Mission
By the end of this chapter, you can establish incident command, publish a qualified update, guide a recovery decision, and turn a learning review into verified improvement.
- Measurable outcome: Build an incident command structure, first internal update, and learning-review plan for a multi-team incident; achieve at least 3 of 4 on the rubric.
- Prerequisites: Chapters 16, 22, 24, 25, and 26.
- Work product: An Incident Coordination Card usable in the first ten minutes.
- Time: 75–95 minutes.
Before you read: Predict → Commit → Connect
Northstar Devices has released a firmware update. Some devices repeatedly reboot, the mobile app shows stale status, and Support is posting individual theories into the engineering channel. The most senior executive joins and starts assigning fixes.
Predict the first role you would name and the first sentence you would say. Commit before reading. Connect to Chapter 16: decision rights become most valuable when time and information are scarce.
The first job is to create a control system
An incident is not simply a technical fault. It is a fast-changing program with uncertain scope, multiple workstreams, customer harm, competing hypotheses, and a severe attention constraint. The TPM may become incident commander if the local model assigns that role, but seniority or job title should not decide automatically. The commander needs authority, calm, system-level attention, and freedom from hands-on diagnosis.
A practical minimum structure separates four functions:
- Incident command: sets objectives, priorities, severity, cadence, and role changes.
- Technical operations: investigates, mitigates, validates, and reports evidence.
- Communications: creates one truthful view for internal and external audiences.
- Scribe/coordination: records timeline, decisions, owners, hypotheses, and next checkpoints.
Large incidents may add customer support, legal/privacy, vendor, logistics, safety, regional, or continuity leads. Add roles when they reduce cognitive load; do not build an org chart while harm grows.
The commander protects the system from two common failures. First is role collision: the same person diagnoses a low-level bug, answers executives, and decides rollback. Second is hypothesis capture: the loudest theory becomes “the cause” before evidence exists. Maintain a distinction among observation, hypothesis, action, result, and decision.
Stabilize, communicate, learn
The operational sequence is not a rigid waterfall. Detection, analysis, containment, recovery, and communication overlap. Still, explicit objectives help:
- Establish scope and immediate harm.
- Stop amplification where a safe containment exists.
- Preserve evidence and decision history.
- Restore a known acceptable service state.
- Validate recovery from the customer and system perspectives.
- Transfer to normal ownership with heightened monitoring.
- Conduct a learning review and close corrective actions.
NIST SP 800-61 Revision 3, finalized in April 2025, frames incident response as part of continuous cybersecurity risk management rather than an isolated emergency phase. That principle generalizes: readiness before the incident and institutional learning after it determine response quality during it.
Communication is an operational control. An update should state what is known, user impact, what is being done, what is explicitly unknown, and when the next update will arrive. Avoid causal certainty before evidence. Avoid “no impact” when you mean “no impact observed yet.” Cadence is a promise; if there is no new fact, say so at the promised time.
For Northstar, a clean first update might be:
We declared SEV-1 at 14:08 UTC for repeated reboots after firmware 8.4. Confirmed scope is still under investigation; affected devices may appear stale in the app. Automatic rollout is paused. The firmware team is testing rollback compatibility while cloud operations verifies whether stale state persists after recovery. We have not established root cause. Next update: 14:25 UTC.
Decision rights: Who owns what?
- The incident commander owns incident objectives, severity, cadence, role assignment, and operational decision closure within the response charter.
- Technical leads own diagnosis and the integrity of technical recommendations.
- Service owners/SRE normally own mitigation and recovery execution for their systems.
- Security, Privacy, Legal, Safety, and Communications own specialist obligations and regulated notifications where assigned.
- Product/Business leadership owns customer and business trade-offs outside the commander’s delegated authority.
- The TPM often owns cross-team coordination, dependency visibility, decision records, executive alignment, and follow-through. If the TPM commands, appoint another scribe/coordinator.
The executive does not gain tactical command merely by joining. The commander should translate executive intent into objectives and keep hands-on work inside the response structure.
I do
I respond to the executive: “We have one incident command channel and Priya is commander. Our objective is to stop additional device impact and validate a safe rollback. Please route priorities to Priya; Marco will give you updates every 20 minutes.” This acknowledges authority while preventing parallel command.
I create a decision log entry before rollback: evidence, options, compatibility uncertainty, customer harm of waiting, authorized decider, decision, validation checks, and fallback.
We do
At 14:22, engineers report that rollback works on lab devices, but 8% of the field population missed the last bootloader update. Waiting for segmentation takes 45 minutes. Continuing reboots may damage customer confidence but is not known to damage hardware.
Together formulate the commander’s decision request. Separate known fact, uncertainty, option, consequence, and recommendation.
Show the model answer
Model answer
Known: rollback succeeds on current-bootloader lab devices; field bootloader state is incomplete. Unknown: rollback behavior for up to 8% of devices. Option A rolls back all devices now, reducing active reboots but exposing the uncertain segment. Option B holds broad rollback for up to 45 minutes while pausing rollout and testing/segmenting. Technical Operations recommends B, with targeted rollback for confirmed-compatible devices, because current harm is disruptive but not known to be destructive. Decision owner: incident commander with firmware service owner; next checkpoint 15:05 UTC.
Rubric (0–4)
- 0: Announces an action without evidence or owner.
- 1: Lists facts but not uncertainty or consequences.
- 2: Gives options and recommendation but lacks decision authority or checkpoint.
- 3: Separates fact/hypothesis, names trade-offs, owner, and validation time.
- 4: Also limits blast radius, preserves evidence, and states reversal conditions.
You do
Create an Incident Coordination Card:
| Field | Entry |
|---|---|
| Incident ID / severity / declared time | |
| Commander / technical lead / comms / scribe | |
| Confirmed user impact | |
| Unknowns and leading hypotheses | |
| Current objective | |
| Containment or mitigation | |
| Decisions needed and authorities | |
| Update audiences and cadence | |
| Recovery validation | |
| Next checkpoint |
Then draft the first 100-word update. After recovery, write five learning-review prompts: what signals existed, what made the response harder, which defenses worked, how decisions made sense at the time, and which system changes will reduce recurrence or impact.
Learning without ritual blame
A learning review reconstructs conditions and decisions; it does not search for a careless person to complete the narrative. “Human error” is a label, not a causal explanation. Ask what made the action locally reasonable, which controls were absent or misleading, and where the organization relied on heroics.
Blameless does not mean consequence-free. Recklessness, misconduct, or repeated disregard may require separate management processes. Keep those processes distinct from the technical learning review so fear does not erase evidence. Every corrective action needs an owner, due date, priority, verification method, and closure forum. A document without follow-through is incident literature, not improvement.
Pause & Recall
Recall the four minimum roles without looking. From Chapter 22, why does psychological safety affect time-to-detection? From Chapter 26, how could error-budget burn change post-incident release policy? Name one sentence that communicates uncertainty without sounding evasive.
Production lens
Rehearse incident roles and access. Keep alternate commanders across time zones. Test status-page, customer-notification, vendor, and regulatory paths. During a real incident, protect rest and rotate roles before judgment degrades. Track the handoff from incident mode to normal ownership; unresolved temporary controls often become permanent hidden risk.
Workplace artifact: incident update
Copyable update
At [time], we are responding to [observable incident] affecting [confirmed population/journey]. [Containment] is active. We know [facts]; we do not yet know [uncertainties]. Teams are [actions] under [commander]. Customers should [guidance, if any]. Next update: [time], even if status is unchanged.
Chapter compression
An incident is a compressed technical program. Establish command, technical operations, communications, and a record. Separate observation from hypothesis. Contain harm, validate recovery, communicate at a promised cadence, and convert learning into verified system change.
Retrieval deck
- Q: Why separate incident command from technical diagnosis? A: To preserve system-level attention and avoid role collision.
- Q: What belongs in every update? A: Known impact, action, uncertainty, and next update time.
- Q: What is hypothesis capture? A: Treating the loudest early theory as established cause.
- Q: What makes a learning action real? A: Owner, priority, due date, verification, and closure forum.
- Q: Does blameless mean no accountability? A: No; learning and personnel/conduct processes have different purposes and should remain distinct.
Spaced review
- Now: Name commander, technical lead, communications lead, and scribe for the case.
- +1 day: Recreate the four-role structure and first-update fields from memory.
- +3 days: Draft a decision request that separates fact, hypothesis, option, and owner.
- +7 days: Run a 15-minute declaration-and-update tabletop.
- +14 days: Audit whether one corrective action changed the system and close or replan it.