We’ll get through this; how will it make us stronger? Make COVID-19 “lessons learned” a priority

by | Jun 25, 2020 | Blog, Security Operations

The COVID-19 event, obviously, has had a wide-reaching negative impact for the entire country. Despite this, even in the face of the trauma linked to the loss of loved ones, we will eventually prevail and see the other side of this event. When that happens, a return to more normalized business operations will closely follow (if not already underway). There is a unique, somewhat limited, opportunity to position your organization for a far better response to this kind of event in the future. The primary method to achieve this is from an investigative effort, or what is more commonly referred to as a “lessons learned” exercise. In this case, the focus will be on the organization’s continuity planning, or contingency planning, approach and execution.

One way of viewing this exercise is from the phrase “Those who do not learn from history are condemned to repeat it.” Essentially, when mistakes happen, learn from them or you’ll be likely to encounter the same failures. The approach of a “lessons learned” exercise is a method of continuous improvement that is based on a singular event (COVID-19) or similarly related events. The entire goal should be to find areas where business unit operations or actions had difficulty or issues with the event under review. Generally speaking, a “lessons learned” exercise should be applied to all projects and, where it makes sense, to any smaller efforts made by an individual or handful of staff. This goes to its general principle of increasing efficiency and effectiveness in similar future events.

 

Lessons Learned Steps

For guidance, here are some suggested steps for carrying out a “lessons learned” exercise:

  1. Establish a person and team (tiger team) to manage the exercise. Dedicate time for meetings (and hold them, with an agenda)
  2. Ask questions, request feedback from business units and meet with managers to get direct feedback as to challenges encountered
  3. Consolidate feedback and information within documentation – have a dedicated role for maintaining minutes and records
  4. Based on data gathered and tiger team determinations, make recommendations for changes to existing plans or launch initiatives for new plans as needed, via a Plan of Action and Milestones (POAM). Ensure completion of the POAM
  5. The team should look to move to a quarterly or annual meeting to track progress on POAMs and provide historical knowledge to the exercise outcome. Store plans for future reference and use as a guideline for any other areas needing improvement

As with most things that address improvement, the first step is to set aside dedicated time to organize and focus on the effort. This will involve identifying the staff and lead manager that will be needed for the team that tackles this important undertaking. The staff will need to dedicate time to focus on the task at hand – this may not be very not easy depending on how recovery efforts are running. A notable challenge can be the need for accurate recall, in the absence of on-going issue tracking during the event. Regarding how much time to dedicate, have as many sessions as needed, but be aware of scope creep. A good method to guard against scope creep is for the team to set specific goals at the outset of the exercise. If other more significant issues arise, it may be best to have a separate investigation, so that proper focus and resources can be dedicated to each. A primary goal at this first stage should be the understanding that these meetings are to be kept (take attendance if needed) to get things kicked off and so the team can leverage the time-frame where staff still can readily recall details of their issues. Hopefully, some of the issues were already being noted during the crisis. If not already part of your contingency procedures, consider adding an “active event issues” list, as well as coordinating that data via check-ins with higher management. For the lessons learned, gather that information and data. The entire organization should understand that this exercise is underway and to provide any assistance needed to help the company be more successful in the future.

 

Key Questions

Once meetings have been established and are running, the effort will involve information gathering, where feedback should be openly asked for. Consider soliciting information from the entire organization, if appropriate and acceptable. In general, be sure to capture the following:

  1. What worked? These are things that you wish you had more of, that provided some level of assistance (even if small) and were successful, even if only deployed right before the end of the event.
  2. What didn’t work? Obviously, this goes to areas where weakness was seen. What gaps were noted? And are any currently being worked on for a solution? Assess the potential need for that solution in the future and be sure to keep it moving forward to closure.
    1. If this step results in long lists of issues being presented, consider asking for a “top 3” or “If you had to pick only 1 item, what were you most frustrated with during the crisis?”

Once the information has been gathered, it will need to be organized, condensed and reviewed for actionable issues. The staff to conduct those reviews should follow the business unit structure, where finance issues are reviewed by the finance department, technology issues reviewed by the Information Technology department, and so on. The information learned from these issue reviews must be captured in documentation and then collected for the group and team lead to review. Therefore, there is a need for a recognized keeper of documentation, including meeting minutes. All those on the team will coordinate with the records keeper to ensure full and accurate data is maintained on the issues being addressed. The minutes are generally distributed to the team for review and coordination of efforts on any “asks” from those meetings.

After there is confidence from the team that pertinent issues have been identified, start the hunt for solutions. Some problems will be easier than others and don’t forget to leverage the organization for ideas on how to address those problems. In the case of COVID-19, everyone has been impacted and likely will have some general idea as to what potential solutions could address the myriad of identified issues or gaps. Take those ideas and formulate a plan to address the issue and review solutions to ensure that they will indeed address the problem identified. A recognized method for implementing a fix is the Plan of Action and Milestones (POAM), which can be found in great detail within the National Institute of Standards and Technology (NIST) publications. After that, take corrective action following the POAM to resolve the gaps, adjusting as needed along the way.

 

Wrap up

Finally, keep an archive of the lessons learned activities for review and tracking. At the end of the exercise, it will be apparent that focused effort was expended to obtain results and the successful methods used should be repeated. Conducting this exercise will bring forward skill sets that can be re-engaged to address problems that trouble the organization elsewhere. As a last step, if not already part of the overall exercise, a summary report should be assembled to show the results from the team’s efforts. Send the report up the management tree for review, including executive management. Given the scope and impact of this event, and in order to prevent history from repeating itself, this should be a report of interest.

We will next look at the outline for a pandemic response and what should be considered for contingency planning, in the event that COVID-19, or something similar, comes knocking again.