Blameless Postmortems
Key Points
- Blameless ≠ accountability-less. It means we attack systems, not people. Owners and dates still apply.
- Hindsight bias is the enemy. "They should have known" is the smell of a postmortem going wrong.
- No single root cause. Real incidents have contributing factors. Five Whys is a starting point, not the whole map.
- Action items only count if they have owner + due date. Everything else is theater.
- Cadence matters: postmortem within a week, follow-up review at 30 days. No follow-up = the lesson was discarded.
- Language patterns are tools. "The system allowed X" >> "Bob did X". Same fact, different culture.
- Public postmortems build trust. With customers, regulators, and your own team.
Concepts (deep dive)
Why blameless
The Etsy / Google SRE foundational insight: engineers will hide information when they fear blame. Hidden information turns a recoverable outage into a chronic, mysterious system. A blameless culture is not soft — it is the only culture in which the truth is reliably available.
What it actually means: - People can describe what they did, why it made sense at the time, and what they didn't know — without sanction. - The investigation focuses on the gaps (information, training, tooling, monitoring, process) that allowed the error. - "Human error" is never a root cause. It's a starting symptom.
What it does not mean: - "No consequences ever." Patterns of negligence still warrant performance conversations — outside the postmortem. - "Don't name names." The timeline must say what happened, who did what, when. Blameless isn't anonymous.
Postmortem structure
# Postmortem: <Incident Name> (YYYY-MM-DD)
## Summary
2-3 sentences. Severity, duration, impact. The BLUF.
## Impact
- Users affected: <number / segment>
- Revenue / SLO: <hard number where possible>
- Duration: detection→mitigation→resolution
## Timeline (UTC)
HH:MM — Event 1 (link to log/dashboard)
HH:MM — Alert fired (or didn't)
HH:MM — Engineer X paged
HH:MM — Mitigation deployed
HH:MM — Confirmed restored
## Contributing Factors
1. <Factor> — explanation. (Not "root cause".)
2. ...
3. ...
## What Went Well
- Things to keep doing.
## What Went Poorly
- Things to change. Systems, not people.
## Lucky / Latent Risks
- "We dodged a bullet because…" Don't lose this insight.
## Action Items
| ID | Item | Type | Owner | Due |
|----|------|------|-------|-----|
| AI-1 | Add alarm for queue depth > 1k | Detect | @alex | 2026-05-15 |
| AI-2 | Auto-scaler floor = 3 replicas | Mitigate | @sam | 2026-05-08 |
| AI-3 | Runbook for partial-outage failover | Prevent | @riley | 2026-05-30 |
## Lessons Learned
What we now believe that we didn't before.
Hindsight bias — the trap
After an incident, the path to failure looks obvious. It wasn't, in the moment. Fight it deliberately:
- ✅ "Given what was on the dashboard at 14:02, the on-call's interpretation was reasonable."
- ❌ "It was clearly a queue backup; they should have seen it."
The diagnostic question is: "What did the operator see, and what would a competent engineer have done with that information?" If the answer is "the same thing", the system failed, not the person.
Five Whys vs causal-graph vs human-factors
- Five Whys (Toyota). Linear chain: ask "why" five times. Easy to teach; dangerous because it implies a single root cause and stops once you've found a satisfying narrative.
- Causal-graph analysis (Reason's Swiss Cheese, Allspaw). Multiple contributing factors, multiple lines of defense that all failed simultaneously. Closer to reality.
- Human-factors / cognitive systems engineering. What signals were available? What was the operator's mental model? Where did it diverge from reality? Excellent for high-stakes incidents.
- Cynefin framing. Was this incident in the Complicated domain (best practices apply) or the Complex domain (emergent, no playbook)? Different domains demand different responses.
Use Five Whys to start; switch to causal graph when the chain branches; bring in human-factors when human decisions were central.
Action item taxonomy
Tag every action item:
- Prevent — stops the cause. (E.g., add input validation.)
- Detect — surfaces the cause earlier next time. (E.g., new alarm.)
- Mitigate — limits blast radius. (E.g., circuit breaker.)
- Educate — improves the team's mental model. (E.g., runbook, training.)
A postmortem with only "Prevent" items is naive — you can't prevent every bug. A healthy mix biases toward Detect + Mitigate, which compound.
Owner + due date is non-negotiable. An action item without them is a wish.
Cadence
- Within 24h: factual timeline drafted while memory is fresh.
- Within 1 week: postmortem meeting + finalized doc.
- 30 days later: review action items. Closed? Slipped? Re-prioritize. This is where most cultures fail — items go stale, the lesson evaporates.
- Quarterly: trend review. Are the same factors recurring? That's a meta-incident.
Public vs private postmortems
| Public | Private (internal) |
|---|---|
| Customer-facing summary, status page, blog | Full timeline, names, internal tooling, action items |
| Drives trust, sometimes mandated by SLAs | Honest, unvarnished, blameless |
| Light on internal detail | The detail is the point |
Both can exist for the same incident. The public version is a derivative of the private one.
Facilitation when someone clearly screwed up
The hardest case. An engineer pushed bad config, ran DROP TABLE on prod, deployed at 4 PM Friday. The team is angry; the engineer is mortified.
Language patterns: - ✅ "The deploy tool allowed a destructive change without a confirmation step." (system framing) - ✅ "In retrospect, with the information available, choosing X over Y was reasonable." (hindsight check) - ✅ "What signal would have told you not to proceed?" (focuses on missing signal) - ❌ "Why did you do that?" (interrogative, defensive) - ❌ "Anyone would have caught that." (hindsight bias, signals shame) - ❌ "We need to be more careful." (no system change; pure shame)
The facilitator's job is to surface the missing guardrail, not the missing person. Almost every "human error" is a guardrail that was never built.
Connection to incident response & SRE
- A postmortem is the output of incident response; only as good as the data captured during the incident.
- Pair every postmortem with runbook updates — the lesson lives in the runbook, not just the doc.
- Track the error budget consumption per postmortem; recurring spend in one service is a structural signal.
- The postmortem feeds the TD ledger (Topic 7) — many action items become long-lived debt items.
Tooling
- Jeli / now part of PagerDuty — incident analysis platform; auto-builds timelines from chat + alerts.
- Blameless — workflow-driven postmortem platform.
- FireHydrant — incident lifecycle + postmortems.
- incident.io — Slack-native; timeline auto-capture.
- Internal Confluence / Notion template. Tooling helps but is not required — discipline is.
A consistent template, accessible archive, and follow-up discipline matter more than which SaaS you bought.
Patterns
- The 24-hour timeline draft — Intent: while memory is fresh, capture only the timeline (not analysis). Decouples facts from blame.
- Contributing-factors framing — Intent: language ban on "root cause" / "human error". Forces the conversation toward systems.
- Action item triage — Intent: every AI tagged Prevent/Detect/Mitigate/Educate; rebalance if mix is skewed. Avoids paranoid prevention culture.
- 30-day follow-up — Intent: standing review of postmortem AIs after a month. Closes the loop or re-prioritizes; lessons stick.
- Quarterly meta-review — Intent: look across the quarter's postmortems for patterns. Same service? Same time of day? Same kind of factor? Surface the systemic.
- Pair-facilitation — Intent: two facilitators (one technical, one neutral) for high-emotion postmortems. Reduces drift toward blame.
Pros & cons / trade-offs
| Aspect | Pros | Cons |
|---|---|---|
| Blameless culture | Truth surfaces, faster learning, retention | Can drift to "no accountability" if poorly led |
| Five Whys | Easy to teach, fast | Implies single root cause |
| Causal graph | Realistic, multi-factor | Slower, requires skilled facilitator |
| Public postmortem | Builds external trust | Time to write, legal review |
| Heavy tooling (Jeli/Blameless) | Auto-timelines, archive | Cost, lock-in |
| Lightweight Confluence | Cheap, flexible | Manual discipline required |
When to use / when to avoid
✅ Always run a postmortem for: customer-impacting outages, security incidents, near-misses (the dodged-bullet kind), data loss, and SLO breaches.
✅ Lightweight postmortem for low-severity but instructive incidents — even a half-page is worth writing.
❌ Don't skip postmortems because "we know what happened" — the writing surfaces the unknowns.
❌ Don't run a public postmortem before legal/PR review when regulated data was involved.
❌ Don't merge postmortems with performance reviews. Ever. The moment that line blurs, blamelessness dies.
Senior-level tips
- 💡 Volunteer to facilitate when you weren't on-call. Outsider neutrality + technical depth is the ideal facilitator profile.
- 💡 Defend the on-call publicly. When leadership asks "who deployed this", your answer is "the system that allowed it" — every time.
- 💡 Track action-item completion rate as a team metric. Below 70% means the postmortem ritual has become theater; intervene.
- 💡 Read other companies' public postmortems (Cloudflare, GitHub, AWS). Their style is your benchmark.
- 💡 Resist the "single root cause" framing in writing. Edit "the root cause was X" to "a key contributing factor was X" every time you see it.
- 💡 Make new joiners read the last 5 postmortems as part of onboarding. Better than any architecture doc.
- 💡 Run a postmortem on a near-miss too. The cheapest lesson is the one that didn't actually cost you.
- 💡 Beware the "training" action item. "Educate the team" is often the cop-out when a real fix would cost engineering time. Demand a system change too.
- 💡 The follow-up review is the actual postmortem. Anyone can write a doc; closing the loop is the senior move.
Common pitfalls
- ⚠️ "Root cause: human error." Always wrong. Keep digging.
- ⚠️ Action items with no owner or no due date. Equivalent to no action items.
- ⚠️ Skipping the 30-day follow-up. The lesson decays; the next incident repeats.
- ⚠️ Letting the postmortem turn into a status meeting. Facts and analysis only; status goes elsewhere.
- ⚠️ Postmortem becoming a performance review proxy. Kills the culture in one session.
- ⚠️ Over-investing in prevention to the exclusion of detection and mitigation. You can't prevent every bug; you can detect them faster.
- ⚠️ Treating the public postmortem as marketing. Customers can tell.
- ⚠️ Not writing a postmortem because "the fix was obvious". The lesson isn't always the fix.
- ⚠️ Five Whys stopped at "we forgot to test that". Why did the test process allow the gap? Keep going.
Further reading
- John Allspaw — Blameless PostMortems and a Just Culture (Etsy, the canonical post)
- Google — Site Reliability Engineering, ch. 15: Postmortem Culture
- Google — The Site Reliability Workbook, ch. 10
- Sidney Dekker — The Field Guide to Understanding 'Human Error' (foundational on hindsight bias)
- James Reason — Human Error (Swiss Cheese model)
- John Allspaw — How Complex Systems Fail (Richard Cook; Allspaw's annotated version)
- AWS Builders' Library — COE — Correction of Errors
- Howie: the Post-Incident Guide (Jeli)
- Cloudflare / GitHub / Stripe public postmortem archives — read for style and structure
- PagerDuty Postmortem documentation