Incident Management

A clear severity classification enables appropriately scaled responses without over-mobilizing resources for minor issues. Standard framework: SEV-1 (Critical) — complete service unavailability affecting all or most customers; requires immediate escalation to engineering leadership, executive notification, and public status page update within 15 minutes. SEV-2 (Major) — significant feature degradation or subset of customers unable to use core functionality; requires engineering on-call response and status page update within 30 minutes. SEV-3 (Minor) — limited functionality degradation affecting a small subset of customers or a non-critical feature; managed during business hours with a target resolution time. SEV-4 (Informational) — cosmetic issues or minor UX degradation with a clear workaround available; tracked as a bug, resolved in the normal development cycle. Support Ops trains agents to correctly classify incidents and escalate SEV-1 and SEV-2 to the on-call engineering team immediately.

Customer-facing incident communication requires speed, honesty, and appropriate technical depth for each audience. Timeline: within 15 minutes of incident detection, post a public status page update acknowledging the issue (even if investigation is just beginning — "We are aware of an issue affecting [Feature X] and are investigating"). Every 30 minutes during active incidents, update the status page with investigation progress. When resolved, post a closure update including: what happened (brief), when it started and ended, and what was done to resolve it. Within 72 hours, post a post-incident review summary for SEV-1 and SEV-2 incidents, covering root cause, timeline, and future prevention measures. Support teams handling incoming ticket volume during incidents should use macro responses linking to the status page, preventing agents from duplicating investigation effort across individual tickets.

A blameless postmortem focuses on system and process failures, not individual blame — the goal is learning and prevention, not accountability assignment. Effective postmortems include: a detailed timeline of the incident from first detection to resolution, reconstructed from logs, monitoring alerts, and Slack messages; a root cause analysis using the "5 Whys" technique (asking "why?" repeatedly to reach the true systemic cause rather than the proximate cause); identification of contributing factors beyond the root cause; and concrete action items to prevent recurrence, each with an owner and due date. Product Ops facilitates the postmortem meeting (typically 60–90 minutes, held within 5 business days of resolution), maintains the postmortem database, and tracks action item completion through to closure, reporting quarterly on postmortem-to-remediation completion rates.