Couple of thoughts.
1.) Exec's are targeting progress and high level metrics. Showing them how many failed login's or top 10 would mean nothing. If you are doing incident resolution or mitigation, I would recommend providing reporting on trending of how many incidents are resolved over a week period, maybe compare this to how many are opened. Other ideas are showing collection stats. How many EPS does the organization produce? How successful is the SIEM? (What were the original business definition or purpose for the SIEM? Show progress towards that goal. Show alert trending? Write up a summary of a incident the SIEM helped resolve with charts and graphs.
2.) There are various blogs out there that could assist in developing use cases
http://logmanagementcentral.com/
And/or, leverage RSA professional Services to help tailor the solution. Use case development could even start at reviewing the previous set of security incidents of 2010, and determine how one could leverage the SIEM to pro-actively either report or mitigate them.
3.) Also, for PCI or SOX definition, one must define what is In-Scope (What assets are required for compliance). Setting up proper groups and filters should be done during implementation or pre imp. Phase. Configuring a set of reports to run every day is a good start. These reports should map to the various compliance controls with the week ending reports running on Sunday AM for review on Monday.
4.) Capacity Planning is often overlooked. I recommend you develop weekly reporting on total events collected, average EPS, storage growth snapshot, and ETA on run out of space. Answering the question of what happens should never happen if you properly plan 
/db
