I recently presented a webinar with DevOps.com about the behaviors we see in teams who represent the leading edge of incident management. Using the incident management lifecycle as a jumping off point, we explored ten tips that nest into each of the five phases of an incident's lifecycle. Depending on a team's relative maturity, these ideas may represent anything from a starry-eyed daydream to an example of your normal operating practice.
A recording of the presentation, polls, and Q&A can be viewed here. I’ll explore the topics discussed further below.
Incident Management Lifecycle
As we’ve discussed before, we like to break up conversations around incident management into five phases. This framework gives us a common language to discuss improvements that teams can adopt to make on-call suck less.
Most people immediately recognize the first three phases; that’s certainly where all the action and adventure lives in on-call. That said, the last two are the most important for a team if reducing time-to-resolution is their focus. Analysis and readiness are where teams focus on learning and enacting improvements. Without significant, ongoing focus on these phases, teams will rarely manage to get out of a break/fix cycle.
The Zeroth Tip
Iteration. I cannot overstate that the best thing you can do to get better at incident management is to keep trying to get better at Incident Management. In most environments, the reality of on-call is a kind of foggy staggering between outages. A large event will occur, after which teams will scurry around trying to implement changes to detection, response, remediation, and systems all at once. A harried two weeks will come to a close with many ideas half implemented, then everyone returns to their day job of programming or systems. No further work is performed to get things better until the next big outage.
This is not a recipe for success.
Every iteration, every week, some percentage of the roadmap must be devoted to ongoing improvements to the systems, process, and people behind your on-call rotations.
Tip #1- Take a Blended Approach to Detection
Simple, static monitoring never provides a sufficient picture of system or application health. The best teams have a mature blend of Static, Synthetic, APM, Time Series, and Log Analysis systems in place.
While a blended approach gives far more insight and intelligence about what’s going on, teams must be wary of alert fatigue from too many things going beep.
Tip #2- Focus on Business Outcomes
While the aggregate network throughput on the outside interface of your load balancer is an interesting metric, it means little compared to midday revenue. Why has engineering moved so far away from business outcomes? The best teams use the businesses’ core metrics as a means to detect application health, and respond in kind to changes or variance beyond expected norms.
This expanded view of application health encourages incident management teams to consider the multitude of inputs (social media, NPM, etc.) available for them. The best incident management teams are multidisciplinary; they work closely with many organizational elements in the business.
Tip #3- Keep Alerts Actionable
So much has been said about this, you’d think we could all move on. However, the number one thing I still hear in casual conversations is how alert storms and un-actionable nonsense are ruining a team’s morale.
Actionability means both that the alert requires action (instead of being purely informational), and that the alert has been delivered to someone with the permission and ability to perform said action.
Tip #4- Start or Grow Your ChatOps Practice
At any level of adoption, ChatOps is a game changer for teams. Particularly as teams move to fully integrated ChatOps environments, the benefits to all phases of the lifecycle are manifest. At the most basic level of adoption, ChatOps creates a common, time-indexed, and searchable record of the firefight. These transcripts are useful for others joining the action and getting up to speed, and in the Analysis phase of after-action discussions.
An interesting poll result from the webinar shows that while adoption is growing, ChatOps remains an opportunity for a lot of teams. 25% of respondents indicated no use of ChatOps in their teams.
Tip #5- Runbooks Are Central to Remediation
As engineering teams continue to adopt complex technology systems, helping incident responders understand the what of a system becomes a critical area of focus. Getting paged for the Nth microservice created this week is great… if it’s your service. Cross-training for every application is hardly practical, so the best teams rely on runbooks as a bridge to establish context for on-call teams.
The best runbooks have several characteristics:
Clearly explain metrics and alerts.
Clearly explain application or system role.
Identify upstream and downstream dependencies.
Identify an escalation point or Subject Matter Expert.
Enumerate known failure states or symptoms.
List (through integration) recent work or incidents.
Are routinely updated.
Tip #6- Adopt Infrastructure-as-Code
It’s tough to call this a tip given the work involved for any team to move from older methods of maintaining infrastructure. Adopting configuration or infrastructure as code represents a multi-year project for nearly any established business.
The difficulty of adopting this approach aside, teams who operate infrastructure in the same workstream as developing code are a breed apart. Consolidated workstreams create a step function in efficiency and adaptability for any DevOps team dealing with outages. Full transparency into all state changes in systems lead to quicker diagnosis, and the ease with which these teams actualize changes are doubly impactful to remediation efforts.
Tip #7- Data Drives Investigation
If, like me, you’re tired of hearing about “data-driven” things, you can mentally rewrite this tip title to read “rigorous methodology drives investigation.” The best teams keep after-action analysis focused on clean observation, testable hypotheses, clear success criteria, and an iterative approach to learning. At their best, these approaches look more like the scientific method than anything else.
Moreover, these teams discuss the impact of cognitive biases on their work. Objectivity, rigor, and defensible analysis rule the day.
Tip #8- Keep Postmortems Blameless
Much like #3 above, this advice almost seems like piling on – who has been at a conference in the past year where at least one “blameless postmortem” talk was given? The number of people advocating it, though, is an indication of how utterly required it is for any on-call team. Blameful culture cripples responders, as they are less likely to act in the moment, and more likely to hide information after the fact.
The best teams create a culture where responders are empowered to act, expected to act, and rewarded for taking smart action. A postmortem focused on learning as much as possible from an event is one way to help foster a culture of action in your team.
Tip #9- Keep Postmortems Actionable
The most objective, learning-focused, rigorous Analysis phase imaginable is worth little if no action is taken. Far too often, teams go through the motions of after-action discussion, then lose track of the ideas, lose time to implement, or lose focus on those ideas through lack of leadership.
Improvements to incident management are as important, less important, or equally important as feature requests. Who knows which? Keeping product managers involved in your readiness will enable clear discussions about the tradeoffs with other work being planned. Adding those improvements to the same workstreams will not ensure they are actioned, but it does help you create a running backlog of desired improvements that can be added to longer term roadmap planning.
Tip #10- Organize the Swarm
One of the best questions from the Q&A time at this event was (paraphrased): “How can you help a team deal with the unknown or unexpected?” This is the heart of really everything we do. Things are going to break. They are probably going to break badly. They will break in a way you have only vaguely imagined… how can we be ready for the unknown?
The short answer is, you can’t! What you can (and should) do instead is focus on setting a group of smart people up for success. Give them tools, give them clear roles and organization, and let them be smart. They’ll figure it out, as long as they aren’t also trying to figure out organization and communication at the same time.
Any one of these ideas may represent months of work for a team. None of them is going to solve all your on-call problems the first time you try it. By adopting a continuous improvement mindset, Incident Management teams can implement small changes frequently, and start walking the path to being a highly effective team. These ideas and more are explored in the new ebook The Dev and Ops Guide to Incident Management, which you can download here.