Lesson 08 · Operating at Scale

Incident Leadership

Commanding an incident without touching a keyboard — and turning the postmortem into the most leveraged document you'll write all quarter.

Principal skill · be the calmest person in the worst hour
🎧 Listen to this lesson · ~8 min · narrated audiobook edition

Nothing makes staff+ operation more visible than a major incident. The whole org is watching one Slack channel; executives who've never read your ADRs are reading every message. Whoever brings order to that room is doing leadership without authority in its purest form — which is why incident stories are among the strongest promotion evidence and interview stories there are. But here's the counter-intuitive part this lesson is built on: in a well-run incident, the leader is not the person fixing the system. Leading and debugging are different jobs, and mixing them breaks both.

The Incident Commander model

PagerDuty open-sourced its real internal major-incident process — adapted from the Incident Command System that fire departments and emergency services have used for decades.1 Its center is the Incident Commander (IC): the single source of truth and decision-maker during the incident. And the guide is blunt about what the IC does not do: "You should not be performing any actions or remediations, checking graphs, or investigating logs" — deep technical knowledge is explicitly not required.1 The IC's job is coordination: keep a shared picture of what's happening, decide what happens next, and keep everyone else's hands free to work. The worst IC is often the best engineer on the failing service — because they dive into a terminal, and the moment they do, nobody is commanding the incident.

RoleOwnsNot their job
Incident CommanderDecisions, coordination, the single source of truthDebugging, remediating, reading graphs
ScribeTimestamped record of events and decisionsAnalysis — just capture
Subject-matter expertsDiagnosing and fixing their service, reporting statusDeciding overall direction
Liaisons (customer / internal)Status pages, exec and stakeholder updatesFreelancing messages — IC approves comms

On small incidents one person may wear several hats; the structure flexes. What never flexes is the separation of commanding from fixing. And note what this means for you: you don't need any title to take the IC role — you just need to be the person who brings the structure when nobody else does.

Severity is a decision rule, not a debate

The second load-bearing idea: severity levels are pre-agreed decision rules, set in peacetime — not something to negotiate mid-fire. Each level maps to a response: who gets paged, whether execs are woken, whether you post publicly. PagerDuty's rule for ambiguity is the one to memorize: if you're unsure whether it's a SEV-2 or a SEV-1, treat it as the higher one — and re-grade calmly in the review afterwards.2

LevelRoughly meansResponse
SEV-1Critical: many customers severely impactedFull response, execs notified, public comms
SEV-2Major functionality broken for many usersFull incident response, IC and roles staffed
SEV-3Stability at risk, limited customer impactOwning team responds promptly
SEV-4 / 5Minor or cosmetic, no customer-facing lossNormal work queue — no war room

Talk like a commander

Calm is a skill, and it lives in specific sentence shapes. Decisions use propose-and-object: "I propose we roll back the 14:02 deploy — any strong objections?" — implicit consensus in seconds, no committee. Tasks are assigned by name, with a time-box: "Priya, please check the connection pool change; I'll come back to you in ten minutes — understood?" Unnamed tasks evaporate into the bystander effect. Even executives get a script: if one starts directing the call, the IC asks "do you wish to take command?" — and if not, they observe quietly.1 Practice these shapes on small incidents so they're automatic on big ones; steadiness under pressure is rehearsed, not innate.

The blameless postmortem

The incident ends; the leadership work doesn't. The Google SRE book's chapter on postmortem culture sets the rule: a blameless postmortem assumes everyone involved acted with good intentions on the information they had — the failure belongs to the system, and the fix is better systems, not "fixed" people.3 John Allspaw's canonical essay sharpens the method: "human error" is where the analysis starts, never where it ends.4 If an engineer skipped the canary, the real questions are: why was skipping possible, why did it look reasonable at the time, why did nothing downstream catch it? That's also why strong reviews list contributing factors, plural — real failures are a conjunction of code, process, and detection gaps, and hunting a single "root cause" is mostly theater that stops at the first comfortable answer.

Here's the Principal angle: the postmortem document is org-level leverage. The incident cost you once; the document collects the return — it changes review checklists, deploy pipelines, alert thresholds, and how teams you've never met build things. That's why Google treats postmortems as artifacts to be reviewed by senior engineers, shared across the company, and visibly rewarded by leadership.3 And blamelessness isn't only ethics — it's engineering: people who fear blame hide facts, and a postmortem without facts fixes nothing. A calm IC plus a rigorous blameless review, witnessed by the whole org, is staff+ evidence money can't buy.

The mental model in one line During the fire, one person commands and doesn't touch the system. After the fire, the org studies the system and never the people — because the postmortem, not the fix, is where the incident pays for itself.

🧪 Lab: write a blameless incident review

This lesson's artifact is a one-to-two-page blameless incident review of a real past incident you were near — as responder, bystander, or cleanup crew. Old is fine; real is mandatory. Use this template, in order:

  1. Timeline — timestamped facts only: first signal, detection, escalation, key decisions, resolution. No interpretation yet.
  2. Impact in user and SLO terms — what did users actually experience, for how long, and how much error budget did it burn? (Lesson 07's vocabulary, applied.)
  3. Contributing factors — at least three, spanning more than one layer: code, process, detection. The phrase "root cause" is banned from the doc.
  4. What went well — the alert that fired, the rollback that worked, the person who coordinated. Reviews that skip this teach half the lesson.
  5. Action items — each systemic and owner-shaped: "platform team adds a canary gate to the deploy pipeline," never "engineers should be more careful."

Feedback loop: bring it back to me in chat. I'll review it against a Principal-level rubric — no names attached to blame anywhere; at least three contributing factors that span more than one layer; action items that change the system rather than exhort the humans. This review joins your evidence trail for Lesson 12's promotion packet — and it's a ready-made answer to the interview staple "tell me about a production incident."

Check yourself — command the scenario

Three scenarios. Decide from the mental model — don't scroll up. Wrong picks stay live.

Scenario A

A SEV-1 hits the payments service you know best, and you're made Incident Commander. Ten minutes in, you're fairly sure the cause is yesterday's connection pool change. What's the Principal move?

Scenario B

Checkout is failing for roughly 10% of users. On the call, two leads argue it's "only a SEV-2" — because SEV-1 means waking executives and posting a public status. As IC, what do you do?

Scenario C

A postmortem draft reads: "Root cause: engineer X skipped the canary and deployed to all regions. Action item: X to be more careful with deploys." You're the senior reviewer. What's the move?

Primary source — read this
PagerDuty's guide is its real internal major-incident process, open-sourced — start with the Incident Commander training and severity levels. Chapter 15 of the SRE book (free online) is the founding text on blameless postmortems. Together they cover the during and the after.
Your one tangible win You can now walk into a chaotic incident channel and impose structure with three sentences: name an IC who doesn't debug, call the severity from the pre-agreed rule, and assign the first task by name with a time-box. And you have a blameless review in your evidence trail that shows you thinking in systems, not scapegoats.
I'm your teacher — ask me anything. Can't pick which incident to review? Worried your draft reads as blamey? Want to rehearse the IC sentence shapes against a simulated incident before a real one finds you? Bring it to chat — I'll run the drill with you.

Recommended learning

Hand-picked follow-ups. None are required — the primary source above comes first.

References

  1. PagerDuty, Incident Response guideIncident Commander training and roles; the IC performs no remediations, checks no graphs, investigates no logs.
  2. PagerDuty, "Severity Levels", Incident Response guide — SEV-1–5 definitions; when unsure, treat the incident as the higher severity.
  3. Beyer, Jones, Petoff & Murphy (eds.), Site Reliability Engineering, Ch. 15, "Postmortem Culture: Learning from Failure" (Google/O'Reilly, 2016) — blameless postmortems, senior review, org-wide sharing.
  4. John Allspaw, "Blameless PostMortems and a Just Culture", Etsy Code as Craft (2012) — human error as the start of the investigation, not the end.