Skip to main content

Incident response & blameless postmortems

A page fired (lesson 6.5). Something is broken and users are hurting. What now? Without a process, an incident becomes chaos — five people poking at production, nobody coordinating, no communication, and a "fix" that makes it worse. With a process, even a serious outage is calm: detect, coordinate, resolve, then learn. This lesson covers the incident lifecycle, the blameless postmortem that turns failure into durable improvement, and the broader SRE discipline — toil reduction and the error-budget policy — that all of this serves.

The incident lifecycle

An incident is an unplanned disruption or degradation that needs an urgent, coordinated response. The response moves through recognizable stages:

Detect\nalert fires/ reportTriage\nhow bad?assign severityRespond\nICcoordinates, commsflowMitigate\nstop thebleedingResolve\nback tonormalPostmortem\nlearn +action items

Detection and triage

Detection is when you find out — ideally a symptom-based SLO alert (lesson 6.5), not an angry customer tweet. Triage answers "how bad is this?" and assigns a severity level (SEV) that drives the size of the response:

  • SEV1 — major outage, broad user impact, money/trust on the line. All hands, executives informed.
  • SEV2 — significant but partial degradation. Urgent, but not everything-is-on-fire.
  • SEV3 — minor, limited impact. Handle in normal hours.

Severity isn't bureaucracy — it's how you avoid both under-reacting to a real outage and over-reacting (mobilizing twenty people) to a small one. It sets the right response size and escalation.

Roles: the incident commander

The most important idea in incident coordination: appoint an Incident Commander (IC). The IC is the single person who coordinates the response — deciding what to try, directing who does what, and owning communication. Critically, the IC coordinates; they don't have to be the one with hands on the keyboard fixing it. Their job is to keep the response organized so the responders can focus.

Why a single IC matters: without one, an incident fragments — several engineers independently changing production (sometimes undoing each other), nobody with the whole picture, no one talking to the rest of the company. One clear coordinator turns a mob into a team. On larger incidents the IC may delegate further roles (a communications lead for updates, an operations/ops lead doing the hands-on work, a scribe keeping the timeline).

Communication

During an incident, communication is half the job. Stakeholders — support, leadership, sometimes customers via a status page — need to know what's happening, even if the message is "we're aware and investigating." A single channel (an incident chat room) and regular updates from the comms lead prevent the second disaster: everyone interrupting the responders to ask "is it fixed yet?" A scribe keeping a timestamped timeline is gold later, for the postmortem.

Mitigate first, fix later

A crucial reflex: stop the bleeding before you find the root cause. If rolling back the last deploy makes users healthy again, do that first — mitigation — even before you understand why the deploy broke things. Restoring service for users is the priority; the deep diagnosis happens afterward, calmly, in the postmortem. (This is why the immutable-tag, revert-the-commit rollbacks from Chapter 5's progressive delivery matter so much — fast, safe mitigation.) Resolution is when service is fully restored to normal.

The blameless postmortem

After any significant incident, you write a postmortem (also "incident review" or "retrospective"): a document capturing what happened, why, and what you'll change so it doesn't happen the same way again. The single most important adjective is blameless.

:::tip Blameless means systems, not scapegoats A blameless postmortem assumes people acted reasonably given what they knew at the time, and asks what about the system let a normal human action turn into an outage — not who to blame. The instant a postmortem becomes about punishing a person, you've destroyed its entire value: people start hiding mistakes, stop reporting near-misses, and the organization goes blind. Blameless culture is what makes honesty — and therefore learning — possible. "Someone ran the wrong command" is never the lesson; "the system let a single wrong command take down production with no guardrail or confirmation" is. :::

Root cause vs contributing factors

Naive postmortems hunt for the root cause — the one triggering thing. Mature ones know that real outages are almost never one cause; they're a chain of contributing factors that each had to line up: a deploy and a missing test and an alert that was too slow and a runbook that was out of date. If you "fix the root cause" and ignore the contributing factors, the same accident recurs through a different door. The good postmortem addresses the systemic weaknesses that let a trigger become an outage — that's where durable reliability comes from.

The payoff: action items and runbooks

A postmortem that ends in a feeling ("we'll be more careful") is wasted. A good one ends in two durable artifacts:

  • Action items — concrete, owned, and tracked follow-up tasks: add the missing guardrail, write the alert that would have caught it sooner, fix the slow rollback. An action item with no owner and no due date is a wish, not a fix. These are how an incident actually makes the system better.
  • Runbooks — a runbook is a documented, step-by-step procedure for handling a known situation, so the next on-call engineer can resolve it fast without re-deriving everything at 3 a.m. Incidents are the raw material for runbooks: "here's how we diagnosed and fixed this; next time, follow these steps." Over time a library of runbooks turns scary novel incidents into routine, documented responses.

This loop — incident → blameless postmortem → action items + runbooks → a more resilient system — is the mechanism by which mature teams get steadily more reliable. Failure becomes fuel.

The broader SRE discipline: toil and the error-budget policy

Incident response and postmortems sit inside the larger discipline of SRE (Site Reliability Engineering) — running production systems using software-engineering practices. Two more durable ideas complete the picture.

Toil

Toil is the manual, repetitive, automatable operational work that scales with the size of your service and produces no lasting value — restarting a stuck service by hand, manually provisioning the same thing again, clicking through the same recovery steps every week. Toil isn't all operational work; it's specifically the dull, repetitive, automatable part. SRE treats toil as the enemy because it grows linearly with the system (more services = more manual chores) until it consumes all your time and leaves none for engineering. The mandate: cap toil and automate it away. Google's classic guideline is keeping toil under ~50% of an SRE's time, with the rest spent on engineering that reduces future toil. Every recurring manual fix is a candidate to be turned into automation — often, fittingly, a runbook automated into a script.

The error-budget policy, revisited

Recall the error budget from lesson 6.4 (100% − SLO) and its policy — the pre-agreed rule for what happens as the budget depletes. This is the governance layer that ties the whole chapter together and balances reliability against feature velocity:

  • Budget healthy → ship features, take risks (you're more reliable than you need to be).
  • Budget exhausted → freeze risky changes, redirect effort to reliability and toil reduction until you're back in budget.

The error-budget policy is what makes "how reliable is reliable enough?" a managed, data-driven decision instead of a recurring argument — and it's the spine of SRE as a discipline.

Common pitfalls

  • No incident commander. A leaderless mob, people undoing each other's changes, nobody communicating.
  • Diagnosing before mitigating. Hunting the root cause while users keep suffering, instead of rolling back to stop the bleeding first.
  • Blameful postmortems. Turning the review into "whose fault?" — which teaches everyone to hide mistakes and kills learning.
  • Chasing a single "root cause." Ignoring the chain of contributing factors, so the accident recurs through a different path.
  • Postmortems with no owned action items or runbooks. A document that produces feelings, not durable fixes — the incident taught nothing.
  • Ignoring toil. Letting manual, automatable work grow unchecked until ops drowns and there's no time left to engineer reliability.

Why it matters

When a page fires, a process turns chaos into calm: detect → triage (assign a severity) → respond under a single Incident Commander who coordinates and communicates → mitigate (stop the bleeding before diagnosing) → resolve. Then the real value is captured in a blameless postmortem that asks what about the system let a reasonable human action become an outage — addressing the chain of contributing factors, not hunting one scapegoat or one "root cause" — and that ends in owned action items and durable runbooks, so each failure makes the system measurably stronger. All of it lives inside the SRE discipline: relentlessly reducing toil (manual, repetitive, automatable work) so engineers can engineer, and governing the reliability-vs-velocity trade-off with the error-budget policy. That's the full arc of this chapter — from seeing the system to running it well. Next, lock it all in.

Next: Chapter 6 checkpoint →