pressmaster - Fotolia
After-action report template and guide for DR planning
Conducting an after-action report following disasters or internal DR exercises is a critical process that will help prepare an organization for future disruptive events.
The after-action report is a vital activity that is altogether too easy to forget about when an organization is under stress. These days, that's probably most organizations. According to experts, having an after-action report template ready to go, conducting a review and preparing a report is a key process for learning from crises and making changes.
After reading what IT experts have to say about after-action reports (AARs), organizations can get started on creating their own reports with our free-to-download after-action report template. Report requirements and categories will vary by organization due to industry, size and other factors, but this template should give disaster recovery teams a head start in crafting a customized AAR.
An after-action report, also referred to as an after-action review, is an absolute must following emergencies, crisis events or test exercises. According to Claudia E. Tatum, senior business continuity, cyber and IT disaster recovery consultant at Remver IT Consulting, a critical aspect of AARs is that they provide a thorough analysis and learning opportunities that organizations can apply to strengthen future emergency responses. Moreover, creating an AAR enables organizations to reflect on what happened, why it happened and how to remedy existing weaknesses.
Why create an after-action report template?
In general, according to Tatum, AARs focus on "lessons learned" -- what the organization did right, as well as what needs improvement. The organization performing the AAR can then incorporate these lessons into training and policies to help shape the emergency response for future catastrophic events.
It isn't just a matter of identifying what went wrong. Like similar exercises, such as a business impact analysis (BIA) or risk assessment, an AAR can reveal gaps in planning, technology and areas of responsibility. Howard Foard, a senior associate at Booz Allen Hamilton's Global Commercial Wargame & Exercise Practice, said one of the roles of the AAR is to focus attention on those organizational gaps -- the things that need to be modified -- and then come up with actionable recommendations. To assist with this step, he recommended putting the issues in a matrix that lists the responsible parties and a deadline for addressing the problem. "This brings accountability to the recommendations," Foard said.
When first drafting an after-action report template, Foard suggested mining standard operating procedures, relevant government regulations, and service-level agreements or performance metrics to help shape what the document should monitor or measure.
Questions an AAR should answer
"An AAR helps organizations evaluate their responses to various situations," said Darren Deslatte, vulnerability operations leader at Entrust Solutions. "It assists you in determining whether or not a response was effective, if it should be used again or if it needs to be improved upon."
For example, if your hardware was set up incorrectly and failed, and that failure caused some network downtime that cost the company money, an AAR can assess what went wrong and what should have happened. "You can also report on how it was corrected and how to enact changes that will avoid that same issue going forward," Deslatte said. "The more detailed an AAR is, the more helpful it will be in the future."
According to Deslatte, each AAR should answer the following questions:
- What was supposed to happen?
- What actually happened?
- Why were there discrepancies?
- What aspects of your response worked?
- What didn't work and why?
- What should be changed for the next time?
"The first three questions ensure that all team members are in agreement about what should have happened and what actually happened during the scenario or project. The latter three questions give the team an opportunity to reflect and learn, and, ultimately, decide how the process can be improved in the future," Deslatte said.
The scope of an after-action report
Expanding on the AAR process, Ottomatias Peura, head of growth at Speechly, said the COVID-19 pandemic has brought many businesses into new crises. "At the beginning of the coronavirus, our business experienced some funding shortages due to lockdown; during this time, we had also had the disruption of moving to remote work and all the other added stress that the lockdowns brought," Peura said.
With any AAR, it is important to state the problem, he said. "We find it helpful to get multiple perspectives and not just have one person working on the AAR so that we can see and describe the problem from different vantage points," he said. Initially, the emphasis is just on observing and simply trying to figure out what occurred rather than providing a fix.
"After we feel the problem has been explained in detail, then we break down how our organization attempted to solve it," Peura said. It is important at this stage to understand what the intended outcomes were at the time and if these outcomes were realized. "By focusing not only on our solutions, but also the attempted outcomes, we can assess whether our attempted solution resulted in the desired outcome," he said.
Critiquing the solution and trying to determine if a better one could have been achieved is an important next step. "Reflecting on the positives and negatives of a given solution in this way allows us to imagine other ways we might approach the problem in the future," Peura said.
Finally, he said, one of the most important aspects of the AAR process is to codify the better options that are identified and try to embed them into a procedural document like an after-action report template, "so that we know what to do whenever a similar problem arises."
Similar to a BIA or risk assessment, the AAR should be an ever-changing document, receiving necessary adjustments and critiques when incidents or tests occur.
Effects of COVID-19 pandemic on the process
Frequently, organizations don't do a great job of completing AARs after major incidents, which can be hugely detrimental when that same incident happens again, Deslatte said. Instead of learning from their experience and having a plan in place, those organizations are unprepared for a crisis and suffer from the same setbacks all over again, which costs them time and money.
"The current COVID-19 pandemic has changed many workplace scenarios, which means that even if an organization has completed an AAR previously, the planned response might be rendered obsolete," Deslatte said. Too often, maintaining plans and training for business continuity are neglected, he said.
A smart, proactive project for IT professionals today is to take stock of their current AARs, make sure that they're up to date and assess which parts of them need to be adjusted for current events, such as staff working remotely or a leaner staff altogether. Rather than completely replacing past responses with responses informed by the pandemic, resilience teams should add these new strategies and considerations alongside the existing ones. "This gives you a variety of options to choose from based on the situation," Deslatte said.
Of course, one of the perennial challenges with developing AARs is ensuring that companies plan for all potential disasters, even those that seem unlikely. Foard recalled an AAR he was involved in a decade ago for an exercise designed to help a government agency develop a plan for a severe flu pandemic. At the time, a global pandemic approaching the scale of COVID-19 seemed farfetched. "We all started on that path, but mostly we thought it would never be used," he said. Completing the exercise early likely saved the agency a major headache down the line.
The key takeaway from that experience, Foard said, is to take AAR development "as seriously as possible." Even if a particular disaster seems unlikely, treating it as an inevitability will prepare an organization for the worst.