ICT Major Incident Review: what outcome are you really after?
After the successful mitigation of a ICT Major Incident in an organisation, you would want to conduct a Major Incident Review (MIR); which is also sometimes referred to as a Post Incident Review (PIR). However in my experience, there are often differing opinions on what the outcomes of such a review are.
When an organisation’s Executives are requesting such a review, the outcomes they are after are often clear: how did this happen & what are you doing to prevent this reoccurring again.
Now, if you have any experience and interactions with the ITSM practices you may recognise those outcomes as an output of the Problem Management practice. I’ve often come into an organisation to find their MIR procedure and documentation simply serves as a way to generate a high level problem summary; quickly put together at the insistence of the C-suite and/or their direct reports.
I believe the pressure to determine the root cause and mitigation actions to address the problem in a significantly shortened timeframe, often requested within 24 hours, is (quite honestly) utterly stupid. It potentially compromises the determination of the true root cause and development of a sustainable and most appropriate action plan to address the problem, in favour of providing an expedited response to Executives who want to appear to their bosses or stakeholders that they have the answers.
Ideally, the Problem Management activities should be allowed to proceed as per usual to get these answers. But where does that leave the MIR if we are separating the Root Cause Analysis (RCA)?
For my part, I try and focus the MIR as a review of the detection and response to a Major Incident; focused on four key areas:
-
Detection of the incident and identification of its impact to the business (did we know about the incident and its impact as quickly as we could)
-
Coordination and management of resources to respond and mitigate the business impact as safely and quickly as possible (did we get the right people involved as quickly as possible, and did they follow the appropriate procedures in response)
-
Review of the actions taken and decisions made to determine if future incident responses could be improved to reduce the length of the business impact (did the actions taken result in minimising the impact to the business in the shortest possible time)
-
Communication of the incident to the appropriate stakeholders (did we follow the communications plans & did they achieve the outcome of informing the relevant parties appropriately)
Of course, the above is the ideal scenario for myself where the MIR and RCA are isolated to their respective practices; however the reality is that there will be stakeholder pressure to report on the incident’s cause regardless.
To address this need, I have included a Root Cause section early in my MIR template. However, it is made clear in the documentation (unless it is already determined) that the root cause listed in the MIR is what is understood at the time of generating the report. If a root cause is still being worked on through a problem record, then the MIR report should outline the problem record reference where the complete RCA will be published once finalised.
So you perform a review and end up with a number of actions to address the gaps identified within the review; how do you manage the MIR action items?
The second point of contention I find in the MIR procedure is how and where to manage the actions resulting from the review. I’ve seen dedicated tooling solutions to list, assign and manage the actions generated from the MIR procedures. I’ve also seen MIR actions shoehorned into its own problem record and related tasks.
Both of the above present issues. Having a separate list of actions from MIRs presents yet another procedure and list of items for teams to manage. Combined with all other lists and work that needs to be done, it can lead to fatigue and resistance to engage and truly address the actions raised. Having MIR actions managed in a dedicated problem record incorrectly leverages the problem practice to manage actions items that are often not related to addressing an ongoing problem; while also incorrectly inflating the metrics and measurements.
After wrangling with how to track and manage MIR actions items, my current guidance is to not have them as a separate action list. However, every action item should be an input into an existing practice where they can be managed.
Many items will be updates to procedures or improvements to ways of working, which is best managed via the CSI practice or simply a knowledge uplift. Sometimes, there’s cleanup work to fully restore the service to its state prior to the Major Incident; this would result in a separate incident, request or change records depending on the action needed. As much as the MIR should not be a problem discussion, items are naturally raised in relation to the root cause or addressing the underlying problem which can be captured in the existing problem, or trigger a new problem record.
The MIR report should still list and outline the action items raised from the meeting; however it should then list the record reference number for the related practice where that action item will be managed.
I feel it is important to outline that the above is where I’ve landed so far in relation to the Major Incident Review procedures, focusing on what I feel provides the best value for an organisation.
If you have different procedures or methods outside of this, I’m curious to know what they are and how they provide value to your Service Management practice and the organisation?
Rethinking my professional online presence

I’ve been thinking a lot about my online presence for career and professional purposes recently; even before I received a terribly depressing ad for LinkedIn.
Like many in the technology space, I have defaulted my professional online engagement to LinkedIn. I’ll admit I haven’t hated all of it, and even made a few good connections to others in my specific profession along the way. However a lot of it is time filler content.
While there’s occasionally a good discussion around an interesting topic, that’s increasingly rare as attention seeking copycats reshare the same (often AI generated) drivel as someone else when they see it get engagement through likes and comments.
Sound familiar? LinkedIn is in many ways, the new Facebook.
And much like Facebook, LinkedIn is also quickly being drowned in political opinions; some of which is occasionally astonishing that they would publicly post such attitudes on any platform, let alone something that’s meant to be a professional forum.
Is a connection request really connecting?
As I’ve started to get involved a little more in professional events, online interest groups, the very rare in person meetup and conferences; I’ve started to wonder if engaging on LinkedIn and occasionally liking or commenting on each others posts really achieves anything meaningful.
I’ve recently started to engage in online catchups with a group of ITSM professionals that I have connected with via LinkedIn for at least a year. However, it’s only in the last few months since I’ve been more active in these online sessions that I’ve started to really understand not only what they do, but how they think about ITSM. Those perspectives outside of my usual colleagues have been very useful in breaking some pre-conceptions about certain topics that I have developed over the years. While uncomfortable, I like it when my thoughts on the topic are challenged by a differing opinion.
While we can have that in LinkedIn on occasion; I know at least one of these other participants has been posting similar thoughts on LinkedIn prior, which I have been reading and following. But it occurs to me that I may not be truly taking in the content of these posts among scrolling the feed.
Of course, a direct engagement with someone is always going to be more fruitful and informative than reading someone’s post; but it does feel like many of us are increasingly replacing one with the other.
The Networking problem
As someone who has seriously high levels of social anxiety at times, is not particularly good at small talk and is horrible at networking; it’s fair to say I can’t stand it. Times where I have pushed myself out of my comfort zone to try and improve it, I’ve felt myself be inauthentic and insincere somehow.
To be honest, my general feeling on networking still remains highly pessimistic in terms of the authenticity (or lack thereof) involved; and I also don’t think I’m alone here. It’s this perception that I feel maybe leading to an increase in using platforms like LinkedIn as a replacement to more traditional networking opportunities for a subset of individuals like myself.
Like most things, there’s probably a balance here. Many are effectively utilising LinkedIn as a platform to either maintain professional relationships or develop new ones; but in combination with other relationship building skills like direct catchups or professional engagements that I lack.
How I intend to engage better without LinkedIn
I’ve considered deleting my LinkedIn account.
Part of this desire is to force myself away from the increasingly annoying parts of the platform; the other part is forcing myself to engage in more productive and direct ways in my professional life.
I signed myself up to attend a national conference later in the year which I’m already dreading (but looking forward to a trip to another city).
Potentially without the crux of simply connecting with people I meet professionally via a LinkedIn request, to get lost in the sea of random posts among the algorithm and my (currently) 375 other connections on the platform; I’ll need to decide on the best way to keep in contact with people.
Not only will I need to get beyond the discomfort of giving out my personal contact details; but also the discomfort of actually following up with people afterwards and actively keeping in touch. This part scares the fucking shit out of me and triggers the anxiety just thinking about it.
In the end, I know I need to push myself on this. However, I also know that if somehow my lotto numbers come up many of you may never hear from me again :D