After-Action Reviews: From Incident to Improvement
The after-action review (AAR) is where an incident either compounds into organizational learning or evaporates into folklore. The difference is discipline — a consistent structure that leadership, insurers, auditors, and regulators all recognize.
This guide provides the AAR template we use inside IR-OS and explains why each section exists. The template works for real incidents and for tabletop exercises — the structure is the same, only the stakes differ. For how to run the exercises themselves, see our tabletop exercise guide.
Why Most AARs Fail
The three most common failure modes:
- The war story. A narrative that is engaging but extracts no actionable findings.
- The blame report. A document that makes someone the villain, which guarantees the next incident will be hidden instead of reported.
- The wish list. Recommendations without owners, severities, or dates.
A good AAR avoids all three by forcing a specific structure and a specific review cadence.
The Eight-Section AAR Template
1. Executive Summary (one page, no jargon)
Leadership will read this and nothing else. It must answer: what happened, how did we respond, what was the impact, and what are we changing. A VP of Sales or board member should understand it without looking up a single acronym.
2. Incident Timeline
A precise, timestamped record from initial indicator through full recovery. Every decision, every notification, every handoff. This is the section that a regulator or plaintiff's attorney will read most carefully, so it must be defensible. This is exactly why IR-OS records every event in an append-only hash-chained ledger — see the defensible record.
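To show what "append-only hash-chained" buys a timeline in practice, here is an added example (my own code, not IR-OS's ledger implementation, whose format is not described on this page) in which each timeline entry commits to the hash of the entry before it, so that editing, reordering, or silently deleting an event breaks the chain at a detectable position. The entry fields mirror the `timeline` objects of the JSON format later on this page; the `GENESIS` constant, the sample events, and the SHA-256 construction are assumptions of this example.

```python
"""Tamper-evident incident timeline via a hash chain (added example, not IR-OS code)."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Assumed: the first entry chains to a fixed all-zero predecessor.
GENESIS = "0" * 64


@dataclass
class TimelineEntry:
    timestamp: str        # ISO 8601, as in the page's timeline schema
    event: str
    decision_by: str
    prev_hash: str        # hash of the preceding entry (GENESIS for the first)
    entry_hash: str = ""  # SHA-256 over this entry's canonical form


def canonical(entry: TimelineEntry) -> bytes:
    """Stable byte serialisation so the same entry always hashes identically."""
    payload = {
        "timestamp": entry.timestamp,
        "event": entry.event,
        "decision_by": entry.decision_by,
        "prev_hash": entry.prev_hash,
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: List[TimelineEntry], timestamp: str,
                 event: str, decision_by: str) -> TimelineEntry:
    """Append a new event that commits to the current chain head."""
    prev = chain[-1].entry_hash if chain else GENESIS
    entry = TimelineEntry(timestamp, event, decision_by, prev)
    entry.entry_hash = hashlib.sha256(canonical(entry)).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: List[TimelineEntry]) -> Optional[int]:
    """Return None if every link holds, else the index of the first broken entry.

    Two things are checked per entry: its prev_hash equals the previous
    entry's hash (catches deletion/reordering), and its own hash matches
    its contents (catches in-place edits).
    """
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.prev_hash != expected_prev:
            return i
        if hashlib.sha256(canonical(entry)).hexdigest() != entry.entry_hash:
            return i
        expected_prev = entry.entry_hash
    return None


def build_sample_chain() -> List[TimelineEntry]:
    """Constructed sample timeline; the events are illustrative, not from a real incident."""
    chain: List[TimelineEntry] = []
    append_entry(chain, "2024-03-01T09:12:00Z", "EDR alert on file server", "SOC analyst")
    append_entry(chain, "2024-03-01T11:05:00Z", "Backups isolated from production network", "Incident Commander")
    append_entry(chain, "2024-03-01T11:40:00Z", "Outside counsel engaged; privilege asserted", "Legal liaison")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain) is None)
    chain[1].event = "Backups isolated"  # after-the-fact edit
    print("first broken entry after edit:", verify_chain(chain))
```

Running the module prints that the untouched chain verifies and that a later edit to the second event is reported at index 1. Removing an entry from the middle is caught the same way, because the following entry's `prev_hash` no longer matches its new predecessor. For a court- or regulator-facing record, the chain head would additionally be anchored somewhere outside the writer's control (a timestamping service, a separate log), which this example does not do.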
3. What Worked
Often skipped, always important. If you do not document what worked, you cannot protect it from being "improved" into nothing. Examples: "The decision to isolate backups at hour 2 preserved recovery." "The legal liaison maintained privilege from the start." "The comms lead drafted the customer statement before it was needed."
4. Gaps Identified (with severity)
Each gap gets a consistent severity rating. We use three levels:
- Critical — gap would materially worsen a future incident. Must be remediated within 30 days.
- High — gap would slow or complicate response. Must be remediated within 90 days.
- Medium — friction and inefficiency. Should be remediated within 180 days.
5. SLA Compliance
Did you meet your own response SLAs? Did you meet the regulatory clocks (SEC, GDPR, HIPAA, state law)? Did you meet the insurer's first-notice window? Did you file the 8-K within four business days of materiality determination? This is a factual table — met or missed, by how much.
6. Regulatory Notification Status
Every notification made, every notification declined, every decision documented. If you decided not to notify a regulator or data subjects, explain why — this is the Article 33(5) accountability paper trail that GDPR specifically requires.
7. Remediation Plan
Every gap from section 4 becomes a row here with:
- Gap description
- Severity
- Owner (a human, not a team)
- Due date
- Success criteria (how you will know it is closed)
- Status (open, in-progress, closed)
8. Appendices
Evidence, not narrative. Full hash-chained timeline, copies of notifications, screenshots, communication threads, vendor reports. Kept under privilege where applicable.
The Structured JSON Format
Inside IR-OS, every AAR is stored as structured JSONB — not a Word document — so it can be queried, compared across incidents, and exported to other formats. The schema:
{
  "incident_id": "uuid",
  "executive_summary": "string",
  "timeline": [{"timestamp": "iso8601", "event": "string", "decision_by": "string"}],
  "what_worked": ["string"],
  "gaps": [{"id": "string", "severity": "critical|high|medium", "description": "string"}],
  "sla_compliance": {"internal": {"met": true, "notes": "..."}, "sec": {"met": true, "notes": "..."}},
  "regulatory_status": [{"regulator": "SEC", "action": "notified", "date": "..."}],
  "remediation": [{"gap_id": "string", "owner": "string", "due": "date", "status": "open"}],
  "appendices": ["url"]
}
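One reason to keep the AAR structured rather than in a Word document is that the rules in sections 4 and 7 can be checked mechanically: every gap needs a remediation row, every row needs a named owner, and the due date must fall inside the severity window (30/90/180 days). The following added example (my own code, not an IR-OS feature) runs those checks over the schema above. It assumes the windows are counted from the date the final AAR is approved, adds a `success_criteria` field that section 7 lists but the schema sketch omits, and uses a crude keyword heuristic for "owner is a team, not a human"; the sample AAR is constructed.

```python
"""Consistency checks over a structured AAR (added example, not IR-OS code)."""
from datetime import date, timedelta
from typing import Dict, List

# Remediation windows from section 4 of the template.
SEVERITY_WINDOW_DAYS = {"critical": 30, "high": 90, "medium": 180}
# Allowed values from the remediation schema.
REMEDIATION_STATUSES = {"open", "in-progress", "closed"}
# Assumed heuristic: owners containing these words are probably teams, not people.
TEAM_WORDS = ("team", "group", "dept", "department", "squad")

# Assumed: windows are counted from final AAR approval (T+30 in the cadence).
APPROVED = date(2024, 3, 31)


def remediation_due(severity: str, approved: date) -> date:
    """Latest acceptable due date for a gap of the given severity."""
    return approved + timedelta(days=SEVERITY_WINDOW_DAYS[severity])


def validate_aar(aar: Dict, approved: date) -> List[str]:
    """Return a list of findings; an empty list means the AAR passes the checks."""
    findings: List[str] = []
    gaps = {g["id"]: g for g in aar.get("gaps", [])}
    rows = {r["gap_id"]: r for r in aar.get("remediation", [])}

    for gid, gap in gaps.items():
        severity = gap.get("severity")
        if severity not in SEVERITY_WINDOW_DAYS:
            findings.append(f"{gid}: unknown severity {severity!r}")
            continue
        row = rows.get(gid)
        if row is None:
            # A gap with no remediation row is the "wish list" failure mode.
            findings.append(f"{gid}: no remediation row")
            continue
        owner = str(row.get("owner", "")).strip()
        if not owner:
            findings.append(f"{gid}: no owner")
        elif any(word in owner.lower() for word in TEAM_WORDS):
            findings.append(f"{gid}: owner {owner!r} looks like a team, not a person")
        due = date.fromisoformat(row["due"])
        latest = remediation_due(severity, approved)
        if due > latest:
            findings.append(f"{gid}: due {due} exceeds {severity} window (latest {latest})")
        if row.get("status") not in REMEDIATION_STATUSES:
            findings.append(f"{gid}: invalid status {row.get('status')!r}")
        if not row.get("success_criteria"):
            findings.append(f"{gid}: no success criteria")

    # Rows that point at gaps which do not exist in section 4.
    for gid in sorted(rows.keys() - gaps.keys()):
        findings.append(f"{gid}: remediation row references unknown gap")
    return findings


# Constructed sample: one clean gap, one with a team owner and a late due date,
# and one with no remediation row at all.
SAMPLE_AAR = {
    "incident_id": "00000000-0000-0000-0000-000000000000",  # placeholder uuid
    "gaps": [
        {"id": "G-1", "severity": "critical", "description": "No offline backup restore test"},
        {"id": "G-2", "severity": "high", "description": "On-call roster out of date"},
        {"id": "G-3", "severity": "medium", "description": "Customer statement had no approval path"},
    ],
    "remediation": [
        {"gap_id": "G-1", "owner": "A. Example", "due": "2024-04-25", "status": "open",
         "success_criteria": "Quarterly restore from offline backup succeeds"},
        {"gap_id": "G-2", "owner": "Platform team", "due": "2024-09-01", "status": "open",
         "success_criteria": "Roster reviewed at every monthly CISO staff meeting"},
    ],
}


def run_sample() -> List[str]:
    """Validate the constructed sample against the assumed approval date."""
    return validate_aar(SAMPLE_AAR, APPROVED)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run as a script, this reports the team-named owner and the out-of-window due date on G-2 and the missing row for G-3, and nothing for G-1. The same checks can be expressed as a query against the JSONB column once the data is in a database; the point is that they are checks at all, which a narrative document does not allow.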
The Review Cadence
An AAR that is not reviewed is just a document. The cadence that works:
- T+10 business days: Draft AAR completed and distributed
- T+15: Hot-wash debrief with everyone who participated
- T+30: Final AAR approved by the Incident Commander and Executive Sponsor
- Monthly: CISO staff meeting reviews open remediation items
- Quarterly: Board / audit committee reviews status of open critical and high gaps
- Next tabletop: Explicitly test the remediated gaps
Auto-generate structured AARs inside IR-OS
Every IR-OS incident produces a structured JSONB after-action review — timeline, gaps, SLA compliance, regulatory status, remediation plan. No blank page. No missed findings.