POST-EVENT AFTER-ACTION REPORT
[EVENT / OPERATION NAME - AFTER-ACTION TITLE]
Retrospective, evidence-based evaluation of a completed protective operation or protected event: what was planned, what actually happened, what to sustain, what to improve, the root cause of material deficiencies, and the corrective actions. Center of gravity: reconstruct the operation against its plan-of-record and convert observed performance into actionable lessons. It is a planned-event after-action review. It does NOT: cover a crisis/emergency activation or serious incident after-action (Post-Crisis After-Action Report); produce a forward-looking pre-event threat or risk assessment (Event Threat & Risk Assessment / Venue Security Survey / Protective Advance Survey & Recce Report); or conduct a forensic incident/criminal investigation (→ dedicated investigation; this report evaluates the operation, it does not adjudicate fault for disciplinary or legal liability). It assesses systems, decisions, and procedures - not individual blame.
Document Control
| Field | Entry |
|---|---|
| Report Reference | [REF-YYYY-###] |
| Date of Report | [ ] |
| Classification / Handling | [e.g., CONFIDENTIAL // CLIENT EYES ONLY] |
| Client / Sponsor | [ ] |
| Requesting Party | [ ] |
| Event / Operation | [ ] |
| Event Date(s) & Location(s) | [ ] |
| Reporting Period (after-action window) | [ ] |
| Prepared By | [ ] |
| Reviewed By | [ ] |
| Approving Officer | [ ] |
| Version | [ ] |
| Distribution | [ ] |
Handling, Legal & Ethical Caveat
State classification/TLP marking. Note that this is an internal evaluative after-action product that may contain candid performance assessment and personal data (from logs, footage, interviews) - handle under data-protection law (GDPR/CCPA as applicable) and the client’s retention policy. Where the event involved an incident that may lead to litigation or a claim, flag potential work-product / privilege and route preparation through counsel and any litigation-hold. Frame all performance findings as non-disciplinary, systems-focused (assess decisions and procedures, not individual fault); any HR/disciplinary or criminal process is separate and governed elsewhere. Reconstruction relies only on lawfully held records and consenting interviews.
Operation Snapshot
One-glance card: the operation, its protective objective, headline after-action outcome, count of incidents/deviations by severity, and the single highest-priority corrective action - all [ ] placeholders, no findings.
| Field | Entry |
|---|---|
| Protected Principal(s) / Asset | [ ] |
| Protective Objective | [e.g., the stated end-state the operation existed to achieve] |
| Headline After-Action Outcome | [e.g., objective met / met-with-exceptions / not met] |
| Incidents & Deviations | [ ] (Critical [ ] / High [ ] / Elevated [ ] / Moderate [ ] / Low [ ]) |
| Highest-Priority Corrective Action | [ ] |
| Overall Analytic Confidence | [e.g., HIGH / MODERATE / LOW] |
Table of Contents
Numbered to the sections below; page numbers populate on export to Word/PDF.
- BLUF
- Executive Summary
- Key Judgments
- Priority Intelligence Requirements (PIRs) - Reconstruction
- Event Overview & Operating Parameters
- Objectives & Plan-of-Record
- Timeline / Reconstructed Sequence of Events
- Execution Assessment by Function
- Incidents & Deviations Register
- Sustainments (What Worked)
- Deficiencies & Gaps (What to Improve)
- Root-Cause Analysis
- Verified Reconstruction Summary
- Red Flag / Systemic-Risk Indicators
- Analysis of Competing Hypotheses (ACH)
- Key Assumptions Check (KAC)
- Reconstruction Gaps & RFIs
- Lessons Learned & Recommendations (Corrective-Action Plan)
- Annex A - Sources & Methodology
- Appendices
1. BLUF
2–3 sentences, most important after-action finding first: whether the protective objective was met, the most consequential deficiency observed, and the single highest-priority corrective action. No new analysis below it.
[ ]
2. Executive Summary
The purpose of the after-action review and its scope; a concise narrative of the operation’s outcome - what went well at altitude, the material deficiencies, and the corrective direction - deferring detail to the body.
[ ]
3. Key Judgments
The 3–6 load-bearing after-action judgments. Frame each as an assessment of whether an observed strength/deficiency is systemic and its likelihood of recurrence absent action. Likelihood (of recurrence) and Analytic Confidence (in the evidence base) are SEPARATE columns - never combined (ICD 203). Each carries a change indicator.
| # | Key Judgment | Likelihood (recurrence absent action) | Analytic Confidence | Change Indicator (what would shift this) |
|---|---|---|---|---|
| KJ-1 | [ ] | [e.g., likely / probable (55–80%)] | [e.g., MODERATE] | [ ] |
| KJ-2 | [ ] | [ ] | [ ] | [ ] |
| KJ-3 | [ ] | [ ] | [ ] | [ ] |
| KJ-4 | [ ] | [ ] | [ ] | [ ] |
4. Priority Intelligence Requirements (PIRs) - Reconstruction
The questions the after-action review must answer to reconstruct and evaluate the operation, decomposed PIR → Indicator → source (logs, footage, comms records, interviews). Each PIR carries an answer/evidence/confidence row plus the summary matrix.
- PIR-1: [e.g., What was the actual sequence and timing of the principal’s movements versus the planned schedule?]
- Indicators / source records: [ ]
- Answer / Evidence: [ ]
- Analytic Confidence: [ ]
- PIR-2: [ ]
- PIR-3: [ ]
| PIR | Status (answered / partial / open) | Key Evidence | Confidence | Residual Gap → RFI |
|---|---|---|---|---|
| PIR-1 | [ ] | [ ] | [ ] | [ ] |
| PIR-2 | [ ] | [ ] | [ ] | [ ] |
| PIR-3 | [ ] | [ ] | [ ] | [ ] |
5. Event Overview & Operating Parameters
Describe the event/operation as executed: nature and scale, location(s) and venue posture, principal(s) and party, dates/duration, threat context in effect, force/asset composition, and the partner agencies/vendors involved. The factual baseline the evaluation rests on.
| Parameter | Detail |
|---|---|
| Event Type / Scale | [ ] |
| Location(s) / Venue Posture | [ ] |
| Principal(s) / Protected Party | [ ] |
| Threat Context in Effect | [ ] |
| Force / Asset Composition | [ ] |
| Partners / Vendors / Liaison | [ ] |
6. Objectives & Plan-of-Record
State the operation’s protective objectives and the plan as approved (the baseline against which execution is measured): concept of operations, key control measures, contingency triggers, and success criteria. Deviations in §9 are measured against this.
| Planned Element | Plan-of-Record | Success Criterion |
|---|---|---|
| [e.g., concept of operations] | [ ] | [ ] |
| [e.g., movement/route plan] | [ ] | [ ] |
| [e.g., contingency triggers] | [ ] | [ ] |
7. Timeline / Reconstructed Sequence of Events
Reconstruct the operation chronologically from graded source records: each key event, the time, what occurred, and the source basis (with reliability grade). Mark deviations from the plan and decision points. This is the spine the function-by-function assessment references.
| Time | Event / Action | Planned vs Actual | Source Basis (grade) | Note / Deviation Ref |
|---|---|---|---|---|
| [ ] | [ ] | [e.g., on-plan / deviation] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] |
8. Execution Assessment by Function
Evaluate each protective function against its plan: what was planned, what happened, and the assessment (effective / effective-with-exceptions / deficient). Cover the standard functions - adjust to the operation. Cross-reference incidents to §9 and deficiencies to §11.
| Function | Planned | Actual | Assessment | Cross-Ref (§9 / §11) |
|---|---|---|---|---|
| Advance & Site Preparation | [ ] | [ ] | [ ] | [ ] |
| Access Control & Screening | [ ] | [ ] | [ ] | [ ] |
| Close Protection / Detail | [ ] | [ ] | [ ] | [ ] |
| Movement & Transport | [ ] | [ ] | [ ] | [ ] |
| Communications & Coordination | [ ] | [ ] | [ ] | [ ] |
| Medical & Emergency Readiness | [ ] | [ ] | [ ] | [ ] |
| Contingency / Incident Response | [ ] | [ ] | [ ] | [ ] |
| Liaison (LE / venue / partners) | [ ] | [ ] | [ ] | [ ] |
9. Incidents & Deviations Register
Log every incident, near-miss, and deviation from the plan. Score each on Likelihood (of recurrence absent action) × Impact (consequence had it / did it fully materialize), and rate severity. Score cells are EMPTY placeholders - this is a blank form. Use the verbatim risk-scoring key in Annex A.
| ID | Incident / Deviation | Function (§8) | Likelihood (1–5) | Impact (1–5) | Score (1–25) | Severity Band | Immediate Action Taken |
|---|---|---|---|---|---|---|---|
| I-1 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| I-2 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| I-3 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
10. Sustainments (What Worked)
Document the practices, decisions, and capabilities that performed well and should be retained/codified. Each entry: what worked, why (the enabling factor), and how to institutionalize it.
| # | Sustainment | Enabling Factor | How to Institutionalize |
|---|---|---|---|
| S-1 | [ ] | [ ] | [ ] |
| S-2 | [ ] | [ ] | [ ] |
11. Deficiencies & Gaps (What to Improve)
Document each material deficiency or capability gap observed. Each entry: the deficiency, its observed/potential consequence, and the function affected. Root cause is developed in §12; corrective action in §18.
| # | Deficiency / Gap | Observed / Potential Consequence | Function Affected | → Root Cause (§12) |
|---|---|---|---|---|
| D-1 | [ ] | [ ] | [ ] | [ ] |
| D-2 | [ ] | [ ] | [ ] | [ ] |
12. Root-Cause Analysis
For each material deficiency, drive past the symptom to the root cause (e.g., people / process / equipment / information / coordination / external). State the analytic basis and confidence; avoid attributing systemic failures to individual error where a process gap is the true cause.
| Deficiency (§11) | Symptom | Root Cause (category + statement) | Basis | Confidence |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] |
13. Verified Reconstruction Summary
Roll up the key reconstructed facts with a verification status (verified by multi-source/footage/log / unverified / contradicted), source grade, confidence, and materiality to the evaluation. Distinguish established fact from inference.
| Reconstructed Fact | Status (verified / unverified / contradicted) | Source Grade | Confidence | Materiality |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] |
14. Red Flag / Systemic-Risk Indicators
Indicators that a deficiency is systemic rather than one-off, or that risk is trending (e.g., a recurring deviation, a control that failed silently, a near-miss masked by luck). Provide the flag table, type definitions, and a severity rollup.
| Flag | Type | Basis (cross-ref §) | Severity |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
Indicator-type definitions: [e.g., define each flag type used above].
15. Analysis of Competing Hypotheses (ACH)
Apply ACH to a contested root cause or a disputed account of a key incident (e.g., “the access-control lapse at [time] resulted from H1 staffing / H2 procedure / H3 equipment”). Weigh the evidence for/against each hypothesis and identify the most diagnostic evidence.
| Evidence / Indicator | H1: [ ] | H2: [ ] | H3: [ ] |
|---|---|---|---|
| [ ] | [e.g., consistent / inconsistent / N/A] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] |
Most diagnostic evidence: [ ]. Hypothesis assessment: [ ].
16. Key Assumptions Check (KAC)
Surface the assumptions underpinning the reconstruction and evaluation (completeness of records, reliability of recollection, representativeness of this event, that the plan-of-record was the actual approved baseline). For each: basis, confidence, and impact if wrong.
| Assumption | Basis | Confidence | Impact if Wrong |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
17. Reconstruction Gaps & RFIs
Where the after-action picture is incomplete (missing footage, un-interviewed personnel, gaps in comms logs). State the gap, its impact on the evaluation, the recommended collection, and priority.
| Gap | Impact on Evaluation | Recommended Collection | Priority |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
18. Lessons Learned & Recommendations (Corrective-Action Plan)
Convert deficiencies and root causes into prioritized corrective actions and codify sustainments. Each item: the lesson, the corrective action, the named owner, target date, and how completion is verified. This is the operational output of the report.
| Priority | Lesson Learned | Corrective Action | Owner | Target Date | Verification of Closure |
|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Recommendations are advisory; implementation and any policy/training change route through the client’s accountable owner.
Annex A - Sources & Methodology
State the after-action methodology (records reviewed, interviews conducted under consent, the evidence-grading approach); the source register graded with the Admiralty two-axis code; and the explicit likelihood-vs-confidence separation statement. Reproduce the reference scales below verbatim.
Reconstruction methodology: [Describe the records and interviews used, the reconstruction and verification standard, the non-disciplinary/systems-focused framing, and the data-protection handling.]
Source register (graded):
| # | Source / Record | Type | Date | Reliability (A–F) | Credibility (1–6) | Notes |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Source reliability (Admiralty, A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged.
Information credibility (Admiralty, 1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged. (Each sourced datum carries a two-character grade, e.g., B2.)
Estimative probability / likelihood (ICD 203): almost no chance / remote (01–05%) · very unlikely / highly improbable (05–20%) · unlikely / improbable (20–45%) · roughly even chance (45–55%) · likely / probable (55–80%) · very likely / highly probable (80–95%) · almost certain / nearly certain (95–99%).
Analytic confidence (evidence base, separate from likelihood): HIGH (multiple independent reliable sources, primary documentation, no significant contradiction) · MODERATE (some corroboration, gaps, minor unresolved inconsistency) · LOW (single / uncorroborated source, significant gaps, plausible alternatives open). Never combine a likelihood term and a confidence level in the same sentence.
Risk scoring: Likelihood (1–5) × Impact (1–5) = 1–25; key: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.
Identity-resolution confidence: Confirmed / Probable / Possible / Unresolved, with the matched identifiers stated - disambiguation is explicit, never assumed.
Appendices
Attach: B - Personnel & Role Index (roles, not blame); C - Full Source/Record Register; D - Evidence Archive & chain-of-custody pointer (logs / footage / comms records held lawfully); E - Plan-of-Record Reference; F - Glossary; G - Revision History.
- Appendix B - Personnel & Role Index: [ ]
- Appendix C - Full Source / Record Register: [ ]
- Appendix D - Evidence Archive & Chain-of-Custody Pointer: [ ]
- Appendix E - Plan-of-Record Reference: [ ]
- Appendix F - Glossary: [ ]
- Appendix G - Revision History: [ ]
Verification disclaimer: this after-action report reconstructs the operation from lawfully held records and consenting interviews available within the reporting window; it evaluates systems, decisions, and procedures and is not a determination of individual fault, disciplinary liability, or legal causation. Findings are advisory.
Document Control (footer): [REF-YYYY-###] · Version [ ] · Classification [ ] · Prepared [ ] · Reviewed [ ] · Approved [ ]
END OF REPORT
Model wiring
Generated from cell frontmatter at publish time.