Skip to content

Blameless Postmortems

Key Points

  • Blameless ≠ accountability-less. It means we attack systems, not people. Owners and dates still apply.
  • Hindsight bias is the enemy. "They should have known" is the smell of a postmortem going wrong.
  • No single root cause. Real incidents have contributing factors. Five Whys is a starting point, not the whole map.
  • Action items only count if they have owner + due date. Everything else is theater.
  • Cadence matters: postmortem within a week, follow-up review at 30 days. No follow-up = the lesson was discarded.
  • Language patterns are tools. "The system allowed X" >> "Bob did X". Same fact, different culture.
  • Public postmortems build trust. With customers, regulators, and your own team.

Concepts (deep dive)

Why blameless

The Etsy / Google SRE foundational insight: engineers will hide information when they fear blame. Hidden information turns a recoverable outage into a chronic, mysterious system. A blameless culture is not soft — it is the only culture in which the truth is reliably available.

What it actually means: - People can describe what they did, why it made sense at the time, and what they didn't know — without sanction. - The investigation focuses on the gaps (information, training, tooling, monitoring, process) that allowed the error. - "Human error" is never a root cause. It's a starting symptom.

What it does not mean: - "No consequences ever." Patterns of negligence still warrant performance conversations — outside the postmortem. - "Don't name names." The timeline must say what happened, who did what, when. Blameless isn't anonymous.

Postmortem structure

# Postmortem: <Incident Name> (YYYY-MM-DD)

## Summary
2-3 sentences. Severity, duration, impact. The BLUF.

## Impact
- Users affected: <number / segment>
- Revenue / SLO: <hard number where possible>
- Duration: detection→mitigation→resolution

## Timeline (UTC)
HH:MM — Event 1 (link to log/dashboard)
HH:MM — Alert fired (or didn't)
HH:MM — Engineer X paged
HH:MM — Mitigation deployed
HH:MM — Confirmed restored

## Contributing Factors
1. <Factor> — explanation. (Not "root cause".)
2. ...
3. ...

## What Went Well
- Things to keep doing.

## What Went Poorly
- Things to change. Systems, not people.

## Lucky / Latent Risks
- "We dodged a bullet because…" Don't lose this insight.

## Action Items
| ID | Item | Type | Owner | Due |
|----|------|------|-------|-----|
| AI-1 | Add alarm for queue depth > 1k | Detect | @alex | 2026-05-15 |
| AI-2 | Auto-scaler floor = 3 replicas | Mitigate | @sam | 2026-05-08 |
| AI-3 | Runbook for partial-outage failover | Prevent | @riley | 2026-05-30 |

## Lessons Learned
What we now believe that we didn't before.

Hindsight bias — the trap

After an incident, the path to failure looks obvious. It wasn't, in the moment. Fight it deliberately:

  • ✅ "Given what was on the dashboard at 14:02, the on-call's interpretation was reasonable."
  • ❌ "It was clearly a queue backup; they should have seen it."

The diagnostic question is: "What did the operator see, and what would a competent engineer have done with that information?" If the answer is "the same thing", the system failed, not the person.

Five Whys vs causal-graph vs human-factors

  • Five Whys (Toyota). Linear chain: ask "why" five times. Easy to teach; dangerous because it implies a single root cause and stops once you've found a satisfying narrative.
  • Causal-graph analysis (Reason's Swiss Cheese, Allspaw). Multiple contributing factors, multiple lines of defense that all failed simultaneously. Closer to reality.
  • Human-factors / cognitive systems engineering. What signals were available? What was the operator's mental model? Where did it diverge from reality? Excellent for high-stakes incidents.
  • Cynefin framing. Was this incident in the Complicated domain (best practices apply) or the Complex domain (emergent, no playbook)? Different domains demand different responses.

Use Five Whys to start; switch to causal graph when the chain branches; bring in human-factors when human decisions were central.

Action item taxonomy

Tag every action item:

  • Prevent — stops the cause. (E.g., add input validation.)
  • Detect — surfaces the cause earlier next time. (E.g., new alarm.)
  • Mitigate — limits blast radius. (E.g., circuit breaker.)
  • Educate — improves the team's mental model. (E.g., runbook, training.)

A postmortem with only "Prevent" items is naive — you can't prevent every bug. A healthy mix biases toward Detect + Mitigate, which compound.

Owner + due date is non-negotiable. An action item without them is a wish.

Cadence

  • Within 24h: factual timeline drafted while memory is fresh.
  • Within 1 week: postmortem meeting + finalized doc.
  • 30 days later: review action items. Closed? Slipped? Re-prioritize. This is where most cultures fail — items go stale, the lesson evaporates.
  • Quarterly: trend review. Are the same factors recurring? That's a meta-incident.

Public vs private postmortems

Public Private (internal)
Customer-facing summary, status page, blog Full timeline, names, internal tooling, action items
Drives trust, sometimes mandated by SLAs Honest, unvarnished, blameless
Light on internal detail The detail is the point

Both can exist for the same incident. The public version is a derivative of the private one.

Facilitation when someone clearly screwed up

The hardest case. An engineer pushed bad config, ran DROP TABLE on prod, deployed at 4 PM Friday. The team is angry; the engineer is mortified.

Language patterns: - ✅ "The deploy tool allowed a destructive change without a confirmation step." (system framing) - ✅ "In retrospect, with the information available, choosing X over Y was reasonable." (hindsight check) - ✅ "What signal would have told you not to proceed?" (focuses on missing signal) - ❌ "Why did you do that?" (interrogative, defensive) - ❌ "Anyone would have caught that." (hindsight bias, signals shame) - ❌ "We need to be more careful." (no system change; pure shame)

The facilitator's job is to surface the missing guardrail, not the missing person. Almost every "human error" is a guardrail that was never built.

Connection to incident response & SRE

  • A postmortem is the output of incident response; only as good as the data captured during the incident.
  • Pair every postmortem with runbook updates — the lesson lives in the runbook, not just the doc.
  • Track the error budget consumption per postmortem; recurring spend in one service is a structural signal.
  • The postmortem feeds the TD ledger (Topic 7) — many action items become long-lived debt items.

Tooling

  • Jeli / now part of PagerDuty — incident analysis platform; auto-builds timelines from chat + alerts.
  • Blameless — workflow-driven postmortem platform.
  • FireHydrant — incident lifecycle + postmortems.
  • incident.io — Slack-native; timeline auto-capture.
  • Internal Confluence / Notion template. Tooling helps but is not required — discipline is.

A consistent template, accessible archive, and follow-up discipline matter more than which SaaS you bought.


Patterns

  • The 24-hour timeline draftIntent: while memory is fresh, capture only the timeline (not analysis). Decouples facts from blame.
  • Contributing-factors framingIntent: language ban on "root cause" / "human error". Forces the conversation toward systems.
  • Action item triageIntent: every AI tagged Prevent/Detect/Mitigate/Educate; rebalance if mix is skewed. Avoids paranoid prevention culture.
  • 30-day follow-upIntent: standing review of postmortem AIs after a month. Closes the loop or re-prioritizes; lessons stick.
  • Quarterly meta-reviewIntent: look across the quarter's postmortems for patterns. Same service? Same time of day? Same kind of factor? Surface the systemic.
  • Pair-facilitationIntent: two facilitators (one technical, one neutral) for high-emotion postmortems. Reduces drift toward blame.

Pros & cons / trade-offs

Aspect Pros Cons
Blameless culture Truth surfaces, faster learning, retention Can drift to "no accountability" if poorly led
Five Whys Easy to teach, fast Implies single root cause
Causal graph Realistic, multi-factor Slower, requires skilled facilitator
Public postmortem Builds external trust Time to write, legal review
Heavy tooling (Jeli/Blameless) Auto-timelines, archive Cost, lock-in
Lightweight Confluence Cheap, flexible Manual discipline required

When to use / when to avoid

Always run a postmortem for: customer-impacting outages, security incidents, near-misses (the dodged-bullet kind), data loss, and SLO breaches.

Lightweight postmortem for low-severity but instructive incidents — even a half-page is worth writing.

Don't skip postmortems because "we know what happened" — the writing surfaces the unknowns.

Don't run a public postmortem before legal/PR review when regulated data was involved.

Don't merge postmortems with performance reviews. Ever. The moment that line blurs, blamelessness dies.


Senior-level tips

  • 💡 Volunteer to facilitate when you weren't on-call. Outsider neutrality + technical depth is the ideal facilitator profile.
  • 💡 Defend the on-call publicly. When leadership asks "who deployed this", your answer is "the system that allowed it" — every time.
  • 💡 Track action-item completion rate as a team metric. Below 70% means the postmortem ritual has become theater; intervene.
  • 💡 Read other companies' public postmortems (Cloudflare, GitHub, AWS). Their style is your benchmark.
  • 💡 Resist the "single root cause" framing in writing. Edit "the root cause was X" to "a key contributing factor was X" every time you see it.
  • 💡 Make new joiners read the last 5 postmortems as part of onboarding. Better than any architecture doc.
  • 💡 Run a postmortem on a near-miss too. The cheapest lesson is the one that didn't actually cost you.
  • 💡 Beware the "training" action item. "Educate the team" is often the cop-out when a real fix would cost engineering time. Demand a system change too.
  • 💡 The follow-up review is the actual postmortem. Anyone can write a doc; closing the loop is the senior move.

Common pitfalls

  • ⚠️ "Root cause: human error." Always wrong. Keep digging.
  • ⚠️ Action items with no owner or no due date. Equivalent to no action items.
  • ⚠️ Skipping the 30-day follow-up. The lesson decays; the next incident repeats.
  • ⚠️ Letting the postmortem turn into a status meeting. Facts and analysis only; status goes elsewhere.
  • ⚠️ Postmortem becoming a performance review proxy. Kills the culture in one session.
  • ⚠️ Over-investing in prevention to the exclusion of detection and mitigation. You can't prevent every bug; you can detect them faster.
  • ⚠️ Treating the public postmortem as marketing. Customers can tell.
  • ⚠️ Not writing a postmortem because "the fix was obvious". The lesson isn't always the fix.
  • ⚠️ Five Whys stopped at "we forgot to test that". Why did the test process allow the gap? Keep going.

Further reading