How to Write an After-Action Report for a BCP Exercise: Template and Examples

TL;DR

• An after-action report is not an optional nice-to-have — it’s what FFIEC and ISO 22301 both require to demonstrate that your exercises produce genuine program improvements
• The difference between a hot wash and an AAR: hot wash is the immediate debrief; AAR is the formal document with findings, root cause, and corrective actions
• Write findings using the Observation-Discussion-Recommendation format — not a bullet list of “things that went wrong”
• Corrective actions without assigned owners and due dates are intentions, not plans

The Exercise That Goes Nowhere

Scenario: Your team runs a 90-minute ransomware tabletop. Someone’s secretary orders pizza. People flag real problems — the backup restoration process is unclear, three key contacts aren’t in the plan, IT wasn’t in the room and their recovery steps are untested assumptions. The facilitator says “great discussion, let’s document this.”

Six months later, an examiner asks what changed after your last exercise. The BCM manager pulls out the sign-in sheet and the scenario card. There is no AAR. The findings from that meeting exist only in the memory of whoever was in the room.

That’s not a testing program. That’s a compliance activity that consumes time without creating resilience.

The after-action report is the mechanism that converts exercise discussion into documented findings, documented findings into corrective actions, and corrective actions into a better BCP. Without it, every exercise is a closed loop — and your program isn’t improving.

The FFIEC Business Continuity Management booklet is direct on this: exercise results must be documented, findings must be tracked through remediation, and the BIA and BCPs must be updated based on lessons learned. ISO 22301 Clause 8.5 makes the same requirement. Examiners ask for the AAR specifically.

Here’s how to write one that actually gets used.

Hot Wash First, AAR Second

The after-action process has two stages. Conflating them is the most common mistake.

The hot wash happens immediately after the exercise concludes — before anyone leaves the room. It’s 15–30 minutes of open, facilitated discussion. The questions are simple:

• What went well? What would we do the same way in a real incident?
• What didn’t work? What confused people or created delays?
• What was missing — from the plan, the room, or the team?
• What needs to change before our next exercise?

The hot wash is informal. No recording required. Someone takes rough notes. The facilitator captures themes on a whiteboard or notepad. The value is immediacy — observations while the scenario is still vivid, before people rationalize what happened.

The hot wash informs the AAR but does not replace it. The AAR is written after the hot wash, typically over the following week, using the hot wash notes plus any exercise observation forms collected from participants.

AAR Structure: What to Include

A complete BCP exercise AAR has six sections. Here’s what goes in each one.

Section 1: Executive Summary (1 page)

The executive summary is written for readers who won’t read the rest of the document — typically senior management and board members reviewing the BCM program.

Include:

• Exercise date, type (tabletop, functional, full-scale), and scenario name
• Total number of participants and departments represented
• High-level summary: how did the exercise go overall?
• Number of findings (broken down by severity: Critical / Significant / Minor)
• Top 2–3 corrective actions, with expected completion dates

Keep this to one page. If it’s longer, you’ve written a second introduction.

Section 2: Exercise Overview

This section provides the context any reader needs to understand what happened.

Include:

• Scenario summary: What was the exercise scenario? (e.g., “A ransomware attack encrypts the core banking system and customer database at 7:45am on a Tuesday. The IT help desk receives the first alerts at 8:00am.”)
• Exercise objectives: What was the exercise designed to test? List 3–5 specific objectives (e.g., “Test activation procedures,” “Validate communication protocols,” “Identify technology recovery dependencies”).
• Scope: What processes, systems, and locations were in scope?
• Participants: List attendees by name, title, and department. This creates the audit trail examiners ask for.
• Exercise type and duration: Tabletop? Functional? Full-scale drill? How long did it run?

Section 3: Methodology

Brief section explaining how the exercise was facilitated and how findings were collected. Two to three paragraphs.

Include:

• Facilitation approach (facilitator-led scenario inject, participant-driven response, hybrid)
• How observations were captured (observation forms, facilitator notes, recorded debrief)
• How findings were categorized (severity classification used)

Section 4: Findings — The Core of the AAR

This is the section that matters. Each finding should use the Observation-Discussion-Recommendation (ODR) format — the structure FEMA’s Homeland Security Exercise and Evaluation Program (HSEEP) uses and the format examiners expect.

Observation: A specific, factual statement about what happened during the exercise. Not an opinion — a direct observation.

Example: “When the scenario activated at T+15 minutes, the operations team could not identify the location of the offline backup media for the core banking system.”

Discussion: The context, root cause, and implications of the observation. What does this gap mean for real-world recovery?

Example: “The BCP references ‘offline backup media’ but does not specify storage location, access credentials, or the step sequence for initiating a restore. In an actual ransomware event, this gap would add significant delay to the recovery timeline. The BCP’s stated 4-hour RTO for core banking assumes immediate access to backup media — an assumption that was not validated.”

Recommendation: The specific action needed to close the gap. Who needs to do what, by when.

Example: “Update Section 4.3 of the Core Banking BCP to specify: (1) physical location of offline backup media, (2) access credentials or credential retrieval procedure, and (3) step-by-step restore sequence with estimated time at each step. Assign IT Operations as owner; complete within 30 days.”

Finding Severity Classification

Classify each finding by severity so management can prioritize the corrective action plan:

Section 5: Corrective Action Plan (CAP)

Every finding generates a corrective action. The corrective action plan is a tracking table that captures:

The CAP lives outside the AAR as a tracked document — it should be a standing agenda item at your next BCM steering committee meeting.

Section 6: Appendices

• Attendance roster (signed, if possible)
• Exercise scenario card(s)
• Exercise observation forms (if used)
• Exercise timeline/inject log
• Any scenario artifacts (materials used in the exercise)

What FFIEC Examiners Ask for

When an FFIEC examiner reviews your testing program, the questions cluster around four themes:

1. Did you test? Basic documentation: sign-in sheets, scenario description, exercise date. This is the floor, not the ceiling.

2. Did you document what happened? The AAR. Not notes — a formal document with findings.

3. Did you track findings to completion? The corrective action plan, with evidence of closure. An open finding from two exercises ago without a remediation date is a problem.

4. Did testing change anything? The BCP update log. If your last three exercises produced findings and your BCP hasn’t been updated in two years, something is broken. Examiners connect the dots.

The testing program that passes exam scrutiny has: annual exercises at minimum, an AAR with documented findings, a corrective action plan with named owners, evidence of closure, and a BCP that was updated based on what the exercise revealed. If you’re building out your exercise program and haven’t started with scenarios, see our guide to tabletop exercise scenarios for business continuity.

Common AAR Failures

No findings documented. “The exercise went well” is not a finding. Every exercise reveals something — a process ambiguity, an outdated contact, an assumption that wasn’t validated. If your AAR has zero findings, either the exercise wasn’t challenging enough or the facilitation was too passive.

Findings with no owners. “Update the BCP” assigned to no one means it won’t happen. Every corrective action needs a named individual, not a function or department.

No connection to BCP updates. Findings from exercises should drive BCP revisions. If your last AAR generated five findings and none of them made it into the BCP, the program isn’t working. ISO 22301 Clause 8.5 treats this as a nonconformity.

AAR buried in a folder. The AAR is a live document until every corrective action is closed. It should be reviewed at BCM steering committee meetings, not filed after the exercise. BCM programs often track this separately in an issues log or corrective action register.

Only documenting what went wrong. Strengths deserve documentation too — especially capabilities you want to replicate in future exercises. “The crisis communication tree activated in under 10 minutes” is worth capturing because it validates a control.

A Note on ISO 22301 Clause 8.5

ISO 22301:2019 Clause 8.5 requires that exercises be conducted at planned intervals and that results are used to evaluate and improve BCMS effectiveness. The standard uses the phrase “documented information” — meaning your exercise records, including the AAR, are mandatory, reviewable artifacts.

What certification bodies look for in an audit:

• Evidence that exercises were conducted (schedule, attendance, scenario)
• Evidence that results were documented and analyzed (the AAR)
• Evidence that findings drove improvements (plan updates, corrective actions closed)
• Evidence of a continuous improvement cycle, not a one-time event

An internal audit finding commonly cited in BCMS audits is “lessons learned from exercises not incorporated into plans” — which is exactly what a closed-loop AAR process is designed to prevent. See our guide on building and executing a tabletop exercise template for the upstream design process.

Connecting the AAR to Your BCP Review Cycle

The AAR is most valuable when it’s connected to your BCM maintenance cycle, not treated as a standalone event:

1. Exercise produces hot wash notes and AAR
2. AAR produces corrective actions with owners and due dates
3. Corrective actions drive BCP and BIA updates
4. BCP updates are documented in the change log
5. Next exercise validates whether the changes actually fixed the problems

This loop is what “continuous improvement” means in practice. FFIEC’s maintenance guidance and ISO 22301 Clause 10 (Improvement) are both pointing at the same thing: the program gets better through systematic cycles of testing, documenting, updating, and retesting.

For organizations building out their full BCM testing approach — including how exercises fit into an annual testing calendar — our comprehensive business continuity testing guide covers the full picture.

So What?

An exercise without an AAR is organizational theater. Your team practiced, your facilitator asked good questions, real problems were identified — and then nothing changed because no one wrote it down in a way that created accountability.

The AAR template is simple: Executive Summary → Exercise Overview → Methodology → Findings (using ODR format) → Corrective Action Plan → Appendices. Write it within 10 business days. Assign every finding to a named owner with a specific due date. Track corrective actions through closure at your next BCM steering meeting. Update the BCP.

That’s the loop. That’s what FFIEC and ISO 22301 are asking for. And that’s what separates a testing program that improves your resilience from one that just satisfies the annual calendar requirement.

Frequently Asked Questions

What is an after-action report (AAR) for a BCP exercise? An AAR is a formal written document produced after a BCP exercise that summarizes what happened, identifies strengths and gaps, documents findings using a standardized format, and specifies corrective actions with owners and due dates. It’s the mechanism that turns a 90-minute exercise into a lasting improvement in your BCP.

What is the difference between a hot wash and an after-action report? A hot wash is an informal debrief conducted immediately after the exercise — 15–30 minutes of facilitated discussion while observations are fresh. An AAR is the formal written document produced in the days following, incorporating structured findings and a corrective action plan. The hot wash captures raw observations; the AAR organizes them into actionable intelligence.

What sections should a BCP exercise AAR include? Executive Summary, Exercise Overview, Methodology, Findings (using Observation-Discussion-Recommendation format), Corrective Action Plan with owners and due dates, and Appendices (attendance roster, scenario cards, timeline).

What does FFIEC require for BCP exercise documentation? The FFIEC BCM booklet requires that exercise results be documented, findings be tracked through remediation, and the BIA and BCPs be updated based on lessons learned. Examiners ask for the AAR and corrective action records to verify that testing creates genuine program improvement.

Does ISO 22301 require an after-action report? ISO 22301 Clause 8.5 requires that exercises are documented and that results are used to improve BCMS effectiveness. The documentation requirement is functionally equivalent to an AAR. Certification bodies look for evidence that exercise findings drove measurable improvements.

How long after an exercise should the AAR be completed? Best practice is to complete the draft AAR within 5–10 business days of the exercise. The corrective action plan should be finalized and assigned within 30 days. Waiting longer significantly reduces the likelihood that findings will be acted on.