How to turn your quarterly report into a sales moment

You have a platform and you have data, but for a customer, isolated figures mean little. The question every partner runs into sooner or later is: what do I actually say to my customer? A list of completed training sessions convinces no one, whereas a clear story about behavioural change is exactly what makes the difference between a customer who cancels and a customer who renews.

This article gives you a fixed structure for your quarterly conversation, often called a QBR, and shows how you turn the figures from 2LRN4 into a decision. It connects to "How to build a revenue model around security awareness", because reporting is precisely the place where you make your advisory value visible.

The three levels of reporting

Good reporting builds up across three levels. Each level answers a different question and is intended for a different reader within your customer's organisation. Start at the bottom with compliance and work towards business impact, because that is where the story sits that resonates with a management team.

Level	What you show	For whom	Example figures
1. Compliance	That everyone has taken part and the basics are in order.	The auditor and the regulator.	Completion rate, click rate on phishing.
2. Trend	That behaviour is improving over time.	The security officer or the responsible manager.	Click rate falling each quarter, more people reporting.
3. Business impact	That the culture is changing and the risk is falling.	The management team and the board.	Number of reports rising, time to report falling.

Level 1: Compliance

This is the foundation that every organisation needs in order to demonstrate that it is meeting its duty of care. You show what proportion of employees has completed the training and how the organisation scores on the phishing simulations. Under NIS2 and the GDPR, this is valuable evidence, because a regulator wants to see that awareness was not a one-off action but an ongoing programme. Keep this level brief, because it is necessary but not the story that gets your customer excited.

Level 2: Trend

This is where it gets interesting, because you show the movement over time. A single measurement says little, but a click rate that falls over three quarters tells a story of progress. Always compare with the previous period and name both what is improving and what is lagging behind. An honest trend, even when it is not positive everywhere, makes you credible and immediately gives you a topic for the coming quarter.

Level 3: Business impact

This is the level that resonates with a management team, because it is no longer about training but about behaviour and culture. The strongest signal is often the number of reports of suspicious messages, because that rises as people become more alert and feel safer about reporting something. An organisation that goes from zero to a handful of reports a month shows that employees are thinking along instead of looking away. Translate that into what it means: a lower chance of a successful attack and a demonstrably lower risk.

A fixed structure for your quarterly conversation

A quarterly conversation works best with a fixed structure, so that your customer knows what to expect and you forget nothing. You work through the structure below in about half an hour, and it always ends with a decision.

1. Review of the agreements. Start with the goals you agreed last quarter, so that the conversation has direction from the outset.
2. The figures on the three levels. Run briefly through compliance, then the trend, and spend most of the time on business impact.
3. Your translation. Explain what the figures mean for the organisation. This is your added value, because the customer can see the numbers but cannot interpret them.
4. One or two decisions. Propose concrete actions for the coming quarter, for example an extra training for the finance department or a campaign on a specific theme.
5. Look ahead. Agree the goals for the next conversation, so that the cycle is complete.

By repeating this structure every quarter, you build a storyline that takes the customer along over time. You not only show what has happened, but also where you are working towards together.

Every report is also a sales moment

A quarterly conversation is not only a review, but also the natural moment to propose a next step. The figures point out the opportunities for themselves. If you see that a particular department still does not recognise phishing well, that is the opening for a classroom training for exactly that group. If desired behaviour is lagging, for example the reporting of suspicious messages, you can propose a targeted communication campaign. A disappointing trend is therefore not bad news, but a concrete starting point for your next assignment.

Link every finding to a service from your offering. This is where the figures come together with the revenue models from "How to build a revenue model around security awareness": the report shows the need, and you have the service that matches it. In this way, your reporting becomes not an obligatory exercise, but an engine for recurring revenue.

What the figures show	Which next step you propose
A department still does not recognise phishing well enough.	A classroom training for that specific audience.
Few employees report suspicious messages.	A communication campaign on the importance of reporting.
The management team wants more grip on the risk.	A multi-year programme with direction and board reporting.
A new department or location is being added.	A baseline measurement and a rollout for that new group.
The customer has an audit coming up soon.	Compliance and audit support with the right reporting.

By tying reporting and offering together in this way, your proposal never feels like a sales pitch, but like a logical next step that the customer sees in the figures themselves. That is the most pleasant way to sell, because you are solving a visible problem.

Report behaviour, not training activity

The biggest pitfall in reporting is telling the customer how much training has taken place instead of what has changed. A management team is not interested in the number of completed modules, but in whether the organisation has become safer. Put the behavioural figures up front, therefore, and use compliance only as supporting evidence.

A handy test is to ask yourself, for each figure: does this show that people are acting differently? A completion rate says that someone has taken a training, but a rising number of reports says that someone is behaving differently. The latter is what convinces a customer to renew, and it is exactly what you can demonstrate with the platform.

How to put this into practice

The division of roles is simple: the 2LRN4 platform provides the figures, and you provide the interpretation. Create a fixed structure for your reporting that you reuse for every customer, so that each quarter you only have to fill in the current figures and have time left for the conversation itself. In this way, your service scales along with your customer base without each conversation costing fresh work.

Start small with the three levels and build out your structure as you notice which figures resonate most with your customers. Get in touch to discuss which reporting from the platform suits the conversations you have with your customers.

Sources for further reading

You will find the platform's reporting capabilities on the partner page. For the broader context of the revenue model and the sales conversation, see "How to build a revenue model around security awareness" and "How to sell security awareness in a conversation".

Related on partnership

How to build a revenue model around security awareness · How to sell security awareness in a conversation · 2LRN4 partner programme

FAQ

What do you report to a customer about security awareness?

You report on three levels: compliance (did everyone take part, for the audit), trend (is behaviour improving over time) and business impact (is the culture changing, for example because more people report suspicious messages). The platform provides the figures, and you translate them into what they mean for the organisation.

What is the difference between reporting on compliance and on business impact?

Compliance shows that everyone has taken part and is intended mainly for the auditor and the regulator. Business impact shows that behaviour and culture are changing and is intended for the management team. Compliance is the supporting evidence, business impact is the story that convinces a customer to renew.

How often do you hold a quarterly conversation with the customer?

As the name says, every quarter, so four times a year. That rhythm is frequent enough to show a trend and adjust course, but not so frequent that the conversation becomes an obligation. Keep a fixed structure, so that the customer knows what to expect and you work efficiently.

Which figures show real behavioural change?

The number of reports of suspicious messages is the strongest signal, because that rises as people become more alert. In addition, a falling click rate on phishing simulations and a shorter time to report show that people are acting differently. A completion rate only says that someone has taken a training, not that behaviour has changed.

Who provides the data for the reporting?

The 2LRN4 platform provides the figures automatically, so you do not have to keep track of anything manually. Your role is to interpret those figures and translate them into a decision for the customer. That is where your advisory value sits, and that is why reporting is a natural part of a managed service or a multi-year programme.