Chapter 13
Improving Lessons Learned
Introduction
The effectiveness of any operational resilience framework depends not only on how well an organisation responds to disruptions but also on how systematically it learns from them.
For the Brunei Darussalam Central Bank (BDCB), as the nation’s central monetary authority, this means ensuring that every incident, disruption, or simulation exercise becomes a catalyst for continuous improvement.
The Improving Lessons Learned stage of the Implement phase is designed to capture insights from real events and planned tests, transform them into actionable enhancements, and embed those improvements into policies, processes, and culture.
This stage emphasises a structured approach to gathering feedback, conducting after-action reviews, prioritising remedial measures, and tracking progress until lessons are fully institutionalised. By doing so, BDCB not only strengthens its operational resilience capabilities but also reinforces trust across Brunei Darussalam’s financial system, ensuring that the organisation is better prepared for future challenges.
1. Objective & Scope
Objective:
Enhance the effectiveness of BDCB’s operational resilience by systematically capturing, evaluating, and improving upon lessons learned during exercises, incidents, disruptions, or real-world responses.
Scope:
Covers all resilience-related activities—from internal simulations (e.g., ICT outages, cyber-attacks, natural events) to real operational disruptions. It spans participants across BDCB: executive leadership, operations, IT, risk, compliance, and external partners (e.g., financial sector participants, government agencies).
2. Key Implementation Steps
2.1 Plan for Lessons Capture
- Designate “Lessons Leads” for each resilience exercise or event.
  - Example: Appoint a senior risk manager to lead post-event capture for a simulated cyber-incident.
- Define what to capture:
  - Scenario details (what happened, when, how it was detected).
  - Response effectiveness (timing, coordination, decision-making).
  - Resource performance (systems, communications, staff, third-party partners).
  - Gaps, strengths, coordination issues, policy or control deficiencies.
- Schedule “hot-wash” sessions immediately post-exercise or disruption—within 24–48 hours. Prompt reflection ensures timely recollections.
  - Example: After a live incident (e.g., temporary partial system outage), gather IT, operations, communications, and business continuity staff for a structured debrief within 24 hours.
2.2 Structured After-Action Reviews (AARs)
- Conduct more formal After-Action Reviews within 1–2 weeks, involving all stakeholders.
- Use standardised templates that include:
  - Incident timeline.
  - What went well? What didn’t? Why?
  - Root-cause analysis (e.g., was detection delayed due to misconfigured monitoring?).
  - Immediate and systematic recommendations.
  - Ownership and deadlines for corrective actions.
- Example: Following a regional flood simulation impacting BDCB building access, an AAR reveals that backup communications failed due to redundancy gaps; assign an IT infrastructure specialist to remediate by procuring alternate communication lines.
2.3 Validate & Prioritize Lessons
- Establish a Resilience Lessons Committee, chaired by a senior resilience officer and comprising cross-functional representation (IT, Ops, Risk, Compliance, Communications).
- Review AAR outputs, triage lessons:
  - Critical (e.g., threats to mission-critical operations or systemic risk).
  - Important (e.g., moderate impact or operational inconvenience).
  - Low priority (cosmetic improvements or low-risk issues).
- Allocate resources to remediation based on risk, cost, and regulatory or reputational impact.
- Example: A critical finding (e.g., backup power failure in the DR site) is flagged for immediate remedy with budget and timeline; a low-priority observation (such as reordering of post-exercise refreshments) is noted but not actioned formally.
2.4 Implement Remedial Actions
- For each prioritised lesson, define:
  - Action owner, due date, milestones, and status tracking mechanism.
- Integrate into BDCB’s broader resilience and risk governance structures (e.g., resilience dashboards, risk registers, project management tools).
- Example: The IT infrastructure team is tasked to deploy a secondary power feed at the disaster recovery site by Q4 2025; progress is tracked via monthly governance meetings.
2.5 Monitor & Evaluate Close-Out
- Conduct status reviews at defined intervals (e.g., 1 month, 3 months).
- Confirm whether actions have been completed, tested, and embedded into policy, procedures, or training.
- Example: Six months after implementing a new incident escalation protocol, run a mini-test to validate awareness among branches.
- For actions not implemented or found ineffective, revisit AAR or escalate to executive leadership for resolution.
2.6 Share & Institutionalize Lessons
- Document a Lessons Learned Register, updated on a rolling basis.
- Include summaries of exercises/incidents, key findings, implemented actions, status updates, and impact assessments.
- Disseminate key learnings across BDCB via:
  - Internal bulletins or newsletters.
  - Training sessions for front-line and incident response teams.
  - Operational playbooks or intranet knowledge bases.
- Example: Following a simulation of a cyber-breach, publish a short, anonymised “what we learned” note to all staff, highlighting enhanced phishing detection training adopted bank-wide.
2.7 Continuous Improvement Loop
- At the next resilience test or real incident, explicitly reference prior lessons and test whether changes have improved outcomes.
  - Example: In a follow-up simulated communications failure, check if the newly installed dual-path communications succeeded without delay.
- Hold periodic resilience reviews (bi-annual or annual), assessing recurring themes across lessons, major trends, or systemic gaps. Feed these into strategic resilience-enhancement planning for the coming year.
3. Example Scenario: Minor System Outage During a Routine IT Update
| Step | Illustration |
| --- | --- |
| Hot-Wash | Within hours of the outage, IT operations and business continuity teams meet: issues detected — failure to engage fallback systems due to a mislabelled switch. |
| After-Action Review (1 week later) | AAR reveals: testing procedures didn’t include infrastructure labelling verification; procedures didn’t emphasise fallback drills during live updates. |
| Validation & Prioritization | Resilience Lessons Committee grades this as Important—could recur and disrupt front-office transactions. |
| Remedial Actions | Action owner: Head of IT Operations. Actions: revise update protocols to include labelling checks; conduct quarterly fallback drills; new checklist embedded. Deadline: 8 weeks. |
| Monitoring | At the monthly ops governance meeting, progress was flagged. On time, drills scheduled. |
| Institutionalization | Updated protocols added to the IT operations manual, communicated via intranet. All IT staff attend a quick briefing on changes. |
| Improvement Testing | In the next maintenance window, fallback systems activate seamlessly. Performance improvement confirmed. |
| Review Loop | At the annual governance forum, highlights include faster fallback activation and enhanced operational resilience. |
4. Governance Integration & Accountability
- Senior Management Reporting:
  Quarterly updates on lessons learned and remedial status to the Executive Committee and Board, including:
  - Number of learnings captured.
  - Percentage of critical items closed.
  - Measurable improvements (e.g., average recovery time reduced).
- Audit & Compliance:
  Audit reviews incorporate checking whether timely AARs occurred, lessons were prioritised, and actions were closed in line with the methodology. This strengthens accountability and compliance with regulatory expectations.
- Cultural Reinforcement:
  Encourage a “just culture” that views lessons as opportunities—not blame—to cultivate thorough and honest learning. Recognise teams that identify and implement high-value improvements.
Summary
By systematically:
- Capturing lessons promptly,
- Evaluating and prioritising them,
- Implementing corrective actions,
- Monitoring progress,
- Institutionalising improvements, and
- Closing the feedback loop in future exercises,
BDCB can progressively enhance its operational resilience. Over time, this “Improving Lessons Learned” chapter embeds a resilient culture, ensuring that every exercise and incident becomes a stepping stone toward stronger, smarter, and more resilient operations.
Summing Up ...
The journey toward operational resilience is iterative, requiring organisations like BDCB to continually refine their strategies and practices. The Improving Lessons Learned stage ensures that disruptions—whether real or simulated—are not viewed as isolated events but as opportunities to build stronger, more agile, and more reliable operations. By embedding a culture of reflection, accountability, and improvement, BDCB ensures that resilience evolves alongside emerging risks and operational complexities.
Ultimately, the discipline of learning from experience strengthens not only BDCB’s ability to safeguard financial stability but also its role as a trusted steward of Brunei Darussalam’s monetary and financial integrity. Each lesson captured and acted upon represents a step closer to a more robust and adaptive central bank, capable of protecting critical services under any circumstance.
Operational Resilience at BDCB: A Strategic Implementation Guide
"Implement" Phase of the Operational Resilience Planning Methodology