How to use this template
This brief is decision-support, not an audit certificate. Every dollar figure is a modeled estimate from a FAIR-aligned Monte Carlo simulation (10,000 iterations producing P10 / base / P90), not an actuarial or legal opinion, and each one should carry a source so a director can challenge it. Keep the whole thing to a single page: lead with the dollar headline, give two or three drivers, benchmark it, state the ask ranked by return, show what moved since last quarter, and footnote the proof. Replace every bracket; delete any line you cannot support with evidence rather than guessing a number.
1. Headline exposure (P10 / base / P90)
Instruction: state total modeled annualized loss exposure as a three-point range — [P10 $__ (optimistic / 10th percentile)] | [base $__ (most likely)] | [P90 $__ (severe tail / 90th percentile)] — then one sentence on what that band means in plain terms, e.g. 'In a bad-but-plausible year we model up to $__ in losses, driven mostly by [scenario].' Name the scenario set behind the number (ransomware, data breach, business interruption, third-party) so the figure is anchored to events, not abstraction.
2. Top 2-3 risk drivers
Instruction: list the two or three scenarios contributing the most to the base-case number, each with its own dollar contribution and the underlying control gap — for example '[Driver 1: $__/yr — unpatched internet-facing systems]; [Driver 2: $__/yr — over-privileged cloud identities]; [Driver 3: $__/yr — third-party / vendor exposure].' Order them by dollar contribution, not by technical severity, so the board sees where loss actually concentrates rather than a vulnerability list.
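A worked example of the simulation behind sections 1 and 2, added here and not part of the template or of any vendor's model: a FAIR-style Monte Carlo in Python that draws an event count (Poisson) and a single-loss magnitude (lognormal fitted from a P10/P90 estimate) for each scenario-year, reports the P10 / base / P90 headline, and ranks the drivers by dollar contribution. The scenario inputs, the seed, and the choice of the mean as the base case (so that driver contributions add up to the headline) are my assumptions, not figures from the brief.

```python
import math
import random
import statistics

Z90 = 1.2815515655446004  # standard-normal z-score of the 90th percentile
# Constructed inputs (hypothetical): name -> (events per year, single-loss P10 $, P90 $)
SCENARIOS = {
    "ransomware / business interruption": (0.3, 200_000, 4_000_000),
    "data breach": (0.5, 50_000, 1_500_000),
    "third-party / vendor exposure": (0.8, 20_000, 400_000),
}

def poisson(lam, rng=random):
    """Knuth's method: draw the number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def lognormal_params(p10, p90):
    """Convert a P10/P90 single-loss estimate into lognormal (mu, sigma)."""
    mu = (math.log(p10) + math.log(p90)) / 2
    return mu, (math.log(p90) - math.log(p10)) / (2 * Z90)

def simulate(scenarios=SCENARIOS, iterations=10_000, seed=7):
    """Monte Carlo: Poisson event count x lognormal loss per event, per scenario-year."""
    rng = random.Random(seed)
    per_scenario = {name: [] for name in scenarios}
    totals = []
    for _ in range(iterations):
        year_total = 0.0
        for name, (lam, p10, p90) in scenarios.items():
            mu, sigma = lognormal_params(p10, p90)
            loss = sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(lam, rng)))
            per_scenario[name].append(loss)
            year_total += loss
        totals.append(year_total)
    return totals, per_scenario

def headline(totals):
    """(P10, base, P90) of annual loss; base is the mean so drivers add up to it."""
    q = statistics.quantiles(totals, n=10)  # nine cut points: q[0] = P10, q[8] = P90
    return q[0], statistics.fmean(totals), q[8]

def drivers(per_scenario):
    """Scenarios ranked by dollar contribution to the base case, largest first."""
    ranked = [(name, statistics.fmean(s)) for name, s in per_scenario.items()]
    return sorted(ranked, key=lambda row: row[1], reverse=True)
```

With these constructed inputs roughly a fifth of simulated years have no event at all, so the P10 sits at zero; that is the kind of plain-terms reading the headline sentence should carry.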
3. Peer / sector benchmark
Instruction: place your exposure against a relevant comparison so the board knows whether the number is high, normal, or low — '[Our base exposure of $__ is __% above / below the median for [sector / revenue band / portfolio peer set]],' and cite the comparison basis (industry loss data, peer portfolio companies, prior-vendor estimate). State the benchmark's source and date; if you do not have a credible peer set yet, say 'no validated benchmark available this quarter' rather than implying one.
4. The funding ask, ranked by ROI
Instruction: present requested investments ranked by EBITDA protected (or loss avoided) per dollar spent, not by cost — table form works best: '[Initiative] | [Cost $__] | [Modeled annual loss reduction $__] | [Return multiple __x] | [Payback __ months].' Lead with the highest-return item and make the single recommended decision explicit, e.g. 'Approve [item 1] at $__ to remove $__ of modeled annual exposure (__x return).' Keep it to the three or four initiatives that actually move the headline number.
5. What changed since last quarter
Instruction: show the delta so directors track trajectory, not a static snapshot — '[Base exposure moved from $__ to $__, a __% increase / decrease],' then one line on why ('driven by [new acquisition / remediated control / new threat / scope change]'). Separately note what was funded last quarter and the realized result ('approved $__ for [item]; modeled exposure reduced by $__, on track / behind'). Honesty on misses builds more board trust than a clean trend line.
6. Proof and source behind each number
Instruction: footnote every figure to its origin so any number can be defended under questioning — '[Exposure model: FAIR Monte Carlo, 10,000 runs, inputs as of __/__]; [Control evidence: normalized proof objects from [scanner / IdP / EDR], collected __/__]; [Benchmark: source, date]; [Assumptions: list the two or three that most move the result].' State data freshness and known gaps explicitly. Source-of-truth systems remain in your environment; this brief reports normalized, tenant-isolated proof objects, and that provenance is itself part of the credibility.
7. Stage and assurance posture (footer)
Instruction: one honest line on the maturity of the program and its assurance, so the board is not misled on certification status — e.g. 'Security program: [stage]; external attestations: [SOC 2 in progress / roadmap — not yet complete], [other frameworks status].' Never present a roadmap item as a finished certification. Close with the owner and date: '[Prepared by __, CISO/Operating Partner], [date], next review [date].'