Incident management is a critical aspect of maintaining system reliability. When engineers are woken up late at night, getting on an incident chat, and trying to fix things while communicating with the team, a huge source of safety and stability is a playbook that describes what to do when. This article serves as a guide for application developers on how to get started writing playbooks for incident response.

Team Culture in Incident Response Playbooks

The term ‘playbook’ sometimes implies a sort of mechanical process that tells engineers exactly what to do, a bit like a robot following lines of code. But of course the term is taken from sport, where a playbook lists individual plays that allow for human participants and implicit randomness. Team culture is a clear part of incident response, and you need to consider how real people will interpret plans when faced with real failures and stressful situations. Two early questions are how much standardization of playbooks should happen between teams, and how to handle cases where people don’t follow the process.

How much should teams standardize their incident response?

A basic question when you start writing playbooks for incident response is how standard these playbooks need to be. Should teams write their own playbooks, or should ops, SRE, or platform teams write the playbook that all other teams need to follow. Standardization across the whole organization can’t be extreme. Let’s say a playbook has a decision point about the scope of an issue. A backend team working in database interfaces and a frontend team will have totally different answers to what ‘scope’ means and how to measure it. So we want standards for how incidents are handled, but now how they’re identified, investigated, or remediated. One senior ops engineer talks about the balance between team standardization and organizational process:
Teams are responsible for their own stuff at the end of the day. They will have their own runbooks as their systems will differ from other teams. The incident response process is standard across all teams, the software teams create and maintain will differ though, so this makes sense as a boundary of responsibility for this organisation. Generally teams manage their own alerts and dashboards. If they continually have problems as a result of poor visibility, it’ll be very clear to the leadership due to the number of incident tickets assigned to them. They’ll get the support they need to fix the underlying problem, be that fixing the system or improving the observability.
That general truism should apply to your organization: if a team’s individual process for incidents isn’t working, it’ll show up in the number of incidents assigned to the team.

What to Do When Someone Doesn’t Follow the Process

People often skip steps when the process feels slow or hard. If this happens, it means something is wrong—maybe the process is confusing, scary, or takes too long. Others might not ask for help because they had a bad experience before or feel rushed. First, ask nicely why they didn’t follow the rules. Don’t blame them—just listen. Maybe they didn’t know how, or the process didn’t work when they needed it. Next, talk to more people to see if others feel the same way. Anonymous surveys or quick chats can help find the real problem. Then, fix the official process before making the wrong way harder. If the right way is simple and fast, people will use it. Only after that should you add roadblocks to stop the shortcuts. The goal isn’t to punish—it’s to make the best way also the easiest way.

Conclusions

Effective incident response combines automation and teamwork. Automation helps by speeding up tasks and reducing errors, but human judgment is still key. Teams should standardize processes while allowing flexibility for different needs. If people skip steps, the focus should be on fixing the process, not blaming individuals. The goal is to make incident response faster, safer, and easier for everyone involved. By balancing automation with clear, simple processes, teams can handle incidents better and keep systems running smoothly.