The Importance of Conducting After-Action Reviews During the COVID-19 Crisis
Contributors: Keith Jones, SEC Subject Matter Expert, former CSO for The Charles Stark Draper Laboratory, Inc. and Dan Sauvageau, SEC Subject Matter Expert, former CSO for Fidelity Investments
Where this issue fits in the phases of the pandemic: Hot spots, flare-ups, next waves, business resumption, and phased recovery.
Summary: An After-Action Review (AAR) is a process-based approach used post events to provide insights, observations, and lessons learned to improve future actions for similar scenarios/events. AARs have their origins in the U.S. Army, dating back to the Vietnam war era and have since been adopted by various entities in both the private and public sectors. If conducted properly, they will provide a team with a retrospective analysis of the management of and response to an incident. The overall goal is to identify and document strengths, for example, risks that were mitigated, and areas for improvement.
This pandemic came as a great surprise to the world; there will be ample lessons-learned for most of us. We recommend starting AARs early in the course of this pandemic. Health officials warn of the strong possibility that a second round of COVID-19 cases is inevitable in the fall or winter of 2020. Since this event has a long duration it is suggested that AARs are conducted across all critical phases of the pandemic.
The following should be considered when conducting AARs:
- An AAR is not a process to blame, judge, or embarrass individuals, teams, or functions; instead, it is a process to:
- Improve individual and team performance.
- Increase proficiency and confidence with your company's ability to recover from an incident and return to "better-than-normal".
- Apply lessons for future success.
- Gather proven industry practices that may be incorporated into your incident management plans going forward.
- A cross-section of stakeholders should meet, including Security, HR, Legal, Safety, Audit, and Operations. Other functions may be added depending upon the organization's structure. Include every function that played a material role in the response/management of the incident without expanding the team to an unwieldy size.
- Stakeholders should agree upon the stated goals of the team.
- When the management of the incident concludes and operations return to "better-than-normal", stakeholders should meet immediately to prevent memories from fading; it is essential that lessons-learned be freshly documented electronically to maximize the full potential of accurate information for future use.
- Several key components of your company's incident management plan should be considered for evaluation, such as:
- What was the goal of implementing your company's incident management plan?
- Was the goal achieved?
- What aspects of your company's incident management plan were successful?
- What aspects of your company's incident management plan failed?
- What are the root causes of failure?
- What would you do differently next time?
- Once your company's incident management plan is thoroughly evaluated, recommendations and proposed adjustments should be considered and decided upon.
- Consider benchmarking after action review results with trusted colleagues to compare quality, cost, and measured effectiveness
Security leaders and other stakeholders must gain a full understanding of the current problems facing businesses that are currently open or will open soon. For example, from the Washington Post: Thousands of OSHA complaints filed against companies for virus workplace safety concerns, records show
Over the past five decades, there has been much written on how organizations can conduct effective AARs along with detailed procedures and templates. Rather than delve into the finer details of the AAR process and dos and don'ts, we suggest that organizations conduct their own research to find what format and set of tools work best for them.
We close with a quote from Winston Churchill, who valued the importance of lessons-learned exercises, as he once wisely stated: "The farther backward you can look, the farther forward you are likely to see."
For more resources see SEC's COVID-19 Security Related Resources
Contact us if you need assistance in COVID-19 strategic planning, response, or recovery at email@example.com