Stephen Gilfus

Executive Overview

    Board Reporting

    Board reporting is the discipline of translating technical posture into a decision the board can actually make. It is not a status update. It is the artifact a fiduciary uses to discharge a duty — and it has to read like one. Most of the technology reporting I see arriving at audit, risk, and technology committees would not survive that test. Mine is built to.

    A board does not want a dashboard. It wants a thesis. The reporting I build tells the committee what is true, what changed, what it means, and what decision is being asked of them — in two pages, on a cadence, with the evidence behind it one click away.

    The frame

    Reporting as a governance instrument

    The audit committee, the risk committee, the technology committee, and the disclosure committee are not the same audience and they are not asking the same question. The reporting they receive should reflect that. The frame I install treats each committee report as a governance instrument — owned by a named executive, signed against evidence, and produced on a published cadence — not as a slide deck that gets reformatted every quarter.

    The same underlying evidence base feeds all four committees. What changes is the lens: financial integrity for audit, risk appetite for risk, capability and investment for technology, materiality and disclosure for the disclosure committee. One source of truth, four reports, no contradictions between them.

    Anatomy of the report

    What a credible committee report contains

    These are the elements I require in every committee-grade report I sign. Anything missing means the report is not yet ready to leave my desk.

    • Position & change: A one-paragraph statement of the current posture and what materially changed since the last meeting. If you cannot summarize the position in a paragraph, the underlying posture is not yet understood.
    • Risk appetite reconciliation: Each material risk shown against the board-approved appetite, with breaches called out on the first page, not buried in an appendix.
    • Decisions requested: Every report ends with the decisions being asked of the committee, the options considered, and the recommended path. A report that asks for nothing should not be on the agenda.
    • Evidence trail: Every assertion linked back to its underlying evidence (control test, incident record, model evaluation, vendor SOC report). The committee should never have to take a number on faith.
    • Forward look: What the committee should expect at the next meeting, what trigger events would change that, and what the executive will bring back early if a threshold is crossed.

    Translating technical posture

    From CISO / CIO / CDO data to committee language

    Most technology leaders I work with already have the data. What is missing is the translation. Cyber dwell time, model drift, control coverage, incident severity, vendor concentration — these are precise inside the function and opaque outside it. The reporting layer turns each into something the committee can act on.

    • Cyber posture into risk language: Mean time to detect, recovery time objectives, and tabletop results expressed against the enterprise's risk appetite, not as scores out of ten.
    • AI posture into accountability language: Model inventory, risk tier distribution, evaluation deltas, and incident counts expressed in terms of decisions a human is accountable for, not in terms of model performance.
    • IT posture into investment language: Capability gaps and remediation plans expressed in capital and run-rate impact, with explicit trade-offs against the strategic plan.
    • Compliance posture into obligation language: Regulatory obligations, attestation status, and exception aging expressed against named regimes and their enforcement posture, not against an internal control taxonomy.

    Disclosure & external audience

    Reporting that anticipates the regulator

    The same reporting that informs the board has to be defensible to an external audience: the auditor, the regulator, the rating agency, the institutional investor. I build the reporting layer with that audience already in the room, so nothing in the committee report contradicts what will later appear in the 10-K, the proxy, the 8-K narrative, or the regulator response.

    The disclosure committee gets a dedicated view that pre-stages materiality decisions, 8-K narratives, and proxy disclosures — so when an event happens, the writing is editing, not drafting.

    How it runs

    The operating cadence

    Quarterly reports to each committee, an integrated annual report to the full board, and an exception cadence that surfaces material change between meetings rather than waiting for the calendar. Reports are signed by the accountable executive, peer-reviewed before they leave the management team, and stored in a single committee record. Pre-reads land at least five business days ahead of the meeting; the meeting time is spent on decision, not on briefing.

    Done this way, board reporting stops being the work the executive team dreads in the week before each meeting and becomes the work that disciplines the underlying program — because the report cannot be written if the operating model underneath it is not running.

    If your committee meetings are spent decoding the deck instead of making decisions — or your reporting and your disclosures are not telling the same story — the reporting layer is the right place to start. That is the work I do.