Know your Game Plan from your Roadmap

In our profession of data protection, GRC and AI governance, certain project/programme artefacts are essential for planning and communication our work.

When a new programme kicks off, two of my initial documents I produce for stakeholder engagement are a Roadmap and a Game Plan, and I really enjoy producing them.

While roadmaps are useful tools for showing the direction of travel, relying on them as your primary engagement tool is a common mistake. A roadmap tells you when things might happen, but it rarely explains how we will achieve our objectives, why we are doing it, or who needs to do what.

To truly lead a programme, especially one that requires behavioral change outside of the legal department, you don’t just need a map. You need a Game Plan.

A roadmap is a schedule. A Game Plan is a strategy on a page, and I make it as visual as possible - a it's a great excuse to get Procreate started up on my iPad.

In my experience leading complex security and data work, I’ve found that while detailed A3 plans are essential for underpinning the work, the Game Plan is the narrative tool that aligns the business.

A successful Game Plan visualises the five pillars of the project: What, Why, When, Who, and How. I've found it to be a useful way to summarise the business case.

Looking at the following examples from a security programme I managed a while back (click the images for a larger view), you’ll notice they look nothing like a standard Excel project tracker. Here is why this approach works:

1. It visualizes the "Why" (the target)

Legal and security projects often fail because they are viewed as abstract compliance exercises. A Game Plan anchors the project in a tangible goal.

• In the Asset Classification example, the target isn't just "compliance", it’s providing a tool to identify and protect highly confidential assets.

• In Security Awareness, the goal isn’t "send 5 emails", it’s "Employees adopt secure behaviors and support each other."

2. It humanises the "Who"

Roadmaps often ignore the human element. A Game Plan puts people front and centre.

• Look at the People Focus Game Plan. It uses the metaphor of climbing a mountain to show the journey of the Project Team, HR, and Unions.

• It explicitly lists Key Stakeholders, not just as a list of names, but as active participants in the project.

3. It articulates that the "How" is hard (risks & challenges)

A roadmap usually assumes a happy path where task B follows task A. A Game Plan is realistic.

• The DLP (Data Loss Prevention) Game Plan explicitly lists "Challenges" and "Lessons Learned from the PoC."

• The Corporate Security Policies plan highlights "Risks," such as stakeholder pushback or approval delays.

By visualising the friction points (using warning signs or jagged lines), you aren't being negative, you are building trust by showing you understand the landscape.

4. It narrates the "When" (phases, not just dates)

Instead of a rigid Gantt chart, a Game Plan shows the flow.

• The Physical Security plan uses a simple timeline but pairs it with visual metaphors of construction and barriers.

• The Asset Classification plan moves from "Pilot" to "Rollout," showing the logical progression of maturity rather than just arbitrary deadlines.

Moving beyond legal

This Game Plan concept sits at the heart of Purpose and Means. If we want to challenge the notion that data protection is primarily a task for legal professionals, we have to change how we communicate.

A 50-page Project Initiation Document written in legalese will not inspire an engineer to classify their data, nor will it convince a sales leader to adopt new security behaviors.

But a Game Plan, one that uses visual storytelling to connect the "What" to the "Why", can bridge that gap. It turns a compliance requirement into a shared mission.

This is probably why it's one of the most popular deliverables that I am asked about, and asked to produce by data protection leaders.

Interested to know more, or need a Game Plan for your project or programme? Get in touch to discuss your requirements.