Communicating Security and Compliance Risks to Product Stakeholders
Designed for Product managers and technical leads responsible for delivering features in regulated industries (e.g., fintech, healthtech) who must communicate security and compliance risks to senior business stakeholders. to spark real collaboration and high-energy learning.
A 90-minute interactive virtual workshop for cross-functional product teams working in remote or hybrid environments. Participants often encounter friction when translating technical security requirements into stakeholder conversations, leading to delays, frustration, or misunderstood priorities. The group is accustomed to fast-paced delivery and often feels compliance is an afterthought imposed on their work.
Risk Headlines Icebreaker
Participants scroll through a live Miro board with real and fictional headlines like 'Startup Fined $2M for Data Leak' or 'Feature Launch Delayed by Surprise Audit'—but some are totally made up. Teams guess which are real and discuss the context behind each. This immediately sparks curiosity about the tangible impacts of security/compliance risks.
Tap to view the full activity.
Why this works
Uncertainty and surprise activate curiosity, priming the brain for learning. Real headlines create immediate relevance and urgency.
Mythbusters: Risk Edition
Flash a list of common product stakeholder statements—such as ‘Our product is too small to be targeted’ or ‘Compliance slows us down, but it’s all paperwork’—and invite participants to select one they’ve heard or even believed themselves. Together, unpack the flawed reasoning behind each with expert input.
Tap to view the full activity.
Why this works
Directly confronting misconceptions supports conceptual change and helps participants reframe limiting beliefs.
Emoji Thermometer Check-in
After introducing a challenging risk scenario, have participants select an emoji (from a provided set) that represents their comfort level with communicating this risk to a VP or exec. No names required—just emoji reactions in chat or on a shared slide. The group then sees the emotional spread and feels less isolated.
Tap to view the full activity.
Why this works
Low-pressure activities reduce social threat, build psychological safety, and increase willingness to participate in more challenging discussions.
Speed Stakeholder Roleplay
Breakout into trios for rapid-fire roleplay: one is the product stakeholder (with a provided persona card), one is the risk communicator, and one observes. Each ‘risk communicator’ has 90 seconds to explain a specific risk scenario. Observers give instant feedback using a checklist: was it clear, actionable, and non-technical?
Tap to view the full activity.
Why this works
High-energy, time-boxed activities simulate real stress and force clarity, helping to build confidence and skill under pressure.
Red Button Dilemma
Present a vivid dilemma: ‘Your product team discovers a low-likelihood, high-impact security flaw one week before a promised launch. Fixing it will require a two-week delay. Do you hit the “red button” and stop the launch? Why or why not?’ Teams debate choices, weigh business impact vs. risk, and share rationales with the group.
Tap to view the full activity.
Why this works
Dilemmas and decision-making scenarios activate critical thinking and help participants see the messy reality of balancing risk and delivery.
Personal Risk Story Mapping
Invite participants to think of a time when they witnessed (or heard of) a security or compliance issue being ignored or mishandled during a project. On a shared board, they jot a single takeaway or lesson learned (no names or details required for anonymity). Volunteers then connect these stories to communication missteps and brainstorm what could have been done differently.
Tap to view the full activity.
Why this works
Personal reflection increases ownership, while anonymous sharing lowers barriers to honesty and self-awareness.
Sign up to unlock 3 more activities
Get the full pack, facilitation flow, and more ready-to-run ideas.