Skip to main content

GRC leaders: how our workshop approach can help you plan for 2026 and beyond

·2 mins
GRC AI Act DORA NIS2 Workshop Facilitation

The workshop approach cuts through noise. We’ve used it to map AI Act obligations against actual data flows in 48 hours - something that typically takes weeks in spreadsheet hell.

GDPR was just the warm-up. The AI Act’s transparency logs, DORA’s incident reporting, and NIS2’s supply chain rules demand operational changes most compliance programs aren’t built for.

Here’s how we fix that: concrete action plans, not more policy documents. The workshop forces decisions about who does what by when. No more “we’ll figure it out later.”

How can GRC teams identify internal challenges?
Our workshop uses visual techniques and root cause analysis to uncover hidden inefficiencies and misalignments.

Most teams miss the connection between broken processes and regulatory risk. You’ll see this in audits when the same control failure appears across multiple frameworks. Our Rich Pictures method makes these patterns visible immediately.

The workshop surfaces:

  • Process gaps that create regulatory exposure
  • Teams working around broken systems
  • Root causes behind recurring compliance failures
  • Actual data flows versus policy claims

How can GRC teams prepare for EU AI Act, DORA, and NIS2 regulations?
Our workshop framework breaks down complex regulations into actionable steps and gap assessments.

We map regulations to operations by:

  1. Annotating exact Article 16 (AI Act) or Article 5 (DORA) requirements
  2. Flagging where one control satisfies multiple regimes
  3. Documenting evidence requirements upfront
  4. Assigning owners before leaving the room

How can GRC teams assess their practice maturity?
Our framework examines four key pillars: ways of working, tools, people, and information needs.

We assess real maturity by looking for:

  • Teams bypassing official channels (always a red flag)
  • Spreadsheets masquerading as systems
  • Risk assessments ignoring actual data flows
  • Contracts without specific AI governance clauses

How can GRC teams integrate diverse stakeholder viewpoints?
Our workshop structure ensures cross-functional collaboration across departments.

Stakeholder sessions get real when you:

  • Make legal explain requirements in operational terms
  • Require IT to demonstrate controls, not describe them
  • Challenge business units on their risk tolerance
  • Document every “we can’t because” as a risk acceptance

Purpose and Means handles global compliance where policies meet practice. Our clients avoid spending €200k on frameworks that don’t work. See client cases for how we’ve fixed actual implementations.

Author
Tim Clements

Browse by Topic

accountability frameworks ai act ai ethics ai governance ai infrastructure sovereignty ai literacy ai regulation audit and assessment automated decision-making awareness campaigns behaviour change beyond legal case law compliance monitoring cross-border transfers data breach notification data mapping data minimisation data protection day data quality data retention data sovereignty datatilsynet dora dpia education employee engagement esg executive communication finance and banking gdpr generative ai grc horizon scanning hr and employment incident response intellectual property leadership lego serious play machine learning nis2 privacy by design privacy culture public sector quantum computing records of processing regulatory guidance risk management risk reduction software development strategic planning sustainability training design trend radar vendor management visual communication weak signals workshop facilitation

Related Posts