
GRC leaders: how our workshop approach can help you plan for 2026 and beyond


The workshop approach cuts through noise. We have used it to map AI Act obligations against actual data flows in 48 hours, something that typically takes weeks of spreadsheet work.

GDPR was just the warm-up. The AI Act’s transparency logs, DORA’s incident reporting, and NIS2’s supply chain rules demand operational changes most compliance programs aren’t built for.

Here’s how we fix that: concrete action plans, not more policy documents. The workshop forces decisions about who does what by when. No more “we’ll figure it out later.”

How can GRC teams identify internal challenges?
Our workshop uses visual techniques and root cause analysis to uncover hidden inefficiencies and misalignments.

Most teams miss the connection between broken processes and regulatory risk. You’ll see this in audits when the same control failure appears across multiple frameworks. Our Rich Pictures method makes these patterns visible immediately.

The workshop surfaces:

  • Process gaps that create regulatory exposure
  • Teams working around broken systems
  • Root causes behind recurring compliance failures
  • Actual data flows versus policy claims

How can GRC teams prepare for EU AI Act, DORA, and NIS2 regulations?
Our workshop framework breaks down complex regulations into actionable steps and gap assessments.

We map regulations to operations by:

  1. Annotating the exact article-level requirements (for example Article 16 of the AI Act or Article 5 of DORA)
  2. Flagging where one control satisfies multiple regimes
  3. Documenting evidence requirements upfront
  4. Assigning owners before leaving the room

How can GRC teams assess their practice maturity?
Our framework examines four key pillars: ways of working, tools, people, and information needs.

We assess real maturity by looking for:

  • Teams bypassing official channels (always a red flag)
  • Spreadsheets masquerading as systems
  • Risk assessments ignoring actual data flows
  • Contracts without specific AI governance clauses

How can GRC teams integrate diverse stakeholder viewpoints?
Our workshop structure ensures cross-functional collaboration across departments.

Stakeholder sessions get real when you:

  • Make legal explain requirements in operational terms
  • Require IT to demonstrate controls, not describe them
  • Challenge business units on their risk tolerance
  • Document every “we can’t because” as a risk acceptance

Purpose and Means handles global compliance where policies meet practice. Our clients avoid spending €200k on frameworks that don’t work. See client cases for how we’ve fixed actual implementations.

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
