed back into governance, ensuring the system continually learns and adapts.
This is the managerial expression of GRA: governance not by policy, but by proof.
The DVMS as the Governance Engine
The Digital Value Management System® (DVMS) operationalizes GRA by acting as the link between boardroom plans and frontline actions.
As described in Thriving on the Edge of Chaos: Managing at the Intersection of Value and Risk in the Digital Era and The Practitioner’s Guide to Building Cyber-Resilience (Second Edition), the DVMS is not another framework; it is an operating system that translates strategy into measurable capability.
Within the DVMS, governance intent flows downward through Create, Protect, and Deliver (CPD) value streams, while assurance evidence flows upward through measurable outcomes. Each Minimum Viable Capability (MVC) acts as a node within this system, linking policy to practice.
This system-based approach offers managers a new perspective. Instead of examining separate reports from cybersecurity, IT, and compliance departments, they gain a unified view of organizational resilience — one that updates in real time and shows the organization’s ability to withstand disruptions.
The result is governance as a living process, not an annual event.
The Manager’s New Role: From Reporter to Governor
This integrated model redefines what it means to be a leader. Managers have long been trained to report results upward. Now, they must oversee outcomes across functions, disciplines, and value streams.
Their responsibility is no longer to prove that the activity happened, but to demonstrate that capabilities operate under stress. They ensure systems are designed to adapt, not just to comply.
This is the manager as an assurance governor, a role that requires both operational insight and systems thinking.
Managers govern through evidence when they:
- Define intent clearly, linking every policy to measurable outcomes.
- Integrate capabilities across CPD value streams.
- Rehearse performance and report assurance evidence instead of activity metrics.
- Continuously refine systems using insights from near misses, simulations, and real-world events.
This shift from oversight to operational governance aligns with the principle in Thriving on the Edge of Chaos: leadership is the art of turning complexity into clarity. Managers achieve that clarity by building systems that communicate through evidence.
AI, Automation, and the Future of Assurance
For years, the scope of assurance constrained its practice. Managers faced a tough trade-off — gather enough data to prove assurance or focus on daily operations. That tension is now easing.
Automation and artificial intelligence are extending managerial reach.
- Automated monitoring delivers continuous visibility across systems, supply chains, and workflows.
- AI-driven simulations test resilience scenarios in real time, identifying weaknesses before they escalate.
- Agentic systems record performance data directly into governance dashboards, providing an immediate link between operational evidence and executive oversight.
These technologies don’t replace human judgment; they enhance it. Managers no longer spend their energy assembling static reports — they interpret dynamic data, apply insights, and promote improvement.
The “burden of assurance,” once seen as expensive and complicated, is now becoming a standard part of digital management.
The Learning Governance Cycle
Resilience, as Thriving on the Edge of Chaos emphasizes, is not a fixed state but an emergent property of systems that learn. The DVMS turns that principle into practice.
Through its structured feedback loop — intent → capability → evidence → learning — managers formalize improvement within governance. Each cycle of this process enhances capability, sharpens evidence, and boosts assurance.
When combined with FastTrack, this cycle becomes manageable and measurable. Managers begin with foundational MVCs, target improvement efforts where confidence is weakest, and iterate through phases to achieve their goals. Learning is no longer a side effect of failure; it is an inherent part of governance.
This is how organizations stop reacting to disruption and start adapting because of it.
The Executive Question for Managers
Every manager, regardless of function, should be prepared to answer a single question: “Can you provide assurance evidence, not reports, that our organization can continue to Create, Protect, and Deliver value under stress?”
This question defines what maturity means in the era of assurance. It shifts the focus from “Are we compliant?” to “Are we resilient?”
Managers who provide evidence are no longer just participants in governance; they are its practitioners.
From Confidence to Trust
Boards seek confidence. Stakeholders demand trust. Managers establish both by governing through assurance. Confidence stems from evidence, from seeing that the organization functions as designed under real conditions. Trust develops when that confidence is maintained over time through transparency, accountability, and proof.
In this final step of the Assurance in Action series, managers transition from creating assurance systems to actively living them. Governance, resilience, and assurance come together into a single discipline, one that ensures the organization not only survives disruption but also continues to deliver value through it.
This captures the essence of governance through assurance, where intent, capability, and evidence combine to create a seamless system of trust.
Wrapping Things Up
With Part 6, the Assurance in Action series for managers comes to a close. Together, the six parts create a roadmap for turning assurance into a managerial discipline.
- From Intent to Action
- Operationalizing NIST CSF Through DVMS
- Closing the Loop – From Controls to Assurance Evidence
- Culture as Capability
- Continual Improvement and Learning Systems
- Governing by Assurance
Stay tuned for the upcoming “Assurance in Action” whitepaper.
About the Author

Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
Digital Value Management System® (DVMS)
A Unified Intelligence System that Governs, Assures, and Sustains Digital Business Value, Resilience, and Trust
The DVMS Institute’s Certified Training Solutions teach organizations how to transform best-practice programs such as NIST, ITSM, GRC, and ISO into a unified, adaptive, and culture-driven Governance and Assurance Intelligence System that sustains digital value, resilience, and trust.
The DVMS establishes a structured, intelligence-driven pathway that unites Governance Intent, Operational Capability, and Assurance Evidence for each program, empowering organizations to achieve a unified approach for measurable performance, operational resilience, and client trust.
Through its MVC, CPD, 3D Knowledge, and FastTrack Models, the DVMS operationalizes a:
- Governance Overlay system that unifies strategy, assurance, and operations
- Behavioral Engine that transforms how organizations think, decide, and act in uncertainty
- Learning System that measures, adapts, and innovates the digital business over time.

DVMS White Papers
- The Assurance Mandate – Moving to Evidence-Based Operational Resilience
- Assurance in Action – Turning Policy into Organizational Capability
- Governance By Assurance – A Systems Approach to Outcome-Based Regulation
DVMS Organizational Benefits
The DVMS doesn’t replace existing frameworks—it connects, contextualizes, and amplifies them, transforming compliance requirements into actionable intelligence that drives and ensures sustained digital value, resilience, and trust.
By adopting a DVMS, organizations are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
DVMS Leadership Benefits
- For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
- For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
- For the CIO, CRO, CISO, and Auditors, the DVMS provides a unified, measurable, and adaptive system for governing and assuring digital value.
DVMS Institute Certified Training Programs
DVMS Cyber Resilience Awareness Training
The DVMS Cyber Resilience Awareness training provides all employees with a comprehensive understanding of the fundamentals of digital business, its associated risks, the NISTCSF, and their role in protecting organizational digital value. This investment fosters a culture that is prepared to transform systemic cyber risks into operational resilience.
DVMS NISTCSF Foundation Certification Training
The DVMS NISTCSF Foundation certification training course provides ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role as an integrated, adaptive, and culture-driven governance and assurance management system that drives resilient, compliant, and trusted digital outcomes.
DVMS Cyber Resilience Practitioner Certification Training
The Digital Value Management System® (DVMS) Practitioner certification training course provides ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of how to transform systemic cyber risk into operational resilience by uniting fragmented frameworks and standards, such as NIST, ITSM, GRC, and ISO, into a holistic, adaptive, and culture-driven Governance, Assurance, and Accountability overlay system that keeps your digital business resilient, no matter the disruption.
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
® DVMS Institute 2025 All Rights Reserved


