
[OR] [P2] [S5] [LL] [C2] The Role of Lessons Learned in the Operational Resilience Lifecycle

Written by Moh Heng Goh | May 14, 2026 3:15:45 PM

[P2] [S5] Chapter 2


Introduction

Operational resilience is not a one-time implementation exercise—it is a continuous, evolving lifecycle. Organisations must constantly adapt to new threats, changing business models, and increasing regulatory expectations. Within this lifecycle, Lessons Learned act as the central feedback loop, ensuring that every disruption, exercise, and operational experience contributes to strengthening resilience.

Without an effective lessons learned process, organisations risk:

  • Repeating the same failures
  • Maintaining ineffective controls
  • Failing to improve resilience capabilities over time

This chapter explores how lessons learned integrate into the operational resilience lifecycle and why they are essential for achieving resilience maturity.

 

Purpose of the Chapter

To explain how Lessons Learned are embedded within the operational resilience lifecycle and how they serve as a critical feedback mechanism that drives continuous improvement across all resilience capabilities, including governance, risk management, and service delivery.

 

Overview of the Operational Resilience Lifecycle

The operational resilience lifecycle can be broadly structured as:

Plan → Implement → Test → Improve

Each phase plays a distinct role:

| Phase | Description |
|---|---|
| Plan | Establish resilience strategy, governance, and framework |
| Implement | Identify CBS, map dependencies, set impact tolerances |
| Test | Conduct scenario testing and exercises |
| Improve | Capture lessons learned and enhance resilience |

The “Improve” stage, driven by lessons learned, ensures that the lifecycle is closed and continuously reinforced.

 

Lessons Learned as the Feedback Loop

Lessons learned function as a closed-loop feedback mechanism that connects all phases of the lifecycle.

Feedback into Planning

Insights from lessons learned are used to:

  • Refine resilience strategies
  • Update risk assessments
  • Reassess critical business services (CBS)
  • Strengthen governance frameworks

Feedback into Implementation

Lessons learned drive improvements in:

  • Process design
  • Technology resilience
  • Third-party risk management
  • Resource allocation

Feedback into Testing

Lessons learned enhance:

  • Scenario design
  • Testing scope and realism
  • Validation of impact tolerances

This continuous feedback ensures that resilience capabilities are:

  • Adaptive
  • Responsive to real-world conditions
  • Aligned with evolving risks

 

Integration with Key Operational Resilience Components

Lessons learned are not isolated—they must be integrated across all core components of operational resilience.

Integration with Critical Business Services (CBS)
  • Lessons must be mapped to specific CBS
  • Identify service-level vulnerabilities
  • Strengthen end-to-end service delivery

Integration with Impact Tolerance
  • Validate whether tolerances were breached
  • Assess realism of tolerance thresholds
  • Refine tolerance levels based on actual performance

Integration with Mapping of Interdependencies
  • Identify weak dependencies across:
    • People
    • Processes
    • Technology
    • Third parties
  • Improve visibility of interconnections

Integration with Scenario Testing
  • Use lessons to refine future scenarios
  • Introduce more severe and plausible disruptions
  • Improve testing methodologies

Alignment with ISO Standards

Lessons learned are a core requirement under international standards.

ISO 22301 (Business Continuity Management)

ISO 22301 emphasises continual improvement through:

  • Monitoring and measurement
  • Internal audits
  • Management reviews
  • Corrective actions

Lessons learned provide the evidence base for:

  • Identifying non-conformities
  • Implementing corrective actions
  • Enhancing the BCMS

ISO 22361 (Crisis Management)

ISO 22361 requires organisations to:

  • Conduct post-crisis reviews
  • Capture insights from crisis response
  • Improve crisis management capabilities

Lessons learned ensure that crisis experiences are:

  • Analysed systematically
  • Embedded into future preparedness

 

Regulatory Expectations

Regulators globally are placing increasing emphasis on learning and continuous improvement as indicators of resilience maturity.

2.6.1 Monetary Authority of Singapore (MAS)

MAS expects financial institutions to:

  • Conduct scenario testing
  • Analyse outcomes and identify gaps
  • Implement improvements to maintain service continuity

2.6.2 Bangko Sentral ng Pilipinas (BSP Circular 1203)

BSP requires:

  • Post-incident reviews
  • Continuous improvement of resilience capabilities
  • Evidence of learning from disruptions

2.6.3 Bank Negara Malaysia (BNM)

BNM emphasises:

  • Ongoing monitoring and review
  • Continuous enhancement of resilience frameworks
  • Integration of lessons into risk management

UK PRA/FCA

UK regulators require:

  • Firms to remain within impact tolerances
  • Continuous improvement based on testing outcomes
  • Evidence of resilience evolution over time

Across all regulators, a common expectation emerges:

Organisations must demonstrate that they learn, adapt, and improve continuously.

 

Lessons Learned as Evidence of Resilience Maturity

The effectiveness of an organisation’s lessons learned process is a key indicator of its resilience maturity.

2.7.1 Characteristics of Mature Organisations
  • Systematic capture of lessons
  • Strong root cause analysis
  • Timely implementation of improvements
  • Integration across all resilience components
  • Clear governance and accountability

2.7.2 Characteristics of Immature Organisations
  • Ad hoc or inconsistent reviews
  • Focus on symptoms rather than causes
  • Lack of follow-through on actions
  • Siloed learning across departments
  • Limited visibility to senior management

Regulators and auditors increasingly assess:

  • Whether lessons are captured
  • Whether actions are implemented
  • Whether improvements are effective

 

Closing the Loop: From Learning to Improvement

A critical success factor is ensuring that lessons learned are not only identified but also translated into measurable improvements.

The Closed-Loop Process
  1. An event or disruption occurs
  2. Lessons are captured and analysed
  3. Root causes are identified
  4. Improvement actions are defined
  5. Actions are implemented
  6. Effectiveness is monitored
  7. Results feed back into the lifecycle

Avoiding Common Gaps

Organisations often fail to close the loop due to:

  • Lack of ownership
  • Poor tracking of actions
  • Insufficient governance oversight
  • Competing priorities

Closing the loop requires:

  • Clear accountability
  • Strong governance
  • Effective monitoring mechanisms

 

Embedding Lessons Learned into Organisational Culture

For lessons learned to be effective, they must be embedded into the organisation’s culture.

Building a Learning Culture
  • Encourage transparency and openness
  • Promote reporting of incidents and near misses
  • Avoid blame-based approaches

Leadership Commitment
  • Senior management must:
    • Support learning initiatives
    • Allocate resources for improvements
    • Drive accountability

Cross-Functional Collaboration
  • Break down silos between:
    • Risk management
    • IT
    • Operations
    • Business units

A strong culture ensures that lessons learned are:

  • Actively used
  • Widely shared
  • Continuously applied


Lessons learned are the engine of continuous improvement within the operational resilience lifecycle. They transform experiences—whether from disruptions, testing, or near misses—into actionable insights that strengthen resilience capabilities.

By embedding lessons learned across all phases of the lifecycle, organisations can:

  • Enhance the resilience of Critical Business Services
  • Improve preparedness for future disruptions
  • Meet regulatory expectations
  • Achieve higher levels of resilience maturity

Ultimately, operational resilience is not defined by static controls or plans, but by the organisation’s ability to continuously learn, adapt, and improve.

 

Transition to Next Chapter

Having established the role of lessons learned within the operational resilience lifecycle, the next chapter will examine the governance and ownership structures required to manage lessons learned effectively, including roles, responsibilities, and oversight mechanisms.

 
