Running on CPD – How Value-Centered Governance Changes the GRC Game – The GRAA Leadership Series Part 6


David Nichols – Co-Founder and Executive Director of the DVMS Institute

It’s common for an executive to experience two very different meetings in one week. In one meeting, the emphasis is on growth, with discussions focusing on new products, markets, and digital capabilities. The language revolves around revenue, competitiveness, customer experience, and innovation. The atmosphere is energetic, with people discussing how to seize opportunities before competitors do.

In another meeting, the focus is on risk and compliance. Topics include heatmaps, control gaps, remediation plans, regulatory updates, and audit findings. The language revolves around exposure, mitigation, obligations, and assurance. The mood is cautious. People discuss ensuring that nothing goes wrong.

Often, some leaders attend both meetings. They care about both discussions. However, it rarely feels like the two meetings are describing the same system. Value is discussed in one room, while risk is discussed in another. Governance tries to connect the two, but it often arrives late to both.

The outcome is familiar. Risk seems like something added on top of the core business, rather than an inherent part of how the business creates and safeguards value. Executives are expected to switch between optimistic and cautious views, then somehow hold both perspectives in their minds while making decisions.

This article examines the transformations that occur when value becomes the primary principle for governance, rather than a secondary consideration.

The Problem With “Risk First” Governance

Many organizations, even those with advanced GRC capabilities, still operate under a “risk first” approach. They initially conceive business ideas or technology initiatives mainly in commercial and operational terms. Teams focus on features, time to market, cost, competitive edge, and customer impact. Once the idea takes shape, risk and compliance are brought in to review, advise, challenge, and approve. Controls are then designed and implemented. Policies are referenced, and exceptions are negotiated.

This pattern is effective when change is gradual and systems are simple. In a digital environment, where products continually evolve, dependencies are complex, and decisions are dispersed, its weaknesses become more apparent. Teams view risk and compliance as obstacles or late-stage critics, rather than as partners in creating and protecting value. Risk leaders struggle to influence decisions that have already been effectively made. Executives receive two partial stories: one about upside and another about downside. There is no single perspective that treats both as parts of the same flow of work.

In this world, governance is often seen as a series of gates and approvals. It feels like something that surrounds the business rather than being an integral part of it. The organization operates according to one logic and manages risk with another. In a complex, fast-moving environment, this isn’t just inefficient; it is also dangerous.

To fix this, you need to change the way you think. You should explain governance, resilience, assurance, and accountability in terms of how value flows through your system, not just how you defend against risks. That’s where CPD comes into play.

CPD as the Operating Rhythm

At the core of every digital enterprise lies a simple, ongoing rhythm. The organization continually works on three activities simultaneously. It creates new value, which might include a new digital service, an updated feature within an existing platform, a data-driven capability, or a new way to serve a customer or citizen.

It protects value, defending what it has built against cyber threats, third-party failures, process breakdowns, fraud, reputational harm, and breaches of trust. And it delivers value, fulfilling its promises to customers and stakeholders daily, reliably, and predictably, to the extent that people feel confident relying on it. That rhythm is Create, Protect, and Deliver (CPD).

These are not three separate departments; they are stages of the same process. In practice, they constantly overlap. While you are delivering, you are also evolving and creating. While you are creating, you should already be thinking about how to protect and deliver what you are building. While protecting, you are often forced to change and sometimes innovate.

CPD assigns a name to that motion. Once you can describe the business in these terms, you can directly link governance, risk, and assurance to how value flows, rather than treating them as separate layers of analysis.

What Happens When CPD Is Not Explicit

When an organization doesn’t explicitly think in CPD terms, a common pattern occurs. Creative work tends to advance rapidly. It is mainly viewed in terms of opportunity and speed. Energy and senior attention are focused on new products, features, and technologies. Risk is recognized, but it is often viewed as an obstacle to be addressed later.

Protection work is often reactive. It responds to changes that creation pushes through the system. It attempts to incorporate controls and policies into designs that were not originally intended to accommodate them. Cyber, legal, compliance, and audit teams find themselves racing to keep pace with a rapidly evolving target.

Delivery work is caught between two forces. Operations teams are tasked with maintaining service stability while change programs and protection initiatives pull them in opposite directions. They bear the operational consequences of decisions made elsewhere.

In this world, governance becomes a negotiation between competing priorities rather than a cohesive approach to the entire system. Resilience is often an afterthought, usually recognized through incidents and near misses. Assurance is sporadic and incomplete because it attempts to measure a moving target rather than understand a steady flow of information. Accountability is unclear because no one is clearly responsible for the entire process from start to finish.

None of this occurs because people are careless or indifferent about risk. It happens because the system has never been asked to view itself as a single CPD flow.

CPD as the Bridge Between Value and GRAA

When you focus on CPD, the conversation shifts. Governance can then be viewed as setting intent, making trade-offs, and assigning accountability throughout the entire CPD cycle. You’re not just approving individual projects or controls; you’re determining how the organization creates, protects, and delivers value in a specific area, and under what terms.

Resilience shifts from being an abstract idea to an inherent quality of the CPD flow itself. You consider how effectively you can continue creating, protecting, and delivering value under stress, not just how quickly you recover from a single failure. You evaluate how the flow responds when a supplier is lost, a key service is degraded, new regulations are introduced, or an unexpected opportunity arises.

Assurance becomes the discipline of gathering evidence about how CPD actually works in practice. Are we creating value in the way we think we are, or are shortcuts and informal workarounds replacing the intended design? Are we protecting what matters most, or are some risks tolerated without explicit decision? Are we really delivering consistently where it counts, or have we normalized levels of failure that would surprise our stakeholders?

Accountability becomes more defined when linked to CPD. You can ask who is responsible for creating, protecting, and delivering this value stream. You can analyze how those responsibilities interact. When something goes wrong, you can trace it back to CPD decisions and capability gaps, not just individual actions. The key point is straightforward. CPD provides Governance, Resilience, Assurance, and Accountability with something tangible to attach to. Instead of existing as abstract virtues, they become attributes of how value flows through the system.

How CPD Connects to Minimum Viable Capabilities

In the previous article, we discussed Minimum Viable Capabilities, the small set of core abilities an enterprise needs to operate safely and adaptively in a digital world. CPD provides the motion. MVCs offer the abilities that make that motion possible. In other words, the CPD operationalizes the MVC.

When you create, you rely heavily on capabilities like Govern, Plan, Design, Change, and Innovate. You need governance to determine what to pursue and what to decline. You need planning to organize work logically. You need Design to build resilience into the product or service. You need Change and innovation abilities that allow you to evolve what you offer without destabilizing the rest of the system.

When you protect, you rely on Govern, Assure, Design, Execute, and Change. You need governance to define what “acceptable” looks like in practice. You need assurance to see where reality diverges from intention. You need Design to embed controls and safeguards into the way work is done. You need an execution capability that remains stable under stress. You need Change to close the gaps you have discovered.

When you deliver, you call on Govern, Plan, Execute, and Assure, with Change always in the background. You need governance to determine which obligations and promises are most important. You need to plan to align capacity and demand. You need execution to meet commitments reliably. You need assurance to know whether you are actually doing what you think you are doing. You need to change to respond when any of those things shift.

Viewed this way, CPD and MVC are two sides of the same coin. CPD explains the flow, while MVC outlines the minimum capabilities needed for that flow to function. Together, they transform governance from a broad issue into specific questions about how your organization is structured and how it operates when creating value in the world.

The 3D View on CPD: Leadership, Structure, Behavior

Now bring back the 3D lens we introduced in Part 4: leadership signals, structural design, and behavior over time. Take a real CPD flow in an actual value stream and look at it through this 3D model.

Begin with leadership. What messages are leaders conveying about creation, protection, and delivery in this part of the business? Is growth prioritized over trust, or vice versa? Do leaders communicate openly about the trade-offs between speed, risk, and ethics, or do they silently favor one aspect and hope the others will resolve themselves?

I was working with a company that adopted the ITIL framework. During the kickoff meeting, the CIO stood in front of the IT division and expressed his unwavering support for the project, concluding with the following: “…but don’t forget, we aren’t going to let process get in the way of getting things done.”

Then examine the structure. How are roles, processes, metrics, and frameworks arranged around CPD? Are “create” and “protect” assigned to different teams with conflicting incentives? Does “deliver” carry unresolved tensions from both? Do governance forums review CPD flows from start to finish, or do function and framework divide them?

Finally, consider behavior. When real-world pressure occurs, such as a deadline, an incident, or a high-stakes opportunity, how do people actually respond? Do they raise concerns early or stay silent until issues become undeniable? Do they take CPD commitments seriously or treat some phases as optional? Where do they cut corners, and why?

When you analyze CPD from all three perspectives simultaneously, you begin to understand why specific patterns recur. You might find that protection work is consistently sidelined when creation and delivery conflict, not because people ignore risk, but because leadership signals, organizational setups, and incentives all favor speed.

You may notice that delivery teams are often blamed for failures caused by poor decision-making or inadequate Change capabilities. You may find that innovation is valued in theory but remains structurally isolated and lacks sufficient support. CPD becomes more than just a cycle; it transforms into a way to identify where the system is misaligned with its declared priorities.

How DVMS Uses CPD to Operationalize GRAA

The DVMS approach is designed to make this value-centered view of governance practical and effective. In DVMS, CPD serves as the perspective through which you examine the business. You don’t conduct separate discussions about “the business” and “GRC.” Instead, you focus on how each significant value stream creates, protects, and delivers digital business value, and what that means for governance, resilience, assurance, and accountability.

Minimum Viable Capabilities provide the foundation beneath that perspective. They ensure that when you say you are creating, protecting, or delivering, you can point to the core abilities that make that claim valid. You do not rely solely on frameworks or tool deployments. Instead, you assess whether the capabilities themselves exist, are owned, and are operating effectively.

The 3D model of leadership, structure, and behavior provides a way to connect the CPD and MVC concepts to real-world practice. It shows where leadership signals hinder protection in favor of creation, where structures trap responsibility for “protect” in functions that are distant from “create” and “deliver,” and where behavioral patterns indicate that the system is not embodying the story written in your policies.

The Adaptive Edge Platform and Kaia operate within this architecture. Their goal is to collect and interpret signals related to culture, capability performance, risk events, and CPD flows, then feed that understanding into governance in a way that busy leaders can actually utilize. Instead of adding yet another static dashboard, they provide a dynamic view of how CPD, capabilities, and behavior evolve over time.

The outcome you aim for is easy to state, even if it’s difficult to attain. GRAA should not operate as a separate program. Instead, it should arise as a result of how CPD is governed, organized, and experienced in your organization.

A CPD Story: One Product, One Flow

Consider a single product, such as a digital platform that is central to your strategy. An executive group gathers, not to evaluate it in terms of “projects” versus “risks,” but in terms of CPD.

They begin with creating. How do new ideas for this platform come about? Who determines what to build next, and on what basis? When are considerations of risk, ethics, and resilience raised? How are skills like designing, planning, and innovating actually demonstrated in this context?

They move to protect. What are the main threats that could weaken trust in this platform? How are cyber, privacy, third-party, and conduct risks identified and managed? Who is responsible for protection efforts, and how is confidence in their effectiveness verified to ensure it is genuine and not just paperwork?

They move to deliver. How is its reliability maintained? How are incidents detected and managed? How do feedback loops from customers, regulators, and partners influence and protect the process? How do change activities interact with delivery, and who has the authority to delay or halt change if delivery is at risk?

As they converse, they introduce the 3D questions. What signals have leaders been sending about CPD in this product, especially under pressure? How have structures facilitated or obstructed the flow? What behaviors have they observed in real incidents and trade-offs?

Very quickly, they begin to see tangible issues. Perhaps “create” is a strong and well-supported term, but “protect” is divided among three different functions and is not fully assured. Perhaps delivery remains stable under normal conditions, but Change capability is so weak that even small adjustments pose risks. Perhaps leaders say the right things about trust, but the metrics used to judge success tell a different story.

This is not a theoretical exercise. It is a way of structuring a practical conversation that leads to real decisions. Change a metric. Clarify accountability. Strengthen a capability. Slow a piece of creation work until protection catches up. Invest in assurance where CPD is moving fastest. CPD gives that conversation a shape.

Implications for Executives and GRC Leaders

For executives, choosing to focus on CPD means they no longer need to treat “risk” and “value” as separate priorities to reconcile mentally. Governance becomes the discipline of guiding CPD in a way that respects both. Board conversations can shift from “compliance versus growth” to “how, in this context, do we choose to create, protect, and deliver value, and what are we willing to accept or reject along the way.”

For GRC leaders and analysts, CPD offers a compelling narrative. Their role is no longer easily misrepresented as merely slowing down processes. Instead, they can define their purpose as shaping and ensuring the “protect” aspect within genuine value flows, and as assisting in creating and delivering solutions that do not compromise the future.

The DVMS approach exists to enable that. It doesn’t run GRC alongside the business. Instead, it manages governance and resilience through how digital business value is created, protected, and delivered.

Looking Ahead: From CPD to AI-Enabled Insight

Throughout this series, we have gradually built a picture, starting with the recognition that traditional GRC investments have not provided the resilience leaders need. We identified the overlay problem: the lack of a shared operating model that can support all existing frameworks and tools. We acknowledged that culture is the most challenging control surface, then introduced a 3D perspective that views leadership, structure, and behavior as a unified system. We added a Minimum Viable Capability foundation and now a CPD lens that directly links everything to value.

The next question is practical. How do you maintain the integrity of this entire model in real-time across a complex organization? How do you prevent being overwhelmed by increasing amounts of information while managing CPD, capabilities, and culture simultaneously?

That is the direction where the next part of the series will go. You do not need more dashboards; you need an AI that understands your system. Because once governance is centered on CPD, the challenge is no longer a lack of data. It is about making sense of the system you have built, at the speed it now operates.

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, about functioning in high-performance teams, and about what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® (DVMS)

Digital organizations don’t fail because they lack frameworks and practices.
They fail because those frameworks and practices operate in silos.

The Digital Value Management System® (DVMS) integrates fragmented frameworks and practices such as NISTCSF, GRC, ITSM, DevOps, and AI into a living, three-dimensional governance overlay system that uses evidence to reveal whether the digital business is operating as intended and how the risks that matter most are being proactively addressed.

DVMS Capabilities Include:
  • Adaptive Governance through risk-informed decision-making
  • Operational Resilience through culture and adaptation to sustain digital value
  • Performance Assurance through outcome-based measurement
  • Transparent Accountability through clear ownership of outcome responsibilities

At its core, the DVMS is a simple but powerful integration of:
  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business actually performs
  • Assured Evidence – proof that outcomes are achieved and accountable

Through its MVC, CPD, 3D, Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors, the DVMS provides an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

DVMS White Papers

The whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.

The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.

The Assurance in Action Paper elevates the conversation from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.

The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.

DVMS Cyber Resilience Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.


Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025 All Rights Reserved
