Governing by Assurance – Transforming Governance Through Continuous Evidence

Share This Post

Governing by Assurance – Transforming Governance Through Continuous Evidence

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Introduction

Governing by Assurance presents a fundamental shift in how organizations think about governance in an increasingly complex digital world.

Rather than viewing governance as the production of policies, reports, control mappings, and compliance artifacts, the book argues that governance should be measured by an organizational demonstrated ability to achieve intended business outcomes under real operating conditions.

At its heart, the book introduces Governance by Assurance as a new operating philosophy built around continuous, evidence-based verification rather than periodic compliance reviews. It proposes that organizations must move beyond proving they have controls in place toward proving those controls work when it matters most.

The Failure of Traditional Governance

The authors begin by examining an uncomfortable reality. Organizations have invested billions of dollars in governance, risk management, compliance programs, cybersecurity frameworks, audits, certifications, and reporting systems. Despite these investments, major operational failures, cyberattacks, supply chain disruptions, and resilience breakdowns continue to occur with alarming frequency.

The book argues that this is not because organizations lack governance, but because governance has become increasingly disconnected from operational reality. Executive dashboards remain green while critical business services fail. Audit reports show mature control environments while organizations struggle to recover from incidents. Policies continue to expand while operational behavior quietly diverges from documented intent.

This disconnect exists because governance has become focused on documenting compliance rather than validating operational capability. Organizations have become exceptionally good at proving they possess policies, frameworks, and controls, but far less effective at demonstrating that these mechanisms consistently produce the intended business outcomes under real-world conditions.

The Gap Between the Paper System and the Living System

One of the book’s most powerful concepts is the distinction between what the authors call the paper system and the living system.

The paper system consists of everything an organization documents. It includes governance frameworks, policies, standards, procedures, risk registers, audit findings, maturity assessments, compliance reports, dashboards, and management presentations. These artifacts are necessary because they establish expectations and communicate organizational intent.

The living system, however, represents how work is performed. It comprises operational decisions, human behavior, informal workarounds, technical configurations, supplier relationships, operational pressures, cultural norms, and the countless adjustments employees make every day to keep critical services running.

Over time, these two systems naturally drift apart. Policies describe how work should occur, while operational realities require people to adapt. Governance, therefore, becomes increasingly focused on maintaining documentation while operational teams focus on keeping systems functioning. The result is a dangerous illusion of control where organizations appear well-governed on paper but remain vulnerable where digital value is created and delivered.

The authors argue that effective governance must continuously reconnect these two systems by validating that documented intent is reflected in actual operational behavior.

Moving Beyond GRC to GRAA

Rather than dismissing Governance, Risk, and Compliance (GRC), the book recognizes its historical value while arguing that it has reached its practical limits.

GRC successfully organized governance activities around policies, risks, controls, and compliance obligations. However, modern digital enterprises operate across cloud environments, third-party ecosystems, AI systems, and business processes that continuously change far faster than traditional governance models were designed to manage.

To address this challenge, the authors introduce GRAA—Governance, Resilience, Assurance, and Accountability. In this model, governance establishes strategic intent, resilience ensures the organization can continue operating under adverse conditions, assurance continuously verifies that intended outcomes are being achieved through trusted evidence, and accountability ensures ownership exists for both decisions and operational outcomes.

These four capabilities operate together rather than as isolated organizational functions. Governance without resilience becomes aspiration. Resilience without assurance becomes luck. Assurance without accountability becomes reporting. Accountability without the other three becomes blame. GRAA transforms governance from a documentation exercise into an operational capability that continuously learns and adapts.

DVMS as the Operating Overlay

The practical engine behind this transformation is the Digital Value Management System® (DVMS). Rather than replacing existing frameworks such as NIST CSF, ISO 27001, COBIT, ITIL, or regulatory requirements, DVMS functions as an operating overlay that connects them into one coherent governance system.

Frameworks identify what organizations should pay attention to. DVMS determines how organizations continuously demonstrate that these requirements are producing the desired outcomes.

The overlay continuously connects governance intent with operational execution through evidence gathered directly from production environments. Policies establish expectations. Operational telemetry produces evidence. Evidence validates whether desired outcomes are being achieved. The resulting knowledge feeds back into governance decisions, creating a continuous assurance loop.

In this model, governance becomes a living system that evolves as operational evidence changes rather than a static collection of documents periodically reviewed by auditors.

The Create, Protect, Deliver Model

To simplify executive governance, the book introduces the Create, Protect, Deliver (CPD) model.

Every digital organization exists to perform three simultaneous responsibilities. It must continuously create new business value through innovation and transformation. It must protect that value from cyber threats, operational failures, regulatory violations, and business disruption. Finally, it must reliably deliver that value to customers, citizens, stakeholders, and partners.

These are not independent objectives competing for resources. They represent three inseparable dimensions of digital business performance. Organizations fail when they optimize one while neglecting the others.

The CPD model gives boards and executives a straightforward way to understand digital governance. Every governance decision should ultimately improve an organizational ability to create, protect, and deliver value reliably across complex digital ecosystems.

Measuring What Actually Matters

Traditional governance emphasizes activities. The book instead advocates measuring outcomes.

Rather than asking whether required controls exist, leaders should ask whether those controls consistently produce trusted outcomes. Rather than verifying policy compliance, organizations should validate operational capability. Instead of counting completed audits or implemented controls, they should continuously evaluate whether strategic objectives are being achieved through measurable operational evidence.

To support this approach, the authors introduce Question Outcomes (QO), Question Metrics (QM), assurance loops, evidence streams, and seven Minimum Viable Capabilities that define the essential operational characteristics every critical business boundary must possess. These capabilities include Govern, Assure, Plan, Design, Change, Execute, and Innovate, creating a practical governance operating model that continuously connects leadership intent with measurable operational performance.

Culture as a Governance Capability

A distinguishing feature of the book is its treatment of organizational culture as a measurable governance capability rather than a soft organizational attribute.

Culture determines how people behave when procedures no longer provide clear answers. It influences whether employees raise concerns, whether incidents become learning opportunities, and whether governance remains connected to operational reality.

The authors argue that culture should generate evidence just like technical systems do. Speaking up, responding to incidents, learning from mistakes, collaborating across organizational boundaries, and adapting to changing conditions all become observable behaviors that strengthen or weaken governance effectiveness.

By integrating cultural evidence into governance, organizations gain a far more complete understanding of how their systems operate.

Artificial Intelligence as an Assurance Accelerator

The book also explores the emerging role of artificial intelligence in governance. Rather than replacing human decision-making, AI serves as an assurance accelerator capable of analyzing enormous volumes of operational evidence, identifying patterns, detecting anomalies, and highlighting areas where governance intent may be diverging from operational behavior.

Human leadership remains responsible for governance decisions, ethical judgment, and accountability. AI enhances governance by increasing the speed, scope, and precision of evidence analysis, allowing leaders to understand complex digital ecosystems that are increasingly impossible to govern through manual observation alone.

Conclusion

Governing By Assurance challenges one of the most deeply held assumptions in modern governance: that compliance documentation provides sufficient confidence that organizations are operating effectively. Instead, the authors argue that confidence must be continuously earned through evidence generated by the living system itself.

The book presents Governance by Assurance as a new leadership discipline in which evidence replaces assumptions, operational behavior validates policy, and governance becomes a continuous learning system rather than a periodic reporting exercise. By integrating GRAA, the DVMS operating overlay, the Create-Protect-Deliver model, continuous assurance loops, measurable culture, and AI-enabled evidence analysis, the authors provide a comprehensive blueprint for governing modern digital enterprises.

Ultimately, the book argues that the organizations most likely to succeed in an increasingly interconnected and AI-enabled world will not be those with the largest collections of policies or the most sophisticated compliance programs. They will be organizations that can continuously demonstrate, through trusted, audit-ready evidence, that their strategic intent is consistently fulfilled through the creation, protection, and delivery of digital value. That shift from governing by documentation to governing by assurance is the book’s central message and its vision for the future of digital governance.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2026 All Rights Reserved

 

 

More To Explore

DVMS and the Modern Enterprise

Governance By Assurance in the AI-Driven Enterprise

Governance By Assurance in the AI-Driven Enterprise: Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute The AI Revolution Requires a New



DVMS: a Governance by Assurance™ Overlay System that continuously transforms fragmented operational data into trusted, audit-ready evidence, enabling leaders to provide continuous assurance that the business is fulfilling its strategic and operational intent for creating, protecting, and delivering trusted, resilient, and accountable digital value.