Manage Learn to apply best practices and optimize your operations.

Prepare an after-action report for disaster recovery

Paul Kirvan discusses the importance of creating an after-action report following a disaster recovery exercise and offers tips on creating the report.

Perhaps just as important as a business continuity or disaster recovery exercise is the document that summarizes...

what happened in the exercise, called an after-action report or AAR.

Exercises are conducted to validate that what has been developed with regard to a BC/DR plan and its processes. If the exercise proceeds through to a satisfactory conclusion, the AAR documents that fact. If the exercise does not proceed as planned, the AAR documents what worked right, what didn't work, what was created as a workaround or alternate process, who participated in the process, and the lessons learned in the course of the exercise.

After-action report outline

The following table describes the AAR components, what is provided in each section, and the value each section offers to the overall BC/DR process and the associated plan(s).

Exercise activity

Information provided

Value to the BC/DR plan

Purpose and scope

Describe the reason for the exercise and what is being exercised.

Sets the baseline for the exercise.

Exercise objectives

Defines what is expected from the exercise, e.g., validating that a specific recovery procedure works properly.

Defines what the endgame is for the exercise.

Exercise type

Identifies the exercise process, e.g., a tabletop, structured walkthrough or systems test.

Indicates the rigor of the exercise, ranging from a high-level review to a detailed step-by-step analysis.

Exercise methodology

Describes how the exercise was performed, e.g., where the exercise was held, what actions were performed in the exercise, what constituted the end of the exercise.

Provides a detailed explanation of the exercise; this is especially important from an audit perspective.

Participants

Lists the people who participated in the exercises and their roles.

Identifies who participated in the exercise.

Exercise scenario

Defines what situation presumably necessitated the launch of the exercise activity, e.g., a power failure that required launching of emergency power systems.

Provides the circumstances for the exercise to ensure the scenario was realistic and acceptable to management

Exercise findings

Identifies what actually happened in the exercise, based on time, event, who executed the activity, results, what alternate arrangements were made, how the exercise participants performed

Provides a sequential summary of what happened in the exercise; this is also important from an audit perspective

Summary of next steps

Lists what should occur after the conclusion of the exercise, e.g., rewrite the plan procedures, rewrite the exercise process, change the participant duties, conduct a follow-up exercise.

Demonstrates that the exercise is part of a process that results in the best possible BC/DR plan and its associated procedures.

Table 1

Use the above table as a framework for building your own after-action report. Set up the sections and prepare placeholders for you to write up the various elements of the AAR. When preparing for the exercise, the AAR document should also be prepared and ready for use.

Documenting the exercise

During the exercise, it is essential to have someone function as a "note taker." This individual can also serve as a timekeeper to ensure the exercise is conducted along specific time frames and is completed on or close to the desired target time. Documenting the exercise is a critical part of the overall exercise process, as it provides the evidence for improving BC/DR plans, as well as ways to improve future exercises.

Preparing the after-action report

If your exercise includes an immediate post-exercise discussion, typically called a "hot wash," this is an important opportunity to take notes that can be built into the after-action report. If you are the exercise facilitator and note taker, be sure to take time during the discussion to take notes of what is said, especially what worked, what didn't work and lessons learned.

Try to prepare the AAR as soon as possible following the exercise while details are still fresh in your mind. If possible, circulate the draft AAR to exercise participants for their comments and input. Once you have obtained all comments, prepare the final report for distribution.

Distribute the AAR to department heads whose operations were exercised, internal audit, risk, IT (if IT systems and assets were exercised) and senior company management.

An important part of the AAR is next steps, which may include recommendations to 1) improve the BC/DR plan, 2) modify an operational process to improve its recoverability, 3) identify recovery steps that may be in the wrong sequence, 4) identify changes to a system or technology that will improve its recoverability, or 5) determine changes to the exercise process.

Use the data in an after-action report as a tool for improving your overall BC/DR capabilities. An AAR is the ideal complement to an exercise. It also provides an important audit tool, documenting what happened in the exercise, what worked/didn't work, and what can be done to improve the BC/DR process.

About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at pkirvan@msn.com.

Next Steps

What your post-DR after-action review should include

DR test mistakes you must avoid

Security report writing best practices

This was last published in September 2014

Dig Deeper on Disaster recovery planning - management

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

3 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Are there any differences between the BC AAR and the DR AAR?
Cancel
In my experience the two terms, business continuity and disaster recovery, are used interchangeably in most cases. If, however, they are used to refer to what they actually mean, then there should be a difference.
Cancel
Nowadays, DR and BC are typically used interchangeably. The difference--and a very subtle one at that--was that DR referred to the recovery of apps and data, and BC referred to actually getting business systems up and running again. So BC also factored in things like personnel, office space, communications, etc.
Cancel

-ADS BY GOOGLE

SearchSolidStateStorage

SearchCloudStorage

SearchDataBackup

SearchStorage

Close