
Know your Game Plan from your Roadmap

We often confuse a schedule with a strategy, but while a roadmap tells you when a project finishes, only a Game Plan explains how you effectively succeed.

Game Plans

In our profession of data protection, GRC and AI governance, certain project/programme artefacts are essential for planning and communicating our work.

When a new programme kicks off, two of the initial documents I produce for stakeholder engagement are a Roadmap and a Game Plan, and I really enjoy producing them.

While roadmaps are useful tools for showing the direction of travel, relying on them as your primary engagement tool is a common mistake. A roadmap tells you when things might happen, but it rarely explains how we will achieve our objectives, why we are doing it, or who needs to do what.

To truly lead a programme, especially one that requires behavioral change outside of the legal department, you don’t just need a map. You need a Game Plan.

A roadmap is a schedule. A Game Plan is a strategy on a page, and I make it as visual as possible - it’s a great excuse to get Procreate started up on my iPad.

In my experience leading complex security and data work, I’ve found that while detailed A3 plans are essential for underpinning the work, the Game Plan is the narrative tool that aligns the business.

A successful Game Plan visualises the five pillars of the project: **What, Why, When, Who, and How.** I’ve found it to be a useful way to summarise the business case.

Looking at the following examples from a security programme I managed a while back, you’ll notice they look nothing like a standard Excel project tracker. Here is why this approach works:

1. It visualizes the “Why” (the target)

Legal and security projects often fail because they are viewed as abstract compliance exercises. A Game Plan anchors the project in a tangible goal.

  • In the Asset Classification example, the target isn’t just “compliance”, it’s providing a tool to identify and protect highly confidential assets.

  • In Security Awareness, the goal isn’t “send 5 emails”, it’s “Employees adopt secure behaviors and support each other.”

2. It humanises the “Who”

Roadmaps often ignore the human element. A Game Plan puts people front and centre.

  • Look at the People Focus Game Plan. It uses the metaphor of climbing a mountain to show the journey of the Project Team, HR, and Unions.

  • It explicitly lists Key Stakeholders, not just as a list of names, but as active participants in the project.

3. It articulates that the “How” is hard (risks & challenges)

A roadmap usually assumes a happy path where task B follows task A. A Game Plan is realistic.

  • The DLP (Data Loss Prevention) Game Plan explicitly lists “Challenges” and “Lessons Learned from the PoC.”

  • The Corporate Security Policies plan highlights “Risks,” such as stakeholder pushback or approval delays.

By visualising the friction points (using warning signs or jagged lines), you aren’t being negative, you are building trust by showing you understand the landscape.

4. It narrates the “When” (phases, not just dates)

Instead of a rigid Gantt chart, a Game Plan shows the flow.

  • The Physical Security plan uses a simple timeline but pairs it with visual metaphors of construction and barriers.

  • The Asset Classification plan moves from “Pilot” to “Rollout,” showing the logical progression of maturity rather than just arbitrary deadlines.

This Game Plan concept sits at the heart of Purpose and Means. If we want to challenge the notion that data protection is primarily a task for legal professionals, we have to change how we communicate.

A 50-page Project Initiation Document written in legalese will not inspire an engineer to classify their data, nor will it convince a sales leader to adopt new security behaviors.

But a Game Plan, one that uses visual storytelling to connect the “What” to the “Why”, can bridge that gap. It turns a compliance requirement into a shared mission.

This is probably why it’s one of the most popular deliverables that I am asked about, and asked to produce by data protection leaders.

Interested to know more, or need a Game Plan for your project or programme? Get in touch to discuss your requirements.

Asset Classification Game Plan

Physical Security Game Plan

Corporate Security Policies

Data Loss Prevention (DLP) Game Plan

People Focus Game Plan

Security Awareness Game Plan

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
