The next step in the recovery phase focuses on evaluating how well your mitigation strategies performed during the PNT disruption and using these insights to enhance your organisation's response capabilities. This process involves a thorough assessment of the incident, identifying what worked well, where improvements are needed, and updating both response plans and continuity frameworks. By systematically incorporating lessons learned, organisations can build greater resilience and readiness for future disruptions.

Organisations should conduct a comprehensive After-Action Review (AAR). Bring together key stakeholders involved in the response, including senior leaders, technical teams, operations managers, and external partners (e.g., PNT service providers, regulatory bodies). Ensure the review captures diverse perspectives on the disruption and the effectiveness of the response. The AAR should be structured to cover:

• An overview of the disruption (cause, duration, affected systems).
• A timeline of the response actions taken.
• An evaluation of the performance of mitigation strategies.
• Identification of gaps, challenges, or unexpected issues.
• Recommendations for improvements.

Use the data collected during the "Act" phase (e.g., performance metrics, system logs, root cause analysis) to provide an objective basis for assessing the effectiveness of mitigation measures. This ensures that discussions are evidence-based and focused on specific outcomes.

Assess how well backup and redundant PNT solutions performed. Did they activate as planned? Were there any delays or issues in the failover process?

Analyse the effectiveness of the response decisions made by operators and leaders during the disruption. Consider whether the decision-making process was efficient and aligned with predefined plans, note any instances where manual intervention or overrides were necessary and why, and assess the adequacy of communication and coordination across teams and with external stakeholders.

Determine the extent to which the disruption affected critical business functions and services. Did the implemented mitigation strategies adequately minimise operational disruptions and economic impacts? Identify any areas where business continuity was compromised or delayed.

Analyse unmet expectations or failures. Identify any instances where mitigation measures did not perform as expected. This may include:

• Backup systems failing to activate or providing inadequate accuracy.
• Delays in detecting the disruption, leading to slower response times.
• Communication breakdowns, such as inconsistent messaging to stakeholders or customers.

Consider any unforeseen issues that arose during the disruption. For example, if a previously unknown vulnerability was exploited, document this and explore how to mitigate similar risks in the future. Obtain direct feedback from operators, technical staff, and end users who were impacted by the disruption. Their insights can highlight practical challenges and offer valuable suggestions for improving response plans.

Based on the findings of the after-action review, update your incident response plans. This may include:

• Refining detection thresholds to improve early warning capabilities.
• Adjusting failover procedures to ensure faster activation of backup systems.
• Adding new scenarios or edge cases that were not previously accounted for.

Revise communication protocols to ensure timely, accurate, and consistent messaging across all stakeholder groups. Consider developing additional messaging templates for specific disruption scenarios.

Review and update your Business Continuity Plans to reflect the lessons learned during the disruption. Ensure that they include refined strategies for maintaining critical business functions with degraded PNT services and address any newly identified dependencies on PNT data and services. Where necessary provide clear guidance on alternative workflows and contingency procedures for key business processes.

Integrate the findings from the disruption into your risk management framework, updating risk assessments and impact analyses. This helps ensure that new or evolving risks are adequately covered on your risk register and in your mitigation plans.

If the disruption revealed that certain Recovery Time Objectives were not met, update these objectives to reflect realistic response capabilities and adjust resource allocations as needed.