[OR] [P2] [S5] [LL] [C4] Sources and Triggers for Capturing Lessons Learned

[P2] [S5] Chapter 4

 Sources and Triggers for Capturing Lessons Learned

Introduction

A common weakness in many organisations is that lessons learned are only captured after major incidents. This reactive approach limits the organisation’s ability to proactively strengthen resilience.

In a mature operational resilience framework, lessons learned must be:

• Continuously captured
• Triggered by multiple events and conditions
• Embedded into daily operations and decision-making

Learning opportunities exist not only in failures but also in:

• Near misses
• Minor disruptions
• Testing outcomes
• External events

This chapter explores how organisations can establish a comprehensive and proactive approach to identifying and capturing lessons learned.

Purpose of the Chapter

To identify and define the key sources and triggers for capturing lessons learned, ensuring that organisations systematically recognise learning opportunities from disruptions, testing activities, and operational experiences across the operational resilience lifecycle.

Types of Triggers for Lessons Learned

Triggers are events or conditions that initiate the lessons learned process. These triggers can be categorised into four main types:

 Event-Driven Triggers

• Operational incidents
• Service disruptions
• System outages
• Cybersecurity breaches

Test-Driven Triggers

• Scenario testing exercises
• Crisis management simulations
• Business continuity exercises

Risk-Driven Triggers

• Near misses
• Emerging risks
• Control failures

Review-Driven Triggers

• Internal audits
• External audits
• Regulatory reviews

A comprehensive framework ensures that learning is not dependent on major failures alone.

Operational Incidents as a Primary Source

Operational incidents remain one of the most significant sources of lessons learned.

Types of Operational Incidents

• Technology failures (system downtime, application errors)
• Process failures (transaction errors, processing delays)
• Human errors (manual mistakes, misjudgements)
• Third-party failures (vendor outages, service disruptions)

Capturing Lessons from Incidents

For each incident, organisations should:

• Conduct structured post-incident reviews
• Identify root causes and contributing factors
• Assess impact on Critical Business Services (CBS)
• Evaluate response and recovery effectiveness

 Importance of Timely Capture

Lessons should be captured:

• Immediately after incident stabilisation
• While information is still fresh
• Before normal operations fully resume

Scenario Testing and Exercises

Scenario testing is a controlled environment for generating lessons learned.

Types of Exercises

• Tabletop exercises
• Simulation exercises
• End-to-end scenario testing
• Crisis management drills

 Value of Testing-Based Lessons

Testing allows organisations to:

• Identify hidden vulnerabilities
• Validate assumptions
• Test interdependencies
• Assess decision-making under stress

Structured Debriefing

Post-exercise reviews should include:

• What worked well
• What did not work
• Gaps in processes or controls
• Opportunities for improvement

Testing-based lessons are particularly valuable because they:

• Do not involve real customer impact
• Provide a safe environment for learning

Near Misses: A Critical but Underutilised Source

Near misses are incidents that could have resulted in disruption but did not.

Importance of Near Misses

Near misses:

• Reveal vulnerabilities before they cause harm
• Provide early warning signals
• Enable proactive improvements

Examples of Near Misses

• System performance degradation without outage
• Failed cyber attack attempts
• Temporary process breakdowns
• Vendor issues resolved before escalation

 Encouraging Near Miss Reporting

To capture near misses effectively, organisations must:

• Promote a no-blame culture
• Encourage reporting at all levels
• Provide simple reporting mechanisms

Organisations that ignore near misses often face repeat incidents.

 Audit and Regulatory Findings

Audits and regulatory reviews provide structured insights into organisational weaknesses.

Internal Audit

• Identifies control weaknesses
• Highlights process inefficiencies
• Assesses compliance with policies

External Audit

• Provides independent validation
• Benchmarks against industry standards

 Regulatory Reviews

• Highlight gaps in resilience capabilities
• Provide guidance on expected improvements
• Identify systemic risks

Integrating Audit Findings into Lessons Learned

Organisations should:

• Treat audit findings as lessons learned
• Integrate them into improvement plans
• Track remediation actions

Third-Party and Supply Chain Disruptions

Third-party failures are a growing source of operational risk.

Types of Third-Party Disruptions

• Vendor system outages
• Service delivery failures
• Cybersecurity incidents
• Financial instability of vendors

Lessons from Third-Party Failures

Organisations should assess:

• Dependency risks
• Contractual weaknesses
• Monitoring and oversight gaps

Extending Lessons Beyond the Organisation

Lessons learned should:

• Inform vendor management strategies
• Strengthen due diligence processes
• Enhance contingency planning

Customer Feedback and Service Disruptions

Customers often provide early indicators of service issues.

Sources of Customer Feedback

• Complaints
• Service requests
• Escalations
• Social media feedback

Value of Customer Insights

Customer feedback helps organisations:

• Identify service gaps
• Understand customer impact
• Improve service delivery

Linking Feedback to CBS

Customer insights should be mapped to:

• Critical Business Services
• Service delivery processes
• Customer journey

External Events and Industry Learning

Organisations can learn from events that occur outside their own environment.

Industry Incidents

• Banking outages
• Cybersecurity breaches
• Market disruptions

Regulatory Publications

• Guidance papers
• Enforcement actions
• Industry advisories

Peer Benchmarking

• Comparing practices with industry peers
• Identifying best practices

Benefits of External Learning

• Avoid repeating industry-wide mistakes
• Anticipate emerging risks
• Enhance preparedness

Real-Time vs Post-Event Learning

Lessons learned can be captured at different stages:

Real-Time Learning

• Captured during incidents or exercises
• Provides immediate insights
• Supports dynamic decision-making

Post-Event Learning

• Conducted after incident resolution
• Allows deeper analysis
• Enables comprehensive root cause identification

A balanced approach ensures both:

• Immediate improvements
• Long-term enhancements

Establishing a Structured Capture Mechanism

To ensure consistency, organisations must implement structured mechanisms.

Standardised Templates

• Lessons learned forms
• Incident review templates
• Exercise debrief templates

Centralised Repository

• Maintain a lessons learned database
• Enable tracking and analysis
• Provide organisation-wide visibility

Trigger Thresholds

Define clear thresholds for triggering lessons learned processes:

• Impact tolerance breach
• High-severity incidents
• Regulatory impact
• Repeated issues

Challenges in Capturing Lessons Learned

Organisations often face challenges such as:

• Failure to recognise learning opportunities
• Over-reliance on major incidents
• Poor documentation
• Lack of reporting culture
• Siloed information

Addressing these challenges requires:

• Clear frameworks
• Strong governance
• Cultural alignment

Embedding a Proactive Learning Approach

To move beyond reactive learning, organisations should:

Expand Scope of Learning

• Capture lessons from all events, not just failures

Encourage Continuous Reporting

• Make reporting part of daily operations

Integrate Across Functions

• Combine insights from:
• Risk
• IT
• Operations
• Business units

Leverage Data and Analytics

• Identify trends and recurring issues
• Predict potential disruptions

Capturing lessons learned is not a passive activity—it requires a structured, proactive, and multi-source approach. By recognising diverse triggers and sources, organisations can significantly enhance their ability to learn and improve.

A mature organisation captures lessons from:

• Incidents
• Testing
• Near misses
• Audits
• External events

This comprehensive approach ensures that:

• Learning is continuous
• Improvements are proactive
• Resilience capabilities are strengthened

Transition to Next Chapter

Having identified the key sources and triggers for capturing lessons learned, the next chapter will present a structured lessons learned framework and methodology, detailing how organisations can systematically capture, analyse, validate, and implement improvements.