Do you see the value in using FAIR™ quantitative analysis for risk management but still get stuck when it comes to presenting results? You are not alone. Presenting results is the most common challenge we see in FAIR Analysis Fundamentals Training.
By observing hundreds of new FAIR practitioners, we have summarized the top five tips to help you become more effective at presenting results. With practice and preparation using these tips as guides, you will be on your way to confidently communicate the results of a FAIR analysis to your stakeholders.
Bernadette Dunn is a FAIR risk analysis trainer for RiskLens Academy.
1. Be clear on the question you are answering
This is one of the most repeatable statements we provide when teaching FAIR. Yet, when we practice presenting a FAIR analysis result, data is often being communicated with zero context.
We recommend stating upfront the meeting's intention, starting with what the stakeholder asked you to do. Keep in mind that although you have spent a significant amount of time working on this request, the stakeholder has been off focusing on many other initiatives and needs to be reminded of the ask.
An example of how to quickly create common ground for the intention of the meeting would be something like this:
"Thank you, Ms. Dunn, for the time today. When we met a few weeks ago, you had asked me if my team can help you with a data breach concern. I have prepared a short presentation to support you with understanding this concern. Are you ready to see these results?"
Notice that I kept the language simple and asked the stakeholder for buy-in to present the results. This step is essential to ensure there is common ground to move forward with presenting. It also opens up the discussion in the event the stakeholder is not on the same page for the meeting and allows for any misunderstanding to be cleared up right away.
2. Know your role as a presenter
Identifying your presenter role is also a common source of uncertainty we see in training. Analysts are unsure if they are being asked to make recommendations, give advice, teach FAIR, or simply present the data (aka answering the stakeholder's risk-related question.)
If you don't know your role, ask. "Yes, Ms. Dunn, my team, can help you with your data breach concern. Are you looking for me to make recommendations or share the company's exposure?"
Here are the most common types of business presentations to help you determine your role:
- Informative: Brief and to the point. Stick to the facts and avoid complicated information. Neutral tone. Answers the stakeholder's question directly.
- Decision-making: Most common with prioritization, assessments, treatments. Designed to support stakeholders in taking action by giving evidence and pointing out what can happen if this is not done. Leverages comparisons.
- Persuasive/Consultative: Be clear if you are being asked to provide your advice or opinion - the analyst should be careful not to take on this role unless it is directly expected. Makes listeners accept and agree with the presenter's proposal. Often highly emotional to help gather support and approval. Leverages facts to support reinforcing credibility and solution.
- Instructional: Teaches new ideas, concepts, FAIR, etc. Give specific directions or orders. Checks the audience’s understanding of theory and practice. Very thorough and usually takes a long time.
3. Know your audience.
We use the term "stakeholder" generally, but not all stakeholders are alike. A business stakeholder is going to be quite different from your boss. A security executive will also have specific knowledge that a CFO, CIO, or board member might lack.
Most importantly, the presentation is about the audience (not the presenter). Spend time understanding what they care about and how they like to receive information. There are generally three types of audiences to support you in categorizing the type of presentation to create:
a. "Lay" – No special or expert knowledge on the topic. They need to connect with relatable examples, need background information, expect more definition and description, and want attractive graphics/visuals.
b. "Managerial" – May have more knowledge than the lay audience about the topic, but they need knowledge so they can make a decision about an issue. Provide background information, facts, and statistics.
c. "Experts" – They may be the most demanding in terms of knowledge, presentation, graphics, and visuals. Often "theorists" or "practitioners." Document formats are often elaborate and technical, style and vocabulary may be specialized or technical, source up-to-date citations.
4. Answer the stakeholders’ question in the language they understand
Once you've established the type of audience you are presenting to, then cater your language to meeting them where they are. Most likely, your audience will fall into the 'lay" and "managerial" categories.
It may seem like common sense to not talk in FAIR vernacular, but you just spent weeks, months, years learning this new language. It is incredibly important to take a step back and recognize that you may have built a habit using acronyms like "ALE" in place of words (Annualized Loss Exposure) or assumptions that everyone is on the same page with definitions of risk and vulnerability.
If Ms. Dunn has concerns about data breach, then communicate in her language. It is OK to explain new terms and provide explanations along the way, so we are all on the same page.
"Ms. Dunn, to analyze the exposure to data breach, we had to determine what the most valuable thing is to our company that would be impacted by a breach. We determined that it is PII. From an industry perspective, we know data breaches compromise the confidentiality of PII, and we focused on this happening by malicious cybercriminals. Do you have any questions on this approach?"[TM2]
Communicating the steps in "lay" terms for this audience type and checking for agreement allows everyone to stay on track. Ms. Dunn may fall into the "lay" category as it relates to a FAIR analysis. Still, she also may expect "managerial" details to help her make decisions on what to do next. This is why it is equally important to build your presentation and communicate in the style of the role Ms. Dunn asked of you (i.e., decision-making, informative, consultative, instructive.)
5. K.I.S.S. – Keep It Short & Simple
Time is one of our most valuable assets. You will quickly gain respect from your stakeholder when you learn to respect the value of his or her time. It is recommended to keep presentations high-level and organized while having detailed data as a back-up if the stakeholder chooses to dive further. Send the agenda with the meeting request and ask for alignment or changes. Use the agenda as the structure for the presentation.
Here is an example agenda:
- State the purpose/intention of the meeting
- List 3-5 Key Points that support goal(s) of the meeting
The more you practice, the better you get. By leveraging these five pro tips for presenting results, you will quickly gain a reputation in your organization for being an effective risk communicator.