On this page
- The incident is over. The expensive part is what you do next.
- Blame the system, not the person
- The loop a postmortem lives inside
- When (and when not) to write one
- The same fact, two ways: blameful vs blameless framing
- How to write the postmortem, step by step
- A template you can copy today
- How to run the review meeting
- Common mistakes that quietly kill the practice
- Takeaways
- Where to go next
The incident is over. The expensive part is what you do next.
It is 3pm. Checkout was down for 22 minutes. You paged the on-call, found the bad deploy, rolled it back, and the graphs are green again. Everyone exhales. The temptation now is to close the ticket, mutter "don't do that again," and move on.
That instinct is how you guarantee it happens again. The outage already cost you revenue, sleep, and trust. The only way to get a return on that cost is to extract everything the incident is willing to teach you, and then change the system so the next person literally cannot make the same mistake. That document is a postmortem, and the thing that makes it actually work is one word: blameless.
Who this is for
Engineers who get paged, on-call leads who run incident reviews, and managers who keep asking "who broke it?" If you have ever sat through a finger-pointing retro that fixed nothing, or written a postmortem nobody read, this is for you. No prior process knowledge assumed, we build it from zero.
Blame the system, not the person
If a single human action can take down production, the problem is the system that allowed it, not the human who performed it. Blame the system, fix the system.
Here is the uncomfortable truth blameless culture is built on: smart, careful, well-meaning people cause outages every day. The engineer who ran the migration against prod instead of staging was not careless, they were handed two terminals that looked identical, with no guardrail between them. Punish them and you learn nothing except that people will now hide their mistakes. Fix the system, add a confirmation prompt, color the prod shell red, require a second approver, and the mistake becomes impossible for *everyone*.
Blame is not just unkind, it is actively counterproductive. The moment people fear being named as "the cause," they stop volunteering details, stop reporting near-misses, and stop touching scary systems. Your richest source of safety data, honest human accounts of what actually happened, dries up. Blamelessness is not about being nice. It is about keeping the information flowing.
Aviation does not ground the pilot of every near-miss, it would lose its pilots and its data. Instead it treats each event as a free, fully-paid lesson in how the system can fail. A blameless postmortem is your cockpit-voice-recorder for software.
The loop a postmortem lives inside
A postmortem is not a document you file and forget, it is one stage of a loop that should make each class of incident rarer over time. Here is the whole cycle:
The postmortem loop: a resolved incident feeds learning back into the system so the same failure recurs less often.
- 1
Incident resolved
Service is restored and the page is cleared. The clock on memory starts ticking immediately, details fade fast, so capture the rough timeline while it is fresh.
- 2
Timeline reconstructed
Pull the facts: when the alert fired, what was deployed, who did what, when it recovered. Timestamps from logs, dashboards, and chat, not opinions.
- 3
Contributing factors identified
Ask "why" until you reach systemic causes, not a person. Most real incidents have several contributing factors, not one neat root cause.
- 4
Action items assigned
Each fix gets a named owner and a due date and lands in your normal backlog, not a forgotten wiki page. An action item with no owner is a wish.
- 5
Systemic fixes shipped
The guardrails, alerts, and runbooks actually get built and merged. This is the step that breaks the recurrence cycle.
- 6
Feedback closes the loop
Because the system changed, this class of incident gets rarer. Fewer repeats is the only metric that proves the postmortem worked.
When (and when not) to write one
You do not need a postmortem for every blip. Write one when an incident was user-visible, breached an [error budget](/blog/error-budgets-explained) or SLO, required a rollback or manual intervention, or simply surprised you, including near-misses where you got lucky. The trigger is "did we learn something the system should remember?", not "how big was the explosion?"
Near-misses are free lessons
The deploy that almost wiped the database but got caught by a fluke is the cheapest postmortem you will ever write, all of the learning, none of the outage. Teams that only write postmortems for major incidents miss the most valuable, lowest-cost data they have.
The same fact, two ways: blameful vs blameless framing
Blameless is mostly a discipline of language. The facts do not change, the framing moves the spotlight off a person and onto the system that set them up. Train yourself to rewrite every "X did Y" into "the system allowed Y."
| Blameful framing | Blameless framing |
|---|---|
| Priya ran the migration against prod by mistake | Prod and staging shells were visually identical, so a single typo targeted prod |
| The new hire pushed untested code | Code could reach prod without passing the integration test gate |
| Sam ignored the alert | The alert was one of 40 that fire daily, so a real one was indistinguishable from noise |
| Ops forgot to renew the TLS cert | Cert renewal was a manual calendar reminder with no automation or expiry alert |
| The engineer didn't follow the runbook | The runbook was three releases out of date and pointed at a deleted service |
| Someone deleted the wrong S3 bucket | Production buckets had no deletion protection and no confirmation step |
Notice that every blameless version ends with something you can build: a confirmation prompt, a test gate, alert deduplication, automated renewal, a current runbook, deletion protection. The blameful versions end with a feeling. Only one of those prevents the next outage.
How to write the postmortem, step by step
A good postmortem has a predictable anatomy: summary, impact, timeline, root cause / contributing factors, and action items. Fill them in this order while the incident is fresh, ideally within a day or two.
- 1
Write the summary
Two or three sentences a stranger could read: what broke, for how long, and the headline cause. If someone reads only this, they should understand the incident.
- 2
Quantify the impact
Be concrete: "22 minutes of checkout downtime, ~4,100 failed orders, ~$18k revenue at risk." Numbers turn an abstract outage into a prioritized fix.
- 3
Reconstruct the timeline
Timestamped, factual, neutral. Detection → diagnosis → mitigation → resolution. Pull times from logs and chat, not memory. This is where you spot how long detection actually took.
- 4
Find contributing factors with the 5 whys
Start at the symptom and ask "why" about five times, but branch, do not just go deeper. Real incidents have multiple contributing factors. Stop when the answer is a system property, never when it is a person.
- 5
Write action items with owners and due dates
Each one is specific, owned by a named person, dated, and filed as a real ticket. Split them into "prevent recurrence" and "detect/mitigate faster next time."
- 6
Circulate, then review
Share the draft, let people add facts and correct the timeline, then hold the review meeting. The doc is a living artifact until action items are tracked.
The 5 whys is a guardrail against stopping too early, not a script
"Why did checkout fail? A bad config shipped. Why? It skipped review. Why? Reviews are optional for config. Why? We never gated config changes in CI." That last answer is a system you can fix. If your chain of whys ever bottoms out at "because Priya made a mistake," you stopped one why too soon.
A template you can copy today
Keep a template in your repo so every postmortem looks the same and nothing gets skipped. Drop this in as docs/postmortems/TEMPLATE.md and copy it per incident:
# Postmortem: Checkout outage (2026-06-04)
**Status:** Reviewed | **Severity:** SEV-2 | **Owner:** @sri
## Summary
A config change disabled the payments feature flag in production for
22 minutes, causing checkout to fail for all users. Resolved by rollback.
This is a blameless postmortem: we describe what the *system* allowed.
## Impact
- Duration: 14:58–15:20 UTC (22 min)
- Users affected: 100% of checkout attempts (~4,100 failed orders)
- Revenue at risk: ~$18k | Error-budget burned: 31% of the monthly budget
## Timeline (UTC)
| Time | Event |
|-------|-------|
| 14:55 | Config PR #842 merged and auto-deployed |
| 14:58 | Checkout error rate jumps to ~100% |
| 15:03 | PagerDuty alert fires; on-call acknowledges |
| 15:11 | Bad flag identified via deploy diff |
| 15:20 | Rollback completes; error rate returns to baseline |
## Contributing factors (the 5 whys)
1. Checkout failed because the payments flag was set to false.
2. The flag flipped because a config PR changed it unintentionally.
3. The change shipped because config changes skip the CI test gate.
4. Detection took 5 min because the checkout SLO alert lacked urgency.
5. Rollback was manual because we have no automated flag-revert path.
-> Systemic, not personal: the pipeline let an untested config reach prod.
## Action items
| # | Action | Owner | Due | Ticket |
|---|--------|-------|-----|--------|
| 1 | Gate config changes behind the CI test suite | @sri | Jun 12 | OPS-921 |
| 2 | Add a page-severity SLO alert on checkout errors | @maya | Jun 10 | OPS-922 |
| 3 | Build one-command flag rollback | @lee | Jun 18 | OPS-923 |
## What went well
- On-call diagnosed the root cause from the deploy diff in under 10 min.
- Rollback procedure worked cleanly once identified.
How to run the review meeting
The review is where the team turns one person's draft into shared, validated learning. Keep it to 30–45 minutes and protect the blameless tone like the facilitator's only job, because it is.
- Everyone reads the doc first (or read it silently for the first 5 minutes, library-style). Do not narrate the timeline out loud, discuss it.
- Walk the timeline together and let people add facts you missed. New details almost always surface here.
- Pressure-test the contributing factors. Ask "would a different, careful person have hit this too?" If yes, it is systemic, good.
- Agree on action items, owners, and due dates live, in the room. Cut vague ones; an unowned action is not an action.
- Facilitator interrupts blame instantly. If "who" creeps in, redirect to "what in the system made that the easy/likely thing to do?"
- Close by confirming where the action items are tracked, real tickets in the real backlog, reviewed at the next planning session.
Common mistakes that quietly kill the practice
- Sneaking blame back in. "Blameless" framing with a tone of "obviously Priya should have known" fools no one. People read the room, clam up, and your data dries up.
- No action items. A postmortem that ends with reflection and zero changes is a diary entry. If nothing in the system changes, the incident will return on schedule.
- Action items that are never tracked. Owners and due dates on a wiki page nobody revisits are theater. Put them in the same backlog you actually groom, and review open items each cycle.
- Only writing them for huge incidents. SEV-1s get postmortems; the constant SEV-3s and near-misses, where most of your cheap learning lives, get shrugged off.
- Treating root cause as a single thing. Hunting for the one true cause hides the three contributing factors that all had to line up. Capture the whole chain.
- Letting it become a punishment ritual. If a postmortem is the meeting where someone gets grilled, people will fight to avoid declaring incidents at all, and you lose visibility entirely.
Takeaways
The whole article in seven lines
- A postmortem is how you collect the return on an incident you already paid for.
- Blame the system, fix the system, if one human action can break prod, the system is the bug.
- Blamelessness keeps information flowing; fear makes people hide the data you need.
- Anatomy: summary, impact, timeline, contributing factors (5 whys), action items with owners + due dates.
- Write one whenever you learned something, including near-misses, not just SEV-1s.
- Action items with no owner, no date, or no tracking are wishes, not fixes.
- Fewer repeats is the only metric that proves the loop is working.
Where to go next
Postmortems are the learning half of incident work, the response half is what gets you to a resolved incident in the first place. Pair this with how on-call and incident command actually run, and with the budgets that decide which incidents are worth this effort:
- Incident Management & On-Call, triage, severities, comms, and getting to "resolved" so you have something to write up.
- Error Budgets, the SLO math that tells you when an incident breached the budget and demands a postmortem.
- Walk the full SRE career path to see where reliability culture fits alongside monitoring, automation, and capacity work.
Want to go deeper?
This article covers concepts taught hands-on in the Cloud Engineer and DevOps career paths, with real terminal labs, production scenarios, and structured lessons.