Writing an Executive Summary is harder than writing the actual report for a client.  It’s easy to report on what you did, what you found, the effects, and of course, how to fix them, but writing the Executive Summary is often the most challenging part.   Hopefully I can share a few pointers to help you perfect your Executive Summary.

The Executive Summary has to tell the reader, who is often in a very different role, the key points of your report.  In many cases, the entire report can be 50+ pages and contain a wealth of information and details; you have to get the key pieces down to just a page.  Here are a few helpful hints:

  • Know your audience for the Executive Summary – but don’t write it exclusively for them.  Trust me.  Other people will be reading it.  For example, your 50 page detailed information security risk assessment will likely go to the Director of IT Security and their team, but the Executive Summary may be destined for the CISO.  So, write it for that person, but make sure that the General Counsel, the CIO, the Chief Compliance Officer, the Privacy Officer, and the Chief Operating Officer will be able to understand and appreciate the information in the Executive Summary.  These are often NON-TECHNICAL people.
  • The Executive Summary should be about one page.  It can be a bit more or a bit less.  But it is an EXECUTIVE SUMMARY.  Executives are busy, have multiple responsibilities, and want to get to the “So What?” question pretty quickly.  Summary means a “brief statement or account of the main points”.  Hence, it’s short.  Like a page.
  • The Executive Summary should include what you did, what you found, the “So What?”, and the recommendations or options.  Nothing else.
  • The “So What?” can also include a score or some type of impact/result of the findings – either relative to other businesses or perhaps a compliance score (or whether they passed or failed) – which leads very nicely into the “So What?” question.
  • The recommendations have to be specific.  Now, you can’t include all of the details, but you can say what programs need to be built out, or what types of patches need to be installed – to give the reader a sense of what has to be done.  As a bonus, I sometimes like to include what the score or potential end result will be.  Perhaps they failed a PCI Compliance pre-review, but if they fix these things, they would likely pass.  That helps the Executive Summary reader understand the benefits of completing the recommendations.
  • Re-Read it.  Read it backwards.  Have a co-worker who was not involved with the project read it and make sure that they understand what you are trying to say.  Then have a few others read it to get some additional insight and incorporate any feedback that you may receive.

The Executive Summary is going to be the most read section of the report.  It is often not read before the report, but in lieu of reading the report.  So, the Executive Summary is not an introduction to your 50+ page report.  It is an alternative version that has to stand alone.  It’s sometimes frustrating to know that a lot of hard work went into the report.  And I’m sure it will be read by those who will have to understand it, but the Executive Summary is going to be read by more people who are often more senior in the company, so it has to be flawless.

And remember to make your recommendations specific.  Actionable.  And Relative.
