BLUF – There are three core questions underlying intelligence reports. Answering these questions creates concise, direct communication whilst retaining relevance to the original observation and audience.

Background

In the intelligence field there are a lot of studies done with historical context, relative projections and, in some cases, predictive analysis. Often times these studies extend into a long report covering a long period of time, ensuring every bit is covered (though without any recommendations, as it’s not our role). Unfortunately, doorstop studies act as wonderful reference documents (or paperweights), but tend to lose sight of the holiest of holies for the intel community: the trinity of intel.

Now you may be asking why you’ve studied intel and not heard of said trinity. How you could be in the intel community and not heard it referred to as such. But you have, as you know the three questions at the core of intelligence.

What? So what? Now what?

If there is to be an answer provisioned within intel, at the core it will bear these three questions.

What: Observing what happened, the details of an incident, activity, or other observation. This lays the facts of what we know. Period. Unless it is a fact (preferably vetted) and known, it is not part of this portion of the discussion. This is usually the first portion under the executive summary or BLUF.

• E.g. On Wday Xmonth, we observed a paper wrapped package tied to a red balloon land at Ylocation. The package remained at this location for Zduration. It is unclear if Ylocation was the intended destination.

So what: Explain the event or observation’s significance, provisioning a reason to care for the audience. Why your observation is important is framed in the context of:

• Previous observations: this confirms or alters what we’ve seen happening and gives greater understanding to the group/tool/etc under observation. This provisions context, adding to the general understanding of the current observation by showing how the current action/ group etc observed is adding to the existing body of knowledge about it.
  • E.g. This is similar to other observed package deliveries observed in the last Xmonths/weeks/years based on the new implementation of the US Postal Services’ automated non-drone delivery service. This service is exploring other options to ease the increased inflation costs of drone-based deliveries due to the propeller shortages stemming from…
• Things we care about: a different approach would be looking at what this could mean for the interests of the audience. Especially when referencing potential risk to individuals or organisations, it captures attention as it identifies how the observation could be meaningful to programmes, projects, or the organisation itself.
  • E.g. Undisclosed packages delivered without personal presence of a human could present a risk to an organisation’s physical security, accurate delivery, and the urban wildlife-in-residence. Even without malicious contents being delivered, the inconsistent climate attributed to varying altitudes could have inadvertent impacts to the contents of the package – especially related to consumable items such as food.

Now what: What do we look for in the future in relation to this observation/ event? Does this change or verify expectations? Do we expect more of the same or a different approach? These questions can be answered in these frameworks:

• Expectations of the observed parties: After watching the observation and contextualising what was going on, what can we expect to see in relation to the activity or the party conducting it? As a bit of predictive analysis, we try to fit soft logic conclusions in this part – as rarely does a single incident cause sweeping change, but we may see either more/ less/ same logically following the behaviours observed.
  • E.g. With limited confirmation packages were delivered to the proper address in the allotted time using the balloon-release method, it is likely USPS will continue to experiment with other discussed solutions to provision a more consistent mode of delivery.
• Expectations of the audience: Taking a different route, this provisions actions to be taken on behalf of the audience or things to be done by the audience. By creating actionable intelligence, the writer uses the event to support a desired outcome – something verboten in traditional intelligence. Not without reason, as in traditional intelligence we merely look for the cause and correlation, reporting on it as independently as possible, eliminating bias and groups’ potential for stacking the deck in their favour as much as possible. In a nation-level intelligence communities, there is too much at stake for agendas to be pushed via intelligence. Most of us in the private sector have comparatively fewer lives or resources at stake, sharing intel with fewer decision-makers holding sufficient institutional knowledge to fully understand how to interpret intel to take action. Oftentimes it’s unclear what actions to take – so in private sector, unless told otherwise, provisioning recommendations is not bad.
  • E.g. (general awareness) Your postal security team at Xorganisation is diligently monitoring for balloon or other implement-delivered packages, to ensure the package is right, and gets to the right place. If you see a package delivered by bird, balloon or any other means, please call postal security at xxx-xxx-xxxx.
  • E.g. (senior-level decision-makers) The postal security team has implemented a process control manual for the retrieval, securing and delivery of balloon-delivered parcels, however requires Xteam or Ytool to be able to process further parcels at Zdestination.

The intel trinity is vital to answering the core questions your readers have. Works quite well in conversations with limited time and attention paid. In relaying important observations and analysis, using the trinity to keep your output concise and relevant to both the event and the audience helps drive the necessary decisions they didn’t know needed made.

-scl