Lesson 5.4 - Post-Incident Review¶
- Build a factual incident timeline.
- Identify root cause, contributing factors and control gaps.
- Assign corrective actions with responsible parties and due dates.
- What happened?
- When did it happen?
- What was the client, system and risk impact?
- Why did it happen and which controls were involved?
- What must change to reduce recurrence?
| Type | Example |
|---|---|
| Root cause | Quote-source session failure |
| Contributing factor | High-impact news and thin liquidity |
| Control that worked | Quote-source issue was isolated from normal monitoring |
| Control gap | Early quote-quality deterioration was not clearly highlighted |
| Preventive action | Add quote-source degradation alert threshold |
Quote Anomaly Review¶
Incident: one quote source bad tick was accepted and triggered client stops.
Review outcome: - Root cause: filter threshold did not catch that quote pattern. - Contributing factor: no secondary-source comparison alert. - Immediate action: approved temporary monitoring rule. - Preventive action: improve filter and test on historical ticks. - Follow-up: verify no similar events for 30 days.
Every action should include clear description, Shift Leader / follow-up, due date, priority, verification method and status.
A strong post-incident review turns operational events into improved controls, clearer ownership and lower future risk.
End of Chapter 5 Module A
Incident Record Template¶
During or after a material incident, the record should separate observation, scope, evidence, action and closure. Do not write conclusions before facts are verified.
Incident ID:
Severity: P1 / P2 / P3 / P4
Detected by:
Detection time:
Incident lead:
Observation:
- What was observed?
Scope:
- Platform:
- Symbols:
- Quote source / Bridge status:
- Client / group impact:
- Exposure impact:
- Company risk impact:
Timeline:
- HH:MM:
- HH:MM:
- HH:MM:
Verified evidence:
- Logs:
- Metrics:
- Order / deal IDs:
- Quote / quote source data:
Market context:
- Event / session:
- Spread / execution context:
Actions:
- Action taken:
- Shift Leader / follow-up:
- Approval required?
- Escalation recipients:
Recovery criteria:
- What must normalize?
- Monitoring period:
- Remaining remaining considerations:
Closure:
- Recovery confirmed by:
- Closure time:
- Post-incident review lead:
- Corrective action due date:
Rule: facts and assumptions must be separated. If root cause has not been verified, write "under review" rather than presenting a conclusion.
Completion Criteria¶
- Can explain the key risk or operational objective of this lesson
- Can identify the required systems, data, or evidence to review
- Can describe the correct escalation or handling process
- Has completed Shift Leader / follow-up review or practical confirmation