Skip to content

Lesson 5.4 - Post-Incident Review

  • Build a factual incident timeline.
  • Identify root cause, contributing factors and control gaps.
  • Assign corrective actions with responsible parties and due dates.
Incident Closed Build Timeline
Timeline Confirm Facts / Evidence
Facts Root Cause Analysis
Root Contributing Factors
Factors Control Assessment
Controls Corrective / Preventive Actions
Actions Assign Shift Leader / follow-up / Due Date
Lead Follow-up Review
  1. What happened?
  2. When did it happen?
  3. What was the client, system and risk impact?
  4. Why did it happen and which controls were involved?
  5. What must change to reduce recurrence?
Type Example
Root cause Quote-source session failure
Contributing factor High-impact news and thin liquidity
Control that worked Quote-source issue was isolated from normal monitoring
Control gap Early quote-quality deterioration was not clearly highlighted
Preventive action Add quote-source degradation alert threshold

Quote Anomaly Review

Incident: one quote source bad tick was accepted and triggered client stops.

Review outcome: - Root cause: filter threshold did not catch that quote pattern. - Contributing factor: no secondary-source comparison alert. - Immediate action: approved temporary monitoring rule. - Preventive action: improve filter and test on historical ticks. - Follow-up: verify no similar events for 30 days.

Every action should include clear description, Shift Leader / follow-up, due date, priority, verification method and status.

A strong post-incident review turns operational events into improved controls, clearer ownership and lower future risk.


End of Chapter 5 Module A

Incident Record Template

During or after a material incident, the record should separate observation, scope, evidence, action and closure. Do not write conclusions before facts are verified.

Incident ID:
Severity: P1 / P2 / P3 / P4
Detected by:
Detection time:
Incident lead:

Observation:
- What was observed?

Scope:
- Platform:
- Symbols:
- Quote source / Bridge status:
- Client / group impact:
- Exposure impact:
- Company risk impact:

Timeline:
- HH:MM:
- HH:MM:
- HH:MM:

Verified evidence:
- Logs:
- Metrics:
- Order / deal IDs:
- Quote / quote source data:

Market context:
- Event / session:
- Spread / execution context:

Actions:
- Action taken:
- Shift Leader / follow-up:
- Approval required?
- Escalation recipients:

Recovery criteria:
- What must normalize?
- Monitoring period:
- Remaining remaining considerations:

Closure:
- Recovery confirmed by:
- Closure time:
- Post-incident review lead:
- Corrective action due date:

Rule: facts and assumptions must be separated. If root cause has not been verified, write "under review" rather than presenting a conclusion.

Completion Criteria

  • Can explain the key risk or operational objective of this lesson
  • Can identify the required systems, data, or evidence to review
  • Can describe the correct escalation or handling process
  • Has completed Shift Leader / follow-up review or practical confirmation