GRC leaders: how our workshop approach can help you plan for 2026 and beyond

These days, GRC leaders are acutely aware of the ever-evolving regulatory landscape. With major legislation like the EU AI Act, DORA, and NIS2 at the top of their agendas, alongside existing frameworks such as GDPR, the pressure is on to ensure strong compliance and effective risk management.

For some, the instinct might be to react to each regulation in isolation, but to truly prepare for 2026 and beyond, using a proactive, structured approach will not just save you time upfront it will also uncover hidden challenges, align teams, and optimise resources.

This is where our "From Issues to Action" workshop approach offers a powerful solution. Designed for versatility and adaptability, it provides a collaborative framework that goes beyond simple compliance checklists, allowing you to go deep into the core of your GRC operations.

How is your team doing?

In my experience, the biggest hurdles aren't always going to be external laws and regulations. Internal inefficiencies, communication breakdowns, or misaligned priorities within teams often go unnoticed until things go badly wrong.

Our workshop is ideal at bringing these "under the surface" issues to light. Through preparation techniques like creating "Rich Pictures" (visual representations of current states) participants can visually describe relationships, processes, and even emotions, providing a holistic view of their challenges. The workshop itself enables a shared understanding, allowing your team to identify, group, and prioritise key issues. By then engaging in Root Cause Analysis, the workshop doesn't just list symptoms, it surfaces the fundamental reasons why something isn't working or needs improving, paving the way for sustainable solutions rather than quick fixes.

Impact analysis and planning for emerging regulations (EU AI Act, DORA, NIS2, etc.)

The beauty of this structured approach is in its versatility and adaptability. While it's great for internal operational improvements, it's equally potent for navigating new regulations. Instead of viewing each new law as a separate challenge, the workshop can be customised to conduct integrated impact analysis. Teams can use the framework to:

• Identify specific requirements: Break down complex regulatory texts into actionable items relevant to their department or team.

• Assess current state gaps: Using Rich Pictures and issue identification, pinpoint where existing practices will not live up to new regulatory demands.

• Prioritise and plan actions: Develop a clear "to-be" state, defining solutions, assigning responsibilities, and co-creating roadmaps that feed directly into your 2026 operational plans and budgets.

Assessing practice maturity

Proper GRC resilience requires continuous improvement across multiple dimensions. Our "From Issues to Action" framework facilitates a comprehensive practice maturity assessment, examining:

• Ways of working: Are your processes and procedures efficient, clearly defined and understood?

• Tools and technology: Are your existing systems adequate to support evolving GRC needs?

• People and organisation: Do your teams have the right skills and structures to meet future demands?

• Information and data: What changes may need to be made to reports, contracts, metrics, or the overall data and information needs of your company?
  

By analysing these pillars, the workshop helps you identify strengths to build upon, and weaknesses to address, and identify the needed work packages to accomplish this.

Integrating diverse stakeholder viewpoints

GRC is rarely the sole responsibility of one department. Data protection, security, and AI governance touch every part of a company. Our workshop structure has "cross-functional collaboration" built-in. By bringing together diverse stakeholders, from legal and IT to business units, the process ensures that all viewpoints are aired, conflicts are openly discussed, and solutions gain broad consideration.

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get sense of what we do.

We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.