POST-CRISIS AFTER-ACTION REPORT
[CRISIS / EMERGENCY INCIDENT NAME - AFTER-ACTION TITLE]
Retrospective, evidence-based evaluation of an unplanned crisis or serious incident and the organisation’s emergency response: what occurred, how the response was activated and executed, root causes of the incident and response deficiencies, what to sustain, what to improve, and the corrective actions. This product covers unplanned/uncontrolled crisis events, emergency activations, serious incidents, and their aftermath. It does NOT: cover a planned protective operation or scheduled event after-action (see Post-Event After-Action Report); produce a forward-looking pre-event threat or risk assessment (see Event Threat & Risk Assessment / Venue Security Survey / Protective Advance Survey & Recce Report); or conduct a forensic incident, criminal investigation, or legal liability determination (→ dedicated investigation; this report evaluates the response system, it does not adjudicate fault for disciplinary or legal liability). It assesses systems, decisions, and procedures - not individual blame. Reconstruction relies only on lawfully held records and consenting interviews; any concurrent investigation, litigation-hold, or regulatory inquiry is outside the scope of this report and should be coordinated with counsel.
Document Control
| Field | Entry |
|---|---|
| Report Reference | [REF-YYYY-###] |
| Date of Report | [ ] |
| Classification / Handling | [e.g., CONFIDENTIAL // CLIENT EYES ONLY] |
| Client / Sponsor | [ ] |
| Requesting Party | [ ] |
| Crisis / Incident | [ ] |
| Crisis Date(s) & Location(s) | [ ] |
| Reporting Period (after-action window) | [ ] |
| Prepared By | [ ] |
| Reviewed By | [ ] |
| Approving Officer | [ ] |
| Version | [ ] |
| Distribution | [ ] |
Handling, Legal & Ethical Caveat
State classification/TLP marking. Note that this is an internal evaluative after-action product that may contain candid performance assessment and personal data (from logs, footage, call recordings, interviews) - handle under data-protection law (GDPR/CCPA as applicable) and the client’s retention policy. Where the crisis has led or may lead to litigation, regulatory enforcement, an insurance claim, or a criminal investigation, flag potential work-product / privilege, confirm any litigation-hold is in effect, and route preparation through counsel. Frame all performance findings as non-disciplinary, systems-focused (assess decisions and procedures, not individual fault); any HR/disciplinary, regulatory, or criminal process is separate and governed elsewhere. Reconstruction relies only on lawfully held records and consenting interviews.
Crisis Snapshot
One-glance card: the crisis type, the headline response outcome, count of injuries/fatalities/damages by category, and the single highest-priority corrective action - all [ ] placeholders, no findings.
| Field | Entry |
|---|---|
| Crisis Type | [e.g., natural disaster / security incident / facility/fire / medical mass-casualty / cyber / reputational / personnel emergency / mixed] |
| Headline Response Outcome | [e.g., objective met / met-with-exceptions / not met] |
| Injuries & Fatalities (if applicable) | [ ] fatalities [ ] serious injuries [ ] minor injuries [ ] none |
| Asset / Property / Environmental Damage (if applicable) | [ ] |
| Highest-Priority Corrective Action | [ ] |
| Overall Analytic Confidence | [e.g., HIGH / MODERATE / LOW] |
Table of Contents
Numbered to the sections below; page numbers populate on export to Word/PDF.
- BLUF
- Executive Summary
- Key Judgments
- Priority Intelligence Requirements (PIRs) - Crisis Reconstruction
- Crisis Overview & Operating Context
- Pre-Crisis Baseline & Risk Posture
- Timeline / Reconstructed Sequence of Events
- Crisis Response - Activation & Command
- Crisis Response - Execution Assessment by Function
- Incidents & Deviations Register
- Sustainments (What Worked)
- Deficiencies & Gaps (What to Improve)
- Root-Cause Analysis
- Verified Reconstruction Summary
- Red Flag / Systemic-Risk Indicators
- Analysis of Competing Hypotheses (ACH)
- Key Assumptions Check (KAC)
- Reconstruction Gaps & RFIs
- Lessons Learned & Recommendations (Corrective-Action Plan)
- Annex A - Sources & Methodology
- Appendices
1. BLUF
2–3 sentences: most important after-action finding first - whether the crisis response was effective, the most consequential deficiency observed, and the single highest-priority corrective action. No new analysis below it.
[ ]
2. Executive Summary
The purpose of the after-action review and its scope; a concise narrative of the crisis and the response outcome - what went well at altitude, the material deficiencies in activation/execution/recovery, and the corrective direction - deferring detail to the body.
[ ]
3. Key Judgments
The 3–6 load-bearing after-action judgments. Frame each as an assessment of whether an observed strength/deficiency is systemic and its likelihood of recurrence absent action. Likelihood (of recurrence) and Analytic Confidence (in the evidence base) are SEPARATE columns - never combined (ICD 203). Each carries a change indicator.
| # | Key Judgment | Likelihood (recurrence absent action) | Analytic Confidence | Change Indicator (what would shift this) |
|---|---|---|---|---|
| KJ-1 | [ ] | [e.g., likely / probable (55–80%)] | [e.g., MODERATE] | [ ] |
| KJ-2 | [ ] | [ ] | [ ] | [ ] |
| KJ-3 | [ ] | [ ] | [ ] | [ ] |
| KJ-4 | [ ] | [ ] | [ ] | [ ] |
4. Priority Intelligence Requirements (PIRs) - Crisis Reconstruction
The questions the after-action review must answer to reconstruct and evaluate the crisis and response, decomposed PIR → Indicator → source (logs, call recordings, footage, incident reports, interviews, 911/emergency-service records, medical/triage records, crisis-communication records). Each PIR carries an answer/evidence/confidence row plus the summary matrix.
- PIR-1: [e.g., What was the complete sequence and timing of the crisis from first indication to stabilisation/demobilisation?]
- Indicators / source records: [ ]
- Answer / Evidence: [ ]
- Analytic Confidence: [ ]
- PIR-2: [e.g., When and how was the crisis management team / emergency response activated, and was activation timely?]
- Indicators / source records: [ ]
- Answer / Evidence: [ ]
- Analytic Confidence: [ ]
- PIR-3: [e.g., What life-safety / security actions were taken, and were they executed in accordance with the crisis plan?]
- Indicators / source records: [ ]
- Answer / Evidence: [ ]
- Analytic Confidence: [ ]
- PIR-4: [e.g., What communication was issued internally and externally, and was it consistent with the crisis communication plan?]
- Indicators / source records: [ ]
- Answer / Evidence: [ ]
- Analytic Confidence: [ ]
| PIR | Status (answered / partial / open) | Key Evidence | Confidence | Residual Gap → RFI |
|---|---|---|---|---|
| PIR-1 | [ ] | [ ] | [ ] | [ ] |
| PIR-2 | [ ] | [ ] | [ ] | [ ] |
| PIR-3 | [ ] | [ ] | [ ] | [ ] |
| PIR-4 | [ ] | [ ] | [ ] | [ ] |
5. Crisis Overview & Operating Context
Describe the crisis as it occurred: nature, cause vector (if known), location(s) and environment, date/time/duration, personnel and assets affected, immediate life-safety outcome, concurrent emergencies or compounding factors. The factual baseline the evaluation rests on.
| Parameter | Detail |
|---|---|
| Crisis Type & Nature | [ ] |
| Cause Vector (preliminary) | [ ] |
| Location(s) / Environment | [ ] |
| Date(s) & Duration | [ ] |
| Personnel Affected | [ ] |
| Assets / Infrastructure Affected | [ ] |
| Immediate Life-Safety Outcome | [ ] |
| Concurrent / Compounding Factors | [ ] |
6. Pre-Crisis Baseline & Risk Posture
Describe the organisation’s pre-crisis preparedness posture: the applicable crisis/emergency plan(s) in effect (version, date of last review), training and exercise history, risk assessments covering the crisis type, residual risk acceptance, available resources. This is the baseline the response is measured against.
| Baseline Element | Pre-Crisis Status | Relevant Plan / Reference |
|---|---|---|
| Crisis / Emergency Plan (version, date) | [ ] | [ ] |
| Last Tabletop / Drill / Exercise | [ ] | [ ] |
| Applicable Risk Assessment(s) | [ ] | [ ] |
| Residual Risk Acceptance | [ ] | [ ] |
| Available Response Assets | [ ] | [ ] |
7. Timeline / Reconstructed Sequence of Events
Reconstruct the crisis chronologically from graded source records: each key event, the time, what occurred, and the source basis (with reliability grade). Include the pre-crisis lead-in (if warning signs existed), the crisis initiation, escalation, response actions, and stabilisation/demobilisation. Mark deviations from the plan and key decision points. This is the spine the function-by-function assessment references.
| Time | Event / Action | Phase (pre-crisis / initiation / response / stabilisation / recovery / demobilisation) | Planned vs Actual | Source Basis (grade) | Note / Deviation Ref |
|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [e.g., on-plan / deviation / no-plan-applicable] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
8. Crisis Response - Activation & Command
Assess the activation and command/coordination sequence: how the crisis was detected and reported, whether the crisis management team (CMT) / incident command was activated, the timeliness and completeness of activation, command structure and span-of-control decisions, liaison with external emergency services, handover / demobilisation. Cross-reference to incidents and deviations.
| Activation Element | Planned | Actual | Assessment | Cross-Ref (§10 / §12) |
|---|---|---|---|---|
| Detection / Initial Report | [ ] | [ ] | [ ] | [ ] |
| CMT / Incident Command Activation | [ ] | [ ] | [ ] | [ ] |
| Coordination with External Services | [ ] | [ ] | [ ] | [ ] |
| Holding / Handover / Demobilisation | [ ] | [ ] | [ ] | [ ] |
9. Crisis Response - Execution Assessment by Function
Evaluate each crisis-response function against the plan (where one existed) and against reasonable practice: what was planned or expected, what happened, and the assessment (effective / effective-with-exceptions / deficient / not-activated). Cover the crisis type-appropriate functions - adjust to the crisis. Cross-reference incidents to §10 and deficiencies to §12.
| Function | Planned / Expected | Actual | Assessment | Cross-Ref (§10 / §12) |
|---|---|---|---|---|
| Life Safety / Evacuation / Shelter | [ ] | [ ] | [ ] | [ ] |
| Medical / First Aid / Triage | [ ] | [ ] | [ ] | [ ] |
| Security / Access Control / Scene Safety | [ ] | [ ] | [ ] | [ ] |
| Crisis Communications (Internal) | [ ] | [ ] | [ ] | [ ] |
| Crisis Communications (External / Media) | [ ] | [ ] | [ ] | [ ] |
| IT / Cyber / Data Continuity | [ ] | [ ] | [ ] | [ ] |
| Facilities / Infrastructure Response | [ ] | [ ] | [ ] | [ ] |
| Logistics & Supply | [ ] | [ ] | [ ] | [ ] |
| Family / Next-of-Kin Liaison | [ ] | [ ] | [ ] | [ ] |
| Regulatory / Legal / Insurance Coordination | [ ] | [ ] | [ ] | [ ] |
| Business Continuity / Recovery | [ ] | [ ] | [ ] | [ ] |
10. Incidents & Deviations Register
Log every incident, near-miss, and deviation from the crisis plan (where one existed) or from expected practice. Include both crisis-origin events and response-origin events (e.g., a communication failure during the response). Score each on Likelihood (of recurrence absent action) × Impact (consequence had it / did it fully materialise), and rate severity. Score cells are EMPTY placeholders - this is a blank form. Use the verbatim risk-scoring key in Annex A.
| ID | Incident / Deviation | Function (§8 / §9) | Likelihood (1–5) | Impact (1–5) | Score (1–25) | Severity Band | Immediate Action Taken |
|---|---|---|---|---|---|---|---|
| I-1 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| I-2 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| I-3 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
11. Sustainments (What Worked)
Document the practices, decisions, and capabilities that performed well during the crisis response and should be retained/codified. Each entry: what worked, why (the enabling factor), and how to institutionalise it.
| # | Sustainment | Enabling Factor | How to Institutionalise |
|---|---|---|---|
| S-1 | [ ] | [ ] | [ ] |
| S-2 | [ ] | [ ] | [ ] |
12. Deficiencies & Gaps (What to Improve)
Document each material deficiency or capability gap observed in the pre-crisis preparedness, activation, response, or recovery. Each entry: the deficiency, its observed/potential consequence, and the function affected. Root cause is developed in §13; corrective action in §19.
| # | Deficiency / Gap | Observed / Potential Consequence | Function Affected | → Root Cause (§13) |
|---|---|---|---|---|
| D-1 | [ ] | [ ] | [ ] | [ ] |
| D-2 | [ ] | [ ] | [ ] | [ ] |
13. Root-Cause Analysis
For each material deficiency, drive past the symptom to the root cause (e.g., people / process / equipment / information / coordination / external / plan-gap / training-gap / resource-gap). State the analytic basis and confidence; avoid attributing systemic failures to individual error where a process or plan gap is the true cause. Distinguish between the cause of the crisis itself and the cause of response failures.
| Deficiency (§12) | Symptom | Root Cause (category + statement) | Basis | Confidence |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] |
14. Verified Reconstruction Summary
Roll up the key reconstructed facts with a verification status (verified by multi-source/footage/log / unverified / contradicted), source grade, confidence, and materiality to the evaluation. Distinguish established fact from inference. Include event facts (what happened in the crisis) and response facts (what actions were taken).
| Reconstructed Fact | Status (verified / unverified / contradicted) | Source Grade | Confidence | Materiality |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] |
15. Red Flag / Systemic-Risk Indicators
Indicators that a deficiency is systemic rather than one-off, or that risk is trending (e.g., a recurring failure pattern across drills and real events, a control that failed silently, a near-miss masked by luck, warning signs that were not escalated). Provide the flag table, type definitions, and a severity rollup.
| Flag | Type | Basis (cross-ref §) | Severity |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
Indicator-type definitions: [e.g., define each flag type used above].
16. Analysis of Competing Hypotheses (ACH)
Apply ACH to a contested root cause or a disputed account of a critical incident within the crisis or response (e.g., “the failure to evacuate [area] resulted from H1 alarm-not-heard / H2 no-evacuation-order / H3 blocked-exit / H4 procedural-gap”). Weigh the evidence for/against each hypothesis and identify the most diagnostic evidence.
| Evidence / Indicator | H1: [ ] | H2: [ ] | H3: [ ] | H4: [ ] |
|---|---|---|---|---|
| [ ] | [e.g., consistent / inconsistent / N/A] | [ ] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] |
Most diagnostic evidence: [ ]. Hypothesis assessment: [ ].
17. Key Assumptions Check (KAC)
Surface the assumptions underpinning the reconstruction and evaluation (completeness of records, reliability of recollection and witness accounts, representativeness of this crisis of the organisation’s preparedness posture, that the crisis plan was the current approved version, that no records were lost/destroyed). For each: basis, confidence, and impact if wrong.
| Assumption | Basis | Confidence | Impact if Wrong |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
18. Reconstruction Gaps & RFIs
Where the after-action picture is incomplete (missing footage, un-interviewed personnel, gaps in call logs or incident reports, destroyed evidence, concurrent investigation restrictions). State the gap, its impact on the evaluation, the recommended collection, and priority.
| Gap | Impact on Evaluation | Recommended Collection | Priority |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
19. Lessons Learned & Recommendations (Corrective-Action Plan)
Convert deficiencies and root causes into prioritised corrective actions and codify sustainments. Each item: the lesson, the corrective action, the named owner, target date, and how completion is verified. This is the operational output of the report. Distinguish between corrective actions addressing the crisis type recurrence (prevention/mitigation) and those addressing response capability.
| Priority | Lesson Learned | Corrective Action | Owner | Target Date | Verification of Closure |
|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Recommendations are advisory; implementation and any policy, training, or resource change route through the client’s accountable owner. Any corrective action touching on legal, regulatory, or insurance matters should be coordinated with counsel.
Annex A - Sources & Methodology
State the after-action methodology (records reviewed, interviews conducted under consent, the evidence-grading approach, the non-disciplinary/systems-focused framing, and the data-protection handling). Note any concurrent investigation or litigation-hold that limited access to sources. Reproduce the reference scales below verbatim.
Reconstruction methodology: [Describe the records and interviews used, the reconstruction and verification standard, the non-disciplinary/systems-focused framing, any access limitations (e.g., concurrent investigation, litigation-hold, witness-availability), and the data-protection handling.]
Source register (graded):
| # | Source / Record | Type | Date | Reliability (A–F) | Credibility (1–6) | Notes |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Source reliability (Admiralty, A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged.
Information credibility (Admiralty, 1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged. (Each sourced datum carries a two-character grade, e.g., B2.)
Estimative probability / likelihood (ICD 203): almost no chance / remote (01–05%) · very unlikely / highly improbable (05–20%) · unlikely / improbable (20–45%) · roughly even chance (45–55%) · likely / probable (55–80%) · very likely / highly probable (80–95%) · almost certain / nearly certain (95–99%).
Analytic confidence (evidence base, separate from likelihood): HIGH (multiple independent reliable sources, primary documentation, no significant contradiction) · MODERATE (some corroboration, gaps, minor unresolved inconsistency) · LOW (single / uncorroborated source, significant gaps, plausible alternatives open). Never combine a likelihood term and a confidence level in the same sentence.
Risk scoring: Likelihood (1–5) × Impact (1–5) = 1–25; key: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.
Identity-resolution confidence: Confirmed / Probable / Possible / Unresolved, with the matched identifiers stated - disambiguation is explicit, never assumed.
Appendices
Attach: B - Personnel & Role Index (roles, not blame); C - Full Source / Record Register; D - Evidence Archive & chain-of-custody pointer (logs / footage / call recordings / incident reports held lawfully); E - Crisis Plan-of-Record Reference; F - Glossary; G - Revision History.
- Appendix B - Personnel & Role Index: [ ]
- Appendix C - Full Source / Record Register: [ ]
- Appendix D - Evidence Archive & Chain-of-Custody Pointer: [ ]
- Appendix E - Crisis Plan-of-Record Reference: [ ]
- Appendix F - Glossary: [ ]
- Appendix G - Revision History: [ ]
Verification disclaimer: this after-action report reconstructs the crisis and response from lawfully held records and consenting interviews available within the reporting window; it evaluates systems, decisions, and procedures and is not a determination of individual fault, disciplinary liability, legal causation, or regulatory compliance. Where a concurrent investigation, litigation-hold, or regulatory process exists, this report is subject to legal privilege and should be coordinated with counsel. Findings are advisory.
Document Control (footer): [REF-YYYY-###] · Version [ ] · Classification [ ] · Prepared [ ] · Reviewed [ ] · Approved [ ]
END OF REPORT
Model wiring
Generated from cell frontmatter at publish time.