Many organizations successfully endure a major business disruption and then drop the ball by not looking back at the event and drawing lessons from it for the future. In today’s blog, we’ll look at how performing a Post-Incident Analysis (PIA) can help you turn a disruption into a powerful opportunity for learning and improvement.
In many fields, it’s routine to look back at past events to learn lessons that can be applied in the future. The Army conducts after-action reports, secret agents get debriefed, and football teams review game film.
However, in the world of Business Continuity (BC) and IT/Disaster Recovery (IT/DR), such post-event reviews are surprisingly rare.
A GOLDEN OPPORTUNITY
This is regrettable because a major disruption, while definitely a pain in the neck, is also a golden learning opportunity.
Don’t you think, after a disruption wreaks havoc on your organization, that you should at least try to get something positive out of it afterward by mining the event for useful insights?
Also, a disruption can reveal many gaps and weaknesses in your readiness that really should be closed to prevent an equal or worse problem from occurring in the future. The best way to find and fix these is by a systematic analysis after the event.
For all these reasons, I strongly recommend that companies that emerge from a significant business disruption conduct a formal review of the incident after the dust settles. Specifically, I recommend they conduct what’s known as a Post-Incident Analysis (PIA).
WHAT A PIA IS AND ISN’T
A PIA is the reconstruction of an incident to assess the chain of events that took place, the methods used to control the incident, and how the actions of your organization as well as those of outside entities such as emergency services and third-party vendors contributed to the eventual outcome.
A PIA is not a forum for criticizing anyone’s performance during the incident or second-guessing any actions that were taken.
BENEFITS OF A PIA
Conducting a PIA can bring many benefits to an organization just emerging from a business disruption. These include:
- Creating a comprehensive record of the incident from which departmental procedures and recovery plans can be evaluated.
- Allowing an assessment of response and company response areas under actual conditions.
- Providing an assessment of the communications carried out during the event with internal and external stakeholders.
- Supplying an assessment of the organization’s safety practices and related procedures.
- Giving an assessment of the training needs for department personnel.
- Providing an assessment of the organization’s working relationships with outside agencies.
- Allowing an assessment of the organization’s alternate work sites and strategies.
THE PIA MEETING AND REPORT
What should the PIA meeting and report cover? The following areas should be addressed, at a minimum:
- Date and time of the incident. The date and time the event occurred.
- Location of incident. The location and address of the incident.
- Type of incident. Include a brief description of the type of event (fire, flood, workplace violence, power failure, etc.) that required the activation of the Business Continuity Plan (BCP).
- Situation upon activation of the BCP process. Include a brief description of the situation encountered by the first personnel assessing or arriving on the scene. The type of personnel responding should be listed.
- The final outcome of the incident. List the extent of damage and impact to business operations. Also, include personal injuries or casualties if applicable.
- Strategy. List the strategies chosen to respond and recover from the event. For each strategy, list what the strategy entailed (e.g., close off the building and relocate affected staff) as well as the results of implementing each strategy.
- Common obstacles. List those problems encountered by more than one department or Incident Commander (IC) that may indicate a need for a review of department procedures or training or recovery plans.
- Recommendations. List any recommendations for correction or reduction of these obstacles.
- Operational successes. Look at what operations worked well and why. Consider strategies and results, not only at the IC level but also at the department level, if appropriate. This helps reinforce procedures and tactics that were successful so they may be applied to similar situations in the future.
- Stakeholder communication. Review the process of internal and external communications used during the incident. Were communications adequate, proactive, and regularly updated? Were the appropriate stakeholders communicated with during and after the event?
- Incident organizational chart. Using a simple organizational chart, show lines of authority and responsibility. Identify the span of control. This allows for a more formal review of the BCP process in order to identify the positive aspects and correct deficiencies.
GETTING THE PIA REPORT REVIEWED AND APPROVED
The final PIA report should be formally reviewed and approved by the appropriate parties to ensure accuracy and comprehensiveness.
Ideally, the PIA should be completed within 14 days of the incident, while memories are fresh and the needed records and source materials readily available.
All participants in the analysis process must be truthful and candid in an effort to determine operational or management areas that must be improved.
Note also that it is important to remember that the purpose of the PIA report is not to criticize or discipline any person or to second-guess any action taken during the event.
THE SILVER LINING
A major business disruption is as much fun as a case of the measles. However, organizations can find the silver lining in the cloud by conducting a Post-Incident Analysis.
By conducting a PIA meeting and writing a PIA report as described above, you can identify what you are doing right and also where your gaps and vulnerabilities lie.
This information can help you improve your business recovery plans and strategies moving forward, increasing the resilience of your organization and better-protecting everyone who depends on it.
For more information on this and other hot topics in business continuity and disaster recovery, check out the following recent posts on BCMMETRICS and MHA Consulting.
- Client’s Guide to Hiring a BC Consultant
- Hanging by a Thread: Protecting Yourself from Single Points of Failure
- Sweating the Big Stuff: 5 Things that Really Matter in BCM
- Whitewash: When Clients Try to Get BCM Consultants to Conceal Their Problems
- Become a Master of Disaster: Educate Yourself with These Key BC Resources