The Requirements For Aftermath Projects

Given that this is the holiday season in the US and both “Black Friday” and “Cyber Monday” are coming up, we thought we’d give some more detail on what doing an Aftermath project entails.

We sincerely hope not to hear from you!

What is an Aftermath project?

An “Aftermath” project is an immediate investigation and analysis of a significant incident. 

An Aftermath project provides senior management with a calibrated, independent review of the incident and the response. Aftermath projects ‘work’ because ACL is neutral, independent, and highly qualified to investigate, analyze, and produce and share productive perspectives and understandings.

An Aftermath project is intense, exciting, and different from the projects we do more often. The aftermath of a major incident is a difficult and even dangerous period. But, as the saying goes, “This ain’t our first rodeo!” Our goal is to help the client company understand the incident and response in productive ways.

Why would a company ask ACL to come in and do such an analysis? 
  1. to demonstrate to stakeholders (such as investors, board members, partners, customers, etc.) that leaders are taking the event seriously;
  2. to provide an independent, explicit, technical account of the event and response;
  3. to reduce the tensions that flow from high-impact events;
  4. to prepare for additional reviews and follow-on decision making.

In some cases, clients ask us to do an aftermath analysis because they believe stakeholders (investors, board members, etc.) are skeptical that they’d be able to do a deep and productive analysis themselves. On one occasion, we heard the client was told rather bluntly (paraphrasing) “Why should we trust you to do the follow-up investigation when you were the ones who created the incident in the first place?” The client mentioned that the fact that we are an external (neutral, independent) group was just as important as the quality of the analysis.

What is the product of the analysis?
  1. The tangible products are: 
    1. a written report and 
    2. a presentation to management describing the results of the analysis.
  2. The intangible products are:
    • immediate action that resonates with stakeholders, who are typically the primary audience for the results;
    • recognition of the company’s determination to obtain an independent evaluation of the incident and response;
    • interaction with operators, engineers, and managers that bolsters the company’s expressed interest in a thorough and deliberate analysis;   
    • the visible, palpable presence of the ACL team on site.

How long does it take?

Aftermath projects take about 3 weeks: 2 weeks for data collection and analysis, 1 week for synthesis, writing, and presentation.

Where does it happen?

Aftermath projects are conducted on-site. ACL personnel are present throughout the project. The final presentation takes place on-site.

What is the startup process? How do we get going?

    1. A company senior manager contacts ACL via email or phone to set up a meeting.
    2. The senior manager provides the company’s Non-Disclosure Agreement to ACL and the NDA is executed.
    3. ACL and company senior managers have a short videoconference that reviews the incident and immediate concerns.
    4. ACL proposes and the company accepts a formal engagement.
    5. ACL personnel travel to the site and begin work.

What sort of event is suitable for an Aftermath project?
    1. The event occurred in the past 24 to 72 hours and the engagement will start within 24 to 48 hours; an older event or a delay in startup is likely to make Aftermath work impractical (more on this below);
    2. The event took place in an IT system, subsystem, or supporting system;
    3. The event involves a response process with IT features;
    4. The event has generated a substantial loss OR a repeat of the event would likely generate substantial loss;
    5. The event is not a crime.

What are the obstacles?
  1. Organizational “drag” in approval:
    • Typical procurement processes don’t move quickly, even for a 2-3 week project.
    • Approval and endorsement from the highest company authority is essential. Without this approval it is difficult to obtain cooperation at all levels of the organization.
  2. Entanglement with other investigations: parallel regulatory or legal processes may make an Aftermath project infeasible.
  3. Cost is usually not an obstacle. The incident will already have generated much greater costs and likely threatens to do more damage.

If we can’t begin the analysis within days of the event, we’re not likely to be able to do the project. Why? Most importantly, the later we show up, the more the memories of individual perspectives will have coalesced into a single “party line” story. If we begin our analysis and everyone we speak with gives us (roughly) the same story, it’s a signal that we’re too late to obtain authentic recall.

People talk to each other, especially right after significant events. This immediate sense-making takes place among those responding to the event. As time passes, the impact of the event and its consequences become clearer. Agendas and cross-currents begin to modify the story of the incident. Blame attaches to some people, groups, or parts of the org. Counterfactuals (“If only X had not been broken this would never have happened”) begin to dominate the interpretation of the event. Different perspectives harden into fixed accounts — often incomplete or even incorrect but nonetheless satisfying — that vie for attention. Peripheral issues begin to join as stakeholders recognize the potential of the incident as a motive force.

In parallel, work continues to “clean up” the aftermath. Customers or partners are contacted. Contractual obligations and their consequences are evaluated and plans generated to deal with them. Over time, stories about the origins of the incident are simplified and become narrow as the organization struggles to free itself of the fear, shame, and anxiety that the event produced.
