AS-301h · Module 3

Improvement Action Tracking

The post-incident review produces improvement actions. The improvement action tracking system ensures they actually get implemented. Without tracking, improvement actions join the graveyard of well-intentioned tasks that nobody prioritized. The cycle repeats: incident, review, actions, no follow-through, same incident.

Do This

  • Assign every improvement action a specific owner, a deadline, and a verification method — "done" means verified, not claimed
  • Track actions in the same system used for engineering work — not a separate compliance tracker that nobody checks
  • Report action completion status in the quarterly security review — leadership visibility creates accountability

Avoid This

  • Document actions in the post-mortem document and consider them tracked — documents are not tracking systems
  • Allow actions to be deprioritized indefinitely — if the action matters enough to identify, it matters enough to schedule
  • Mark actions as complete without verification — an unverified fix may not be a fix at all