Skip to content

Lesson 5.4 - Post-Incident Review

  • Build a factual incident timeline.
  • Identify root cause, contributing factors and control gaps.
  • Assign corrective actions with responsible parties and due dates.
Incident Closed Build Timeline
Timeline Confirm Facts / Evidence
Facts Root Cause Analysis
Root Contributing Factors
Factors Control Assessment
Controls Corrective / Preventive Actions
Actions Assign Owner / Due Date
Lead Follow-up Review
  1. What happened?
  2. When did it happen?
  3. What was the client, system and risk impact?
  4. Why did it happen and which controls were involved?
  5. What must change to reduce recurrence?
Type Example
Root cause Quote-source session failure
Contributing factor High-impact news and thin liquidity
Control that worked Quote-source issue was isolated from normal monitoring
Control gap Early quote-quality deterioration was not clearly highlighted
Preventive action Add quote-source degradation alert threshold

Quote Anomaly Review

Incident: one quote source price spike was accepted and triggered client stops.

Review outcome: - Root cause: filter threshold did not catch that quote pattern. - Contributing factor: no secondary-source comparison alert. - Immediate action: approved temporary monitoring rule. - Preventive action: improve filter and test on historical ticks. - Follow-up: verify no similar events for 30 days.

Every action should include clear description, assigned owner, due date, priority, verification method and status.

A strong post-incident review turns operational events into improved controls, clearer ownership and lower future risk.


End of Chapter 5 Module A

Incident Record Template

During or after a material incident, the record should separate observation, scope, evidence, action and closure. Do not write conclusions before facts are verified.

Incident ID:
Severity: P1 / P2 / P3 / P4
Detected by:
Detection time:
Incident lead:

Observation:
- What was observed?

Scope:
- Platform:
- Symbols:
- Quote source / Bridge status:
- Client / group impact:
- Exposure impact:
- Internal market-risk impact:

Timeline:
- HH:MM:
- HH:MM:
- HH:MM:

Verified evidence:
- Logs:
- Metrics:
- Order / deal IDs:
- Quote / quote source data:

Market context:
- Event / session:
- Spread / execution context:

Actions:
- Action taken:
- assigned owner:
- Approval required?
- Escalation recipients:

Recovery criteria:
- What must normalize?
- Monitoring period:
- Remaining remaining considerations:

Closure:
- Recovery confirmed by:
- Closure time:
- Post-incident review lead:
- Corrective action due date:

Rule: facts and assumptions must be separated. When evidence is insufficient, do not decide the root cause or assign responsibility independently. Write "under review", preserve available evidence and escalate through the approved process.

Completion Criteria

  • Can explain the key risk or operational objective of this lesson
  • Can identify the required systems, data, or evidence to review
  • Can describe the correct escalation or handling process
  • Can apply the lesson correctly in a supervised scenario