The Post Incident Review (PIR) process is an evaluation of the incident management response and recovery effort for major, critical and high priority incidents. The post incident review meeting is initiated once the incident has been resolved. Therefore, information captured during the incident’s life-cycle is saved for review. A post incident review is a process to review the incident information from occurrence to closure. The output of the meeting is a report of potential findings detailing how the incident could have been handled better. For that reason, consistently performing post incident reviews are a great way to continuously improve the incident handling process.
Post Incident Review Goals
- Eliminate or reduce the risk of the incident to re-occur.
- Improve the initial incident detection time.
- Identify improvements needed to diagnose the incident including service impacted, priority level and the correct resolver teams to be engaged.
- Review the repair steps and identify recommendations to reduce a future incident repair duration.
- Review the duration to initiate and complete activities to ultimately identify improvement recommendations.
- Ensure incident communication was proper or if anything can be improved.
- Update the major incident management best practices as needed to continuously improve.
A post incident review is similar to football team reviewing game tapes. Similarly to the football team, the PIR goal is to understand what went well and what can be improved for the next event. Ultimately, you want to ensure the incident will never reoccur again. By identifying precursors of the incident, processes and configurations can be changed to eliminate re-occurrence. If the incident does reoccur again, the post incident review should have identified improvements on how to better detect, diagnose and repair the incident quicker and more efficiently.
Under direction of the incident manager, all resources involved in the incident as needed will be part of the post incident review. These resources are needed to create a timeline of actions during the incident. Above all, a post incident review of the process by resources involved can provide the most valuable information.
Post Incident Review Meeting Resources
For a post incident review meeting to be successful, all the needed resources should be gathered. While not all resources may be available or are in-progress of being completed, the meeting should complete as much of the review as possible. For that reason, follow up action items must also be assigned. Furthermore the action items must be completed in a timely manner with the goal of completing a formal report. Hence, some of the typical resources needed are listed.
- Incident Manager or delegate to run the post incident review
- Major incident manager or coordinator who ran the incident war room
- Incident documentation including the ticket data, timelines and decisions made
- Change ticket information, if applicable
- All incident recovery staff resources involved
- Event monitoring data
- Application or system engineers
- Problem management root cause analysis