The Crisis is Over…What Now?

Bud Garrick

Plans, What Plans?

Many organizations, both those in government and private business, have a manual sitting on someone’s bookshelf that is titled “Business Continuity Plan” or “Emergency Response Plan” or “Security Plan” because they are mandated, or expected, to have one. However, in reality these critical documents are rarely, if ever, taken off the shelf and put through a comprehensive review or update never mind being used for a regular (minimum annually) exercise. People often think of policies and procedures as rigid or unchanging.  Once they have been created, the job is done…until a completely unexpected event or crisis occurs. Or perhaps this type of crisis had been planned for, however the plan had never been reviewed, updated or tested in a comprehensive manner and people are surprised when it fails.

The last thing that any organization thinks about when going through a crisis is that they should consider updating their policies or response plans.  They are focused on surviving whatever particular situation they are experiencing. At the first possible opportunity following an event one of the first things an organization should think about is going through a “Lessons Learned” or “After-Action” Review.

What is an After-Action Review?

For decades, militaries around the World have recognized the importance of conducting proper After-Action Reviews (AAR) after operations or exercises so that they can review performance and improve.  This process saves lives. This AAR concept was brought to large corporations many years ago.  AAR meetings became a popular business tool after Shell Oil began experimenting with them in 1998 at the suggestion of board member Gordon Sullivan, a retired general. Teams at such companies as Colgate-Palmolive, DTE Energy and Harley-Davidson use these reviews to identify both best practices (which they want to spread) and mistakes (which they don’t want to repeat).¹

A key objective of the AAR is to determine what worked and what didn’t work during an organization’s response to a crisis. These are developed into lessons learned and recommendations (with a plan), to improve the organization’s ability to plan, adapt, and carry on with business operations during any future events.

The AAR can best be defined as a structured approach for reflecting on the response of a group and identifying strengths, weaknesses, and areas for improvement. An AAR is centered on four basic questions:²

  •  What was expected to happen?
  • What actually occurred?
  • What went well and why?
  • What can be improved and how?

A proper AAR features:

  • An open and honest professional discussion
  • Participation by everyone on the team
  • A focus on results of an event or project
  • Identification of ways to sustain what was done well
  • Development of recommendations on ways to overcome obstacles

It is critical that any AAR become more than just a report. Some organizations view an AAR the same way they view policies, believing that the objective is to create a document intended for other audiences.

If you don’t conduct AARs after each major event or crisis, you are rolling the dice with each response thereafter. If you don’t try to learn from your mistakes, you’re taking a chance that you will repeat mistakes.  The AAR is not:³

  • A critique or lecture
  • A gripe session
  • A tool to embarrass
  • A tool to compare or judge
  • A means to blame

The AAR is:

  • A tool to improve performance
  • A tool to increase proficiency and confidence
  • A positive meeting that may at times focus on negative aspects of an event BUT a good facilitator conducts it in a positive way

Importance of Independent Third-Party Reviews

There is no reason that organizations cannot conduct their own After-Action or Lessons Learned Reviews providing that they have experience personnel who approach the review from a non-emotional perspective. Often times, individuals selected to lead AAR have some sort of role to play in the development of response plans and response activities and as such have a personal investment. Bringing on a completely independent/third party to lead the AAR and assist with the development of recommendations and updated plans can often result in more honest and improved results.

No matter the size of the organization, from large government entities to small businesses, having an independent AAR can often bring beneficial results. A good example of this type of review on a large complex institution is one which a Presidia Team member, Jim Legere, supported – the Continuous Improvement for Federal Event Response (CIFER), Decision support for the development of the programme Concept of Operations (CONOPs), led by Defence Research and Development Canada (DRDC). The report can be found at:

Presidia Security Consulting, a member of the ADGA Group of Companies, has extensive experience conducting organizational reviews, After-Action Reviews and Lessons Learned Reviews for large government departments and private businesses. Should you require further information or assistance, we can be reached at

¹Learning in the Thick of it, Harvard Business Review, Marilyn Darling, Charles Parry and Joseph Moore, August 2005
²Guide To The After Action Review, Version 1.1, October 2010, Using Evaluation to Improve Our Work: A Resource Guide

The author, William (Bud) Garrick, is a Principal at Presidia Security Consulting.  He can be reached at