Incident response reports are not only intended to record the facts and findings about a specific incident but should also include lessons learned and recommendations for improving processes and controls to prevent similar future incidents. Excluding such recommendations would limit the usefulness of the report for organizational learning and resilience building.