Lesson 5.4 - Post-Incident Review¶
- Build a factual incident timeline.
- Identify root cause, contributing factors and control gaps.
- Assign corrective actions with responsible parties and due dates.
- What happened?
- When did it happen?
- What was the client, system and risk impact?
- Why did it happen and which controls were involved?
- What must change to reduce recurrence?
| Type | Example |
|---|---|
| Root cause | Quote-source session failure |
| Contributing factor | High-impact news and thin liquidity |
| Control that worked | Quote-source issue was isolated from normal monitoring |
| Control gap | Early quote-quality deterioration was not clearly highlighted |
| Preventive action | Add quote-source degradation alert threshold |
Quote Anomaly Review¶
Incident: one quote source price spike was accepted and triggered client stops.
Review outcome: - Root cause: filter threshold did not catch that quote pattern. - Contributing factor: no secondary-source comparison alert. - Immediate action: approved temporary monitoring rule. - Preventive action: improve filter and test on historical ticks. - Follow-up: verify no similar events for 30 days.
Every action should include clear description, assigned owner, due date, priority, verification method and status.
A strong post-incident review turns operational events into improved controls, clearer ownership and lower future risk.
End of Chapter 5 Module A
Incident Record Template¶
During or after a material incident, the record should separate observation, scope, evidence, action and closure. Do not write conclusions before facts are verified.
Incident ID:
Severity: P1 / P2 / P3 / P4
Detected by:
Detection time:
Incident lead:
Observation:
- What was observed?
Scope:
- Platform:
- Symbols:
- Quote source / Bridge status:
- Client / group impact:
- Exposure impact:
- Internal market-risk impact:
Timeline:
- HH:MM:
- HH:MM:
- HH:MM:
Verified evidence:
- Logs:
- Metrics:
- Order / deal IDs:
- Quote / quote source data:
Market context:
- Event / session:
- Spread / execution context:
Actions:
- Action taken:
- assigned owner:
- Approval required?
- Escalation recipients:
Recovery criteria:
- What must normalize?
- Monitoring period:
- Remaining remaining considerations:
Closure:
- Recovery confirmed by:
- Closure time:
- Post-incident review lead:
- Corrective action due date:
Rule: facts and assumptions must be separated. When evidence is insufficient, do not decide the root cause or assign responsibility independently. Write "under review", preserve available evidence and escalate through the approved process.
Completion Criteria¶
- Can explain the key risk or operational objective of this lesson
- Can identify the required systems, data, or evidence to review
- Can describe the correct escalation or handling process
- Can apply the lesson correctly in a supervised scenario