Accurately assigning categories is an essential step in incident management. Two main categories affecting how your response team handles an incident are severity and priority. Although priority and severity are related, they're separate concepts that should be assigned individually.
That said, here at incident.io we believe in keeping incident response as simple as possible, which is why you'll only hear us talking about severities, and not priorities. It’s an approach that’s worked well for us internally and for our customers. Regardless, we realize that some organizations have needs to further classify and often lean on priority as an additional way to tailor their response. So here, we’ll explain the biggest differences between the two and how they might fit together as part of a dedicated incident response process.
Severity levels classify an incident based on the impact it will have on your business or your customers. Your entire organization should understand an incident's severity level since you'll need everyone on board to avoid alignment issues or other conflicts in handling the incident.
The severity level will help your product manager and incident response team determine how to prioritize and handle the incident to mitigate the damage as much as possible. Severity will be defined differently by each organization, but it should be clear enough that anyone involved can feel confident declaring an incident and rating its severity.
Although you could follow someone else's guide for determining severity levels, you'll get better results by creating severity levels and definitions customized to your organization. Consider your business needs and the impact incidents could have on your organization. Determine which metrics are most important to you, such as customer satisfaction or productivity, and how an incident could affect those metrics.
Next, you'll want to define incident severity levels that align with your business needs based on factors such as how many users are affected, its impact on user experience, and how long it will take to resolve.
S1 is the highest severity setting and indicates a critical incident significantly impacting your business or many users. Data corruption and loss of revenue are likely with an incident like this. Your response team will need to take action immediately and implement resources and escalation processes to help resolve the issue as soon as possible.
An S2 event is still a major incident that affects many users but has a more moderate business impact. Your product functionality is severely limited, and your incident response team should respond urgently to resolve an S2 incident. An S2 isn’t as urgent as an S1, but it will still require an all-hands-on-deck approach.
Incidents classified with a severity level of S3 are minor incidents that affect only a small percentage of users and have minimal business impact. These incidents can be handled during regular business hours and don't require immediate action.
S4 incidents can be addressed as part of a normal maintenance workflow. They don't affect many users, have no significant impact on business operations, and are typically cosmetic or informational issues. Ultimately, these are low-severity incidents that will come up more often than not.
An incident's priority level determines when it should be addressed. The severity level is a consideration in determining the priority level, but it's not the only factor. Other issues, such as urgency, complexity, and available resources, may also affect the priority of incidents.
Creating customized priority levels for your organization offers the same benefits as creating customized severity levels. If you have priority levels in place already, you can start by reviewing concepts of priority and assessing their effectiveness. Look at how previous incidents were handled and their outcome and adjust each priority parameter.
Consider your business's critical systems and services and assign them a higher priority. Clearly define the criteria for each level, including impact, urgency, and complexity. You should also consider what priority defects may conflict with severity levels. For example, a less severe incident that affects a major customer may warrant a higher-severity incident that impacts more minor customers.
A P1 incident is high-priority. No matter what else is going on, a P1 incident takes precedence over all other activities and needs to be handled immediately.
P2 incidents are urgent, but you don't necessarily need to mobilize your response team in the middle of the night.
A P3 incident can be handled the next business day without giving your incident response team more gray hairs.
You can address a P4 incident during regular maintenance. It needs to be resolved, but there's not a lot of urgency to it.
Severity and priority are related but distinct concepts, and some incidents, like defect triage, require both. The severity of a bug is determined solely by the degree of impact, while priority is determined by severity and other factors.
When considering priority vs. severity in testing, for example, keep your response's time frame in mind. Priority determines what you need to take action on first.
Enter your details to receive our monthly newsletter, filled with incident related insights to help you in your day-to-day!