Why one-page board reporting works
Boards need clarity, not length. A single page with clear metrics and actions supports informed oversight and accountability. Regulators and insurers expect boards to receive regular, meaningful updates on cyber and IT risk, not a once-a-year tick-box exercise or a 50-page technical report.
Suggested sections for your one-pager
Headline posture — e.g. StrategyOS Score or equivalent; trend vs last period (improving, stable, declining). One number or traffic light that the board can grasp.
Top risks — 2–3 current priorities (e.g. ransomware, supply chain, compliance). Brief description and owner; not a full risk register.
Key controls — Status of incident response (tested?), backup testing (last test date?), Cyber Essentials/compliance (certified? gap plan?). One line each; evidence on request.
Incidents and near misses — Brief summary of any material incidents or near misses in the period; lessons learned and actions. If none, say so—don't leave a blank.
Next quarter — 2–3 planned initiatives (e.g. tabletop exercise, MFA rollout, insurance renewal). Keeps the board aligned with what is coming.
What good looks like vs common gaps
Good: One page; headline metric (e.g. StrategyOS Score) with trend; risks and controls with owners; incidents and next steps. Board can read it in 5 minutes and ask informed questions.
Common gaps: No headline metric; risks listed without owners or treatment; no incident summary ("nothing happened" or silence); no forward look.